Web Application Security: HP and OutSystems to The Rescue

Post on 23-Jan-2015


An overview of new security capabilities provided by the OutSystems Platform.

Transcript of Web Application Security: HP and OutSystems to The Rescue

© 2001-2013 OutSystems - All rights reserved

Web Application Security: HP & OutSystems to the Rescue!

João Portela / Nuno Antunes, feat. Jaume Ayerbe (HP)

http://bit.ly/webappsecurity
www.outsystems.com


Application Security: Why should you care about it?

Jaume Ayerbe, HP Enterprise Security Products (@j_ayerbe)


Security measures at the network and hardware layers:

• Switch/Router security
• Firewalls
• NIPS/NIDS
• VPN
• Net-Forensics
• Anti-Virus/Anti-Spam
• DLP
• Host FW
• Host IPS/IDS
• Vuln. Assessment tools

Hackers are targeting applications.


Applications hold the assets at risk:

• Intellectual Property
• Customer Data
• Business Processes
• Trade Secrets


Today's approach: expensive, reactive

1. Somebody builds insecure software
2. IT deploys the insecure software
3. We are breached, or pay to have someone tell us our code is insecure
4. We convince and pay the developer to fix it


Why it doesn't work

After an application is released into Production, securing it costs 30x more than during design: 30x more costly to secure in production. Source: NIST.

[Chart: relative cost to fix, y-axis "Cost" with ticks 2X, 5X, 10X, 15X, 30X; x-axis phases: Requirements, Coding, Integration/component testing, System testing, Production]


HP Fortify Security Center

• Protects business critical applications from advanced cyber attacks by removing security vulnerabilities from software
• Accelerates time-to-value for achieving secure applications
• Increases development productivity by enabling security to be built into software, rather than added on after it is deployed
• Delivers risk intelligence from application development to improve operational security

Identifies and eliminates risk in existing applications and prevents the introduction of risk during application development, in-house or from vendors: in-house, outsourced, commercial, open source.


How HP Fortify can help

1. Use SCA to ensure that every single line of code is developed securely, whether internal or from a 3rd party, or built for on-premise, the cloud or mobility.
2. Use WI to simulate attacks against web applications. WI can identify any SQL Injection opportunities from any poorly coded web application software.
3. Use SSC to build security into the software in development and production from the ground up.


Applications Security (joao.portela@outsystems.com)


OutSystems Platform Security Overview: OutSystems Platform Generated Applications

Access:
• HTTPS/SSL
• Internal Network
• Controlled Attack Surface Exposure

Authentication:
• Integrated Authentication
• Centralized Security Governance

Data & Logic:
• SQL/Code Injection Prevention
• Data Encryption
• Automatic Security Exception Handling


What's New?


OutSystems Platform Security: What's New?

HP Fortify is now part of our quality assurance process.


OutSystems Platform Security: Systematic code security testing

Source Control → Build → Regression Tests → HP Fortify (using the HP vulnerabilities rules) → Release


What did we find?


OutSystems Platform Security: Findings

Percentage of vulnerability patterns found in the generated applications: less than 7%.


OutSystems Platform Security: Acceptance Criteria

• No Critical
• No High
• No Medium


OutSystems Platform Security: Results

[Chart: Issues/Vulnerabilities per 1K Lines of Code, y-axis 0 to 0.6, x-axis 7.0 and 8.0; series: Identified Issues, Not a vulnerability, Resolved vulnerabilities]
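To make the testing pipeline, the acceptance criteria and the per-KLOC results metric concrete, here is an added example of a release gate; it is my illustration, not OutSystems or HP Fortify code. It reads a SAST findings export in a generic JSON shape that I assume for the example (not a Fortify file format), blocks the release on any open Critical, High or Medium finding, fails closed when it meets a severity it does not recognise, and reports the three series from the results chart (identified issues, audited "not a vulnerability", resolved) per 1K lines of code. The sample report, finding ids and categories are constructed.

```python
"""Release gate over SAST findings: added example, not OutSystems or HP Fortify code.

The JSON shape below is an assumption for illustration, not a Fortify export format.
"""
import json
from collections import Counter

# Acceptance criteria from the slide: nothing Critical, High or Medium may ship.
BLOCKING_SEVERITIES = frozenset({"Critical", "High", "Medium"})
# Severities the gate understands; anything else is rejected rather than ignored.
KNOWN_SEVERITIES = BLOCKING_SEVERITIES | {"Low"}
# Audit states: only "Open" findings block a release.
OPEN = "Open"
NOT_A_VULNERABILITY = "Not a vulnerability"
RESOLVED = "Resolved"

# Constructed sample report (hypothetical finding ids, categories and size).
SAMPLE_REPORT = json.dumps({
    "lines_of_code": 100_000,
    "findings": [
        {"id": "F-1", "category": "SQL Injection", "severity": "Critical", "status": RESOLVED},
        {"id": "F-2", "category": "Cross-Site Scripting", "severity": "High", "status": NOT_A_VULNERABILITY},
        {"id": "F-3", "category": "Path Manipulation", "severity": "Medium", "status": OPEN},
        {"id": "F-4", "category": "Poor Logging Practice", "severity": "Low", "status": OPEN},
    ],
})


def load_report(report_json):
    """Parse the export and reject severities the gate does not know (fail closed)."""
    data = json.loads(report_json)
    findings = data["findings"]
    for f in findings:
        if f["severity"] not in KNOWN_SEVERITIES:
            raise ValueError(f"finding {f['id']}: unknown severity {f['severity']!r}")
    return findings, int(data["lines_of_code"])


def per_kloc(count, lines_of_code):
    """Density metric used on the results chart: issues per 1K lines of code."""
    return round(count / (lines_of_code / 1000), 4)


def blocking_findings(findings):
    """Open findings at a severity the acceptance criteria forbid."""
    return [f for f in findings
            if f["severity"] in BLOCKING_SEVERITIES and f["status"] == OPEN]


def release_gate(report_json):
    """Apply the acceptance criteria and report the per-KLOC series."""
    findings, loc = load_report(report_json)
    blocking = blocking_findings(findings)
    by_status = Counter(f["status"] for f in findings)
    return {
        "release_allowed": not blocking,
        "blocking": [f["id"] for f in blocking],
        "identified_per_kloc": per_kloc(len(findings), loc),
        "not_a_vulnerability_per_kloc": per_kloc(by_status[NOT_A_VULNERABILITY], loc),
        "resolved_per_kloc": per_kloc(by_status[RESOLVED], loc),
    }


def set_field(report_json, finding_id, field, value):
    """Return a copy of the report with one finding's field changed (models a fix or an audit)."""
    data = json.loads(report_json)
    for f in data["findings"]:
        if f["id"] == finding_id:
            f[field] = value
    return json.dumps(data)


if __name__ == "__main__":
    # Exit non-zero so a CI step after the scan stops the release.
    verdict = release_gate(SAMPLE_REPORT)
    print(json.dumps(verdict, indent=2))
    raise SystemExit(0 if verdict["release_allowed"] else 1)
```

Run as a CI step after the scan; with the constructed report it exits 1 because F-3 (Medium, still open) violates the criteria, while the audited-out High and the resolved Critical do not count. Treating an unknown severity as an error rather than skipping it is deliberate: a renamed or new severity level in the scanner's output should stop the pipeline, not silently pass it.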


Bottom line


Systematic testing of security vulnerabilities + Aggressive acceptance criteria enforced + Continuous monitoring and improvement = Applications Security Under Control


Takeaways

nuno.antunes@outsystems.com


#1 Security is not optional and should be addressed early.


#2 OutSystems Platform's generated code is inherently secure and under control.


Code Security Process: Traditionally

Always start from scratch: New Application → you test it → you fix it → New secured Application, and the same cycle starts over for Another Application.


Code Security Process: With the OutSystems Platform

New Application → you test it → we fix it via security patch → New secured Application. All your applications are fixed.


#3 You benefit from the same security level that our most heavily regulated customers need to comply with.


#4 The cost to deliver secure web applications is compressed.


Thank You

http://bit.ly/webappsecurity

www.outsystems.com