Manual to automated web application security testing: the story of EDS’s successful use of...
1 ©2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Jeff Bassett, Program Manager
HP Enterprise Services
Manual to automated web application security testing: the story of EDS’s successful use of integrated security platform
2
Agenda
– Background
• Application Landscape
• HP ES Response
– Get Compliant / Stay Compliant
• The Beginning
• Solution Selected
– A Different Approach
• AMP
• Why SaaS?
– The Results
– The Vision Evolves
– Summary
3
Background
Vulnerability Scans to Ensure Security Compliance
– Large manufacturing client needed to evaluate its entire web-based application portfolio for vulnerabilities
– Client CIO made a commitment to the Board of Directors to provide an evaluation for key applications in late Summer 2009
– Industry security issues were widely reported in the media and served as a catalyst for action
– Client's audit staff was aggressive in identifying security concerns
– Target date for assessment of the entire portfolio set for end of 2009
4
Application Landscape
– Web-based application portfolio
• Responsible for approximately 375 applications
• Diverse Topology
− Java / ASP / .NET – full spectrum of versions
− Numerous brand name COTS
− Packages from smaller shops
− Mainframe web-access
• Many “low touch” applications
• Newer applications were developed using a vulnerability and penetration testing methodology
5
Items to Consider – How Do We Respond?
Significant Factors
– There was no institutionalized methodology for security testing applications in maintenance mode
– In addition to evaluating applications we maintained, we needed to evaluate vendor (COTS) software using the same criteria
– HP ES needed to move fast – both to determine the state of the portfolio, and to meet the client's expectations
– HP ES expected the effort to be finite in duration, after which web application security would become “business as usual”
– HP ES needed a solution to mature the client's environment from a non-compliant state to a manageable, measurable and consistently secure (compliant) state
6
Get Compliant/Stay Compliant
Get Compliant
• Reactive
• Remediation Process
• Closing Known Findings
• System Issue Tracking
Stay Compliant
• Preventative
• Standard Tooling
• Change Certification Tollgates
7
In the Beginning (or Two Guys with Laptops)
HP ES Program Decides
– To have application scanning performed by a central team
• Started with two team members with strong application security background and interests
• Goal is to build a “scan factory”
– Not to deploy the tool to the “field”
• Unlikely we could have trained application teams on tool use AND how to remediate
• We needed to build credibility with the client by driving consistency and reliability of scan results
• Program needed to be objective – there are instances where application teams aren't pleased with findings
8
HP ES Selects Solution
Web Based Application Portfolio Scan (Jan 2009 – Mar 2009)
• Analyzed situation
• Determined tool-based testing was the only viable option
• Selected HP's WebInspect
• Scanning efforts began with two North America employees running WebInspect on laptops
• Approach and methodology refined
• HP ES team based in Bangalore was engaged
• Scanning volumes increased
– Lessons learned:
• The amount of time required to set up and perform the scans was greater than envisioned
• Scanning should be done in a pre-production environment
• More findings were identified than expected
9
HP ES Requires More Effective Solution
WebInspect Situational Analysis
WebInspect was successful but a more robust solution is required
Successes
• Effective at finding issues
• All results were actionable
• Client and programming teams pleased with reports
• Low cost solution
Challenges
• Difficult to manage multiple laptops' activity
• Requires significant resources to perform scans
• Does not support Strategic Objectives
Selected Assessment Management Platform (AMP)
• WebInspect information could be uploaded
• Scan macros can be re-used
10
Assessment Management Platform (AMP)
ES engaged HP's SaaS Team to provide the AMP solution to perform application scans
– Proposal received from HP's SaaS Organization for an end-to-end solution
• Provided software and hosting of the AMP console
• Allowed for very rapid deployment of consoles and quick scanning ability
• Provided cost-effective solution – no capital expenditures required
• Included SaaS experts to perform scans
− Leveraging these resources provided an additional layer of objectivity for the results
− Existing WebInspect team members were assigned to help resolve findings and educate programming teams
11
Why SaaS?
– Need for speed
• To meet the timeframes, we needed to scan applications quickly
• We needed to identify where we had problems, and to get results into the hands of our programming teams
• The SaaS AMP Platform already existed – no HP ES project was required to deploy it
• SaaS had the ability to bring knowledgeable people to the program quickly
– Need to Scale
• We were able to implement a solution to deal with the scanning volume in just a few weeks
12
Get Compliant—the Results
Summary of Scan Results (chart; figures not reproduced in the transcript)
13
Stay Compliant—the Vision Evolves
– There is a library of serially reusable scan macros that can be leveraged by the programming teams
– HP ES programming teams can utilize AMP to conduct scans as they need, or as their client requests
– SaaS experts have created and used the crawl macros, which are made available
– Essentially, the programming teams can “grab” the macros, make minimal changes, and scan their applications using AMP (the “button push”)
– SaaS experts are available as needed (major changes to applications, new applications)
– All reporting is available using AMP; customized reports can be created as needed
14
SaaS/HP Software—Staying with the Best
– Both HP Software and the SaaS Teams have shown remarkable willingness to work with us
• Examples:
− During our early WebInspect ramp up, HP Software had a model that allowed us to purchase limited term licenses. We were able to buy a number of licenses, with terms as short as 30 days
− In early 2010, as we explained our vision for “Stay Compliant”, and described a pricing model we thought would work best for business units, they developed a new method for us
– The Teams have been proactive at soliciting ideas for product and service improvements
– SaaS Team members have participated in our Program
• The TAM attends program meetings
• There is significant collaboration between SaaS scanning experts and the HP ES technical team
15
We’ve Almost Come Full Circle
In Summary
– Our Program started with a need to evaluate our web applications portfolio
– We created a Central Team using WebInspect
– We migrated to AMP using HP’s Software As A Service capability
– SaaS was integral to getting our portfolio compliant
– We are winding our central program down – Stay Compliant is Business As Usual
– HP ES will continue to use AMP via the SaaS offering, and will continue to use SaaS’ scanning expertise
16
To learn more on this topic, and to connect with your peers after
the conference, visit the HP Software Solutions Community:
www.hp.com/go/swcommunity