Building Security into Your DevOps Toolchain

@FlorinCoada, Application Security CTP, IBM Security

Jul 16, 2015

© 2015 IBM Corporation


DevOps is like Formula 1

§ Communication

§ Collaboration

§ Integration

§ Automation


What about security?

§ Formula 1? – In Formula One the brakes are one of the most important security features

§ Why do we need brakes in DevOps? – Because brakes enable us to go faster

§ What's the cost of a car going off the track? – A few seconds off the lap, a few positions, the title and some time more....

§ What can we learn from this? – Security must be part of the foundation.


Application Security Landscape

Mobile Devices Targeted – Mobile Malware Increasing

Malicious code is infecting more than 11.6 million mobile devices at any given time

Source: InfoSec, "Mobile Malware Infects Millions; LTE Spurs Growth," January 2014

Mobile devices and the apps we rely on are under attack

90% of the top mobile apps have been hacked

Source: Arxan Technologies, “App Economy under Attack: Report Reveals More than 90 Percent of the Top 100 Mobile Apps Have Been Hacked”

Web Application Vulnerabilities – XSS and SQL Injection Exploitations

XSS and SQL injection exploits are continuing in high numbers

33% of vulnerability disclosures are web application vulnerabilities

Source: IBM X-Force Threat Intelligence Quarterly, 1Q 2014


Application Security Landscape

[Figure: Sampling of 2013 security incidents by attack type, time and impact, plotted January through December. Size of circle estimates relative impact of incident in terms of cost to business. Attack types: SQL injection, Spear phishing, DDoS, Physical access, Malware, XSS, Watering hole, Undisclosed.]

SQL injection accounted for 13% of attacks in 2013

Source: IBM X-Force Threat Intelligence Quarterly 1Q 2014


Start simple, be efficient

§ Start from the foundation

§ Application Security is not an add-on

§ No, security is not here to slow you down.

§ DAST first.

§ Use the existing work flow – APIs, CLIs

§ It's cheaper to build security in from the start


Security is part of the journey, not a step at the end

[Figure: delivery pipeline for App A, App B and App C, with a Status column and the stages Build, Test, UAT, Staging, Production. The pipeline ends in a Data Breach.]


Security is part of the journey, not a step at the end

[Figure: the same pipeline for App A, App B and App C (Status; Build, Test, UAT, Staging, Production), now with I/F elements added between the stages.]


Application Security best practices

§ Walk before you run
– Pilot projects to hone work flows
– Start with the obvious suspects
– Prove and highlight success stories

§ Centralized Expertise
– Develop Application Security SMEs
– Centralized policy decisions

§ Broad Education
– Expect push back
– Focused education on work flows
– Focus on critical issues


Application Security best practices

§ Automation
– Mature organizations have security scanning automated
– Integrate into build process
– Clarify remediation responsibilities

§ Feedback
– Build an “open” internal security community
– Wikis / Issues Reporting / Best Practice Sharing
– Champion success stories / Action failures

§ Don't give up!
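The "use the existing work flow – APIs, CLIs" point earlier and the automation points above (integrate into the build process, clarify remediation responsibilities) come together in a build gate. The following is an added example, not code from the deck and not IBM AppScan's own API: a Python gate that reads a scan report (a constructed JSON sample; the report shape, severity names, component names and owner mapping are all assumptions), ignores findings already in an accepted baseline so a pilot does not block every build on pre-existing issues, routes each new finding to the team that owns the component, and fails the job only when new findings at or above the chosen severity exceed the allowed count.

```python
"""Build gate over DAST/SAST findings (illustrative; not a real scanner's format).

Compares a scan report with an accepted baseline, assigns each new finding to
the owning team, and decides whether the CI job passes.
"""
import json
from collections import defaultdict

# Constructed sample report. The shape is an assumption, not any tool's format.
SAMPLE_REPORT = json.dumps({
    "scan_id": "scan-0042",
    "findings": [
        {"id": "F1", "type": "SQL Injection", "severity": "High",
         "component": "orders-api", "location": "/orders?id="},
        {"id": "F2", "type": "Reflected XSS", "severity": "Medium",
         "component": "web-frontend", "location": "/search?q="},
        {"id": "F3", "type": "Missing HttpOnly flag", "severity": "Low",
         "component": "web-frontend", "location": "Set-Cookie"},
        {"id": "F4", "type": "SQL Injection", "severity": "High",
         "component": "orders-api", "location": "/report?month="},
    ],
})

# Findings already tracked from earlier scans. Gating on *new* findings only is
# what lets a pilot start without blocking every build on old issues.
BASELINE = {"F4"}

# Component -> team responsible for remediation (assumed mapping).
OWNERS = {"orders-api": "team-payments", "web-frontend": "team-web"}

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def new_findings(report_json, baseline):
    """Return the findings whose ids are not in the accepted baseline."""
    report = json.loads(report_json)
    return [f for f in report["findings"] if f["id"] not in baseline]


def assign_owners(findings, owners):
    """Group finding ids by owning team; unknown components fall to the security team."""
    by_team = defaultdict(list)
    for f in findings:
        by_team[owners.get(f["component"], "security-team")].append(f["id"])
    return dict(by_team)


def gate(report_json, baseline, fail_at="High", max_allowed=0):
    """Return (passed, summary).

    The build fails when more than max_allowed new findings sit at or above
    the fail_at severity. Unknown severities rank as 0 and never block.
    """
    findings = new_findings(report_json, baseline)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    passed = len(blocking) <= max_allowed
    summary = {
        "new": len(findings),
        "blocking": [f["id"] for f in blocking],
        "owners": assign_owners(findings, OWNERS),
        "passed": passed,
    }
    return passed, summary


if __name__ == "__main__":
    ok, summary = gate(SAMPLE_REPORT, BASELINE)
    print(json.dumps(summary, indent=2))
    raise SystemExit(0 if ok else 1)  # a non-zero exit fails the CI job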


IBM Application Security Framework

Utilize resources effectively to identify and mitigate risk

§ Application Security Management
– Business Impact Assessment
– Asset Inventory
– Compliance Determination
– Status and Progress Measurement
– Vulnerability Prioritization

§ Test Applications in Development
– Static Analysis
– Dynamic Analysis
– Interactive Analysis
– Mobile Application Analysis

§ Monitor and Protect Deployed Applications
– Database Activity Monitoring
– Web Application Firewall
– SIEM
– Intrusion Prevention
– Mobile Application Protection


AppScan Adoption Example

Application Security Maturity

Level 1 – Basic ad-hoc DAST and IAST testing of key applications

Level 2 – Formalized application security initiative: application inventory and asset classification

Level 3 – Integration with QRadar for deeper security analysis and app monitoring

Level 4 – Start testing earlier in the software development lifecycle using SAST

Level 5 – Mobile app testing and protection

Level 6 – Database monitoring and virtual vulnerability patching


Client Example: A leading networking company

Executing an effective application security program

Small security team responsible for managing nearly 2,500 applications

Business challenge

• Security team did not have enough security experts on staff to handle the workload
• Security staff was becoming a “bottleneck” in application security

Solution benefits (IBM Security AppScan Enterprise)

Empowered developers and QA personnel to test applications and address security issues before deployment

• Drove a 33 percent decrease in number of security issues found
• Reduced post-deployment remediation costs significantly
• Freed security experts to focus on deep application vulnerability assessments


Client Example: A state-run university in the U.S.

Executing an effective application security program

Improved web application quality

Business challenge

Provide developers across the university with a standard, centralized solution for scanning web applications for vulnerabilities

Solution benefits (IBM Security AppScan Enterprise)

Increased the number of scans each year, fixed problems in application code, resulting in a 60 percent decrease in the number of vulnerabilities identified

“After doing our research, we determined that IBM was a leader in the field of dynamic application scanning.”

Alex Jalso, Assistant Director, Office of Information Security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU

www.ibm.com/security