Micro Focus Fortify Application Security
Petr Kunstat, SW Consultant
+420 603 400 377
High-level IT delivery process
Business Idea -> IT Development & Functional Testing -> IT Operations
Delivery management under control; full functional testing; running application: everything is GREEN
Visible attack vs. invisible attack
https://www.owasp.org/index.php/Top_10_2017-Top_10
Example of a denial-of-service attack
Today's digital enterprise needs a new style of protection
Protect your most business-critical digital assets and their interactions, regardless of location or device
Figure: users, apps and data spread across on-premise and off-premise environments (IaaS, PaaS, SaaS, big data, BYOD), exposed to both insiders and hackers
Add application security to current security measures
"84% of breaches exploit vulnerabilities in the application layer. Yet the ratio of spending between perimeter security and application security is 23-to-1." - Gartner Maverick Research: Stop Protecting Your Apps; It's Time for Apps to Protect Themselves (2014)
Figure: perimeter controls (VPN, external apps) in front of the application layer
Application security: preventive measures. What do SAST and DAST mean, and what is the difference?
Static analysis (Fortify SCA): source code is taken from the source code management system and analysed via build integration. The application is not running; this happens in DEV.
Dynamic analysis (WebInspect): dynamic testing in QA or production, sending the same kinds of requests hackers and actual attacks would send. The application is running; this happens in TEST/STAGING.
Application security: real-time monitoring measures. RASP - Runtime Application Self-Protection
Application protection (App Defender): real-time protection of the running application against hackers and actual attacks
Inside the application runtime (application running in PRODUCTION), security events are sent to the App Defender server for analysis and protection, and written to logs
How you see your world:
- Get the username
- Get the password
- Remember the user
- Get sales data
- Edit my account
- Generate reports
How an attacker sees your world:
- SQL injection
- Cross-site scripting
- Improper session handling
- Data leakage
- Sensitive information disclosure
- Weak server-side controls
- Client-side injection
- Insecure data storage
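The login flow on the left ("get the username, get the password") is the attacker's SQL injection on the right. The following added example, written for this page and not taken from the deck or from Fortify, shows the concatenated query beside the parameterized one against an in-memory SQLite table; the user records and the attacker's payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample users for this example (not from the deck).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The developer's view: get the username, get the password, look them up.
    Both values are pasted into the SQL text, so a quote in the input changes
    the query's structure instead of being compared as data."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The same check with bound parameters: the SQL text is fixed and the
    values travel separately, so quotes and comment markers stay literal."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The attacker's view of the same form: close the string, then comment out
# the password check so any password is accepted for the named account.
PAYLOAD = "alice' --"


def demo() -> dict:
    """Run a legitimate login and the injected login through both versions."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "injected_vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),
        "injected_parameterized": login_parameterized(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case:24s} logged in: {logged_in}")
```

With the payload, the concatenated query becomes `... WHERE username = 'alice' --' AND password = 'wrong'`: everything after `--` is a comment, so the password check disappears and the vulnerable version logs the attacker in as alice. The parameterized version compares the whole payload as a literal username, finds no such user, and refuses.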
SCA analysis
Static Application Security Testing: accurately identify the root cause and remediate the underlying security flaw
Figure: user input traced through XML, Java, JSP and T-SQL to a SQL injection sink, with results reported back against each file type
24+ languages: VBScript, HTML, ASP, XML, PL/SQL, Java, C#/.NET, COBOL, PHP, Python, Visual Basic, ABAP, T-SQL, C/C++, Classic ASP, CFML, VB.NET, JavaScript/AJAX
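What the figure shows, following user input through the code until it reaches a SQL sink, is taint tracking. The following added example (not part of the deck and not Fortify's engine) uses Python's ast module to implement a small intra-procedural version of it over a constructed sample program: calls to request.args.get or input are the assumed sources, the SQL-text argument of cursor.execute is the assumed sink, and taint propagates through assignments, string concatenation and f-strings. A real SCA rulepack does this across files and languages and knows about sanitizers; the source and sink names and the sample program are assumptions for the demonstration.

```python
import ast

# Constructed sample program to analyse (not from the deck): one handler
# concatenates the request parameter into SQL, one binds it, one has no input.
SAMPLE = '''
def find_user_bad(request, cursor):
    name = request.args.get("name")                  # source: user input
    prefix = "SELECT * FROM users WHERE name = '"
    query = prefix + name + "'"                      # taint flows through +
    cursor.execute(query)                            # sink: SQL text is tainted

def find_user_ok(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))   # bound parameter

def count_users(cursor):
    cursor.execute("SELECT count(*) FROM users")
'''

# Assumed source and sink names for this toy; a real rulepack has thousands.
SOURCES = {"request.args.get", "input"}
SINK = "cursor.execute"


def dotted_name(node: ast.AST):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Intra-procedural taint tracking: remembers which local variables carry
    user input and reports when one reaches the SQL-text argument of the sink."""

    def __init__(self) -> None:
        self.func = None
        self.tainted = {}    # variable name -> line where the taint entered
        self.findings = []   # (function, sink line, source line)

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.func, self.tainted = node.name, {}   # fresh scope per function
        self.generic_visit(node)

    def source_line(self, expr: ast.AST):
        """Line of the source feeding expr, or None if expr is untainted."""
        if isinstance(expr, ast.Name):
            return self.tainted.get(expr.id)
        if isinstance(expr, ast.Call) and dotted_name(expr.func) in SOURCES:
            return expr.lineno
        if isinstance(expr, ast.BinOp):            # "..." + name + "..."
            return self.source_line(expr.left) or self.source_line(expr.right)
        if isinstance(expr, ast.JoinedStr):        # f"... {name} ..."
            for part in expr.values:
                if isinstance(part, ast.FormattedValue):
                    line = self.source_line(part.value)
                    if line:
                        return line
        return None

    def visit_Assign(self, node: ast.Assign) -> None:
        line = self.source_line(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if line:
                    self.tainted[target.id] = line
                else:
                    self.tainted.pop(target.id, None)   # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        # Only the SQL text (first argument) is a sink; bound parameters are safe.
        if dotted_name(node.func) == SINK and node.args:
            line = self.source_line(node.args[0])
            if line:
                self.findings.append((self.func, node.lineno, line))
        self.generic_visit(node)


def scan(source: str) -> list:
    """Parse source and return (function, sink line, source line) findings."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


if __name__ == "__main__":
    for func, sink, src in scan(SAMPLE):
        print(f"SQL injection in {func}: input from line {src} reaches the sink on line {sink}")
```

Each finding pairs the sink line with the source line, which is the root-cause information the slide refers to: the fix belongs at the sink (bind the parameter, as find_user_ok does), and the source line shows where the untrusted data entered. The same analysis over the parameterized handler reports nothing, because the tainted value never becomes part of the SQL text.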
SCA frontend
Vulnerability categories (2005 - 2016, 800+):
- Command injection
- LDAP injection
- Privacy violation
- Cross-build injection
- Session fixation
- Cross-site request forgery
- SQL injection
- Cross-site scripting
- System information leak
- HTTP response splitting
- Unhandled exception
- JavaScript hijacking
- ...
...plus more than 720,000 supported APIs/frameworks
Static Application Security Testing: source code analysis
https://vulndecat.hpefod.com
https://www.owasp.org/index.php/Top_10-2017_Top_10
Fortify Security Assistant: real-time, lightweight analysis of the source code
The vulnerable line of code is highlighted as the developer writes it, with tips linking to additional information: the level of criticality; the type of vulnerability, an explanation and detailed remediation guidance; all issues detected in the project; and a Fortify menu for additional options
Software Security Center (SSC) - Audit Assistant: machine-learning-assisted identification of relevant scan results
Audit Assistant sorts potential vulnerabilities into Exploitable, Not an Issue, or Indeterminate
Dynamic and runtime analysis
Technology made simple; compliance management; build integration; centralized program management
Dynamic analysis - Fortify WebInspect: dynamic testing in QA or production
WebInspect workflow: automated discovery (crawl) -> audit (attack database vs. crawl inputs) -> review (IDE, API, CLI) -> update the vulnerability DB
Dynamic analysis dashboard - Fortify WebInspect: live dynamic scan visualization
- Live scan dashboard
- Live scan statistics
- Detailed attack table
- Vulnerabilities found in the application
- Coverage analysis
- Right click: remediation details; right click: retest/rescan of the vulnerability
Reporting/export integration
- Reports: RTF, PDF, Excel, HTML, TXT
- Exports: XML, TXT, SCAN, WAF
- Easily send defects directly to development for remediation
- Create defects in ALM/QC, Octane, Rational, XML (API)
Fortify ecosystem
Fortify solutions: Secure Development (SAST), Dynamic Security Testing (DAST), Continuous Monitoring & Protection (IAST/RASP), REST APIs with Swagger
DevOps & third-party integrations:
- Requirements & issues: ALM Octane, JIRA, Bugzilla
- Build servers: Jenkins, Bamboo, VSTS/TFS
- Build tools: Gradle, ANT, Maven
- Security: vuln mgmt, SIEM, WAFs
- IDEs: Eclipse, Visual Studio, IntelliJ, Xcode/AS
- Open source: Sonatype, Black Duck, Fortify Open Rev.
- Configuration automation: Chef, Puppet, Octopus
- Containers: Docker, 'Dockerized Security'
- Cloud: Azure, AWS
- Communication/ChatOps
- Code repositories & apps: HPE LiveNet, GitHub, SVN
marketplace.microfocus.com/fortify