IBM Rational Software

Similar documents
Web Applications (Part 2) The Hackers New Target

Hacking 102 Integrating Web Application Security Testing into Development

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Practical Guide to Securing the SDLC

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

Improving Security in the Application Development Life-cycle

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

SAMPLE QUESTIONS for: Test C , Security Dynamic and Static Applications V2, Fundamentals

Why we need Intelligent Security? Juha Launonen Sourcefire, Inc.

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

90% of data breaches are caused by software vulnerabilities.

Nebraska CERT Conference

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Application Security at Scale

Defense in Depth Security in the Enterprise

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Security by Default: Enabling Transformation Through Cyber Resilience

Cybersecurity for Service Providers

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

AKAMAI CLOUD SECURITY SOLUTIONS

Cybersecurity in Government

What It Takes to be a CISO in 2017

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Global Security Consulting Services, compliancy and risk asessment services

V Conference on Application Security and Modern Technologies

itsmf ITIL V3: Accelerate Success with Tools Maria A Medvedeva, PMP, ITIL Regional Director CA, Inc. itsmf Middle East Board of Directors

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Rethinking Information Security Risk Management CRM002

HP Fortify Software Security Center

Christopher Covert. Principal Product Manager Enterprise Solutions Group. Copyright 2016 Symantec Endpoint Protection Cloud

AT&T Endpoint Security

Name Aaron Clark. Title: Security Shifts to the Application

IBM Future of Work Forum

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

WEB APPLICATION Q.A. - Ensuring Secure & Compliant Web Services - YOUR LAST LINE OF DEFENSE

Combating Today s Cyber Threats Inside Look at McAfee s Security

Comodo Certificate Manager

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Building a Resilient Security Posture for Effective Breach Prevention

IBM SmartCloud Notes Security

Accelerate Your Enterprise Private Cloud Initiative

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

The Center for Internet Security

MARCH Secure Software Development WHAT TO CONSIDER

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Keys to a more secure data environment

Ingram Micro Cyber Security Portfolio

Reinvent Your 2013 Security Management Strategy

Product Security Program

Changing face of endpoint security

Improving Data Governance in Your Organization. Faire Co Regional Manger, Information Management Software, ASEAN

Imperva Incapsula Website Security

HOSTED SECURITY SERVICES

Advanced Security Tester Course Outline

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Security Updates and Trends Affecting the Real Estate Industry

Designing and Building a Cybersecurity Program

Mitigating Security Breaches in Retail Applications WHITE PAPER

TRAINING CURRICULUM 2017 Q2

IBM Internet Security Systems Proventia Management SiteProtector

Architecting the Right SOA Infrastructure

Securing the Empowered Branch with Cisco Network Admission Control. September 2007

To the Designer Where We Need Your Help

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Building Security Into Applications

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Intelligent and Secure Network

.NET JAVA C ASE. Certified. Certified. Application Security Engineer.

IBM Security Network Protection Solutions

Securing Your Most Sensitive Data

Symantec Network Access Control Starter Edition

Five Essential Capabilities for Airtight Cloud Security

M365 Powered Device Proof of Concept

Evaluating the Security of Your IT Network. Vulnerability Scanning & Network Map

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

ACHIEVING FIFTH GENERATION CYBER SECURITY

Certified Information Security Manager (CISM) Course Overview

SIEM: Five Requirements that Solve the Bigger Business Issues

Symantec Network Access Control Starter Edition

CYBERSMART BUILDINGS. Securing Your Investments in Connectivity and Automation

Dom Nessi Burns Engineering March 29, 2017 CYBERSECURITY TRENDS 2017 REPORT

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Cloud Essentials for Architects using OpenStack

How NOT To Get Hacked

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

BETTER Mobile Threat Defense (BMTD)

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

Modern Database Architectures Demand Modern Data Security Measures

Mobile Security using IBM Endpoint Manager Mobile Device Management

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

INTELLIGENCE DRIVEN GRC FOR SECURITY

SDLC Maturity Models

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

Transcription:

IBM Rational Software Development Conference 2008 Our Vision for Application Security David Ng Rational Software Security, Asean IBM Software Group 2008 IBM Corporation

Agenda Application Security Defined Hacking Example Trends and Best Practices IBM Vision and Roadmap for Application Security 2

The world is riskier than it used to be Massive insider breach at DuPont February 15, 2007 By: Larry Greenemeier TJX data breach: At 45.6M card numbers, it s the biggest ever March 29, 2007 By: Jaikumar Vijayan 3 Black Friday Turns Servers Dark at Walmart, Macy s November 25, 2006 By: Evan Schuman Bill Would Punish Retailers For Leaks of Personal Data by Joseph Pereira (February 22, 2007) Blackberry outage widespread February 14, 2007 By Marcia Walton Bill would punish retailers for leaks of personal data February 22, 2007 By Joseph Pereira itunes back to normal after holiday traffic quadruples ABC News: December 28, 2006 3

Evolving Threats 4

Application Security - Understanding the Problem Info Security Landscape Desktop Transport Network Web Applications Antivirus Protection Encryption (SSL) Firewalls / IDS / IPS Firewall Application Servers Backend Server Web Servers Databases 5

Hackers Exploit Unintended Functionality to Attack Apps Actual Functionality Intended Functionality Unintended Functionality 6

