Micro Focus Security Fortify. Application Security


Micro Focus Security Fortify Application Security

Secure the new: application security in DevOps
Agenda:
- Fortify in brief (offerings)
- Fortify Source Code Analyzer
- Fortify WebInspect
- Using Fortify with DevOps

Managing risk in today's digital enterprise
- Increasingly sophisticated cyber attacks: more sophisticated, more frequent, more damaging
- Cost and complexity of regulatory pressures: compliance, privacy, data protection
- Rapid transformation of enterprise IT: shift to hybrid, mobile connectivity, big data explosion

Today's digital enterprise needs a new style of protection
Protect your most business-critical digital assets (users, apps, data, big data) and their interactions, regardless of location or device: IaaS, PaaS, SaaS, off premise, on premise, BYOD.

Protect your digital enterprise
- Prevent (build it in): identify the threats you face and assess your organization's capabilities to protect your enterprise; harden your applications, protect your users, and encrypt your most important data.
- Detect & respond: proactively detect and manage breaches; help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration; establish situational awareness to find and shut down threats at scale.
- Recover: safeguard continuity and compliance; drive resilience and business continuity across your IT environments, systems, and applications; reduce risk with enterprise-wide governance, risk & compliance strategies.

Application Security

Existing network and perimeter-based security is insufficient
84% of breaches exploit vulnerabilities in the application layer, yet the ratio of spending between perimeter security and application security is 23-to-1.
- Gartner Maverick Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves (2014)

The number of apps is growing: increasing platforms and complexity, many delivery models
- Production software: monitoring / protecting
- Legacy software: securing legacy applications, demonstrating compliance
- In-house development: certifying new releases
- Outsourced, commercial and open source software: procuring secure software

A reactive approach to AppSec is inefficient and expensive
The cost to remediate rises through the SDLC phases (requirements, design/architecture, coding, testing, deployment/maintenance); the chart marks the later phases at 7X, 15X and 30X.
- Somebody builds insecure software
- QA finds vulnerabilities in the software
- We convince and pay the developer to fix it, thereby delaying the release
- IT deploys the insecure software
- We are breached, or pay to have someone tell us our code is bad
- We convince and pay the developer to fix it

The right approach for the new SDLC: build it in
1. Secure development: continuous feedback on the developer's desktop at DevOps speed
2. Security testing: embed scalable security into the development tool chain
3. Continuous monitoring and protection: monitor and protect software running in production
Improve SDLC policies. This is application security for the new SDLC.

Micro Focus Security Fortify key advantages
- Comprehensive: the only app sec provider to cover SAST, DAST, IAST and RASP
- Proven: over a decade of successful deployments backed by the largest security research team
- Flexible: available on premise and on demand

Micro Focus Security Fortify leadership
Over a decade of successful deployments backed by the largest security research team. 2017 Gartner MQ for AST.
- 10 out of 10 of the largest information technology companies
- 9 out of 10 of the largest banks
- 4 out of 5 of the largest pharmaceutical companies
- 3 out of 3 of the largest independent software vendors
- 5 out of 5 of the largest telecommunication companies

Micro Focus Security Fortify application security solutions (on premise and on demand)
- Static analysis (SCA): static analysis via build integration from the source code management system; IDE plug-ins (Eclipse, Visual Studio, etc.) for developers (onshore or offshore)
- Dynamic analysis (WebInspect): dynamic testing in QA or production
- Application protection (App Defender): real-time protection of the running application against hackers and actual attacks
- Vulnerability management and remediation (Software Security Center, Fortify on Demand): correlate target vulnerabilities with common guidance and scoring; normalization (scoring, guidance); vulnerability database; correlation (static, dynamic, runtime); defects, metrics and KPIs used to measure risk; application lifecycle integration for development, project and management stakeholders; threat intelligence and rules management

Fortify Ecosystem
DevOps & third party:
- Code repositories & apps: Micro Focus LiveNet, GitHub, SVN
- Requirements & issues: ALM Octane, JIRA, Bugzilla
- Build servers: Jenkins, Bamboo, VSTS/TFS
- Build tools: Gradle, ANT, Maven
- Security: vuln mgmt, SIEM, WAFs
- IDEs: Eclipse, Visual Studio, IntelliJ, Xcode/AS
- Open source: Sonatype, Black Duck, Fortify Open Rev.
- Configuration automation: Chef, Puppet, Octopus
- Containers: Docker, Dockerized Security
- Cloud: Azure, AWS
- Communication/ChatOps
Fortify solutions (connected through REST APIs with Swagger): Secure Development, Security Testing, Continuous Monitoring and Protection.

