Embed Size (px)
Citation preview
Seguridad en el ciclo de vida de las aplicacionesFortify - Application Security
Maurizio Di Stefano, CSSLP® Presales Consultant, Fortify - Application Security Micro Focus Security
Agenda
Introducción al problema de seguridad de las aplicaciones
Software Security Assurance como solución para la seguridad del ciclo de vida de las aplicaciones
Soluciones Fortify para implementar con éxito un programa Software Security Assurance
Que nos gustaría ver
Gasto en InfoSec
Impacto(# problemi & exploits)
Que estamos viendo
Gasto en InfoSec
Impacto(# problemi & exploits)
NetworksHardware
Security Measures
• Switch/Router security• Firewalls• NIPS/NIDS• VPN• Net-Forensics• Anti-Virus/Anti-Spam• DLP• Host FW• Host IPS/IDS• Vuln. Assessment tools
Perímetro
NetworksHardware
Security Measures
• Switch/Router security• Firewalls• NIPS/NIDS• VPN• Net-Forensics• Anti-Virus/Anti-Spam• DLP• Host FW• Host IPS/IDS• Vuln. Assessment tools
Nuevo perímetro: Aplicaciones
PropiedadIntelectual
Datos de clientes
Procesos de negocio
Informaciónconfidencial
Aplicaciones
Nuevo objetivo: Aplicaciones
84% de los ataques con éxito se centraban en la capa de aplicación
86% de las aplicaciones presentan vulnerabilidades críticas
• Web App Security Consortium studied security tests across 12,186 applications
• 13% of applications could be compromised completely automatically
• 86% had vulnerabilities of medium or higher severity found by completely automated scanning
Costes asociados $141
Total average cost of a data breach per
compromised record*
25,674
Average # of compromised records
per breach^
X $3.62M
Average Total Cost per breach*
* Ponemon Institute, 2017 Annual Study: $U.S. Cost of a Data Breach ^Source: The Open Security Foundation
~~
¿Que estamos haciendo?
Business Logic Flaws Security
Errors
Code Flaws
Dos semanas de hacking ético
Desarrollo 10 pers/año
30X
15X
10X
5X
2X
Aproximadamente 30 veces más caro remediar en producción
¿Cual es el coste de no hacer nada?
Después de desplegar una aplicación en producción es 30 veces más caro corregir una vulnerabilidad que durante la fase de diseño.
Co
ste
Source: NIST
ProducciónPruebasfuncionales
Integración/ Pruebasunitarias
DesarrolloRequerimientos
Application Security Testing Techniques
SAST: Static Application Security Testing DAST: Dynamic Application Security Testing
IAST: Interactive Application Security Testing RASP: Runtime Application Self-Protection
SAST
DASTIAST
RASPC
ost
e
ProducciónPruebasfuncionales
Integración/ Pruebasunitarias
DesarrolloRequerimientos
Application Security Testing Techniques
WebInspect / WebInspect Agent
Fortify SCA
Education
Application DefenderC
ost
e
ProducciónPruebasfuncionales
Integración/ Pruebasunitarias
DesarrolloRequerimientos
Static vs. Dynamic Application Security Testing
SAST – Fortify SCA
- Analyses the application code
- Comprehensive
• Finds most vulnerabilities
• Prone to False Positives
- Results
• Reference source code level details
• Easy for developer to understand
- Early Life-cycle
• Used in development and QA
- Also known as
• White-box testing
• Source Code Analysis
DAST – Fortify WebInspect
- Tests the running application
- Behaves like a Hacker
• Finds vulnerabilities most likely to be exploited
• Prone to False Negatives
- Results
• Reference URL’s and HTTP traffic
• More difficult for developer to identify cause
- Late Life-cycle
• Used in QA and production
- Also known as
• Black-box testing
• Penetration testing
SAST and DAST are highly complementary
Que es “Software Security Assurance” ?
“Las personas, procesos y tecnología que capacitan a una organización para reducir el riesgo específico asociado a las vulnerabilidades presentes en el software”
FIND FIX FORTIFY
Que es “Software Security Assurance” ?
