Web Application Security: HP and OutSystems to The Rescue


Description: An overview of new security capabilities provided by the OutSystems Platform.

Transcript of Web Application Security: HP and OutSystems to The Rescue

Page 1: Web Application Security: HP and OutSystems to The Rescue

© 2001-2013 OutSystems - All rights reserved

Web Application Security: HP & OutSystems to the Rescue!

João Portela / Nuno Antunes, feat. Jaume Ayerbe (HP)

http://bit.ly/webappsecurity

www.outsystems.com

Page 2: Web Application Security: HP and OutSystems to The Rescue


Application Security: Why should you care about it?

Jaume Ayerbe

HP Enterprise Security Products

@j_ayerbe

Page 3: Web Application Security: HP and OutSystems to The Rescue


Networks / Hardware: Security Measures
• Switch/Router security
• Firewalls
• NIPS/NIDS
• VPN
• Net-Forensics
• Anti-Virus/Anti-Spam
• DLP
• Host FW
• Host IPS/IDS
• Vuln. Assessment tools

Hackers are targeting applications

Page 4: Web Application Security: HP and OutSystems to The Rescue


Applications:
• Intellectual Property
• Customer Data
• Business Processes
• Trade Secrets

Page 5: Web Application Security: HP and OutSystems to The Rescue


Today’s approach: expensive, reactive

1. Somebody builds insecure software
2. IT deploys the insecure software
3. We are breached or pay to have someone tell us our code is insecure
4. We convince & pay the developer to fix it

Page 6: Web Application Security: HP and OutSystems to The Rescue


Why it doesn’t work

After an application is released into Production, it costs 30x more than during design.

30x more costly to secure in production (Source: NIST)

[Chart: Cost (y axis: 2X, 5X, 10X, 15X, 30X) by phase: Requirements, Coding, Integration/component testing, System testing, Production]

Page 7: Web Application Security: HP and OutSystems to The Rescue


HP Fortify Security Center
• Protects business critical applications from advanced cyber attacks by removing security vulnerabilities from software
• Accelerates time-to-value for achieving secure applications
• Increases development productivity by enabling security to be built into software, rather than added on after it is deployed
• Delivers risk intelligence from application development to improve operational security

Identifies and eliminates risk in existing applications and prevents the introduction of risk during application development, in-house or from vendors.

In-house | Outsourced | Commercial | Open source

Page 8: Web Application Security: HP and OutSystems to The Rescue


How HP Fortify can help

1. Use SCA (Static Code Analyzer) to ensure that every single line of code is developed securely, whether internal or from a 3rd party, and whether built for on-premise, the cloud or mobility.
2. Use WI (WebInspect) to simulate attacks against web applications. WI can identify any SQL Injection opportunities from any poorly coded web application software.
3. Use SSC (Software Security Center) to build security into the software in development and production from the ground up.

Page 9: Web Application Security: HP and OutSystems to The Rescue


Applications Security


Page 10: Web Application Security: HP and OutSystems to The Rescue


OutSystems Platform Security Overview

OutSystems Platform Generated Applications:
• Access: HTTPS/SSL; Internal Network; Controlled Attack Surface Exposure
• Authentication: Integrated Authentication; Centralized Security Governance
• Data & Logic: SQL/Code Injection Prevention; Data Encryption; Automatic Security Exception Handling

Page 11: Web Application Security: HP and OutSystems to The Rescue


What's New?

Page 12: Web Application Security: HP and OutSystems to The Rescue


OutSystems Platform Security: What’s New?

HP Fortify is now part of our quality assurance process

Page 13: Web Application Security: HP and OutSystems to The Rescue


OutSystems Platform Security: Systematic code security testing

[Diagram: Source Control → Build → Regression Tests → Release; HP Fortify (HP Vulnerabilities Rules) → Tests]

Page 14: Web Application Security: HP and OutSystems to The Rescue


What did we find?

Page 15: Web Application Security: HP and OutSystems to The Rescue


OutSystems Platform Security: Findings

Percentage of vulnerability patterns found in the generated applications: less than 7%

Page 16: Web Application Security: HP and OutSystems to The Rescue


OutSystems Platform Security: Acceptance Criteria
• No Critical
• No High
• No Medium

Page 17: Web Application Security: HP and OutSystems to The Rescue


OutSystems Platform Security: Results

[Chart: Issues/Vulnerabilities per 1K Lines of Code (y axis 0 to 0.6; x-axis labels 7.0, 8.0); series: Identified Issues, Not a vulnerability, Resolved vulnerabilities]
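As an added example (not code from the deck, OutSystems or HP Fortify), here is a release gate in Python that applies the acceptance criteria above (no open Critical, High or Medium findings) and reports issue density per 1K lines of code split by audit outcome, as on the results chart. The findings records, their "state" values and the line count are constructed for the example and do not follow any real scanner report format.

```python
"""Release gate modelled on the deck's acceptance criteria (no Critical, High or
Medium findings) and its results metric (issues per 1K lines of code).
Added example, not OutSystems' or HP Fortify's own code: the findings below are
constructed records, not a real scanner report format."""
from collections import Counter

BLOCKING_SEVERITIES = {"Critical", "High", "Medium"}
# Audit states that do not count as open vulnerabilities (the results chart
# separates "Not a vulnerability" and "Resolved vulnerabilities" from open issues).
NON_OPEN_STATES = {"Not a vulnerability", "Resolved"}

# Constructed sample findings: rule category, severity and audit state (assumed fields).
SAMPLE_FINDINGS = [
    {"category": "SQL Injection", "severity": "Critical", "state": "Resolved"},
    {"category": "Cross-Site Scripting", "severity": "High", "state": "Not a vulnerability"},
    {"category": "Path Manipulation", "severity": "Medium", "state": "Open"},
    {"category": "Unreleased Resource", "severity": "Low", "state": "Open"},
]


def open_findings(findings):
    """Findings still open after audit/triage."""
    return [f for f in findings if f["state"] not in NON_OPEN_STATES]


def blocking_findings(findings):
    """Open findings whose severity violates the acceptance criteria."""
    return [f for f in open_findings(findings) if f["severity"] in BLOCKING_SEVERITIES]


def density_per_kloc(findings, lines_of_code):
    """Issues per 1K lines of code, keyed like the series on the results chart."""
    if lines_of_code <= 0:
        raise ValueError("lines_of_code must be positive")
    kloc = lines_of_code / 1000
    by_state = Counter(f["state"] for f in findings)
    return {
        "Identified Issues": len(findings) / kloc,
        "Not a vulnerability": by_state["Not a vulnerability"] / kloc,
        "Resolved vulnerabilities": by_state["Resolved"] / kloc,
    }


def release_gate(findings, lines_of_code):
    """Return (passed, report): any blocking finding fails the release."""
    blocking = blocking_findings(findings)
    report = {
        "density": density_per_kloc(findings, lines_of_code),
        "blocking": [(f["category"], f["severity"]) for f in blocking],
    }
    return (len(blocking) == 0, report)


if __name__ == "__main__":
    passed, report = release_gate(SAMPLE_FINDINGS, 20_000)
    print("PASS" if passed else "FAIL", report)
```

With the sample data the gate fails on the open Medium finding; marking it Resolved makes the same data pass while the Low finding stays open.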

Page 18: Web Application Security: HP and OutSystems to The Rescue


Bottom line

Page 19: Web Application Security: HP and OutSystems to The Rescue


Systematic testing of security vulnerabilities
+ Aggressive acceptance criteria enforced
+ Continuous monitoring and improvement
= Applications Security Under Control

Page 20: Web Application Security: HP and OutSystems to The Rescue


Takeaways


Page 21: Web Application Security: HP and OutSystems to The Rescue


#1 Security is not optional and should be addressed early

Page 22: Web Application Security: HP and OutSystems to The Rescue


#2 OutSystems Platform’s generated code is inherently secure and under control

Page 23: Web Application Security: HP and OutSystems to The Rescue


Code Security Process: Traditionally

Always start from scratch: New Application → you test it → you fix it → New secured Application; then the same again for Another Application.

Page 24: Web Application Security: HP and OutSystems to The Rescue


Code Security Process: With the OutSystems Platform

New Application → you test it → we fix it via security patch → New secured Application. All your applications are fixed.

Page 25: Web Application Security: HP and OutSystems to The Rescue


#3 You benefit from the same security level that our most heavily regulated customers need to comply with

Page 26: Web Application Security: HP and OutSystems to The Rescue


#4 The cost to deliver secure web applications is compressed

Page 27: Web Application Security: HP and OutSystems to The Rescue


Thank You

http://bit.ly/webappsecurity

www.outsystems.com