Micro Focus Fortify Application Security

Transcription

1 Micro Focus Fortify Application Security Petr Kunstat SW Consultant

2 My web/mobile app is secure. What about yours?

3 High level IT Delivery process Business Idea IT Development & Functional Testing IT Operations Delivery Management under control Full functional testing Running application Everything is GREEN

4 Visible attack Invisible attack 4 Example of Denial-of-service attack

5 Today s digital Enterprise needs a new style of protection IaaS PaaS SaaS Off Premise On Premise USERS Protect your most business-critical digital assets and their interactions, regardless of location device Insiders APPS DATA Hackers BIG DATA BYOD Off Premise 6

6 Add Application Security to Current Security Measures External Apps VNP % of breaches exploit vulnerabilities in the application layer Yet the ratio of spending between perimeter security and application security is 23-to-1 - Gartner Maverick Research: Stop Protecting Your Apps; It s Time for Apps to Protect Themselves (2014)

7

8 Application Security: Preventive Measures What does SAST & DAST means, any difference Static Analysis Fortify SCA Dynamic Analysis WebInspect Source Code Mgt. System Static Analysis Via Build Integration Dynamic Testing in QA or Production Application is not running DEV Application is running TEST/STAGING Hackers & Actual Attacks

9 Application Security: Real Time Monitoring Measures RASP - Run-time Application Security Protection Application Protection App Defender App Defender Server Sending Security Events Real-time Protection of Running Application Runtime Logs Application Application is running PRODUCTION Analysis and Protection Hackers & Actual Attacks

10 How you see your world Get Sales Data Get the username Get the password Edit my account Remember the User Generate Reports

11 How an attacker sees your world Insufficient Data Storage SQL Injection Data Leakage Cross Site Scripting Improper Session Handling Sensitive Information Disclosure Client Side Injection Weak Server Side Controls

12 Static Application Security Testing Fortify Static Code Analyzer SAST 18

13 Static Application Security Testing Accurately identify root cause and remediate underlying security flaw Results User Input XML PL/SQL VBScript VB.NET HTML Java.NET ABAP PHP T-SQL ASP C# CFML COBOL Visual Basic Python Classic ASP JavaScript/AJAX C/C++ SCA Frontend JSP T-SQL XML Java SCA Analysis JSP XML Java T-SQL 24+ Languages SQL Injection

14 Static Application Security Testing Source code analysis Vulnerability Categories , 800+ Command Injection Privacy Violation Session Fixation SQL Injection System Information Leak Unhandled Exception.. LDAP Injection Cross-Build Injection Cross-Site Request Forgery Cross-Site Scripting HTTP Response Split JavaScript Hijacking plus more than supported API s/frameworks

15 Fortify Security Assistant Real-time lightweight analysis of the source code Fortify menu for additional options Vulnerable line of code is highlighted as developer code & provides tips for additional information Level of criticality All issues detected in the project Type of vulnerability, explanation and detailed remediation guidance

16 Fortify SCA Translate Normalized format Fortify Analyze Risk assesment Audit Human review

17 Software Security Center (SSC) - Audit Assistant Machine learning assisted identification of relevant scan results Exploitable Potential Vulns. Indeterminate Audit Assistant Not an Issue

18 Dynamic Application Security Testing Fortify WebInspect DAST 27

19 Fortify WebInspect Dynamic Analysis WebInspect Dynamic Testing in QA or Production Dynamic and Runtime Analysis Technology Made Simple Compliance Management Build Integration Centralized Program Management

20 Fortify WebInspect IDE, API, CLI Crawl Automated Discovery WebInspect Update Vuln DB Audit Attack database VS crawl inputs Review Review

21 Dynamic Analysis Dashboard Fortify WebInspect Live dynamic scan visualization Live scan dashboard Coverage Analysis Live scan statistics Detailed attack table Vulnerabilities found in application Right click - remediation details Right click retest/rescan of Vuln

22 Reporting/Export Integration - Easily send defects directly to development for remediation - Create defect - ALM/QC, Octane, Rational, XML (API) - Reports RTF, PDF, Excel, HTML, TXT - Exports XML, TXT, SCAN, WAF CLICK HERE FOR MY REAL EXAMPLE 34

23 50 Fortify Ecosystem Marketplace on-line

24 Fortify Ecosystem DevOps & third party Code repositories & apps - HPE LiveNet - GitHub - SVN Requirements & issues - ALM Octane - JIRA - Bugzilla Build servers - Jenkins - Bamboo - VSTS/TFS Build tools - Gradle - ANT - Maven Security - Vuln Mgmt - SIEM - WAFs REST APIs with Swagger Fortify solutions Secure Development (SAST) Dynamic Security Testing (DAST) REST APIs with Swagger Continuous Monitoring & Protection (IAST/RASP) Communication/ChatOps DevOps & third party IDEs - Eclipse - Visual Studio - IntelliJ - Xcode/AS Open Source - Sonatype - Black Duck - Fortify Open Rev. Configuration automation - Chef - Puppet - Octopus Containers - Docker - Dockerized Security Cloud - Azure - AWS marketplace.microfocus.com/fortify

25 For more information: software.microfocus.com/en-us/software/application-security