“Las personas, procesos y tecnología que capacitan a una organización para reducir el riesgo específico asociado a las vulnerabilidades presentes en el software”
www.opensamm.org: Security Assurance Maturity Model
Initiate Define ImplementDesign Develop Test Operate
Governance
Strategy & Metrics
Policy & Compliance
Education & Guidance
Threat Assessment
Security Requirements
Secure Architecture
Design Review
Code Review
Security Testing
Vulnerability Management
Environment Hardening
Operational Enablement
Construction
Verification
Deployment
Software Security AssessmentLeverage Security Gate to validate resiliency of internal or external code before Production
1Software Security Assurance Embed security into SDLC development process
2OPEN SOURCEOUTSOURCED COMMERCIALIN-HOUSE
Runtime Application Self-ProtectionMonitor and protect software running in Production
3
IMPROVE SDLC POLICIES
The right approach > systematic, proactive
This is application security
Fortify & SDLC
Dynamic / Interactive RuntimeStatic
Production
Fortify on Demand App Defender
On Premise App Defender
Application Development
TestCodeDesignIntegration & Staging
IT Operations
On Demand
WebInspect / WebInspect AgentStatic Code Analyzer
Software Security Assurance – Application Security
GDPR (General Data Protection Regulation) y Fortify
Fortify aplicaría en los siguientes escenarios de GDPR principalmente con dos servicios:
- Fortify on Demand
- Localización automática de las vulnerabilidades en el código de una aplicación y recomendaciones a nivel de código sobre cómo solucionarlas (remediation)
- Fortify Application Defender
- Protección automática de aplicaciones JAVA y .NET, que estén corriendo en entornos de producción, desde vulnerabilidades conocidas
18
Fortify - Application Security Strategy
SOFTWARE SECURITY RESEARCH
Software Security Assessment
Software Security Assurance (SSA)
OPEN SOURCEOUTSOURCED COMMERCIALIN-HOUSE
Runtime Application Self-Protection
FindFind security vulnerabilities in any
type of software
Mobile & Web Apps, infrastructure
FixFix security flaws in source code
before it ships
Secure SDLC
FortifyFortify applications against attack
in production
App monitoring, protection
Software Security Assurance Program Management Delivered on Premise or on Demand
20
Application testing flexibility
on Demand
Fortify on Demand
on Premise
Fortify Software Security Center
FlexibleDisponible in situ (on premise), bajo demanda (on demand) o hibrida
Static Analysis – SCA
Source Code Mgt. System
Static Analysis Via Build Integration
Dynamic Analysis – WebInspect
Dynamic Testing in QA or Production
Application Protection –App Defender
Real-time Protection of Running Application
Vulnerability Management
Normalization(Scoring, Guidance)
Vulnerability Database
Remediation
IDE Plug-ins (Eclipse, Visual Studio, etc.)
Developers (onshore or offshore)
Correlate Target Vulnerabilities with
Common Guidance and Scoring
Defects, Metrics and KPIs Used to Measure Risk
Application Lifecycle
Development, Project and Management
Stakeholders
Software Security CenterFortify on Demand
Hackers & Actual Attacks
Correlation(Static, Dynamic, Runtime)
Threat Intelligence Rules Management
Fortify Solutions
Code Test Deploy
Static Code Analyzer
SCA
DynamicAnalyzer
WebInspectSIEM
ArcSight
RegularTesting
WebInspectAgent
Real-TimeAnalyzer
App Defender Agent
+
Dynamic andReal-Time
WIRT
Program Governance
Software SecurityCenter
AssessmentService
Fortify on Demand
Application #1 Application #2
QA Staff
DevelopersInfo Sec
Software Security
Assurance
Services
App Sec and Other
CBTs
Application Defender
Dashboard
Application Logging/Application
Protection
WAF
Application Security on PremiseFortify Software Security Center
24
Gestión efectiva de SSA
Fortify Software Security Center
Features• Web-based SSA dashboard with project and
program level visibility• Centralized risk profile manager maintains
complete application inventory• Automated assignment of the correct risk-
mitigation activities based on risk profiles
• Crear y gestionar el inventario de aplicaciones
• Registro único para todas las aplicaciones
• Atributos de riesgo específicos para cada aplicación
• Acceso inmediato a toda la información
• Generación automática de las políticas relevantes
• Las plantillas incorporadas son una base robusta para su personalización
• Definidas según los perfiles de riesgos y aplicadas consistentemente
• Comunicación y seguimiento en una plataforma común
• Desarrollo, Seguridad, Dirección, todos tienen acceso
• Visualización y seguimiento de tareas pendientes, aplicativos e informes
Strategy & Metrics
Fortify Software Security CenterDetalle de la vulnerabilidad
Remediation explanation and advice
Line of code vulnerability detail