IBM Rational Software Development Conference 2008 Application Security Hacking Example 2008 IBM Corporation

Web applications and web services are prone to attack so effective security and compliance are required 75% of today s attacks occur at application layer Yet only 10% of corporate spending is allocated to web application security 80% of organizations will experience an application security incident by 2010 Vulnerabilities are growing at an alarming rate 8 8

SQL Injection IBM Rational Software Development Conference 2008 User input inserted into SQL Command: Get product details by id: Select * from products where id= + $REQUEST[ id ] ; Hack: send param id with value or = Resulting executed SQL: Select * from products where id= or = All products returned 9

SQL Injection Example I 10

SQL Injection Example II 11

SQL Injection Example - Exploit 12

SQL Injection Example - Outcome 13

Motives Behind Application Hacking Incidents Source: Breach/WASC 2007 Web Hacking Incident Annual Report 14

Growth In Browser Vulnerabilities Source: IBM Xforce 2007 Annual Report 15

What is the Root Cause? 1. Developers not trained in security Most computer science curricula have no security courses 2. Under investment from security teams Lack of tools, policies, process, etc. 3. Growth in complex, mission critical online applications Online banking, commerce, Web 2.0, etc 4. Number one focus by hackers 75% of attacks focused on applications - Gartner Result: Application security incidents and lost data on the rise 16

Where Do These Problems Exist? Type: Customer facing services Partner portals Employee intranets Source: 1. Applications you buy e.g. COTS 2. Applications you build internally 3. Applications you outsource 17

Application Security Maturity Model UNAWARE AWARENESS PHASE CORRECTIVE PHASE OPERATIONS EXCELLENCE PHASE 10 % 30 % Maturity 30 % 30 % Duration 2-3 Years Time 18

Building Security Into the Development Process Production Test existing deployed apps Eliminate security exposure in live applications Define/Design Continuous security education of architects, developers etc. on Web Application Security Development Test apps for security issues in Development identifying issues at their earliest point Realize optimum security testing efficiencies (cost reduction) Deploy Test apps before going to production Deploy secure web applications Test Test apps for security issues in QA organization along with performance and functional testing Reduce costs of security testing *Graphics from OWASP.com 19

Security Testing Within the Software Lifecycle SDLC Coding Build QA Security Production Developers Developers Developers Application Security Testing Maturity 20

IBM Rational Software Development Conference 2008 IBM Vision and Roadmap for Application Security 2008 IBM Corporation

IBM Security Framework External Representation The The IBM IBM Security Security Framework Framework Professional Services Managed Security Services Security Hardware and Software Security Security Governance, Governance, Risk Risk Management Management and and Compliance Compliance People and Identity Security Governance, Risk & Compliance Solutions Identity and Access Management Solutions Data and Information Application and Process Information Security Solutions Network, Server, and End-point Application Security Lifecycle Mgmt Solutions Physical Infrastructure Threat and Vulnerability Mgmt & Monitoring Solutions Common Policy, Event Handling and Reporting Common Policy, Event Handling and Reporting Physical Security Solutions 22

IBM is laying the foundation for end-to-end application security IBM Global Services security risk assessments helping define policies and processes Rational automated vulnerability testing for web applications/web services across the development cycle IBM Technology Services/ISS managed services for network and application vulnerability assessment Tivoli access control and security information and event management to web applications/web services DataPower provides SOA security solutions IBM Research static analysis technology Application Security Management Lifecycle Define Policy Define application security standards and requirements IBM Global Services Continuously monitor applications for vulnerabilities and defend against attacks Manage, Monitor & Defend Analyze & Design Build security into application design and model threats Configure infrastructure for application policies; deploy applications in production Deploy Build & Test Build and test individual and composite applications 23

Software Security Development Ecosystem Control, Monitor and Report Developers Build System Quality Assurance Testing Security Auditor scanning Coding Build QA Security Web Based Security Training 24

IBM Rational AppScan SDLC Ecosystem Includes Fall 2008 Releases IBM Rational AppScan Enterprise / Reporting Console AppScan Developer Ed (Eclipse IDE) AppScan Ent. QuickScan (web client) AppScan Developer Ed for build systems (scanning agent) AppScan Tester Ed (scanning agent) AppScan Tester Ed (QA client) AppScan Enterprise user (web client) AppScan Standard Ed (desktop) Rational Application Developer Rational Software Analyzer Rational BuildForge Rational ClearQuest Rational Quality Manager Build security testing into the IDE Automate Security / Compliance testing in the Build Process Security / compliance testing incorporated into testing & remediation workflows Security and Compliance Testing, oversight, control, policy, in-depth tests Code Build QA Security IBM Rational Web Based Training for AppScan 25

Rational AppScan: Find and fix web application security and compliance issues 26

AppScan Tester Edition for RQM Security Testing is managed just like other types of testing 27

Forthcoming AppScan DE Security Testing in your Development Environment (Architect, RAD or Eclipse) Integration with source code, WebSphere, ClearQuest Can interoperate with AppScan Enterprise for central licensing, permissions and oversight 28

AppScan Enterprise Dashboards and Metrics 29

Integrated Computer Based Training Key to adoption across the organization is education 30

QUESTIONS 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback