Continuously Discover and Eliminate Security Risk in Production Apps

Similar documents
Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Best Practices in Securing a Multicloud World

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Product Security Program

RiskSense Attack Surface Validation for Web Applications

OWASP Top 10 The Ten Most Critical Web Application Security Risks

SIEMLESS THREAT MANAGEMENT

Vulnerability Management

Security Communications and Awareness

Trustwave Managed Security Testing

Comodo Certificate Manager

Presentation Overview

8 Must Have. Features for Risk-Based Vulnerability Management and More

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Imperva Incapsula Website Security

A Strategic Approach to Web Application Security

GDPR: An Opportunity to Transform Your Security Operations

Security Communications and Awareness

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

CSWAE Certified Secure Web Application Engineer

The Top 6 WAF Essentials to Achieve Application Security Efficacy

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Automating the Top 20 CIS Critical Security Controls

Discovering ZENworks 11

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

RiskSense Attack Surface Validation for IoT Systems

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Development*Process*for*Secure* So2ware

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Micro Focus Security Fortify Audit Assistant

SIEMLESS THREAT DETECTION FOR AWS

Fortify Software Security Content 2017 Update 4 December 15, 2017

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

SECURITY TESTING. Towards a safer web world

AppScan Deployment APPLICATION SECURITY SERVICES. Colin Bell. Applications Security Senior Practice Manager

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

An Introduction to the Waratek Application Security Platform

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

C1: Define Security Requirements

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Application. Security. on line training. Academy. by Appsec Labs

TREND MICRO SMART PROTECTION SUITES

Discover Best of Show März 2016, Düsseldorf

Oracle Database Security Assessment Tool

HP Fortify Software Security Center

IBM Security Guardium Analyzer

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

V Conference on Application Security and Modern Technologies

Chapter 5: Vulnerability Analysis

Application Security Approach

RSA INCIDENT RESPONSE SERVICES

Hybrid 2.0 In search of the holy grail

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

TREND MICRO SMART PROTECTION SUITES

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Continuous protection to reduce risk and maintain production availability

90% of data breaches are caused by software vulnerabilities.

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015

RSA INCIDENT RESPONSE SERVICES

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE:

Defend Against the Unknown

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

An Introduction to Runtime Application Self-Protection (RASP)

IoT & SCADA Cyber Security Services

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Tenable.io User Guide. Last Revised: November 03, 2017

ShiftLeft. Real-World Runtime Protection Benchmarking

WHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012

WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

A Risk Management Platform

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Solutions Business Manager Web Application Security Assessment

Vulnerabilities in online banking applications

Improving Security in the Application Development Life-cycle

CloudSOC and Security.cloud for Microsoft Office 365

Solution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and

trend micro smart Protection suites

Master Every Stage of Your Mobile App Lifecycle: Micro Focus Mobile Center. Brochure. Application Development, Test & Delivery

SOLUTION BRIEF Virtual CISO

Brochure. Fortify on Demand. Fortify on Demand. Static Application Security Testing

THE CONTRAST ASSESS COST ADVANTAGE

Certified Secure Web Application Engineer

CA Host-Based Intrusion Prevention System r8

ForeScout ControlFabric TM Architecture

CYBERSECURITY RESILIENCE

INTERACTIVE APPLICATION SECURITY TESTING (IAST)

Transcription:

White Paper Security Continuously Discover and Eliminate Security Risk in Production Apps

Table of Contents page Continuously Discover and Eliminate Security Risk in Production Apps... 1 Continuous Application Monitoring... 1 Find and Protect Applications without Slowing Application Delivery... 2 Application Discovery and Risk Profiling... 3 Dynamic Scanning and Change Detection... 4 Comprehensive Dynamic Scanning... 5 Runtime Detection... 6 Continuous Application Monitoring Key Features and Benefits... 7 How We Sell It... 7 For More Information... 7

It is now an imperative to continuously monitor and protect production environments for application security risks from new or rogue applications, risk profile changes, and zero-day vulnerabilities. Continuously Discover and Eliminate Security Risk in Production Apps The first step in any application security initiative is to understand where your risk exposure is, particularly in live production environments that might already be vulnerable. While organizations are increasingly addressing security as part of the development process, they struggle to get security visibility into their externally facing apps in production. Continuous Application Monitoring Network vulnerability assessment and monitoring programs give no actionable insight into application layer vulnerabilities and suffer from the noise of inaccurate signature-based scanning. Finding vulnerabilities during development is essential to securing applications long term, but does little to save the company from attacks targeting live legacy applications today. It is now an imperative to continuously monitor and protect production environments for application security risks from new or rogue applications, risk profile changes, and zero-day vulnerabilities. 1