Vulnerabilities identified
in the scan
Strategy & Metrics
Static Application Security TestingFortify SCA
27
Pruebas de caja blanca (SAST)
Fortify SCA
Features• Pinpoint root cause of vulnerabilities – line of
code detail• Prioritize fixes sorted by risk severity• Detailed “fix” instruction -- in the development
language
• Ahorra tiempo de desarrollo y costes al identificar
vulnerabilidades durante el desarrollo
• Los desarrolladores pueden dedicar su tiempo al
desarrollo e innovación en vez de corregir errores de
aplicaciones desplegadas en producción
• Identifica la causa raíz de las vulnerabilidades
• Soporta 763 categorías únicas de vulnerabilidad en
25 lenguajes de programación y en más de 911,000 API
individuales
Code Review
Propagación desde puntos de entrada a puntos de consumo
Identificación de la raíz del problemaCode Review
Identificación precisa del origen y sus motivos
DetallesCode Review
Priorización de los resultados y métricas de riesgo
DetallesCode Review
Sugerencias de código alternativo no vulnerable
RecomendacionesCode Review
Referencias a estándares internacionales
RecomendacionesCode Review
Static Analysis Tools & IntegrationsManage remediation and audit workflows
Audit Workbench
- Security auditor’s toolkit including scanning, remediation guidance, and reporting
Developer IDE plug-ins
- Scan, view results, and manage remediation.
Scan Wizard
- Easy scan configuration and build integration.
Rules Editor
- Build custom scan rules.
- Customize Software Security Center to fit your SDLC.
Process Designer
- Customize Software Security Center to fit your SDLC.
Code Review
What is Security Assistant?Or: How I Learned to Stop Worrying and Love the Static Code Analyzer
35
Intraclass dataflow analysis
Semantic Analysis with constant propagation
65 Vulnerability Categories enabled by default with configurable support for 49 additional categories
Eclipse 4.5.x for Java
Inline, real-time static code analysis
Code Review
Security AssistantReal-time lightweight analysis of the source code
36
All issues detected in the project
Fortify Icon added to iconbar
Vulnerable line of code highlighted& Tool tip for additional information
Detailed remediation advice
Fortify menu for additional options
Code Review
Dynamic Application Security TestingFortify WebInspect
37
Pruebas de caja negra (DAST)
Fortify WebInspect
Features• Advanced client-side scripting technology to
statically analyze JavaScript, Flash and others• Complete control over scan policies, reports and
configuration• Always up-to-date vulnerability tests and
knowledgebase• Advanced tool kit for penetration testing
• Evalúa las aplicaciones de forma dinámica:
• Simula los ataques maliciosos
• Prioriza los resultados
• Evalúa el entorno operativo de la aplicación
• Identifica errores de despliegue y configuración
Security Testing
Fortify WebInspectDynamics analysis – find critical security issues in running applications
Live Scan Dashboard
Site tree
Vulnerabilities found in application
Excluded and Allowed Hosts
Section
Detailed Attack Table
Live Scan Statistics
Security Testing
Interactive Application Security TestingFortify WebInspect Agent
40
IASTwith Fortify WebInspect Agent
41
Find More
− Supports Java and .Net applications
Find Faster Fix Faster
– Decrease scan time with active mode
– Avoid retesting reused code
– Stack trace gives line of code accuracy to tell developers where to start
– Reduce false positives
IAST
− Runtime level insight into application behavior
− Discover new vulnerability categories
− Identify and assess hidden areas of the site
Security Testing
IASTwith Fortify WebInspect Agent
42
Find More
− Runtime level insight into web application being assessed
− 2 way communication directly with WebInspect to suggest attacks
− Find vulnerabilities that would otherwise not have been detected
WebInspectAgent
Read Message
Send Message
Withdraw
Deposit
Message Center
Account Details
About
Backup
Admin
Index
Security Testing
IASTwith Fortify WebInspect Agent
43
Find Faster
− Improves scan times with active modes
− Deduplication – Avoids scanning the same class or function throughout the application
− Check Avoidance – Avoid sending multiple attacks to a specific check type if it’s determined the application can handle the attack
− Up to 35% faster AgentActive Mode
AgentPassive Mode
Security Testing
IASTwith Fortify WebInspect Agent
44
Fix Faster
− Stack Trace detail enables hybrid correlation
− Stack traces available for certain checks
− Less false positives mean less time validating results
Security Testing
Runtime Application Self ProtectionFortify Application Defender
45
Fortify Application DefenderApplication Security Simplified
ProtectionStop attacks categorically or for specific vulnerabilities.