Micro Focus Security Fortify DevInspect

Micro Focus Security Fortify DevInspect key benefits
- Designed for the developer
- Easy to use
- Instant results
- Continuous feedback

Micro Focus Security Fortify DevInspect: bringing application security closer to the developer
- AppSec solution created for developers to identify and remediate security vulnerabilities in source code within the developer's native environment
- Real-time, instant security results as the developer is writing code
- Brings market-leading AppSec technologies directly to the developer, ensuring secure code as you shift left in your dev process
- Enables developers to assess for security weaknesses

Micro Focus Security Fortify DevInspect: real-time lightweight analysis of the source code (screenshot callouts)
- Fortify menu for additional options
- Vulnerable line of code is highlighted as the developer codes, with tips for additional information
- Level of criticality
- All issues detected in the project
- Type of vulnerability, explanation and detailed remediation guidance

Static Application Security Testing: Micro Focus Security Fortify Static Code Analyzer

Micro Focus Security Fortify Static Code Analyzer (SCA)
Static analysis via build integration, from the source code management system.
- Most comprehensive
- Most accurate
- Easy to use for developers
- Build integration
- Scales to any application

Static Application Security Testing: accurately identify the root cause and remediate the underlying security flaw
The SCA frontend accepts 22+ languages (XML, VBScript, HTML, VB.NET, .NET, Java, CFML, COBOL, ASP, PL/SQL, PHP, ABAP, Python, T-SQL, JavaScript/AJAX, C#, Visual Basic, Classic ASP, C/C++, JSP). The diagram follows user input through JSP, XML, Java and T-SQL code in SCA analysis to a reported result of SQL Injection.

Static analysis tools & integrations: manage remediation and audit workflows
- Audit Workbench: security auditor's toolkit including scanning, remediation guidance, and reporting
- Security Assistant: instantly find vulnerabilities in real time as developers code
- Developer IDE plug-ins: scan, view results, and manage remediation
- Scan Wizard: easy scan configuration and build integration
- Rules Editor: build custom scan rules
- Process Designer: customize Software Security Center to fit your SDLC

Dynamic Application Security Testing: Micro Focus Security Fortify WebInspect

Micro Focus Security Fortify WebInspect
Dynamic testing in QA or production.
- Dynamic and runtime analysis
- Technology made simple
- Compliance management
- Build integration
- Centralized program management

Dynamic analysis dashboard (Micro Focus Security Fortify WebInspect): live dynamic scan visualization
- Live scan dashboard
- Coverage analysis
- Live scan statistics
- Detailed attack table
- Vulnerabilities found in the application

Interactive Application Security Testing: Micro Focus Security Fortify WebInspect agent

IAST with Micro Focus Security Fortify WebInspect agent
- Find more: runtime-level insight into application behavior; discover new vulnerability categories; identify and assess hidden areas of the site
- Find faster: decrease scan time with active mode; avoid retesting reused code
- Fix faster: the stack trace gives line-of-code accuracy to tell developers where to start; reduce false positives
Supports Java and .NET applications.

Application Security on Premise: Micro Focus Fortify Software Security Center

Micro Focus Security Fortify Software Security Center: application security on premise
Vulnerability management and remediation across the application lifecycle, for developers (onshore or offshore) and for development, project and management stakeholders.
- Find-to-fix workflow automation
- Integration
- Reporting
- Simplified program management

Micro Focus Security Fortify Software Security Center: vulnerability detail (screenshot callouts)
- Line-of-code vulnerability detail
- Remediation explanation and advice
- Vulnerabilities identified in the scan

Micro Focus Security Fortify Software Security Center: reporting and program management
- Global dashboard highlights risk across the software portfolio
- Vulnerability status by application

Runtime Application Self Protection: Micro Focus Security Fortify Application Defender

Micro Focus Security Application Defender: application security simplified
Components shown: Micro Focus Security Research, Micro Focus Application Defender, Micro Focus Security Fortify Runtime.
- Visibility: actionable and accurate insight from within the application to pinpoint vulnerabilities for protection or remediation
- Protection: stop attacks categorically or for specific vulnerabilities
- Simplicity: install quickly and easily with a three-step deployment (1, 2, 3) and get protection up and running in minutes

Fortify Application Defender: monitor and protect your applications
- An App Defender agent runs in each application server alongside the target application and produces logging and protection events
- The Application Defender server (on-premise or SaaS) provides agent orchestration and policy management, rulepack updates, and configurable event output and visualization
- Application security events are exported in CEF over syslog to a SIEM such as ArcSight ESM

Fortify Application Defender: context-sensitive rules for increased coverage and accuracy
RASP sits in the application server between the target application's input and output, with visibility into its database and file system access:
- Detect injections
- Sanitize input
- Detect persistent attacks
- Detect 2nd-order attacks
- Fully decoded, assembled input reduces false positives
- Detect privacy violations
- Privileged resource access