White Paper Continuously Discover and Eliminate Security Risk in Production Apps Find and Protect Applications without Slowing Application Delivery The Micro Focus Fortify on Demand Continuous Application Monitoring Service can help close the gap between application deployment and security. It combines application discovery with continuous dynamic vulnerability scanning, risk profiling, and runtime protection in a subscription service that provides visibility and insight into the risk facing customers public web application portfolios. The automated discovery scans identify new external-facing applications on a monthly basis and results are presented in a riskranked list with confidence scores. Confirmed applications can then be enrolled in fast, production-safe, continuous vulnerability, and risk profile scanning. The Micro Focus Fortify on Demand Continuous Application Monitoring Service can help close the gap between application deployment and security. Based on scan findings and business factors, deeper dynamic analysis and runtime protection can be added for critical applications. Continuous application monitoring serves as both an ideal first step in launching a software security assurance program and as a complement to dynamic and static testing of applications after they are deployed. Application Discovery Runtime detection Dynamic Scanning Figure 1. Continuous application monitoring 2

Application security program managers need an ongoing solution to monitor and assess their company s constantly evolving attack surface. Application Discovery and Risk Profiling Application Discovery Do you know what s out there? Fortify on Demand Continuous Application Monitoring Service quickly and regularly gives security teams visibility into their external-facing software portfolio. Some are obvious corporate, division, brand, or regional sites but others can be hard to keep track of. Marketing and channel campaigns are a common, ongoing source of shadow IT, while mergers and acquisitions can significantly grow your portfolio almost overnight. Application security program managers need an ongoing solution to monitor and assess their company s constantly evolving attack surface. Application discovery is kicked off monthly as part of the Continuous Application Monitoring service. I t starts by identifying your publicly accessible web applications, starting with a few simple inputs: your primary corporate domains and company name at a minimum, with IP address range and keywords optional. Our automated service employs multiple advanced domain and endpoint-based discovery techniques to identify publically accessible web applications. Discovered applications are verified and used as feedback for further iterative discovery. Seed data Domain-based discovery Endpoint verification Risk profile Prioritized hosts Endpoint-based discovery Figure 2. How application discovery works As part of the discovery process, we look for specific criteria to help us risk-profile the applications: site purpose (informational vs. ecommerce), collection of personally identifiable information (PII), authentication capability, and web technology information (application server, client-side JavaScript libraries, etc.) to name a few. The gathered information is used to generate risk ranking and confidence scores on a user-friendly scale. From the list of discovered and profiled applications, AppSec managers can make decisions about which sites to retire and which to confirm and enroll in their application security program. Application discovery use cases: Cataloging application inventory before starting a software security program Establishing the business case for an application security initiative or program growth Maintaining visibility across worldwide, constantly evolving medium-to-large application portfolios 3

White Paper Continuously Discover and Eliminate Security Risk in Production Apps Dynamic Scanning and Change Detection Dynamic Scanning Script kiddies are scanning your sites right now, so why aren t you? After a software portfolio has been scoped, an overwhelming feeling of where do we start? is often a security team s next reaction. For enterprises starting out, Continuous Application Monitoring s powerful, yet fast dynamic and risk profile scanning technology quickly finds and provides recommendations to fix the most glaring vulnerabilities across large numbers of applications, demonstrating value early on. The team can then establish a methodical process for onboarding applications for more comprehensive dynamic and static scanning during development. For organizations with established software security assurance programs that focus on pre-production testing, Continuous Application Monitoring provides a complementary layer of defense in depth where the focus of application security testing has traditionally been on pre-preproduction. For organizations with established software security assurance programs that focus on pre-production testing, Continuous Application Monitoring provides a complementary layer of defense in depth where the focus of application security testing has traditionally been on pre-preproduction. After an application is enrolled, Continuous Application Monitoring provides continuous lightweight, unauthenticated dynamic scans focused on common critical, highly exploitable vulnerabilities found in the OWASP Top 10, with a particular emphasis on common deployment issues, while also re-assessing the application s risk profile. Designed with production-safe principles at the forefront, the scan revalidates previous findings and looks for any changes that might have taken place since the previous scan which can occur due to frequent or untested patches, new zero-day vulnerabilities, or unintended configuration updates. The most recent changes, including new vulnerabilities or risk profile changes, are highlighted in a single dashboard and a notification is triggered when a new vulnerability is detected or if the risk profile changes. Users can drill into the findings to see vulnerability and risk profile details. What we cover in the OWASP Top 10: A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards 4