SimplicityInstall quickly and easily with a three-step deployment, get protection up and running in minutes
VisibilityActionable and
accurate insight from within the
application to pinpoint
vulnerabilities for protection or remediation
Fort
ify
Secu
rity
Res
earc
hFo
rtify Security Fo
rtify Ru
ntim
e
HPE Application Defender
1,2,3
Environment Hardening
VulnerabilityManagement
Fortify Application DefenderRuntime Application Self Protection
Customer’s Production Server Application Defender Service
Agent & Rule Mgmt. & Config. (TLS)
Monitored & Protected Events (TLS)
Application Server
Target Application
App Defender Agent
Monitored Program Points
Actual Attacks
Environment Hardening
VulnerabilityManagement
Fortify Application Defender
Simplicity
Applications
Visibility Protection
Secure Command/Event Channel (443)
Simplicity
• Quick Installation
• Up and running in less than 5 minutes
• 3 easy steps
• Easy “In Service” Updates
• Rulepack
• Agent Binary
• Accurate application protection and grouping
Visibility
• Quick access to specific vulnerability events
• Easy filtering of real-time and historical data
• Accurate presentation of event trigger and stack trace detail
Protection
• Quick protection against attacks from within your application
• Easy identification of top vulnerability events by criticality
• Accurate results from within application logic and data flows
Fortify Application DefenderApplication Logging and Protection
• Consistent out-of-the-box logging for any application
• 69 Logging categories
• e.g. File Read/Write; HTTP Sessions Start/Stop; Login Succeed/Fail, DB sessions
• Send CEF events to ESM or Syslog
Application Logging
• Vulnerability exploit attempts and other security violations
• 30 Vulnerability categories
• e.g. SQLi; XSS; Privacy Violation
• Monitor & Protect actions
Application Protection
Customer Application
CLR/JVM
App Defender Agent
Logging Rules
Protection RulesProtected
Events
Logging Events
Monitored Events
Event Output & Visualization
Syslog
ArcSight ESM (App Defender ESM
Content)
Logger
Application Defender (SaaS/On-Prem)
Target Application
App Defender Agent
Application Server
Target Application
App Defender Agent
Application Server
Target Application
App Defender Agent
Application Server
Runtime platform delivered to meet your needsOn-Premises or SaaS
Events (CEF)
Application Defender Service
On-Premise SaaS
Log Management
SIEM
ArcSight ESM
Configurable Event Output & Visualization
HPE RulepackUpdates
Logging & Protection Events
Agent & Policy Management
RASP VS WAFDetection Method
Malicious Activity Detection MethodsNetwork based – (WAF, IPS)
• Inspect network traffic only
Generally
• Signatures
• Behavior profiling
Detect using
• Can be bypassed – False negatives
• Can block good activity – False positives
• Tuning is needed to identify relevant fields/parameters
Risks
Application
Server
WAF
http(s) http(s)
Malicious Activity Detection StrategiesRASP
• Inspect application context as well as network info
• Use different detection strategies
Generally
• Signatures
• Signature-less
• Application context
Detect using
• FN/FP possible depending on instrumentation location
Risks
Actual Attacks Application Server
Target Application
App Defender Agent
Resources
Sans Paper
https://www.sans.org/reading-room/whitepapers/analyst/protection-inside-application-security-methodologies-compared-35917
Sans Institute – Protection from the inside: Application Security Methodologies Compared - April 2015
Application Security on DemandFortify on Demand
58
Fortify on Demand
Thick-Client WebMobile
Customer Applications
Continuous Application Monitoring
Dynamic Analysis
StaticAnalysis
Digital Discovery
Analysis & Report Integration Open Source Training Vendor Management
001011000100100100100100100011111100101010011100111
