IBM Application Security on Cloud


IBM Application Security on Cloud: Service Overview (April 2017)

"Security has and will always be about understanding, managing, and mitigating the risk to an organization's most critical assets." - Dr. Eric Cole, SANS Institute

According to a 2016 Ponemon report, "69 percent of respondents didn't know all the apps and databases currently active in their organizations."

IBM's Application Security Testing solutions provide preemptive protection for mobile and web-based applications: they find vulnerabilities in applications and help organizations remediate them before they can be exploited. The best application security defense strategy is designing and building secure applications. Several techniques, both automated and manual, are used to test applications for vulnerabilities:

Dynamic Application Security Testing (DAST)
Static Application Security Testing (SAST)
Interactive Application Security Testing (IAST)
Open Source Analysis
Application Pen Testing

2 IBM Security

The Problem

Study: "How to Make Application Security a Strategically Managed Discipline", independently conducted by Ponemon Institute LLC, March 2016: only 11% of respondents say their program is mature and the mission is fully accomplished. (Full Survey Results: link on the slide.)

Application security challenges

Compliance: external regulations and internal policy requirements
  Where is my business risk?
  How do I set internal policy requirements for application security?
  Is my private / sensitive data exposed by apps?
  How do I check for and demonstrate application compliance?

Pace: rapid growth in applications, releases and technology
  Which applications pose the biggest business risk?
  How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?
  Is my language / framework supported?

Resources: small security teams, lots of applications
  How do we prioritize the work for the resources I have?
  What do we test and how do we test it?
  How do we staff and improve skills and awareness?
  How do we eliminate false positives (FP) from reports?

Application Security Management Managing Risk

IBM Application Security Framework

Application Security Management: Asset Inventory, Business Impact Assessment, Vulnerability Prioritization, Status and Progress Measurement, Compliance Determination

Test Applications in Development: Dynamic Analysis, Static Analysis, Open Source Analysis, Mobile Analysis, Pen Testing

Monitor and Protect Deployed Applications: Intrusion Prevention, SIEM, Database Activity Monitoring, Web Application Firewall, Mobile Application Protection

Utilize resources effectively to identify and mitigate risk

Risk-based Approach to Application Security Management

Asset Inventory
  Create an application profile template
  Build an inventory of applications
  Describe each application

Business Impact Assessment
  Classify applications
  Determine business impact
  Prioritize assets

Vulnerability Prioritization
  Assess for vulnerabilities
  Import vulnerabilities discovered with third-party tools or manually
  Prioritize vulnerabilities based on severity and application context

Status and Progress Measurement
  Determine overall risk status
  View applications that present the highest risk
  Evaluate progress

Compliance Determination
  More than 45 compliance reports, including PCI, DISA, etc.

Utilize resources effectively to identify and mitigate risk

Application Security Testing

A full spectrum of application assessment techniques to provide deep security analysis

Dynamic Analysis: sends mutated HTTP requests to a running app and examines how the app responds.
Static Analysis: performs trace or expression analysis of the application code without executing the code. Covers most languages and any framework.
Open Source Analysis: identifies known open source component vulnerabilities using the industry's largest database of open source vulnerabilities.
Mobile App Analysis: uses dynamic and static analysis techniques to analyze mobile executables (Android .apk or iOS .ipa files).
Penetration Testing: manual testing and verification of application vulnerabilities by IBM Security experts.

Utilize resources effectively to identify and mitigate risk
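To make the Dynamic Analysis row concrete, here is a minimal DAST-style probe: it mutates one request parameter at a time, replays the request against a running app, and flags two response symptoms (a payload reflected verbatim, and an error-based SQL injection indicator). This is an added example, not AppScan's dynamic engine or any code from the deck; the target is a constructed, deliberately vulnerable WSGI app driven in-process so nothing touches the network, and the payload lists and error markers are illustrative choices.

```python
"""Minimal DAST-style probe: send mutated HTTP requests to a running app and
inspect what comes back.  Added example; the target app is constructed and
deliberately vulnerable, and the scanner is illustrative, not AppScan."""
import sqlite3
from html import escape
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

# --- constructed target application ---------------------------------------
def vulnerable_app(environ, start_response):
    """'id' is concatenated into SQL, 'name' is reflected unescaped,
    'safe' is HTML-escaped; only the first two should produce findings."""
    query = parse_qs(environ.get("QUERY_STRING", ""))
    user_id = query.get("id", ["1"])[0]
    name = query.get("name", [""])[0]
    safe = query.get("safe", [""])[0]

    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    status = "200 OK"
    try:
        # SQL injection: untrusted input concatenated into the statement
        row = db.execute("SELECT name FROM users WHERE id = " + user_id).fetchone()
        body = "user: %s\n" % (row[0] if row else "none")
    except sqlite3.Error as exc:
        # leaks the driver's exception class in the response, as many real apps do
        status = "500 Internal Server Error"
        body = "sqlite3.%s: query failed\n" % type(exc).__name__
    body += "hello " + name + "\n"           # reflected XSS: no output encoding
    body += "safe: " + escape(safe) + "\n"   # encoded: not exploitable
    start_response(status, [("Content-Type", "text/html")])
    return [body.encode()]

# --- the scanner -----------------------------------------------------------
XSS_PAYLOADS = ["<script>dast_probe()</script>", "\"><img src=x onerror=dast_probe()>"]
SQLI_PAYLOADS = ["1'", "1 OR 1=1 --", "1\""]
SQL_ERROR_MARKERS = ("sqlite3.", "syntax error", "sql syntax", "ora-", "unclosed quotation")

def send_request(app, path, params):
    """Drive the WSGI app in-process (no network) and capture status + body."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urlencode(params)
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app(environ, start_response)).decode(errors="replace")
    return captured["status"], body

def scan(app, path, param_names):
    """Mutate one parameter at a time, keep the others at a benign baseline,
    and record (param, finding_type, payload) for each symptom observed."""
    findings = []
    for target in param_names:
        baseline = {p: "1" for p in param_names}
        for payload in XSS_PAYLOADS:
            status, body = send_request(app, path, dict(baseline, **{target: payload}))
            if payload in body:            # reflected verbatim: no output encoding
                findings.append((target, "reflected-xss", payload))
                break
        for payload in SQLI_PAYLOADS:
            status, body = send_request(app, path, dict(baseline, **{target: payload}))
            errored = status.startswith("500") or any(m in body.lower() for m in SQL_ERROR_MARKERS)
            if errored:                    # error-based SQL injection indicator
                findings.append((target, "sql-error", payload))
                break
    return findings

if __name__ == "__main__":
    for finding in scan(vulnerable_app, "/greet", ["id", "name", "safe"]):
        print("%-5s %-14s payload=%r" % finding)
```

The `safe` parameter shows why a scanner compares the response against the exact payload rather than just the request: the escaped echo (`&lt;script&gt;...`) is not a finding. A production DAST engine adds what this probe omits, such as boolean- and time-based SQL injection checks that work when the application does not leak errors, crawling to discover parameters, and authenticated sessions.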

IBM Application Security on Cloud

Bridging the gap between Security and Development

CISO and Security Team: reducing risk in your application portfolio
  # Inventory
  $$$ Business Impact
  Vulnerabilities

Development Team: three imperatives for Security and DevOps
  Automation
  Speed
  Coverage

A cognitive solution improves scan results and reduces human delays and errors.

Identify and remediate high-priority vulnerabilities with IBM Application Security on Cloud

Simple: easy as 1-2-3
Fast: fully automated solution
Comprehensive: based on AppScan engines and powered by Cognitive Analytics
Safe: meets IBM security requirements; ISO 27001 certified

#CoverYourApps

IBM Application Security on Cloud: easy as 1, 2, 3!

Does my application contain security vulnerabilities?
  1. Enter URL / upload application
  2. Scan application
  3. Review report

Simple

IBM Application Security on Cloud - Simplicity: IAST of an Android application in 4 steps (four numbered screenshots on the slide)

Application Security on Cloud: list of running and completed scans (annotated screenshot)
  1. Create a new scan
  2. Scan executing SAST and DAST on the same app
  3. Completed scans

Application Security on Cloud: Architecture

Development/Build client side
  Applications to be tested: source code, byte code, iOS and Android apps, web apps
  IR generation: source or byte code is converted locally into an intermediate representation (.IRX file); the .IRX, not the source, is what gets uploaded over HTTPS
  Submission paths: manual upload through the web portal, or plugins
    Build: UrbanCode, Maven, Jenkins, Bamboo
    IDEs: Eclipse, Visual Studio, IntelliJ, Xcode
    Custom: CLI, APIs
  AppScan Presence agent: sits inside the firewall and carries HTTP(S) traffic so the Dynamic Analyzer can reach web apps that are not exposed to the internet

IBM Application Security on Cloud service side (reached through the REST API)
  Dynamic Analyzer, Static Analyzer, Open Source Analyzer, Mobile Analyzer, Pen Test, Scan 4 Me, Analytics

Integrates security into DevOps to maximize ROI

Automation: integration into existing development tooling/processes
Speed: round-trip analysis (submit and retrieve scan results)
Coverage: breadth and depth of analysis of your application inventory

DevOps Automation: integration into existing development tooling/processes

IDEs and an automation client (ASoC CLI / REST APIs) drive IBM ASoC: Dynamic Analyzer, Static Analyzer, Mobile Analyzer, Open Source Analyzer, Pen Testing, Analytics (IFA/ICA)

App Security Testing in the Hands of the Developers

Streamlined automation for DevOps: IDEs and continuous integration frameworks
  Launch scans, retrieve results and learn how to fix, all without leaving the IDE
  Extend your environment with CLIs or REST APIs
  Run security scans in your CI/CD
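What "run security scans in your CI/CD" looks like in practice is a gate: submit a scan, poll until it finishes, pull the findings, and fail the job when open findings exceed a severity budget. The following is an added example of that pattern, not ASoC's own CLI or REST API: the endpoints (/scans, /scans/<id>, /scans/<id>/findings), status names and finding fields are hypothetical stand-ins for a REST scan service, and FakeTransport is a constructed in-memory service so the flow runs offline.

```python
"""CI/CD gate around a hosted scan service: submit, poll to completion, pull
findings, fail the build if open findings exceed a severity budget.
Added example with a hypothetical REST API; not the ASoC API."""
import sys
import time

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}
TERMINAL_FAILURE = ("Failed", "Canceled")

class FakeTransport:
    """Constructed stand-in for an HTTP client: the scan reports 'Running' on
    the first two polls and 'Ready' on the third."""
    def __init__(self, findings):
        self.findings = findings
        self.polls = 0

    def request(self, method, path, body=None):
        if method == "POST" and path == "/scans":
            return {"scan_id": "scan-42", "status": "Queued"}
        if method == "GET" and path == "/scans/scan-42":
            self.polls += 1
            return {"scan_id": "scan-42", "status": "Running" if self.polls < 3 else "Ready"}
        if method == "GET" and path == "/scans/scan-42/findings":
            return {"findings": list(self.findings)}
        raise ValueError("unexpected request: %s %s" % (method, path))

def submit_scan(transport, target):
    return transport.request("POST", "/scans", {"target": target})["scan_id"]

def wait_for_scan(transport, scan_id, timeout_s=1800, interval_s=30):
    """Poll until the scan is Ready; raise on failure states or timeout so a
    hung or failed scan never silently passes the gate."""
    deadline = time.monotonic() + timeout_s
    while True:
        status = transport.request("GET", "/scans/%s" % scan_id)["status"]
        if status == "Ready":
            return status
        if status in TERMINAL_FAILURE:
            raise RuntimeError("scan %s ended in state %s" % (scan_id, status))
        if time.monotonic() >= deadline:
            raise TimeoutError("scan %s still %s after %ss" % (scan_id, status, timeout_s))
        time.sleep(interval_s)

def gate(findings, budget=0, min_severity="High"):
    """Count findings at or above min_severity that are still Open; findings
    already marked Fixed or Noise (triaged as false positives) do not block."""
    threshold = SEVERITY_RANK[min_severity]
    blocking = [f for f in findings
                if f.get("status", "Open") == "Open"
                and SEVERITY_RANK.get(f.get("severity"), 0) >= threshold]
    return {"pass": len(blocking) <= budget, "blocking": blocking}

def run_pipeline_gate(transport, target, budget=0, min_severity="High", interval_s=30):
    scan_id = submit_scan(transport, target)
    wait_for_scan(transport, scan_id, interval_s=interval_s)
    findings = transport.request("GET", "/scans/%s/findings" % scan_id)["findings"]
    return gate(findings, budget, min_severity)

if __name__ == "__main__":
    # constructed findings: one blocking High, one High triaged as Noise, one Medium
    sample = [{"id": "f1", "severity": "High", "status": "Open"},
              {"id": "f2", "severity": "High", "status": "Noise"},
              {"id": "f3", "severity": "Medium", "status": "Open"}]
    result = run_pipeline_gate(FakeTransport(sample), "https://app.example.test", interval_s=0.01)
    print("gate %s, blocking: %s" % ("passed" if result["pass"] else "FAILED",
                                    [f["id"] for f in result["blocking"]]))
    sys.exit(0 if result["pass"] else 1)   # a non-zero exit code fails the CI job
```

Two details matter for a gate like this: every non-Ready outcome (failure state, timeout) raises rather than returning an empty finding list, so a broken scan cannot pass the build; and triage status is honoured, so issues a reviewer or an analytics stage has marked as noise stop blocking without being deleted from the record.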

AppScan applies cognitive capabilities to application security testing (AppScan Cognitive Application Security Advisor)

Intelligent Code Analytics (ICA): expands analysis coverage and reduces false negatives by generating security rules for any framework used by an application during trace analysis.
Intelligent Findings Analytics (IFA): reduces false positives by up to 99% and eliminates lengthy manual review processes by providing a fully automated review of application security testing findings.
Simple Fix Group recommendations: provides fix recommendations that help development teams resolve multiple vulnerabilities with a single code fix.

No other solution on the market can improve scan times, depth of scan and quality with cognitive capabilities.

Open Source Analyzer in the ASoC pipeline (diagram)

IDEs and Build/CI-CD produce the IRX and an open-source manifest through the ASoC CLI. Inside IBM Application Security on Cloud (ASoC): Security Rules feed the Static Analyzer and Analytics (ICA); analysis findings pass through Findings Analytics (IFA) into Fix Groups; the Open Source Analyzer matches the open-source manifest against the vulnerability DB.

Open Source Analyzer

Gartner Hype Cycle for Open-Source Software, 2016: "many OSS development tools and frameworks have been adopted by far more than 50% of enterprises, thus moving beyond the Plateau of Productivity". Well-known open-source vulnerabilities named on the slide: POODLE, Heartbleed, Shellshock (Bash), GHOST (GNU C library).

ASoC Open Source Analyzer
  Builds a manifest of an application's usage of open source
  Checks for open source vulnerabilities
  Industry-leading DB of over 180k vulnerabilities
  Remediation instructions: which OSS version to upgrade to
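The three steps on the slide (build a manifest, match it against a vulnerability database, recommend the version to upgrade to) reduce to version-range matching. Below is an added example of that logic, not ASoC's analyzer or its database: the manifest uses fictional package names, the advisory records carry made-up EX-... identifiers, and the range rule (affected when introduced <= version < fixed) is an assumption chosen for the example. It also shows the boundary a practitioner must get right (a component already at the fixed version is clean) and how to collapse several advisories on one package into a single upgrade target.

```python
"""Open-source component check: build a manifest, match it against advisories
by version range, and report the version to upgrade to.  Added example with
constructed packages and advisories; not ASoC's Open Source Analyzer."""
import re

# constructed requirements-style manifest of an application's dependencies
MANIFEST = """\
acme-http==2.5.0     # web client
Acme-Webfw==1.8.3
acme-tls==1.26.5
acme-yaml==5.4
"""

# constructed advisories: a component is affected when introduced <= version < fixed
VULN_DB = [
    {"id": "EX-2015-0001", "package": "acme-http",  "introduced": "2.1.0", "fixed": "2.6.0",  "severity": "High"},
    {"id": "EX-2015-0002", "package": "acme-webfw", "introduced": "1.8.0", "fixed": "1.8.4",  "severity": "Critical"},
    {"id": "EX-2021-0003", "package": "acme-tls",   "introduced": "1.0.0", "fixed": "1.26.5", "severity": "Medium"},
    {"id": "EX-2016-0004", "package": "acme-webfw", "introduced": "1.8.0", "fixed": "1.8.10", "severity": "High"},
]

def parse_version(text):
    """'1.8.3' -> (1, 8, 3). Numeric components only; a suffix such as 'rc1'
    ends parsing. Padded to three places so '1.8' compares equal to '1.8.0'."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts + [0] * max(0, 3 - len(parts)))

def parse_manifest(text):
    """Return [(package_name_lowercase, version)] from 'name==version' lines."""
    components = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        components.append((name.strip().lower(), version.strip()))
    return components

def is_affected(version, record):
    v = parse_version(version)
    return parse_version(record["introduced"]) <= v < parse_version(record["fixed"])

def find_vulnerabilities(manifest_text, db=VULN_DB):
    """One result per (component, advisory) pair, in manifest order."""
    results = []
    for name, version in parse_manifest(manifest_text):
        for record in db:
            if record["package"] == name and is_affected(version, record):
                results.append({"package": name, "installed": version, "id": record["id"],
                                "severity": record["severity"], "upgrade_to": record["fixed"]})
    return results

def remediation_plan(results):
    """Collapse to one upgrade target per package: the highest fixed version
    across all of its advisories, so a single upgrade clears them all."""
    plan = {}
    for result in results:
        current = plan.get(result["package"])
        if current is None or parse_version(result["upgrade_to"]) > parse_version(current):
            plan[result["package"]] = result["upgrade_to"]
    return plan

if __name__ == "__main__":
    found = find_vulnerabilities(MANIFEST)
    for r in found:
        print("%-11s %-8s %-13s %-9s upgrade to %s"
              % (r["package"], r["installed"], r["id"], r["severity"], r["upgrade_to"]))
    print("plan:", remediation_plan(found))
```

Real ecosystems complicate each step: manifests are lock files or build graphs with transitive dependencies rather than flat pins, version schemes differ per ecosystem (semver, PEP 440, Maven), and advisories often list several disjoint affected ranges. The matching rule and the "highest fix wins" upgrade rule stay the same.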

Results based on industry-leading AppScan engines (report examples shown as screenshots on the slide)

AppSec Program Management Dashboard: manage your organization's risk

Are we reducing risk? What is our current state? What is the most common issue? What is in my inventory? Is our test coverage improving?

Application Security on Cloud: Resources and Collateral

Learn more about our offerings:
  Application Security on Cloud complimentary trial: Access Trial
  Case Closed with Application Security on Cloud (infographic)
  Interactive white paper: Effectively Manage AppSec Risk in the Cloud
  Intelligent Code Analytics blog: Increasing Application Security Testing Coverage with Cognitive Computing
  Intelligent Finding Analytics blog: Your Cognitive Computing Application Security Expert, and webinar: How to Leverage Cognitive Technology to Think Like a Security Expert
  Forrester: Secure Applications at the Speed of DevOps (webinar and research report)

THANK YOU

FOLLOW US ON: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions

Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Legal notices and disclaimers

Copyright 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights: use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM.

All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available under "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml