IBM Application Security on Cloud - Service Overview
April 2017
"Security has and will always be about understanding, managing, and mitigating the risk to an organization's most critical assets." - Dr. Eric Cole, SANS Institute

According to a 2016 Ponemon report, "69 percent of respondents didn't know all the apps and databases currently active in their organizations."

IBM's Application Security Testing solutions provide preemptive protection for mobile and web-based applications. They help find exploitable vulnerabilities in apps and help organizations remediate them before they can be attacked. The best application security defense strategy is designing and building secure applications. There are different techniques, both automated and manual, used to test applications for unknown vulnerabilities:
  Dynamic Application Security Testing (DAST)
  Static Application Security Testing (SAST)
  Interactive Application Security Testing (IAST)
  Open Source Analysis
  Application Pen Testing

2 IBM Security
The Problem
Study: "How to Make Application Security a Strategically Managed Discipline", independently conducted by Ponemon Institute LLC, March 2016.
Only 11% of respondents say their program is mature and the mission is fully accomplished.
Application security challenges

Compliance: external regulations and internal policy requirements
  Where is my business risk?
  How do I set internal policy requirements for application security?
  Is my private / sensitive data exposed by apps?
  How do I check for and demonstrate application compliance?

Pace: rapid growth in applications, releases and technology
  Which applications pose the biggest business risk?
  How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?
  Is my language/framework supported?

Resources: small security teams, lots of applications
  How do we prioritize the work for the resources I have?
  What do we test and how do we test it?
  How do we staff and improve skills and awareness?
  How do we eliminate false positives from reports?
Application Security Management: Managing Risk
IBM Application Security Framework (diagram)

Application Security Management: Asset Inventory; Business Impact Assessment; Vulnerability Prioritization; Status and Progress Measurement; Compliance Determination
Test Applications in Development: Dynamic Analysis; Static Analysis; Open Source Analysis; Mobile Analysis; Pen Testing
Monitor and Protect Deployed Applications: Intrusion Prevention; SIEM; Database Activity Monitoring; Web Application Firewall; Mobile Application Protection

Utilize resources effectively to identify and mitigate risk.
Risk-based Approach to Application Security Management

Asset Inventory
  Create an application profile template
  Build an inventory of applications
  Describe each application
  Classify applications
Business Impact Assessment
  Determine business impact
  Prioritize assets
Vulnerability Prioritization
  Assess for vulnerabilities
  Import vulnerabilities discovered with third-party tools or manually
  Prioritize vulnerabilities based on severity and application context
Status and Progress Measurement
  Determine overall risk status
  View applications that present the highest risk
  Evaluate progress
Compliance Determination
  More than 45 compliance reports, including PCI, DISA, etc.

Utilize resources effectively to identify and mitigate risk.
Application Security Testing
A full spectrum of application assessment techniques to provide deep security analysis

Dynamic Analysis: sends mutated HTTP requests to a running app and examines how the app responds.
Static Analysis: performs trace or expression analysis of the application code without executing the code. Covers most languages and any framework.
Open Source Analysis: identifies known open source component vulnerabilities from the industry's largest DB of open source vulnerabilities.
Mobile App Analysis: uses dynamic and static analysis techniques to analyze mobile executables (Android .apk or iOS .ipa files).
Penetration Testing: manual testing and verification of application vulnerabilities by IBM Security experts.

Utilize resources effectively to identify and mitigate risk.
IBM Application Security on Cloud
Bridging the gap between Security and Development

CISO and Security Team: reducing risk in your app portfolio (Inventory, Business Impact, Vulnerabilities)
Development Team: three imperatives for Security and DevOps (Automation, Speed, Coverage)
Cognitive solution improving scan results and reducing human delays and errors
Identify and remediate high-priority vulnerabilities with IBM Application Security on Cloud

Simple: easy as 1-2-3
Fast: fully automated solution
Comprehensive: based on AppScan engines and powered by Cognitive Analytics
Safe: meets IBM security requirements; ISO 27001 certified

#CoverYourApps
IBM Application Security on Cloud: Easy as 1, 2, 3!
Does my application contain security vulnerabilities?
  1. Enter URL / upload application
  2. Scan application
  3. Review report
IBM Application Security on Cloud - Simplicity: IAST of an Android application in 4 steps (screenshots)
Application Security on Cloud: list of running and completed scans (screenshots)
  1. Create a new scan
  2. Scan executing: SAST and DAST on the same app
  3. Completed scans
Application Security on Cloud Architecture (diagram)

Development/Build Client side:
  Applications to be tested: source code, byte code, iOS, Android, web app
  IR generation turns source or byte code into an IRX file, sent to the service over HTTPS (manual upload through the Web Portal, or through plugins)
  Plugins: Build (UrbanCode, Maven, Jenkins, Bamboo); IDEs (Eclipse, VS, IntelliJ, Xcode); Custom (CLI, APIs)
  AppScan Presence agent, inside the firewall, connects the web app over HTTP(s) to the Dynamic Analyzer

IBM Application Security on Cloud Service (REST API):
  Dynamic Analyzer, Static Analyzer, Open Source Analyzer, Mobile Analyzer, Pen Test, Scan 4 Me, Analytics
Integrates Security into DevOps to maximize ROI

Automation: integration into existing development tooling/processes
Speed: roundtrip analysis (submit and retrieve scan results)
Coverage: breadth and depth of analysis of your application inventory
DevOps Automation: integration into existing development tooling/processes (diagram)

IDEs and the Automation Client drive the ASoC CLI / REST APIs.
IBM ASoC: Dynamic Analyzer, Static Analyzer, Mobile Analyzer, Open Source Analyzer, Pen Testing, Analytics (IFA/ICA)
App Security Testing in the Hands of the Developers

Streamlined automation for DevOps: IDEs and Continuous Integration frameworks
  Launch scans, retrieve results and learn how to fix, all without leaving the IDE
  Extend your environment with CLIs or REST APIs
  Run security scans in your CI/CD
AppScan applies Cognitive capabilities to application security testing: AppScan Cognitive Application Security Advisor

Intelligent Code Analytics (ICA): expands analysis coverage and eliminates false negatives by generating Security Rules for any framework used by an application during trace analysis.
Intelligent Findings Analytics (IFA): reduces false positives by up to 99% and eliminates lengthy manual review processes by providing a fully automated review of Application Security Testing findings.
Simple Fix Group recommendations: provides fix recommendations that help development teams resolve multiple vulnerabilities with a single code fix.

No other solution on the market can improve scan times, depth of scan and quality with cognitive capabilities.
Open Source Analyzer in IBM Application Security on Cloud (ASoC): workflow diagram

  IDEs and Build / CI/CD submit an IRX through the ASoC CLI
  Static Analyzer: Analytics (ICA) generates Security Rules; analysis produces Findings; Findings Analytics (IFA) groups them into Fix Groups
  Open Source Analyzer: builds an Open Source Manifest and analyzes it against the Vulnerability DB
Open Source Analyzer

Gartner Hype Cycle for Open-Source Software, 2016: "many OSS development tools and frameworks have been adopted by far more than 50% of enterprises, thus moving beyond the Plateau of Productivity".

Examples of widely publicized open source vulnerabilities: Poodle, Heartbleed, Shellshock (Bash), Ghost (GNU C).

ASoC Open Source Analyzer:
  Builds a manifest of an application's usage of Open Source
  Checks for Open Source vulnerabilities
  Industry-leading DB of over 180k vulnerabilities
  Remediation instructions on the OSS version to upgrade to
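The Open Source Analyzer steps listed above, and the Open Source Analysis row of the techniques slide, describe one workflow: build a manifest of the open source an application uses, match it against a vulnerability DB, and tell the team which version to upgrade to. The following is an added Python example of that workflow, not IBM's or ASoC's code; the component names, versions, advisory ids and the requirements.txt-style manifest are constructed, and the half-open introduced/fixed version range is an assumed DB format.

```python
# Added example, not IBM's or ASoC's code: the Open Source Analyzer steps the slides
# describe (build a manifest of OSS usage, match it against a vulnerability DB, name
# the version to upgrade to). All names, versions and advisory ids are constructed.
import re

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed vulnerability DB: (advisory id, component, introduced, fixed, severity).
# A component is affected when introduced <= version < fixed ('fixed' = first safe version).
VULN_DB = [
    ("EXAMPLE-OSS-001", "widgetkit", "1.0.0", "1.4.2", "high"),
    ("EXAMPLE-OSS-002", "widgetkit", "1.2.0", "1.5.0", "medium"),
    ("EXAMPLE-OSS-003", "logfmt", "2.0.0", "2.9.0", "critical"),
]

# Constructed dependency manifest in requirements.txt style (comments are skipped).
MANIFEST_TEXT = """
# pinned build dependencies (constructed sample)
widgetkit==1.3.7
logfmt==2.10.0
netio==0.9.1
"""

def parse_version(v):
    """'2.10.0' -> (2, 10, 0, 0); numeric tuples so 2.10 sorts after 2.9, unlike a string compare."""
    nums = tuple(int(x) for x in re.findall(r"\d+", v))
    return nums + (0,) * (4 - len(nums))

def parse_manifest(text):
    """Build the OSS manifest: one 'name==version' pin per line."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def is_affected(version, introduced, fixed):
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def check_manifest(manifest, db):
    """Per vulnerable component: advisory ids, worst severity, and the one version
    to upgrade to (the highest 'fixed' bound, which clears every matching advisory)."""
    findings = {}
    for name, version in manifest.items():
        hits = [a for a in db if a[1] == name and is_affected(version, a[2], a[3])]
        if hits:
            findings[name] = {"version": version, "advisories": [a[0] for a in hits],
                              "highest_severity": max((a[4] for a in hits), key=SEVERITY_RANK.get),
                              "upgrade_to": max((a[3] for a in hits), key=parse_version)}
    return findings
```

On the constructed input, widgetkit 1.3.7 matches both of its advisories and gets a single upgrade target of 1.5.0, while logfmt 2.10.0 is correctly left alone because 2.10 is newer than the 2.9.0 fix (a naive string comparison would have flagged it).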
Results based on industry-leading AppScan engines: report examples (screenshots)
AppSec Program Management Dashboard: manage your organization's risk
  Are we reducing risk?
  What is our current state?
  What is the most common issue?
  What is in my inventory?
  Is our test coverage improving?
Application Security on Cloud Resources and Collateral

Learn more about our offerings!
  Application Security on Cloud complimentary trial: Access Trial
  Infographic: Case Closed with Application Security on Cloud
  Interactive white paper: Effectively Manage AppSec Risk in the Cloud
  Intelligent Code Analytics blog: Increasing Application Security Testing Coverage with Cognitive Computing
  Intelligent Finding Analytics blog: Your Cognitive Computing Application Security Expert; webinar: How to Leverage Cognitive Technology to Think Like a Security Expert
  Forrester: Secure Applications at the Speed of DevOps (webinar and research report)
THANK YOU

FOLLOW US ON: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions

Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
Legal notices and disclaimers

Copyright 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights: use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM.

All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at "Copyright and trademark information", www.ibm.com/legal/copytrade.shtml.