010011101
001011000100100100100100100011111100101010011100111
010011101
001011000100100100100100100011111100101010011100111
010011101
001011000100100100100100100011111100101010011100111
010011101
Security Testing
Code Review
• La forma más rápida y sencilla de evaluar la
seguridad de sus aplicaciones
• Proteja su inversión: Se integra con su solución
de Fortify para extender su programa
• Reduce considerablemente el tiempo
necesario para cumplir con las regulaciones
gubernamentales y de su industria
Servicio gestionado para la seguridad del SW
Fortify on Demand
Features• Fast, accurate results without hardware or
software set up• Prioritized, correlated static and dynamic results
with remediation guidance• Can be used standalone or with Fortify on-
premise
Security Testing
Code Review
Cloud-based Portal Single interface to manage your entire application security program
Security Testing
Code Review
Servicio gestionado para la seguridad del SW
Fortify on Demand Security Testing
Code Review
Powerful reporting and remediation guidance
• Tenant
• Issues
• Usage
• Training
Insightful Dashboard
• Star Ratings
• Remediation guidance
• Detailed vulnerability data
• Recommendations
Detailed Reports
• Line of code details
• IDE Plugins
• Assign issues to developers
• Track remediation workflows
Collaboration
Comprehensive and Accurate Testing
Fortify on Demand Security Testing
Code Review
Customer
Static AnalysisPowered by Fortify SCA
Dynamic AnalysisPowered by Fortify WebInspect
• Enterprise proven technology
• 100% code coverage
• 6 analysis engines
• X-Tier Analysis
• Enterprise proven technology
• Production safe
• Three testing levels
Manual Review
• Security expert review
• Reduce false positives
• Technical Account Manager
Fortify on Demand Application Security-as-a-ServiceSecure DevOps, Fast Time-to-Value, Unmatched Comprehensiveness
Discover
Understanding your application portfolio is the
first step to securing it
Industry’s most comprehensive static, dynamic/interactive web and mobile testing delivered at the speed of development
Continuously monitors and protects software running in production
Integrated workflows to fix vulnerabilities faster and accelerate a mature AppSecprogram
Assess
Monitor & Protect
Integrate
Leading-edge developer training for secure coding best practices and
prevent vulnerabilities before check-in
Securing DevOps through broad Fortify Ecosystem integrations and automation tools
Thick-client
Web
Mobile
Remediate
Educate
Up to 25% savings in development time
2x more vulnerabilities identified
95% reduction in false positives reported
Secure Development, Security Testing,
Continuous Monitoring
Source: Continuous Delivery of Business Value with Fortify, June 2017
SaaS, on demand or hybrid implementations to fit any
environment
DiscoverUnderstanding your application portfolio is the first step to securing it
66
Discovery
Verification
Risk profile
Prioritized ranking of discovered endpoints
Our Process
For all customers:Complimentary annual discovery
AssessComprehensive testing delivered at the speed of development
Static assessments (SAST)
- Web, mobile & thick-client applications
Dynamic web assessments (DAST)
- Websites & web services
Mobile assessments (MAST)
- Client binary, network and services
Subscriptions
- Unlimited annual scans per application
Single scans
- Includes remediation scan
Assessment units
- Flexible purchase & redemption
67
Comprehensive service levels Flexible consumption models
N
FOD Service Offerings
Dynamic
Dynamic(3 Day)
Dynamic+(5 Day)
Static
Static (1 Day)
Static+(2 Day)
Mobile
Mobile(1 Day)
Mobile+(5 Day)
Fortify Ecosystem – Automation, Tools and Integrations
AssessStatic assessments find critical security weaknesses during development
69
Why Fortify on Demand SAST?
