Page 1

Application Security and Testing
Test Management Summit

© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Page 2

Application Security - Who Cares?

TSE managing director Tomio Amano blamed the glitch on a software upgrade for processing data from securities companies which was introduced in October.

From The Times, December 3, 2007
Secrets of Shell and Rolls-Royce come under attack from China’s spies
James Rossiter

Rolls-Royce and Royal Dutch Shell have fallen victim to Chinese espionage attacks, The Times has learnt.

Sustained spying assaults on Britain’s largest engineering company and on the world’s second-biggest oil multinational occurred earlier this year as part of a campaign to obtain confidential commercial information, sources said.

40M credit cards hacked
Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
June 20, 2005: 3:18 PM EDT. By Jeanne Sahadi, CNN/Money senior writer

Page 3

HP Confidential

Application Security is the weakness of Security

Page 4

Web Application Vulnerabilities on the Rise

• Web is the easiest entry point
  − Networks are secure. Hackers know Web applications are not.

• Organizations under pressure
  − More Web applications
  − More regulatory requirements
  − More customer & partner demands
  − More pressure from shareholders

Chart: Growth of Web Application Vulnerabilities. Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database.

Page 5

What are organizations doing about these threats?

Leading organizations secure the lifecycle

• 92% of security defects exist in the application

• Save $$ by fixing security defects before they get to production

Chart: relative cost of fixing a security defect, by lifecycle stage
  − Design: 1X
  − Development: 6.5X
  − Testing: 15X
  − Deployment: 100X

Page 6

Challenge of Building a Scalable Security Program

Page 7

Tools available today to support application security quality issues

• Source code analysis
  − Static review of application vulnerabilities at the code phase
  − Find and fix

• Security testing tools
  − Functional validation of security requirements
  − Some integrated with test management solutions
  − Remedial updates to cover new threats

• Post deployment security
  − Penetration testing as an ongoing preventative measure
  − Regular updates and re-test imperative

Page 8

Points to consider

• Where does security fit into the application lifecycle?

• What is your security policy?
  − How do you consider it when approaching software quality?

• Should quality be considered only at the testing stage?
  − What about pre- and post-testing?

• Internal vs external security
  − Where are the vulnerabilities in your org?
  − People?
  − Applications?
  − Data?

• Is there enough awareness of this issue within your org?
  − Application vulnerabilities account for 75% of all issues

Page 9

Open to the floor

• Security testing experiences
  − What works well
    • Why?
  − Challenges
    • How can they be overcome?

• Who is responsible?

• Does it have to become front line news before it is taken seriously?