Application Security on Demand: Micro Focus Security Fortify on Demand

Micro Focus Security Fortify on Demand: application security-as-a-service
- Discover: understanding your application portfolio is the first step to securing it
- Assess: comprehensive static, dynamic, web, mobile and thick-client testing delivered at the speed of development
- Monitor & protect: continuously monitor and protect software running in production
- Remediate: workflows to fix vulnerabilities and manage a successful AppSec program
- Educate: develop secure coding best practices to prevent vulnerabilities before check-in
- Integrate: securing DevOps through the Fortify Ecosystem integrations and automation

Micro Focus Security Fortify on Demand features and benefits
- Get started in one day
- Easy-to-use management platform
- Accurate, comprehensive scan results
- 24/7 personalized support
- Flexible delivery

Cloud-based portal: a single interface to manage your entire application security program
- Easily identify and prioritize where to take action
- Easily track which of your applications are passing or failing your security policy
- Customize your data view with application attributes you define (business unit, region, etc.)
- Each application is rated on a scale from 1 to 5: a rating of 1 means the application has critical vulnerabilities, while 5 means it's secure
- You decide the appropriate criticality levels for your business

Seamless integrations: connect the development, operations and security ecosystem
- Open source (security & license risk): Sonatype, Fortify Open Review
- Build servers (automated static scans): Jenkins, TFS, Bamboo, Team City, etc.
- Developer IDEs (upload & remediate): Eclipse, Visual Studio
- Network scanners (network risk): Nessus, Qualys, Rapid7, Tripwire
- Custom (API & data export): GRC tools, BI tools, etc.
- Application Defender and WAFs (virtual patch): Imperva, F5, Citrix, Barracuda, Radware, Fortinet, TippingPoint
- Defect management (remediate): Micro Focus ALM / QC, JIRA, etc.
- Fortify SSC

Fortify Professional Services

Micro Focus Security Fortify Professional Services
Adding professional services can help you close the loop on application security: detecting vulnerabilities, analyzing results, and fixing applications. HP Professional Services provide assistance making application security tools and processes work the way you need them to.
- Tuned rules
- Customized rules
- Security policy applied
- Prioritized findings
- Automation / DevOps
- False positive removal
- Tuning technology

Micro Focus Security Fortify Professional Services offerings
- Quick Start Programs (Fortify and WebInspect): application security consultants build Fortify or WebInspect into the SDLC of your selected pilot application, audit the results, and train your team for success.
- Fortify on Demand: we'll help you build an effective on-site process around the security testing services so that you make the most of your static and dynamic scan results, including a tailored vulnerability training class to help you get started on the road to remediation.
- Framework Software Security Assurance (SSA) Assessment: a two-week engagement designed to assess your organization's SSA maturity and develop a roadmap that you can use to build a successful software assurance program.
- Application Security Residents: do you need a long-term application security subject matter expert? We can provide experienced SMEs for both static and dynamic analysis.
- On-site Managed Service: we can build and/or manage your software assurance program, providing the people, processes, and technology to make you successful.

Protect your digital enterprise at scale
- 5000+ security professionals
- 10 managed global SOCs (Toronto, Virginia, Texas, Costa Rica, UK, Germany, Bulgaria, India, Malaysia, Australia)
- 42 business continuity and recovery centers
- Technology, consulting and managed services
- Leader in application security and network access control (Gartner); Visionary in data security (Gartner); Leader in SIEM (Gartner); Leader in managed security services (Forrester)

Fortify Ecosystem

Fortify Ecosystem
DevOps & third party:
- Code repositories & apps: Micro Focus LiveNet, GitHub, SVN
- Requirements & issues: ALM Octane, JIRA, Bugzilla
- Build servers: Jenkins, Bamboo, VSTS/TFS
- Build tools: Gradle, ANT, Maven
- Security: vuln mgmt, SIEM, WAFs
- IDEs: Eclipse, Visual Studio, IntelliJ, Xcode/AS
- Open source: Sonatype, Black Duck, Fortify Open Rev.
- Configuration automation: Chef, Puppet, Octopus
- Containers: Docker, Dockerized Security
- Cloud: Azure, AWS
- Communication/ChatOps
Fortify solutions (connected through REST APIs with Swagger): Secure Development, Security Testing, Continuous Monitoring and Protection.
microfocus.com/software/fortifyecosystem

Build server integration: SCA with Microsoft VSTS
- Native in MSFT VSTS, no installation required
- Integrates with CI/CD DevOps processes

For more information: https://software.microfocus.com/en-us/solutions/application-security