- 24 coding languages- 750+ unique vulnerability categories- Average turnaround within hours- No file or code size restrictions- Comprehensive IDE plugins- Integration with build / CI tools
* Subscription includes optional expert review of first scan only; ** Subscriptions only
Static Assessments include:
Fortify Static Code Analyzer evaluation of source, binary or bytecode
Open source analysis
Automated audit of results by Fortify Scan Analytics*
Real-time identification with Security Assistant**
Static + Assessments include:
Security expert review of prioritized results for all scans
AssessDynamic assessments simulate an attack by testing running web applications
70
* Subscriptions only; ** Single scans only
Why Fortify on Demand DAST?
- 250+ unique vulnerability categories- Test in QA, staging & production- Assess single page applications (SPAs)- Built-in support for scan blackout periods- Virtual patches for all top WAFs- External or internal network applications- Includes IAST for accuracy & coverage
or
Dynamic Assessments include:
WebInspect analysis of website
Generated authentication macro
Security expert review of prioritized results
Continuous application monitoring*
Dynamic + Assessments include:
Manual testing of website
Manual testing of web services**
AssessMobile assessments identify vulnerabilities in built and deployed applications
71
Client
Network
Services
Why Fortify on Demand MAST?
- iOS applications- Android applications- 50+ unique vulnerability categories- Designed for mobile app developers- Manual testing performed on-device
Mobile Assessments include:
Vulnerability analysis of mobile binary
Endpoint reputation analysis
Security expert review of prioritized results
Mobile + Assessments include:
Manual testing of binary, network and services
WebInspect analysis of backend services
Fortify on Demand - Mobile serviceGo beyond automated reputation and behavioral analysis
Client
• Credentials in memory
• Credentials on filesystem
• Data stored on filesystem
• Poor cert management
Network
• Cleartext credentials
• Cleartext data
• Backdoor data
• Data leakage
Server
• SQLi
• XSS
• LFI
• Authentication
• Session Management
• Logic Flaws
1. All three tiers
2. Full stand-up
3. App interaction
4. Multiple test types at each tier
5. Vulns found in one area help others
Examples of our testing – not an exhaustive list
RemediateWorkflows to fix vulnerabilities and manage a successful AppSec program
Vulnerability description
Remediation recommendations
Line of code, analysis trace
Request, response, parameters
Issue correlation
Classifications (OWASP, PCI, etc)
Additional references
73
Centralized portal to manage your AppSec program
Comprehensive metric-driven dashboards
Integrated workflows for collaboration
Customizable reporting options
IDE & QA system
integrations
Smart Fix for effective
remediation
Security policy
manager
IntegrateSecuring DevOps through the Fortify Ecosystem integrations and automation
Fortify on Demand
REST APIs with Swagger
REST APIs with Swagger
DevOps &third party
Requirements & issues- ALM Octane- JIRA- Bugzilla
Build servers- Jenkins- Bamboo- VSTS/TFS
Build tools- Gradle- ANT- Maven
IDEs- Eclipse- Visual Studio- IntelliJ- Xcode/AS
Open Source- Sonatype- Black Duck- Fortify Open Rev.
Configuration automation- Chef- Puppet- Octopus
Containers- Docker- ‘Dockerized
Security’
Cloud- Azure- AWS
DevOps &third party
Co
mm
un
ication
/Ch
atOp
s
Code repositories & apps- HPE LiveNet- GitHub- SVN
Secure Development
Security Testing
Continuous Monitoring and Protection
Requirements & issues- ALM Octane- JIRA- Bugzilla
Build servers- Jenkins- Bamboo- VSTS/TFS
Build tools
N/A for Fortify on Demand
IDEs- Eclipse- Visual Studio- IntelliJ / Android
Studio
Open Source- Sonatype- Blackduck- Fortify Open
Review
Configuration automation
N/A for Fortify on Demand
Containers
N/A for Fortify on Demand
Cloud- Azure- AWS
Co
mm
un
ication
/Ch
atOp
s
Code repositories & apps- GitHub- Bitbucket- HPE LiveNet
Security- Vuln Mgmt- SIEM- WAFs
EducateDevelop secure coding best practices to prevent vulnerabilities before check-in
Security Assistant
Real-time identification in the IDE
Supports 100+ vulnerability categories
Detailed summary and recommendations
Training Developer-focused and integrated cybersecurity training including:
- Extensive library of web-based courses spanning secure development across multiple languages
- Secure Code Warrior for a more interactive, engaging learning experience
75
Secure Code Warrior
Web-Based Courses
Vendor Security Management ProgramVerify the security of 3rd party apps with capabilities that allow for vendor control
Vendor Benefits• Demonstrates security of your software• Eliminates repetition• Safeguards proprietary code• Enhances the security of your software• Reduces the risk of a breach
Procurer Benefits• Reduces risk• Outlines a consistent approach for all vendors• A standard clause that can be included in contracts• Eliminates effort on your part• Provides a single view of compliance across
all your applications regardless of source
Vendor FoD accounts Procurer FoD accounts
Static, dynamic, and mobile analysis
Expert review
Detailed results
Vendor uploads application Results back in 1-5 days
Vendors publish reports to procurers’ accounts
Monitor & ProtectContinuously monitor and protect software running in production
77
All Fortify on Demand customers
Annual application discovery
Weekly vulnerability & risk profile scan for apps with Dynamic or Dynamic+ subscription
Continuous Application Monitoring service
Monthly application discovery
Weekly vulnerability & risk profile scan for additional web applications
Application Defender
Detect & protect from security events in real-time
Why Fortify Continuous Monitoring?
- Average discovery finds 3,000 assets- Production-friendly dynamic scanning- Automated change detection & alerting- 29 vulnerability protection categories- Precise protections from detected vulns- Mitigate risk during remediation- 60 event logging categories to SIEM
App Defender & Fortify on Demand Integration Explanation
Basics:
•Seamlessly protect production applications with App Defender from vulnerabilities discovered during Fortify on Demand assessment.
Requirements
•App Defender & Fortify on Demand tenants/accounts
•Map Fortify on Demand production applications to App Defender Agents & risk groups.
ClassLoader Manipulation: Struts
Command Injection
Insecure Deployment: Unpatched Application
Cookie Security: HTTPOnly not Set
Cross-Site Scripting
Dangerous File Inclusion: Local
Dangerous File Inclusion: Remote
Denial of Service: Parse Double
Web Server Misconfiguration: Directory Listing
Header Manipulation
Open Redirect
Poor Error Handling: Unhandled Exception
Privacy Violation
SQL Injection
System Information Leak
XML Entity Expansion Injection
XML External Entity Injection
Supported Vulnerability Categories:
App Defender & Fortify on DemandCreate and manage Application Defender protections
79
Fortify Application DefenderREST API & Swagger.io integration
REST API
• All functionality with REST API coming
• Swagger.io-based documentation of APIFirst set of endpoints
Export event details
• Enable/update category protections
• Create pointwise settings
Customer use cases
• Investigate and take action wherever they’re consuming events (e.g. SIEM)
80
Event Details• XSS• Attributes• Stack trace
Protect XSSat /request/pathfrom <ip.range>
Investigate Take Action
Seamless Integrations
Build Servers- Jenkins- TFS- Bamboo- Team City- etc
Developer IDEs- Eclipse- Visual Studio- IntelliJ
Fortify SSC
Application Defender
API & Data Export
Custom- BI tools- GRC- etc
Automated Static Scans
Open Source- Sonatype- Fortify Open Review
Upload & Remediate
Security & License Risk
Network Scanners- Nessus
Remediate
Defect Management- HPE ALM / QC / ALM
Octane
WAFs- Imperva- F5- Citrix- Barracuda- Radware- Fortinet- TippingPoint
Virtual Patch
Network Risk
Gamified developer cybersecurity training
- Secure Code Warrior
Threat intelligenceFortify Software Security Research (SSR) group
Fortify Software Security Research (SSR) group
• Cyber criminals uncover new vulnerabilities in software every day.
