
Manual to automated web application security testing: the story of EDS’s successful use of integrated security platform


Attend this session and learn how EDS (now HP Enterprise Services), with only two penetration testers available to find vulnerabilities in hundreds of applications, engaged HP SaaS to create an automated, scalable, repeatable web application security program. You’ll hear how EDS incorporated HP Application Security Center, implemented as software-as-a-service through HP’s SaaS program, across its business groups to provide a common framework that enables penetration testers anywhere in the world to configure scans and schedule them as often as required. And you’ll see how EDS now has visibility into scanning progress, multi-level reporting, and dashboard metrics for spotting trends, so they can focus on the real work of securing customer web applications.

©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Jeff Bassett, Program Manager, HP Enterprise Services

Agenda

– Background
• Application Landscape
• HP ES Response
– Get Compliant / Stay Compliant
• The Beginning
• Solution Selected
– A Different Approach
• AMP
• Why SaaS?
– The Results
– The Vision Evolves
– Summary

Background: Vulnerability Scans to Ensure Security Compliance

– Large manufacturing client needed to evaluate its entire web-based application portfolio for vulnerabilities
– Client CIO made a commitment to the Board of Directors to provide an evaluation for key applications in late summer 2009
– Target date for assessment of the entire portfolio set for end of 2009
– Industry security issues were widely reported in the media and served as the catalyst for action
– Client’s audit staff was aggressive in identifying security concerns

Application Landscape

– Web-based application portfolio
• Responsible for approximately 375 applications
• Diverse topology
− Java / ASP / .NET, full spectrum of versions
− Numerous brand-name COTS packages
− Packages from smaller shops
− Mainframe web access
• Many “low touch” applications
• Newer applications were developed using a vulnerability and penetration testing methodology

How Do We Respond?

Items to consider and significant factors:

– There was no institutionalized methodology for security testing applications in maintenance mode
– In addition to evaluating applications we maintained, we needed to evaluate vendor (COTS) software using the same criteria
– HP ES needed to move fast, both to determine the state of the portfolio and to meet the client’s expectations
– HP ES expected the effort to be finite in duration; web application security would become “business as usual”
– HP ES needed a solution to mature the client’s environment from a non-compliant state to a manageable, measurable and consistently secure (compliant) state

Get Compliant / Stay Compliant

– Get Compliant (reactive)
• Remediation process
• Closing known findings
• System issue tracking
– Stay Compliant (preventative)
• Standard tooling
• Change certification tollgates

In the Beginning (or Two Guys with Laptops)

HP ES program decides:

– To have application scanning performed by a central team
• Started with two team members with a strong application security background and interests
• Goal is to build a “scan factory”
– Not to deploy the tool to the “field”
• Unlikely we could have trained application teams on tool use AND how to remediate
• We needed to build credibility with the client by driving consistency and reliability of scan results
• Program needed to be objective; there are instances where application teams aren’t pleased with findings

HP ES Selects Solution

Web-based application portfolio scan, Jan 2009 to Mar 2009:

• Analyzed the situation
• Determined tool-based testing was the only viable option
• Selected HP’s WebInspect
• Scanning efforts began with two North America employees running WebInspect on laptops
• Approach and methodology refined
• HP ES team based in Bangalore was engaged
• Scanning volumes increased

– Lessons learned:
• The amount of time required to set up and perform the scans was greater than envisioned
• Scanning should be done in a pre-production environment (an active scanner submits forms and replays state-changing requests, which can create records, trigger workflows or degrade a live system)
• More findings were identified than expected

HP ES Requires a More Effective Solution

WebInspect situational analysis

Successes:
• Effective at finding issues
• All results were actionable
• Client and programming teams pleased with reports
• Low-cost solution

Challenges:
• Difficult to manage the activity of multiple laptops
• Requires significant resources to perform scans
• Does not support strategic objectives

WebInspect was successful, but a more robust solution is required.

Selected Assessment Management Platform (AMP):
• WebInspect information could be uploaded
• Scan macros can be re-used

Assessment Management Platform (AMP)

HP ES engaged HP’s SaaS team to provide the AMP solution to perform application scans.

– Proposal received from HP’s SaaS organization for an end-to-end solution
• Provided software and hosting of the AMP console
• Allowed for very rapid deployment of consoles and quick scanning ability
• Provided a cost-effective solution; no capital expenditures required
• Included SaaS experts to perform scans
− Leveraging these resources provided an additional layer of objectivity for the results
− Existing WebInspect team members were assigned to help resolve findings and educate the programming teams

Why SaaS?

– Need for speed
• To meet the timeframes, we needed to scan applications quickly
• We needed to identify where we had problems, and to get results into the hands of our programming teams
• The SaaS AMP platform already existed; no HP ES project was required to deploy it
• SaaS had the ability to bring knowledgeable people to the program quickly
– Need to scale
• We were able to implement a solution to deal with the scanning volume in just a few weeks

Get Compliant: the Results

Summary of Scan Results (chart; not reproduced in this extraction)

Stay Compliant: the Vision Evolves

– There is a library of serially reusable scan macros that can be leveraged by the programming teams
– SaaS experts have created and used the crawl macros, which are made available
– HP ES programming teams can use AMP to conduct scans as they need, or as their client requests
– Essentially, the programming teams can “grab” the macros, make minimal changes, and scan their applications using AMP (the “button push”)
– SaaS experts are available as needed (major changes to applications, new applications)
– All reporting is available using AMP; customized reports can be created as needed
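The Get Compliant / Stay Compliant split described on slide 6, and the “button push” rescans and reporting described above, come down to two mechanical checks on scan output: matching findings between a baseline scan and a rescan so that closed, still-open and new issues can be tracked (reactive), and refusing to certify a change while findings above an agreed severity remain open (preventative, the tollgate). The following is an added example, not code from the HP ES program, WebInspect or AMP. It assumes a constructed, tool-agnostic finding record (`Finding`) and hypothetical helpers `diff_scans`, `tollgate` and `severity_counts`; the sample findings and the `app.example` hosts are made up. The point it adds beyond the slides is the fingerprint: a finding only matches across scans once session tokens, scanner test values and the pre-production hostname are stripped, otherwise every rescan reports the same issue as new and the “closing known findings” metric never moves.

```python
"""Remediation tracking and change-certification tollgate over DAST results.

Added example; not code from the HP ES / EDS program. The Finding shape is a
constructed, tool-agnostic record, not the WebInspect or AMP export format.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Severity scale assumed for the example; map the scanner's own scale onto it.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    check: str       # scanner check name, e.g. "SQL Injection"
    url: str         # URL at which the issue was observed
    parameter: str   # affected parameter, "" when not parameter-specific
    severity: str    # one of SEVERITY_RANK (any case)

    def fingerprint(self):
        """Stable identity used to match one finding across scans.

        Scheme, host, query string and fragment are dropped: the hostname
        differs between pre-production and production, and query values
        carry session tokens and scanner test payloads that change per run.
        """
        path = urlsplit(self.url).path.rstrip("/") or "/"
        return (self.check.lower(), path.lower(), self.parameter.lower())


def diff_scans(baseline, rescan):
    """Split findings into (closed, still_open, new) by fingerprint."""
    before = {f.fingerprint(): f for f in baseline}
    after = {f.fingerprint(): f for f in rescan}
    closed = [before[k] for k in sorted(before.keys() - after.keys())]
    still_open = [after[k] for k in sorted(before.keys() & after.keys())]
    new = [after[k] for k in sorted(after.keys() - before.keys())]
    return closed, still_open, new


def tollgate(findings, max_allowed="medium"):
    """Change-certification gate: pass only if nothing open exceeds max_allowed.

    Returns (passed, blocking) so the caller can attach the blocking findings
    to the certification record instead of recording only a yes/no.
    """
    limit = SEVERITY_RANK[max_allowed.lower()]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity.lower()] > limit]
    return (not blocking), blocking


def severity_counts(findings):
    """Dashboard metric: open findings per severity (one point on a trend line)."""
    return Counter(f.severity.lower() for f in findings)


# Constructed sample findings for two runs of the same application
# (baseline scanned in production, rescan in pre-production).
BASELINE = [
    Finding("SQL Injection", "https://app.example/login?next=/home", "user", "high"),
    Finding("Cross-Site Scripting", "https://app.example/search?q=abc", "q", "medium"),
    Finding("Missing HttpOnly Flag", "https://app.example/", "", "low"),
]
RESCAN = [
    Finding("sql injection", "https://staging.app.example/login", "user", "high"),
    Finding("Missing HttpOnly Flag", "https://staging.app.example/", "", "low"),
    Finding("Cross-Site Scripting", "https://staging.app.example/profile?id=7", "name", "medium"),
]


if __name__ == "__main__":
    closed, still_open, new = diff_scans(BASELINE, RESCAN)
    print(f"closed={len(closed)} still_open={len(still_open)} new={len(new)}")
    passed, blocking = tollgate(RESCAN)
    print("tollgate:", "PASS" if passed else "FAIL", [f.check for f in blocking])
    print("open by severity:", dict(severity_counts(RESCAN)))
```

Running the module prints the closed / still-open / new counts, the tollgate verdict and the per-severity counts for the constructed data; in a program like the one described, the last two are what the dashboard trend and the change certification record would be built from. The `max_allowed` threshold is the policy knob: a stricter gate for customer-facing applications is a different argument, not a different gate.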

SaaS/HP Software: Staying with the Best

– Both HP Software and the SaaS teams have shown remarkable willingness to work with us
• Examples:
− During our early WebInspect ramp-up, HP Software had a model that allowed us to purchase limited-term licenses. We were able to buy a number of licenses, with terms as short as 30 days
− In early 2010, as we explained our vision for “Stay Compliant” and described a pricing model we thought would work best for business units, they developed a new method for us
– The teams have been proactive at soliciting ideas for product and service improvements
– SaaS team members have participated in our program
• The TAM attends program meetings
• There is significant collaboration between SaaS scanning experts and the HP ES technical team

In Summary: We’ve Almost Come Full Circle

– Our program started with a need to evaluate our web application portfolio
– We created a central team using WebInspect
– We migrated to AMP using HP’s Software as a Service capability
– SaaS was integral to getting our portfolio compliant
– We are winding our central program down; Stay Compliant is business as usual
– HP ES will continue to use AMP via the SaaS offering, and will continue to use SaaS’ scanning expertise


To learn more on this topic, and to connect with your peers after the conference, visit the HP Software Solutions Community: www.hp.com/go/swcommunity
