Micro Focus Fortify Application Security
Petr Kunstat, SW Consultant, +420 603 400 377, [email protected]
Source: risk-conference.com



My web/mobile app is secure. What about yours?

High-level IT delivery process
- Business idea
- IT development & functional testing
- IT operations
Delivery management under control, full functional testing, running application: everything is GREEN. Visible attack vs. invisible attack.


Example of a denial-of-service attack
https://www.owasp.org/index.php/Top_10_2017-Top_10
Diagram: users, apps, data.

Today’s digital Enterprise needs a new style of protection


Protect your most business-critical digital assets and their interactions, regardless of location or device.
Diagram: off-premise assets (big data, IaaS, SaaS, PaaS, BYOD) and on-premise assets, with threats from insiders and hackers.

Add Application Security to Current Security Measures
84% of breaches exploit vulnerabilities in the application layer, yet the ratio of spending between perimeter security and application security is 23-to-1 (Gartner Maverick Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves, 2014).
Diagram: VPN, external apps.

Application Security: Preventive Measures. What do SAST and DAST mean, and is there a difference?
Static Analysis – Fortify SCA
- Source code management system
- Static analysis via build integration
- Application is not running (DEV)
Dynamic Analysis – WebInspect
- Dynamic testing in QA or production
- Hackers & actual attacks
- Application is running (TEST/STAGING)

Application Security: Real-Time Monitoring Measures. RASP – Run-time Application Security Protection
Application Protection – App Defender
- Real-time protection of the running application
- Hackers & actual attacks
- Application runtime; application is running (PRODUCTION)
- The application runtime sends security events to the App Defender server for analysis and protection; logs

How you see your world
- Get the username
- Get the password
- Remember the user
- Get sales data
- Edit my account
- Generate reports
How an attacker sees your world
- SQL Injection
- Cross Site Scripting
- Improper Session Handling
- Data Leakage
- Sensitive Information Disclosure
- Weak Server Side Controls
- Client Side Injection
- Insufficient Data Storage

Static Application Security Testing: Fortify Static Code Analyzer (SAST)
SCA Analysis

Static Application Security Testing: accurately identify the root cause and remediate the underlying security flaw
Diagram: user input flows through the XML, Java, JSP and T-SQL layers; the results trace the SQL injection back across all of them. 24+ languages.

Supported languages include VBScript, HTML, ASP, XML, PL/SQL, Java, C#, .NET, COBOL, PHP, Python, Visual Basic, ABAP, T-SQL, C/C++, Classic ASP, CFML, VB.NET and JavaScript/AJAX.

SCA Frontend
Vulnerability categories (2005–2016, 800+): Command Injection, LDAP Injection, Privacy Violation, Cross-Build Injection, Session Fixation, Cross-Site Request Forgery, SQL Injection, Cross-Site Scripting, System Information Leak, HTTP Response Split, Unhandled Exception, JavaScript Hijacking, ... plus more than 720,000 supported APIs/frameworks.

Static Application Security Testing: source code analysis

https://vulndecat.hpefod.com

https://www.owasp.org/index.php/Top_10-2017_Top_10

Fortify Security Assistant: real-time lightweight analysis of the source code
- The vulnerable line of code is highlighted as the developer codes, with tips for additional information
- Level of criticality
- Type of vulnerability, explanation and detailed remediation guidance
- All issues detected in the project
- Fortify menu for additional options

Fortify SCA
- Translate: normalized format
- Analyze: risk assessment
- Fortify Audit: human review
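As an added illustration (not Fortify's code, nor the presenter's) of the source-to-sink dataflow that a static analyzer performs when it traces user input through to a SQL query, here is a toy taint tracker over Python's own `ast` module; the source and sink names and the two sample programs are assumptions constructed for the example:

```python
import ast

# Assumed toy rule set: calls whose result is untrusted input, and DB calls that
# must not receive a query string built from it (real rule packs are far larger).
SOURCES = {"get"}
SINKS = {"execute"}

def call_name(node):  # method name of an attribute call, e.g. "execute" or "get"
    return node.func.attr if isinstance(node.func, ast.Attribute) else ""

class TaintTracker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding tainted data
        self.findings = []     # line numbers of sink calls reached by taint

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):   # a source call, or a call fed tainted args
            return call_name(node) in SOURCES or any(map(self.is_tainted, node.args))
        if isinstance(node, ast.BinOp):  # "... name = '" + user + "'"
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        return False

    def visit_Assign(self, node):  # taint flows from the right-hand side to targets
        if self.is_tainted(node.value):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        # Only the query text (arg 0) is checked; a tainted value bound as a parameter is fine.
        if call_name(node) in SINKS and node.args and self.is_tainted(node.args[0]):
            self.findings.append(node.lineno)
        self.generic_visit(node)

def scan(source):  # line numbers at which tainted data reaches a SQL sink
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings

# Constructed samples: string concatenation (finding on line 4) and its fix.
VULNERABLE = '''def lookup(request, cursor):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cursor.execute(query)
'''
FIXED = '''def lookup(request, cursor):
    user = request.args.get("user")
    cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))
'''
```

The parameterized version produces no finding because the query text reaching the sink is a constant; the tainted value travels only in the bound-parameter tuple.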

Software Security Center (SSC) – Audit Assistant: machine-learning-assisted identification of relevant scan results
Audit Assistant classifies potential vulnerabilities as Not an Issue, Exploitable or Indeterminate.

Dynamic Application Security Testing: Fortify WebInspect (DAST)

Dynamic and Runtime Analysis: technology made simple, compliance management, build integration, centralized program management.

Dynamic Analysis – WebInspect: dynamic testing in QA or production
Fortify WebInspect workflow
- Crawl: automated discovery
- Audit: attack database vs. crawl inputs
- Review (IDE, API, CLI)
- Update vulnerability DB

Dynamic Analysis Dashboard – Fortify WebInspect: live dynamic scan visualization
- Live scan dashboard
- Live scan statistics
- Detailed attack table
- Vulnerabilities found in application
- Coverage analysis
- Right click: remediation details
- Right click: retest/rescan of a vulnerability

Reporting/Export Integration


- Reports: RTF, PDF, Excel, HTML, TXT
- Exports: XML, TXT, SCAN, WAF
- Easily send defects directly to development for remediation
- Create defect: ALM/QC, Octane, Rational, XML (API)


Fortify Ecosystem: on-line marketplace


Fortify solutions expose REST APIs with Swagger to DevOps & third-party tools:
- Requirements & issues: ALM Octane, JIRA, Bugzilla
- Build servers: Jenkins, Bamboo, VSTS/TFS
- Build tools: Gradle, ANT, Maven
- Security: Vuln Mgmt, SIEM, WAFs
- IDEs: Eclipse, Visual Studio, IntelliJ, Xcode/AS
- Open Source: Sonatype, Black Duck, Fortify Open Rev.
- Configuration automation: Chef, Puppet, Octopus
- Containers: Docker, 'Dockerized Security'
- Cloud: Azure, AWS
- Communication/ChatOps
- Code repositories & apps: HPE LiveNet, GitHub, SVN

The ecosystem spans Secure Development (SAST), Dynamic Security Testing (DAST) and Continuous Monitoring & Protection (IAST/RASP).


marketplace.microfocus.com/fortify

For more information: software.microfocus.com/en-us/software/application-security

www.microfocus.com