• To guard against such relentless ingenuity requires ongoing, in-depth analysis into evolving
application security risks.
• All Fortify testing products leverage the latest threat intelligence furnished by the Fortify
Software Security Research (SSR) group. A global team recognized by the industry as one of the
top security organizations for monitoring emerging threats.
• Fortify Software Security Content (Fortify Secure Coding Rulepacks [SCA], SecureBase
[WebInspect], Application Defender) supports:
• 961 (SCA 763, WebInspect 182, WebInspect Agent 26, Application Defender 100)
vulnerability categories across 25 programming languages and spans more than 911,000
individual APIs.
Fortify Ecosystem
Fortify EcosystemSecuring DevOps through the Fortify Ecosystem integrations and automation
Fortify solutions
REST APIs with Swagger
REST APIs with Swagger
DevOps &third party
Requirements & issues- ALM Octane- JIRA- Bugzilla
Build servers- Jenkins- Bamboo- VSTS/TFS
Build tools- Gradle- ANT- Maven
IDEs- Eclipse- Visual Studio- IntelliJ- Xcode/AS
Open Source- Sonatype- Black Duck- Fortify Open Rev.
Configuration automation- Chef- Puppet- Octopus
Containers- Docker- ‘Dockerized
Security’
Cloud- Azure- AWS
DevOps &third party
Co
mm
un
ication
/Ch
atOp
s
Code repositories & apps- HPE LiveNet- GitHub- SVN
Secure Development
Security Testing
Continuous Monitoring and Protection
Requirements & issues- ALM Octane- JIRA- Bugzilla
Build servers- Jenkins- Bamboo- VSTS/TFS
Build tools- Gradle- Ant- Maven- Msbuild
IDEs- Eclipse- Visual Studio- IntelliJ / Android
Studio
Open Source- Sonatype- Blackduck- Fortify Open
Review
Configuration automation- Chef- Puppet- Octopus
Containers - Docker- ‘DockerizedSecurity’- Mesosphere
Cloud- Azure- AWS
Co
mm
un
ication
/Ch
atOp
s
Code repositories & apps- GitHub- Bitbucket- HPE LiveNet
Security- Vuln Mgmt- SIEM- WAFs
¿Por qué Fortify?
Trayectoria
• Fortify ha definido este mercado desde su fundación en el 2003
• Consistentemente referenciado por Gartner como líder en el cuadrante mágico de AST (Application Security Testing)
• La mayor cobertura de lenguajes, APIs, frameworks , librerias y entornos
• El mayor equipo de I+D en seguridad aplicativa
• Mas de 1000 organizaciones usan Fortify. Entre ellas:
• 10 de las 10 mayores empresas IT• 9 de los 10 mayores bancos• 3 de los 3 mayores ISVs• 3 de los 5 mayores lideres en la industria
aeroespacial y defensa• Todas las ramas del ejercito de US• 5 de las 5 mayores operadoras telefonicas• 3 de las 6 mayores formas de seguridad• 2 de las 3 mayores aseguradoras
Referencias
La opinión de Gartner
• “Fortify Software Security Center is a recognized mind share and market share leader in the AST market.”
• “Fortify Software Security Center offers the broadest range of supported programming languages”
• “Fortify Software Security Center technologies are integrated with the most popular SLC platforms, such as those from Micro Focus, IBM and Microsoft.”
• “Fortify Software Security Center also a technology that increases the accuracy of vulnerability detection”
• “Fortify Software Security Center has a large worldwide AST installed base with customers in the U.S., Europe and Asia/Pacific.”
GraciasMaurizio Di Stefano, CSSLP®
Presales Consultant, Fortify - Application Security
Micro Focus Security
