Micro Focus Security Fortify Application Security

Transcript of "Secure the new – Application security in DevOps" (Micro Focus Security Fortify, software-events-microfocus.eu/be/securethenew...)

Page 1:

Micro Focus Security Fortify Application Security

Page 2:

Secure the new – Application security in DevOps

Agenda:

- Fortify in brief (Offerings)
- Fortify Source Code Analyzer
- Fortify WebInspect
- Using Fortify with DevOps

Page 3:

Managing risk in today’s digital enterprise

Rapid transformation of enterprise IT: shift to hybrid, mobile connectivity, big data explosion

Cost and complexity of regulatory pressures: compliance, privacy, data protection

Increasingly sophisticated cyber attacks: more sophisticated, more frequent, more damaging

Presentation Notes:
- Risk and threats are everywhere, going after financial assets, intellectual property, employee and customer data, and reputation and brand.
- Threats are growing exponentially and the adversaries are getting smarter: an adversary marketplace has formed (specialized, efficient, collaborating, highly motivated and lucrative), producing complex threats, both external and internal.
- Regulatory pressures: regulatory drivers and industry-specific compliance mandates. Security and risk officers are grappling with complex regulatory issues (compliance regulations, privacy rulings and data protection mandates); the fallout of a failed mandate is fines.
- Transformation of enterprise IT: driving innovation and accelerating growth to stay competitive and offer value means moving to cloud and mobile, which creates new risks and threats. The new IT distributes data everywhere, opening new exposures and increasing the size of the attack surface.
Page 4:

Today’s digital enterprise needs a new style of protection

Protect your most business-critical digital assets and their interactions, regardless of location or device

Diagram labels: users, apps and data spread across on premise and off premise (IaaS, SaaS, PaaS, BYOD, big data)

Presentation Notes:
- Today, speed and agility matter. Organizations move to cloud and mobile for time to value and to enhance customer experiences.
- Organizations have deployed security strategies focused on blocking and securing the perimeter and locking down users, access and data. The new style of business has dissolved the perimeter: there is no perimeter. Data and apps are scattered everywhere, and users interact with your data and apps in the cloud, on mobile devices and within your network.
- Organizations must secure the interactions between business-critical digital assets, securing the flow of information throughout the enterprise across customers, employees, partners and suppliers.
Page 5:

Protect your digital enterprise

Prevent: Build it in. Identify the threats you face, assess your organization’s capabilities to protect your enterprise. Harden your applications, protect your users, and encrypt your most important data.

Detect & Respond: Proactively detect and manage breaches. Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration. Establish situational awareness to find and shut down threats at scale.

Recover: Safeguard continuity and compliance. Drive resilience and business continuity across your IT environments, systems, and applications. Reduce risk with enterprise-wide governance, risk & compliance strategies.

Presentation Notes:
Three core principles to protecting your organization:
- PREVENT: stop treating security as an afterthought. Understand your risk posture, ensure security is built in, assess cyber capabilities, identify business-critical assets and focus on protecting them.
- DETECT & RESPOND: monitor security operations 24x7x365, hunting and shutting down threats before they wreak havoc. ArcSight SIEM, combined with Threat Central, the threat intelligence platform, detects known and unknown threats and supports a quick response.
- RECOVER: ensure business continuity and availability of your IT environment, critical systems and apps in a natural disaster, cyber attack or system failure. Ensure users, data and apps experience minimal downtime.
Page 6:

Application Security

Presentation Notes:
Digging into AppSec: of today’s breaches, what percentage of attacks exploit vulnerabilities at the application layer?
Page 7:

Existing network and perimeter based security is insufficient

84% of breaches exploit vulnerabilities in the application layer. Yet the ratio of spending between perimeter security and application security is 23-to-1.

- Gartner Maverick Research: Stop Protecting Your Apps; It’s Time for Apps to Protect Themselves (2014)

Presentation Notes:
- Today’s greatest security risk is the apps that run your business; they are the weakest link. 84% of all successful breaches exploit vulnerabilities in the application layer: insecure software, AppSec not built into the SDLC, attackers stealing money, intellectual property and customer or employee data, and damaging the brand.
- The majority of security spending goes to blocking attacks on the network, a perimeter focus looking for malware and viruses. Those controls are good and effective for what they are designed to block, but insufficient for blocking threats against apps.
- The ratio of spending between perimeter security and AppSec is a massive imbalance: an imbalance between the understanding of the problem of insecure software and the amount of money being spent on solving it.
- The new style of business has dissolved the perimeter. Users interacting with your data and apps in the cloud, on mobile devices and within your network create new exposures.
Page 8:

The number of apps is growing: increasing platforms and complexity … many delivery models

Challenges: procuring secure software; certifying new releases; securing legacy applications; monitoring / protecting production software; demonstrating compliance

Sources of software: legacy software, open source, outsourced, commercial, in-house development

Presentation Notes:
To further compound the problem, the number and complexity of applications is growing. Ten years ago the software security challenge was about protecting static websites that were fairly innocuous and easy to scope and protect. Now the software supply chain is much more complicated, considering outsourced development and the number of legacy applications, coupled with in-house development that takes advantage of third-party, open source and commercial off-the-shelf software. In the context of that supply chain and how modern applications are built, the security threat becomes even more complex for most security organizations to tackle.
- Life of a software developer: new features and functionality, increasing complexity, an increasing number of apps, deadlines, being overwhelmed, product delays, an Agile/DevOps environment.
- Challenges: software is coming from everywhere (legacy, outsourced, in-house, open source, third party). The sheer number of apps to secure is mind-blowing and companies cannot keep up. The complexity of apps and of threats has increased. Companies depend on apps to run their business and are under pressure to drive innovation and value to stay competitive and meet customer expectations. In DevOps, security takes a back seat, and the ability to secure and control these apps is slipping away from security teams.
- There are two approaches that an organization can take…
Page 9:

A reactive approach to AppSec is inefficient and expensive

Cost to remediate by SDLC phase: Requirements; Design / Architecture; Coding (7X); Testing (15X); Deployment / Maintenance (30X)

The reactive cycle when QA catches the problem: somebody builds insecure software; QA finds vulnerabilities in the software; we convince and pay the developer to fix it, thereby delaying the release.

The reactive cycle when production catches the problem: somebody builds insecure software; IT deploys the insecure software; we are breached, or pay to have someone tell us our code is bad; we convince and pay the developer to fix it.

Presentation Notes:
- In the face of that complexity, a reactive approach simply doesn’t work, and it’s not cost effective. It’s 30x more expensive to fix software after it’s deployed. Best to start security early on, by building security in: ideally during the design phase, but development is a good place to start, too.
- By the time a reactive approach kicks in, the damage is already done. NIST study and Ponemon attribution: a reactive approach is ineffective and expensive; the cost and incidence of attacks are growing; the average cost of a breach is growing; catching up and chasing to keep up is not a solution.
- NIST studies on ROI: it is 30x more expensive to fix a security problem after the software has been deployed than if it had been addressed early in the SDLC.
- Customers understand AppSec, but why are they not doing it? Priorities: organizations view security as an expense, not an investment, because they are not getting anything back.
- So what is the right approach?
Page 10:

The right approach for the new SDLC – Build it in

1. Secure Development: continuous feedback on the developer’s desktop at DevOps speed
2. Security Testing: embed scalable security into the development tool chain
3. Continuous Monitoring and Protection: monitor and protect software running in production

Improve SDLC policies

This is application security for the new SDLC

Presentation Notes:
The right approach is Software Security Assurance. This is about embedding security into the software development lifecycle, no matter where the software comes from. The first step in doing this is testing the software at whichever lifecycle stage it’s in, whether it’s a legacy app that’s been running in your environment for a long time, software that is being built now, or software being procured through a vendor. Leveraging a security gate somewhere in the process is always the first place to start.
- A proactive Software Security Assurance (SSA) program ensures the software that runs your business is controlled, protected and secure, no matter where the app comes from. It promotes secure development practices across the SDLC through people (expertise and training), process (defining security) and technology (products).
- 1. Secure development: secure development practices that are repeatable. 2. Security testing: leveraging technology for AppSec testing. 3. Continuous monitoring and protection: regularly assessing the security of apps in production, with application self-protection technology giving visibility to monitor an app’s security posture.
- A closed-loop process: finding and fixing issues before deployment, proving ROI and improving time to market. It does not slow down the development of apps; it enables development to happen faster and more securely.
Page 11:

Micro Focus Security Fortify key advantages

Comprehensive: only app sec provider to cover SAST, DAST, IAST and RASP

Proven: over a decade of successful deployments backed by the largest security research team

Flexible: available on premise and on demand

Presentation Notes:
- Key advantages are rooted in the comprehensiveness of our technologies: not only do we offer all of these, we invented and pioneered many of them. Comprehensive technologies that span the SDLC.
- Proven: a decade of successful deployments by public and private organizations and government. The SSR (Software Security Research) team is the largest global team, recognized by the industry as one of the top security organizations for monitoring emerging threats: a team of dedicated researchers, well regarded by the industry, whose knowledge is funneled directly back into the Fortify suite (quarterly updates or ad hoc).
- Flexible: on premise as software and as an on-demand platform, or hybrid. No competitor can match hybrid deployments.
Page 12:

Micro Focus Security Fortify Leadership: over a decade of successful deployments backed by the largest security research team

• 10 out of 10 of the largest information technology companies
• 9 out of 10 of the largest banks
• 4 out of 5 of the largest pharmaceutical companies
• 3 out of 3 of the largest independent software vendors
• 5 out of 5 of the largest telecommunication companies

2017 Gartner Magic Quadrant (MQ) for Application Security Testing (AST)

Presentation Notes:
Companies build their software around the Fortify experience, expertise, and leadership. Gartner and Forrester validation: strong execution, constant innovation.
Page 13:

Micro Focus Security Fortify Application Security Solutions: on premise and on demand

Diagram of the solution suite (Software Security Center / Fortify on Demand):
- Static Analysis – SCA: static analysis via build integration, fed from the source code management system
- Dynamic Analysis – WebInspect: dynamic testing in QA or production
- Application Protection – App Defender: real-time protection of the running application, facing hackers and actual attacks
- Vulnerability Management: vulnerability database; normalization (scoring, guidance); correlation (static, dynamic, runtime); threat intelligence rules management; correlate target vulnerabilities with common guidance and scoring; defects, metrics and KPIs used to measure risk
- Remediation: IDE plug-ins (Eclipse, Visual Studio, etc.) for developers (onshore or offshore)
- Application Lifecycle: development, project and management stakeholders

Presentation Notes:
- Deliver multiple analysis technologies that are scalable, manageable and available on premise or on demand.
- DevInspect brings security to the developer and empowers them to take responsibility. Static analysis identifies security vulnerabilities in source code during the development process. Dynamic analysis identifies exploitable vulnerabilities in running software in deployment and test environments. App Defender takes runtime analysis and uses it on production apps to monitor, identify and proactively block security vulnerabilities and attacks. On Demand is the managed service.
- SSC: all analysis brings information back into a single view of vulnerability management and the workflow of the remediation process. This is crucial to taking all your intelligence and turning it into remediation and fixes in your source code. The goal is to remove as many security vulnerabilities from your software as possible, NOT to identify lots of problems.
- 23 languages (ABAP, ASP.NET, VB.NET, C# (.NET), C/C++, Classic ASP, COBOL, CFML, HTML, Java, JavaScript/AJAX, JSP, PHP, PL/SQL, Python, Swift, T-SQL, Visual Basic, VBScript, XML), 836k+ component-level APIs, 900+ unique vulnerability categories.
- Supports major platforms, build environments and IDEs (Eclipse, IntelliJ Ultimate & Community, Microsoft Visual Studio, IBM Rational Application Developer & Software Architect). Bug tracking: Bugzilla, ALM, Micro Focus Quality Center, Team Foundation Server, Jira.
- Here you see the Fortify security testing and vulnerability management suite: SCA for testing source code in development, WebInspect for finding vulnerabilities in running software, and App Defender runtime analysis, which proactively monitors activity and blocks security vulnerabilities and attacks in real time (all offered both on premise and through FoD). All findings can be accessed on premise in Software Security Center (SSC) or via Fortify on Demand dashboards, where companies can manage workflow and risk across their enterprise. The crucial step is where the intelligence is used for remediation and also informs future builds. After all, the goal is to remove security vulnerabilities from software, NOT just find lots of problems.
Page 14:

Fortify Ecosystem

Fortify solutions expose REST APIs with Swagger to the DevOps and third-party toolchain across Secure Development, Security Testing, and Continuous Monitoring and Protection:
- Requirements & issues: ALM Octane, JIRA, Bugzilla
- Build servers: Jenkins, Bamboo, VSTS/TFS
- Build tools: Gradle, ANT, Maven
- Security: vulnerability management, SIEM, WAFs
- IDEs: Eclipse, Visual Studio, IntelliJ, Xcode/AS
- Open source: Sonatype, Black Duck, Fortify Open Rev.
- Configuration automation: Chef, Puppet, Octopus
- Containers: Docker, ‘Dockerized Security’
- Cloud: Azure, AWS
- Communication/ChatOps
- Code repositories & apps: Micro Focus LiveNet, GitHub, SVN

Presentation Notes:
- There is a shift we are seeing with the new SDLC: our customers are moving to DevOps and more agile development, which drives the need for new technologies and different levels of integration across the development lifecycle. This is happening at a fast rate. The focus is on how we pull all this together and show how our core products fit into customer environments easily and seamlessly.
- We are creating innovative solutions and new features for our existing offerings, and with the announcement of the new Fortify Ecosystem we are able to work within the customer’s existing environment. Customers are using new tools and technology, and Fortify can adapt as they transition to DevOps.
- Fortify Ecosystem covers over 10 integration categories with the tools, apps and REST APIs organizations are leveraging today and plan to leverage in the future across the DevOps and third-party toolchain. As organizations extend their use of technology for their AppSec needs in a DevOps world, Fortify is meeting that challenge by offering Swagger-supported REST APIs to provide highly extensible and integrated solutions that accelerate automation and results.
- Fortify Ecosystem provides tools, plugins and integrations that enable organizations to do more with their investment in Fortify solutions by simplifying the integration process and making those tools available in the Fortify marketplace. Most of our portfolio now exposes a REST API with a Swagger definition of that API, making it easier for customers to integrate, for example into Jenkins, or to kick off a scan in WebInspect, helping to automate processes. We continue these efforts with LiveNet, VSTS…
- Definition: Swagger is a popular framework for APIs. It lets developers interact with APIs and gives clear visibility into how an API responds to parameters and options.
Page 15:

Micro Focus Security Fortify DevInspect

Page 16:

Micro Focus Security Fortify DevInspect: Key Benefits

Designed for the developer; easy to use; instant results; continuous feedback

Presentation Notes:
- Designed and created for developers: gives developers, many of whom know little about security, the technology to help them develop secure code. Fully integrated into the developer IDE (Eclipse) for ease of use. Instant and continuous results with Security Assistant. Supports the DevOps environment. Provides thorough and robust software security analysis of an app.
- Instant results (fast): inline analysis of the source code as the developer types, providing immediate feedback. Out-of-the-box results, no configuration required.
- Continuous feedback: continuously updated security findings as code is written. Tracks findings and guides developers toward remediation.
Page 17:

Micro Focus Security Fortify DevInspect: bringing application security closer to the developer

AppSec solution created for developers to identify and remediate security vulnerabilities in source code within the developer’s native environment.

Brings market-leading AppSec technologies directly to the developer, ensuring secure code as you “shift left” in your development process.

Real-time, instant security results as the developer is writing code.

Enables developers to assess for security weaknesses.

Presentation Notes:
- Here’s where DevInspect comes into play. DevInspect empowers your developers: designed for developers so they can build secure software. A comprehensive security toolkit integrating best-of-breed testing technologies to produce instant security results, allowing continuous testing during development so developers can be efficient and take action quickly with real-time insight.
- Helps build security into the DevOps environment, turning security into a culture. Empowers developers to run security scans independently, easily, quickly and continuously so they can identify and eliminate AppSec vulnerabilities even earlier in the development lifecycle (at the source). Example: a word processor’s spell check that flags misspelled words so they can be fixed immediately.
- Immediate, continuous feedback and guidance as developers are coding. They learn to avoid introducing risks into their code and not to write the same security vulnerabilities again; developers take responsibility for their own code.
- Easy install process: install DevInspect on the developer desktop with the IDE plug-in. Open Eclipse, select Install New Software from the Help menu, add the DevInspect plugin from the local repository, and download the security content. DevInspect can be configured to provide a robust static assessment that can be triggered through the IDE at any time.
Page 18:

Micro Focus Security Fortify DevInspect: real-time lightweight analysis of the source code

Screenshot callouts: the vulnerable line of code is highlighted as the developer codes, with tips for additional information; level of criticality; type of vulnerability, explanation and detailed remediation guidance; all issues detected in the project; Fortify menu for additional options

Page 19:

Static Application Security Testing

Micro Focus Security Fortify Static Code Analyzer

Page 20:

Micro Focus Security Fortify Static Code Analyzer (SCA)

Static Analysis – Fortify SCA: static analysis via build integration, fed from the source code management system

Most comprehensive; most accurate; easy to use for developers; build integration; scales to any application

Presentation Notes:
- Automated static code analyzer that identifies critical issues early in the SDLC, when they are easiest and least expensive to fix.
- Actionable results that can be viewed and remediated early and quickly: pinpoints the root cause of a vulnerability, prioritizes results and provides best practices. Educates developers and brings development and security teams together for a unified approach to finding and fixing security vulnerabilities.
- Easily integrates into any environment through scripts, plug-ins and GUI tools so developers can get up and running.
- Build tools: ANT, Jenkins, Maven, MSBuild, Xcodebuild, Team Foundation Server. IDEs: Eclipse, IntelliJ (Ultimate & Community), Microsoft Visual Studio, IBM Rational Application Developer (RAD) and IBM Rational Software Architect (RSA). Bug tracking: Bugzilla, ALM, Micro Focus Quality Center, Team Foundation Server, JIRA.
Page 21:

SCA Analysis

Static Application Security Testing: accurately identify the root cause and remediate the underlying security flaw

Diagram: the SCA frontend takes in the project’s XML, Java, JSP and T-SQL sources; the results show a SQL injection finding traced from user input across the T-SQL, Java, XML and JSP components. 22+ languages: ABAP, ASP, C#.NET, C/C++, CFML, Classic ASP, COBOL, HTML, Java, JavaScript/AJAX, PHP, PL/SQL, Python, T-SQL, VB.NET, VBScript, Visual Basic, XML

Presentation Notes:
- Languages: ABAP, ASP.NET, VB.NET, C# (.NET), C/C++, Classic ASP, COBOL, CFML, HTML, Java, JavaScript/AJAX, JSP, PHP, PL/SQL, Python, T-SQL, Visual Basic, VBScript, XML.
- As of October 2016, SCA identifies 709 unique vulnerability categories across 23 programming languages and 840k individual APIs.
- Build tools: ANT, Jenkins, Maven, MSBuild, Xcodebuild, Team Foundation Server. IDEs: Eclipse, IntelliJ (Ultimate & Community), Microsoft Visual Studio, IBM Rational Application Developer (RAD), IBM Rational Software Architect (RSA). Bug tracking: Bugzilla, ALM, Micro Focus Quality Center, Team Foundation Server, JIRA.
Page 22:

Static Analysis Tools & Integrations: manage remediation and audit workflows

- Audit Workbench: security auditor’s toolkit including scanning, remediation guidance, and reporting
- Security Assistant: instantly find vulnerabilities in real time as developers code
- Developer IDE plug-ins: scan, view results, and manage remediation
- Scan Wizard: easy scan configuration and build integration
- Rules Editor: build custom scan rules
- Process Designer: customize Software Security Center to fit your SDLC

Presentation Notes:
Show/say: this is not all of them.
Page 23:

Dynamic Application Security Testing

Micro Focus Security Fortify WebInspect

Page 24:

Micro Focus Security Fortify WebInspect

Dynamic Analysis – WebInspect: dynamic testing in QA or production

Dynamic and runtime analysis; technology made simple; compliance management; build integration; centralized program management

Presentation Notes:
- Automated dynamic testing is for QA and security professionals. It tests the dynamic behavior of a running app to identify configuration issues and security vulnerabilities, and prioritizes the most critical issues. It simulates a real-world security attack against web apps and services, with detail about each vulnerability, its implications, best practices and coding examples. Supports 35 compliance templates.
- WebInspect Agent (Interactive AppSec Testing) integrates dynamic testing and runtime analysis to identify more vulnerabilities and expose exploits better than dynamic testing alone.
- Find more: crawls more of the app, expanding the tested attack surface (hidden directories and pages, OATH authentication, unused parameters/backdoors, privacy violations). Certain vulnerability categories have escaped the realm of dynamic scanning; the agent finds those. It provides more detail so developers can fix vulnerabilities faster (line-of-code detail and a stack trace returned with the vulnerability).
- Find faster: faster time to value. Deduplication reduces the number of attacks sent by avoiding scanning the same class or function when it is reached from a different part of the app. The agent sits on the web server and integrates with the app’s runtime, so it can tell when the same class or function will be executed by an attack even when requests come from different areas of the app, down to the code being executed. Check avoidance reduces the number of attacks sent by not sending multiple attacks for a specific check type if the agent determines the app can handle that attack.
- Information is loaded into SSC and used with SCA scan results; issues are correlated.
Page 25:

Dynamic Analysis Dashboard – Micro Focus Security Fortify WebInspect: live dynamic scan visualization

Screenshot callouts: live scan dashboard; live scan statistics; detailed attack table; vulnerabilities found in the application; coverage analysis

Presentation Notes:
Dynamic analysis management view.
Page 26:

Interactive Application Security Testing

Micro Focus Security Fortify WebInspect agent

Page 27:

IAST with Micro Focus Security Fortify WebInspect agent

IAST
− Runtime-level insight into application behavior
− Discover new vulnerability categories
− Identify and assess hidden areas of the site

Find More
− Supports Java and .NET applications

Find Faster, Fix Faster
– Decrease scan time with active mode
– Avoid retesting reused code
– Stack trace gives line-of-code accuracy to tell developers where to start
– Reduce false positives

Screenshot: the WebInspect agent’s view of the demo site map (Index, Message Center, Read Message, Send Message, Account Details, Withdraw, Deposit, About, Backup, Admin)

Presentation Notes:
- WebInspect Agent (Interactive AppSec Testing) integrates dynamic testing and runtime analysis to identify more vulnerabilities and expose exploits better than dynamic testing alone.
- Find more: crawls more of the app, expanding the tested attack surface (hidden directories and pages, OATH authentication, unused parameters/backdoors, privacy violations). Certain vulnerability categories have escaped the realm of dynamic scanning; the agent finds those. It provides more detail so developers can fix vulnerabilities faster (line-of-code detail and a stack trace returned with the vulnerability).
- Find faster: faster time to value. Deduplication reduces the number of attacks sent by avoiding scanning the same class or function when it is reached from a different part of the app. The agent sits on the web server and integrates with the app’s runtime, so it can tell when the same class or function will be executed by an attack even when requests come from different areas of the app, down to the code being executed. Check avoidance reduces the number of attacks sent by not sending multiple attacks for a specific check type if the agent determines the app can handle that attack.
- Information is loaded into SSC and used with SCA scan results; issues are correlated.
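The deduplication and check-avoidance behaviour described in the page 24 and page 27 notes, modelled as an added Python example that is not Fortify's or WebInspect's code: a toy scan planner that uses an agent-reported map of which server-side handler each URL/parameter reaches to skip checks that would only re-exercise code already tested. The handler map, the "safe handler" verdicts and the demo targets are constructed assumptions standing in for what a real agent would report at runtime; no attack payloads are modelled, only check categories and counts.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Target:
    """One injection point a scanner would exercise: a URL and a parameter name."""
    url: str
    param: str


@dataclass(frozen=True)
class Attempt:
    """A check the planner decided to send (category label only, no payload)."""
    target: Target
    category: str
    variant: int
    handler: str


class AgentAssistedScheduler:
    """Toy model of an IAST-assisted scan planner (assumption: not Fortify's logic).

    handler_map: what an in-process agent would report at runtime, i.e. which
        server-side handler (class.method) a given url/param reaches.
    safe_handlers: (handler, category) pairs the agent has judged to handle that
        check type safely, so further variants of the category add nothing.
    """

    def __init__(self, handler_map: Dict[Tuple[str, str], str],
                 safe_handlers: Iterable[Tuple[str, str]],
                 variants_per_category: int = 3):
        self.handler_map = handler_map
        self.safe_handlers = set(safe_handlers)
        self.variants = variants_per_category
        # (handler, category) -> first target that drove this category into that code
        self.covered: Dict[Tuple[str, str], Target] = {}
        self.avoided: Set[Tuple[str, str]] = set()
        self.sent: List[Attempt] = []
        self.stats = {"sent": 0, "dedup_skipped": 0, "avoidance_skipped": 0}

    def plan(self, targets: Iterable[Target], categories: Iterable[str]) -> Dict[str, int]:
        categories = list(categories)
        for target in targets:
            handler = self.handler_map.get((target.url, target.param))
            for category in categories:
                for variant in range(self.variants):
                    if handler is None:
                        # No runtime insight for this target: plain DAST behaviour, send everything.
                        self._send(target, category, variant, "<unknown>")
                        continue
                    key = (handler, category)
                    if key in self.covered and self.covered[key] != target:
                        # Deduplication: another URL already drove this category into the same code.
                        self.stats["dedup_skipped"] += 1
                        continue
                    if key in self.avoided:
                        # Check avoidance: the agent reported this handler copes with the check type.
                        self.stats["avoidance_skipped"] += 1
                        continue
                    self._send(target, category, variant, handler)
                    self.covered.setdefault(key, target)
                    if key in self.safe_handlers:
                        self.avoided.add(key)
        return dict(self.stats)

    def _send(self, target: Target, category: str, variant: int, handler: str) -> None:
        self.sent.append(Attempt(target, category, variant, handler))
        self.stats["sent"] += 1


# Constructed sample data for a fictional banking demo app (not real scan output).
HANDLER_MAP = {
    ("/account", "id"): "AccountController.load",
    ("/admin/account", "id"): "AccountController.load",  # same code behind a second URL
    ("/messages", "q"): "MessageController.search",
    ("/search", "q"): "MessageController.search",
    ("/deposit", "amount"): "TxController.deposit",
}
# Assumed agent verdict: search already binds its parameter safely for this category.
SAFE_HANDLERS = {("MessageController.search", "sql-injection")}
TARGETS = [Target(url, param) for url, param in HANDLER_MAP]
CATEGORIES = ["sql-injection", "cross-site-scripting"]


def run_demo() -> Tuple[Dict[str, int], List[Attempt]]:
    """Plan the scan and compare against the request count a plain DAST scan would send."""
    scheduler = AgentAssistedScheduler(HANDLER_MAP, SAFE_HANDLERS)
    stats = scheduler.plan(TARGETS, CATEGORIES)
    stats["without_agent"] = len(TARGETS) * len(CATEGORIES) * scheduler.variants
    return stats, scheduler.sent


if __name__ == "__main__":
    demo_stats, demo_sent = run_demo()
    print(demo_stats)
    for attempt in demo_sent:
        print(f"{attempt.target.url}?{attempt.target.param} -> {attempt.handler}: "
              f"{attempt.category} v{attempt.variant}")
```

With the constructed map, the planner sends 16 of the 30 checks a plain scan would send: 12 are dropped because a second URL reaches code already tested, and 2 because the agent reported the search handler safe after the first SQL injection variant.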
Page 28:

Application Security on Premise

Micro Focus Fortify Software Security Center

Page 29: Micro Focus Security Fortify Software Security Center: Application Security on Premise

Vulnerability Management: Find-to-Fix Workflow Automation, Integration, Reporting, Simplified Program Management, Remediation, Application Lifecycle

Diagram labels: Developers (onshore or offshore); Software Security Center; Development, Project and Management Stakeholders

Presentation Notes:
A centralized management repository that provides visibility and an accurate picture of the entire application security testing program. It highlights risk using dashboards and reports, and lets security and development teams collaborate, measure and resolve security issues across teams and applications. It reviews, manages and tracks security testing activities: triage and audit, prioritize remediation efforts, measure improvements, trending, and compliance goals (internal and security mandates).
Page 30: Micro Focus Security Fortify Software Security Center: Vulnerability detail

Screenshot callouts: Remediation explanation and advice; Line-of-code vulnerability detail; Vulnerabilities identified in the scan

Page 31: Micro Focus Security Fortify Software Security Center: Reporting and Program Management

Screenshot callouts: Vulnerability status by application; Global dashboard highlights risk across the software portfolio

Page 32: Runtime Application Self Protection: Micro Focus Security Fortify Application Defender

Page 33: Micro Focus Security Application Defender: Application Security Simplified

Protection: Stop attacks categorically or for specific vulnerabilities.

Simplicity: Install quickly and easily with a three-step deployment; get protection up and running in minutes.

Visibility: Actionable and accurate insight from within the application to pinpoint vulnerabilities for protection or remediation.

Diagram labels: Micro Focus Security Research; Micro Focus Security Fortify Runtime; Micro Focus Application Defender; 1, 2, 3

Presentation Notes:
Runtime Application Self-Protection (RASP) for production applications: a real-time view; simplicity, visibility and protection. Java and .NET; SaaS solution, on-premise or standalone offering; no changes to code. Monitor and protect applications with known and unknown vulnerabilities in production. Provides insight from within the application and lets you identify and stop attacks that network security cannot see: it sees the whole attack/query and blocks it. Export vulnerability data and send it to development to fix (not available for a WAF). Leverages the logic in the software to accurately identify and mitigate malicious behavior, and provides user behavior data and logging for security analysis. The Application Defender agent sits on the enterprise application server. Customers use both the application logging and application protection functionality to provide centralized and consistent visibility into the use and abuse of the applications deployed across the enterprise while protecting from
Page 34: Fortify Application Defender: Monitor and Protect your Applications

Architecture diagram: three application servers, each running a Target Application with an App Defender Agent, connected to the Application Defender Server (On-Premise or SaaS).

Application Defender Server: Agent Orchestration & Policy Management; Logging & Protection Events; Rulepack Updates; Configurable Event Output & Visualization

Application Security Events (CEF) are forwarded via Syslog to a SIEM (ArcSight ESM).

Page 35: Fortify Application Defender: Context-Sensitive rules for increased coverage and accuracy

Diagram: RASP instrumenting the Target Application on the Application Server, with rules at each point where data enters or leaves the application:

Input: Detect injections; Sanitize input

Output: Detect persistent; Reduce false positives

Database: Detect 2nd-order attacks; Fully decoded, assembled

File System: Detect privacy violations; Privileged resource access
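As an added illustration of the two slides above (CEF events forwarded to syslog/SIEM on page 34, and sink-level detection on the fully decoded, assembled statement on page 35), not Fortify's own code: a toy RASP-style database hook in Python. The vendor/product/signature names, the regexes and the sample rows are all constructed here; the CEF escaping follows the published CEF header and extension rules.

```python
import re
import sqlite3

TAUTOLOGY = re.compile(r"'\s*OR\s+\S+\s*=\s*\S+", re.IGNORECASE)  # constructed patterns,
COMMENT_TAIL = re.compile(r"--|/\*")                               # not Fortify rulepack content

def perimeter_check(raw_param):
    """Network-layer style check on one raw input value: any quote or comment marker."""
    return "'" in raw_param or bool(COMMENT_TAIL.search(raw_param))

def sink_check(assembled_sql):
    """RASP-style check on the statement the driver is about to run; bound parameters never appear here."""
    if TAUTOLOGY.search(assembled_sql):
        return "sqli-tautology"
    if COMMENT_TAIL.search(assembled_sql):
        return "sqli-comment"
    return None

def cef_escape(value, extension=False):
    """CEF header fields escape '|' and '\\'; extension values escape '=' and '\\'."""
    value = value.replace("\\", "\\\\")
    return value.replace("=", "\\=") if extension else value.replace("|", "\\|")

def to_cef(sig_id, name, severity, **ext):
    """CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension"""
    fields = ("0", "Example", "ToyRASP", "1.0", sig_id, name, str(severity))
    header = "|".join(cef_escape(f) for f in fields)
    extension = " ".join(f"{k}={cef_escape(v, True)}" for k, v in ext.items())
    return f"CEF:{header}|{extension}"

class GuardedDb:
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.events = []                      # CEF lines destined for syslog / SIEM
        self.conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    def execute(self, sql, params=()):
        """Every statement passes the sink check; a hit is logged and the statement is not run."""
        sig = sink_check(sql)
        if sig:
            self.events.append(to_cef(sig, "SQL injection at DB sink", 9, sql=sql))
            return None                       # protection mode: blocked
        return self.conn.execute(sql, params).fetchall()

def run_scenario():
    db, out = GuardedDb(), {}
    out["perimeter_flags_benign"] = perimeter_check("O'Brien")      # True: a false positive
    db.execute("INSERT INTO users VALUES (?, ?)", (1, "O'Brien"))    # bound: no literal at sink
    out["sink_flags_benign"] = len(db.events)                        # 0
    # Second-order path: a hostile value stored safely earlier (say, a bulk import) and
    # later concatenated into a report query, with no HTTP request left to inspect.
    db.execute("INSERT INTO users VALUES (?, ?)", (2, "x' OR 1=1 --"))  # constructed payload
    stored = db.execute("SELECT name FROM users WHERE id = ?", (2,))[0][0]
    out["second_order_blocked"] = db.execute(f"SELECT id FROM users WHERE name = '{stored}'") is None
    out["cef"] = db.events[-1] if db.events else ""
    return out
```

The perimeter check flags the legitimate name and would have nothing to inspect on the second-order path, while the sink hook sees only the assembled statement and emits one CEF event for the real injection.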

Page 36: Application Security on Demand: Micro Focus Security Fortify on Demand

Page 37: Micro Focus Security Fortify on Demand: Application security-as-a-service

Discover: Understanding your application portfolio is the first step to securing it.

Assess: Comprehensive static, dynamic web and mobile testing delivered at the speed of development (thick-client, web, mobile).

Monitor & Protect: Continuously monitor and protect software running in production.

Remediate: Workflows to fix vulnerabilities and manage a successful AppSec program.

Integrate: Securing DevOps through the Fortify Ecosystem integrations and automation.

Educate: Develop secure coding best practices to prevent vulnerabilities before check-in.

Presentation Notes:
Fortify on Demand offers end-to-end application security, delivered as a service. Through a centralized, cloud-based platform, companies can manage risk across their entire application security portfolio, beginning with discovery of web applications. Discover, Assess, Remediate, Integrate (automate), Educate (part of DevOps), Monitor – Drop Protect? The solution employs Fortify scanning technologies (WebInspect for dynamic scans and Static Code Analyzer for static scans) along with manual review and false positive removal. Fortify on Demand differentiates: it is a simple, easy, quick, flexible and scalable way to run an AppSec program without having to install or manage any software. FOD is an extension of your security team. Some of the features and benefits of Fortify on Demand are: Get started in one day – customers just log in, create an application and upload their code or point us to their URL; no lengthy procurement, approvals or deployments. Grows with the business – Fortify on Demand scales to meet the needs of the business, with the flexibility to migrate easily and quickly to the Fortify on-premise solution. Backed by a large team – MIs the human reviewer who is responsible for verifying results in a web-based interface/dedicated portal; no additional fee, it comes with the service. Easy to manage: no hardware, no software, no maintenance. Fast: static results typically in less than 24 hours.
Page 38: Micro Focus Security Fortify on Demand: Features and Benefits

• Accurate, comprehensive scan results

• Easy to use management platform

• Get started in one day

• 24/7 personalized support

• Flexible delivery

Page 39: Cloud-based Portal: Single interface to manage your entire application security program

Easily identify and prioritize where to take action. Customize your data view with application attributes you define (business unit, region, etc.).

Each application is rated on a scale from 1 to 5. A rating of 1 means the application has critical vulnerabilities, while 5 means it’s secure. You decide the appropriate criticality levels for your business.

Easily track which of your applications are passing or failing your security policy.

Presentation Notes:
In addition to our testing technologies, Fortify on Demand also provides the security intelligence you need to effectively and definitively resolve the application security problem. Dashboards provide an at-a-glance view of all your application security testing projects; detailed reports ensure that you meet security compliance; collaboration and recommendation tools help developers be more productive. Dashboard elements: new/existing issues; open and closed issues; average days to close; criticality (customized); filter by region or business unit; most common issues; star rating (1 bad, 5 secure); trending information; challenge/identify a vulnerability as a false positive with the TAM; compliance (pass/fail policy tab).
Page 40: Seamless Integrations: Connect the development, operations and security ecosystem

Build Servers: Jenkins, TFS, Bamboo, Team City, etc.

Developer IDEs: Eclipse, Visual Studio

Fortify SSC

Application Defender

API & Data Export

Custom: GRC tools, BI tools, etc.

Open Source: Sonatype, Fortify Open Review

Network Scanners: Nessus, Qualys, Rapid7, Tripwire

Defect Management: Micro Focus ALM / QC, JIRA, etc.

WAFs: Imperva, F5, Citrix, Barracuda, Radware, Fortinet, TippingPoint

Integration flows shown on the diagram: Automated Static Scans; Upload & Remediate; Security & License Risk; Remediate; Virtual Patch; Network Risk

Page 41: Fortify Professional Services

Page 42: Micro Focus Security Fortify Professional Services: Adding professional services can help you close the loop on application security

Detecting Vulnerabilities; Analyzing Results; Tuning Technology; Fixing Applications

HP Professional Services: Assistance making application security tools and processes work the way you need them to.

• Tuned Rules

• Customized Rules

• Security Policy Applied

• Prioritized Findings

• Automation / DevOps

• False Positive Removal

Presentation Notes:
- SSA Assessment
- Security Training
- Quickstart program to get you up and running
- Product training / install / config / usage
- AppSec Resident – on site
Page 43: Micro Focus Security Fortify Professional Services Offerings

Quick Start Programs

• Fortify and WebInspect – Application security consultants build Fortify or WebInspect into the SDLC of your selected pilot application, audit the results, and train your team for success.

• Fortify on Demand – We’ll help you build an effective process on-site around the security testing services that will allow you to make the most of your static and dynamic scan results, including a tailored vulnerability training class to help you get started on the road to remediation.

Framework Software Security Assurance (SSA) Assessment – A two-week engagement designed to assess your organization’s SSA maturity and develop a roadmap that you can use to build a successful software assurance program.

Application Security Residents – Do you need a long-term application security subject matter expert? We can provide experienced SMEs for both static and dynamic analysis.

On-site Managed Service – We can build and/or manage your software assurance program, providing the people, processes, and technology to make you successful.

Page 44: Protect your digital enterprise at scale

Map locations: Texas, UK, Australia, Toronto, Virginia, Costa Rica, Germany, Bulgaria, Malaysia, India

Technology; Consulting; Managed Services

10 managed global SOCs

42 business continuity and recovery centers

5000+ security professionals

Leader: managed security services (Forrester)

Leader: SIEM (Gartner)

Leader: data security (Gartner)

Visionary: application security and network access control (Gartner)

Presenter
Presentation Notes
Only Micro Focus has the scale and breadth of expertise to protect global enterprise and governments. To help you disrupt your adversaries, we position you to hinder adversary attacks with real-time threat disruption like self-healing security technology based on expert, crowd-sourced security intelligence. This increases your security’s effectiveness and protects data from external and internal theft. To help you understand, manage, and reduce risks, HP security consulting has 5,000 security industry specialists, providing initial security assessments, security transformation programs and full environment management. HP’s scale also gives us a unique understanding of your legal and regulatory requirements—so we always have the services you need to stay in compliance. And by extending your capabilities through our managed security services, you get ahead of threats and avoid costly non-compliance consequences. In fact, 92% of our clients’ major incidents are resolved within 2 hours of identification with HP Managed Security Services.
Page 45: Fortify Ecosystem

Page 46: Fortify Ecosystem

Fortify solutions (Secure Development; Security Testing; Continuous Monitoring and Protection) connect through REST APIs with Swagger to DevOps & third party tools:

Requirements & issues: ALM Octane, JIRA, Bugzilla

Build servers: Jenkins, Bamboo, VSTS/TFS

Build tools: Gradle, ANT, Maven

Security: Vuln Mgmt, SIEM, WAFs

IDEs: Eclipse, Visual Studio, IntelliJ, Xcode/AS

Open Source: Sonatype, Black Duck, Fortify Open Rev.

Configuration automation: Chef, Puppet, Octopus

Containers: Docker, ‘Dockerized Security’

Cloud: Azure, AWS

Communication/ChatOps

Code repositories & apps: Micro Focus LiveNet, GitHub, SVN

microfocus.com/software/fortifyecosystem

Page 47: Build Server integration: SCA with Microsoft VSTS

• Native in MSFT VSTS, no installation required

• Integrates with CI/CD DevOps processes

Page 48: For more information:

https://software.microfocus.com/en-us/solutions/application-security