David Marshak, Senior Product Manager, IBM Security
Kris Duer, Lead Security Analytics Researcher, IBM Security
October 27, 2016
How to Leverage Cognitive Technology to Think Like a Security Expert
2 IBM Security
Application security challenges
Pace: Rapid growth in applications, releases and technology
Compliance: External regulations and internal policy requirements
Resources: Small security teams, lots of applications
• Which applications pose the biggest business risk?
• How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?
• How do we reduce costs and catch security problems earlier in the lifecycle?
• Where is my business risk?
• How do I set internal policy requirements for application security?
• Is my private / sensitive data exposed by apps?
• How do I check for and demonstrate application compliance?
• How do we prioritize the work for the resources I have?
• What do we test and how do we test it?
• How do we staff and improve skills and awareness?
Cost of Security Defects
• Cost of a Data Breach: $7.2M
• 80 days to detect
• More than four months (123 days) to resolve
Source: Ponemon Institute

Found during Development:  $80 / defect
Found during Build:        $240 / defect
Found during QA/Test:      $960 / defect
Found in Production:       $7,600 / defect
80% of development costs are spent identifying and correcting defects!
Source: National Institute of Standards and Technology
Simplifying Application Security Testing
Easy to Use | Easy to Understand | Secure
← Integrates into your Continuous Engineering Processes →
Quickly Plug Into Your Application Lifecycle
• Automated
  – No waiting on manual steps
  – Integrates with developer IDEs (Eclipse, IntelliJ, Visual Studio)
  – Scan daily, weekly
• Plugins simplify your setup
  – e.g. UrbanCode and Maven
• Extend your environment with robust REST API
• Streamlined incorporation into existing DevOps / continuous integration frameworks
Automation drives early detection and reduces cost to fix!
Intelligent Finding Analytics: The problem
Vulnerability Analysis → Scan something → Get Results → Triage Results (look for needles in the haystack)
Intelligent Finding Analytics: The Solution
Vulnerability Analysis → Scan something → Intelligent Finding Analytics* (Cognitive Learning, “Security Expert in a Box”) → Get triaged results!
• Reduce false positives
• Minimize “unlikely attack scenarios”
• Provide fix recommendations that resolve multiple vulnerabilities
* Patents Pending

Applying Cognitive Computing to security vulnerability analysis
Machine learning with Intelligent Finding Analytics*
Scan results → Intelligent Finding Analytics → Learned results
• Built on Watson Machine Learning
• Trained by IBM Security Experts
• Fully automated review of scan findings
Intelligent Finding Analytics Results
• Meets or exceeds human experts
• Returns results in seconds, rather than in hours or days
• 90-95% average reduction in false positives
• Integrates right back into the development workflow
• Fix an average 8-10 issues in a single place within the code
Example Real-World Applications | Scan Findings | IFA Vulnerabilities | Fix Recommendations
Application 1                   | 55,132        | 14,050             | 60
Application 2                   | 12,480        | 1,057              | 35
Application 3                   | 247,350       | 1,271              | 103
Overview: Application Security on Cloud Feature Summary
• Application Security Management
  – Build an inventory of application assets; classify and rank applications by business impact; organize scans by application; obtain a security rating for each application; prioritize vulnerabilities and manage their resolution
  – View a dashboard to understand application security posture and monitor progress
• Dynamic Analyzer
  – Dynamic web application security analysis
  – Based on AppScan’s Dynamic Application Security Testing engine
  – Scan pre-production or production web apps hosted on public and private networks
• Mobile Analyzer
  – Interactive mobile applications security analysis
  – Supports Android and iOS
• Static Analyzer
  – Static security testing for applications: Java, .NET, Node.js, PHP, Ruby, JavaScript…
  – Simple and accurate capability, based on the AppScan Source engine, with IBM’s cognitive Intelligent Finding Analytics
• Consulting Services
  – IBM Application Security experts:
    • Help ensure Clients’ success with ASoC, from DevOps integration through to interpreting scan results
    • Perform application scanning and manual application penetration testing for our Clients
IBM Application Security on Cloud Consulting Services
Fast Start: Expert assistance in understanding and optimizing Application Security on Cloud testing and risk management features.
Assessment Review: Expert assistance in reviewing test reports, including understanding and prioritizing vulnerabilities in the application.
Scan for Me: “Concierge” scan service where an expert will configure & run the scan, validate results, prioritize remediation, and conduct a walk-through with the customer.
Application Penetration Test: Human executed, controlled tests to identify vulnerabilities.
Advisor on Demand: Deep interaction with experts on specific application security activities such as remediation assistance and program management.
Application Risk Management & Testing (ASoC SaaS)
Learn More About IBM Application Security on Cloud & IFA:
Blog: IFA- Your Cognitive Computing Application Security Expert
Interactive White Paper: Effectively Manage AppSec Risk in the Cloud
Complimentary Trial Plan: IBM Application Security on Cloud
We encourage you to “like” & share these links with your professional colleagues:
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
THANK YOU