Leveraging information provided by the continuous scans, application security teams managing large portfolios have visibility in between periodic comprehensive dynamic scans and are able to make better decisions on which applications need those deeper dynamic assessments and which might need protecting via runtime detection. Leveraging information provided by the continuous scans, application security teams managing large portfolios have visibility in between periodic comprehensive dynamic scans and are able to make better decisions on which applications need those deeper dynamic assessments and which might need protecting via runtime detection. This helps allocate resources based on company risk criteria and internal and external security polices and regulations. Information can also be funneled back to threat modeling and development as part of a mature security program. Dynamic scanning and change detection use cases: Complement and prioritize comprehensive dynamic scanning in pre-production for defense in depth Quickly identify and remediate low-hanging but critical vulnerabilities Cost-effective alternative when not enough resources or budget to test every application during development Detect changes to application s threat model introduced by subsequent releases or patches Dynamic assessments mimic real-world hacking techniques and attacks, using both automated and manual techniques to provide comprehensive analysis of complex web applications and services. Featuring Micro Focus Fortify WebInspect for automated dynamic scanning, Fortify on Demand provides a fullservice experience. Comprehensive Dynamic Scanning Chances are you are already employing dynamic scanning or penetration tests for those applications you know about. Now, as new information becomes available via application discovery and continuous scanning, security teams can identify at-risk applications and kick off a deeper dynamic scan. Customer-facing websites and mobile apps, or those containing sensitive data, are obvious choices for cyber-attacks. However, even secondary websites and brochure pages within the same network are at risk and need to be constantly tested and monitored for security flaws. Dynamic assessments mimic real-world hacking techniques and attacks, using both automated and manual techniques to provide comprehensive analysis of complex web applications and services. Featuring Micro Focus Fortify WebInspect for automated dynamic scanning, Fortify on Demand provides a fullservice experience. All scans include macro creation for authentication and a full audit of results by our experts to remove false positives and for overall quality a level of service you don t get with other providers. Our manual testing focuses on the types of vulnerabilities that skilled hackers exploit, including authentication, access control, input validation, session management, and business logic testing. Simply provide a URL and our team will handle the rest. Fortify on Demand offers three levels of dynamic assessment types, depending on need and business criticality: basic, standard, and premium. Dynamic basic offers an automated scan with a manual audit and false positive removal. Dynamic standard adds manual testing to the basic scan, while Dynamic premium offers an extensive manual component with static code analysis, business logic testing, and web services assessment. Typically, marketing applications are tested at the basic level, while those needing to pass strict compliance guidelines are tested with the Dynamic premium assessment. 5

White Paper Continuously Discover and Eliminate Security Risk in Production Apps Comprehensive dynamic scanning use cases: Comply with industry compliance standards Quickly identify and validate critical security vulnerabilities and misconfigurations in running applications Identify application flaws that penetration testing or automated testing alone wouldn t find Runtime Detection The Application Defender solution works from within the application server, quickly instrumenting an application to stop attacks across dozens of vulnerability categories. Runtime detection Remediating vulnerabilities found in production applications is not an instantaneous process. While it s a best practice to fix all security issues, it s not always possible or practical to disrupt the software development flow. To protect production software, Micro Focus Application Defender offers runtime application self-protection (RASP) that quickly and easily detects and defends against exploits in real time. The Application Defender solution works from within the application server, quickly instrumenting an application to stop attacks across dozens of vulnerability categories. Contextual insight from within the application data flows and execution logic enables Application Defender to identify and stop even the most sophisticated attacks. Application Defender supports 29 vulnerability categories, including: SQL injection, cross-site scripting, Java deserialization, privacy violations, malformed request, command injection, internal security violations. Fortify on Demand integrates with Application Defender, allowing customers to implement smarter monitoring, logging, and protection for applications. While reviewing vulnerabilities identified from static or dynamic scanning within Fortify on Demand, customers can enable protections against identified vulnerability categories or even on a point-related basis for specific request paths. Conversely, by feeding realtime security event data from Application Defender, Fortify on Demand customers can better prioritize remediation efforts on the vulnerabilities where exploits are being attempted. Runtime detection use cases: A greater number of vulnerable applications than resources or time to fix Third-party or legacy applications where you cannot remediate the underlying vulnerability Zero-day vulnerabilities in applications or underlying platforms 6

We recommend customers purchase the Continuous Application Monitoring bundle, which includes monthly application discovery and allows continuous dynamic scanning for a desired number of applications. Additionally, continuous dynamic scanning is included with any dynamic basic, standard, or premium subscription and can also be purchased as a standalone service. Continuous Application Monitoring Key Features and Benefits Eliminates production application blind spots Discovers what web applications actually exist on external networks and the risk factors involved Identifies critical vulnerabilities early (before they are exploited) Detects the most recent changes both risk profile changes and new vulnerabilities through continuous scanning Low to no impact on site load designed for production safety Affordable, per application subscription model Fully automated set up Continuous Monitoring at the tenant level and enroll applications, there s nothing else to do How We Sell It We recommend customers purchase the Continuous Application Monitoring bundle, which includes monthly application discovery and allows continuous dynamic scanning for a desired number of applications. Additionally, continuous dynamic scanning is included with any dynamic basic, standard, or premium subscription and can also be purchased as a standalone service. Dynamic Scans are purchased by redeeming Fortify on Demand Assessment Units for single scans or application subscriptions. Runtime Detection from Application Defender is available through an on-premises license or as a service (SaaS).One Application Defender agent license is included with every Fortify on Demand Dynamic assessments by subscription. For More Information Continuous Application Monitoring is part of a Software Security Assurance program that embeds security at all points in the software development lifecycle (SDLC). Please feel free to contact us at FoDSales@ microfocus.com to get started. Learn More At Please feel free to contact us at FoDSales@microfocus.com to get started. 7

Additional contact information and office locations: 362-000034-002 4AA6-7588 H 06/18 2018 Micro Focus or one of its affiliates. Micro Focus and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback