2. HP Application Security Center
Part of the industry’s most comprehensive IT management portfolio
Business outcomes (diagram of the HP Software portfolio in three columns)
• STRATEGY: Project & Portfolio Management Center; CIO Office; CTO Office
• APPLICATIONS: Quality Management (Quality Center, Performance Center, Application Security Center, SOA Center); SAP, Oracle, SOA, J2EE, .Net
• OPERATIONS: Business Service Management (Business Availability Center, Operations Center, Network Management Center); Business Service Automation (Operations Orchestration, Client Automation Center, Data Center Automation Center, Network Automation Center); IT Service Management (Service Management Center); Universal CMDB
4. Security Risks have never been greater
Everything has evolved (diagram: attacks, drivers and regulation plotted over time)
• Attacks: loose collaboration among groups; individual gain; individual fame
• Drivers: reliance on web-based systems for business transactions; increase in data breaches, online fraud and online attacks
• Regulation: internal measures; wide variety of regulations by industry and geography; variety of regulations under development; regulations begin to come into force; new ones under development
5. The Risks are Real
(Collage of news headlines)
• PCI deadline looming: PCI Requirement 6.6 becomes effective on June 30, 2008; requires web sites to be scanned for vulnerabilities or protected
• Hannaford Grocer hit by computer breach: chain says intrusion may expose 4.2m cards; 1,800 fraud cases seen
• Obama web site hacked: hacker redirects Obama's site to hillaryclinton.com using cross-site scripting vulnerability
• Web 2.0 vulnerable: MySpace site shut down by JavaScript worm exploit
• CardSystems out of business: hack went on for 2 years, 40 million records stolen; company now out of business
• Hackers move from hobbyists to professionals
6. Cross-Site Scripting (XSS)
• Attacker injects a script in your browser via a vulnerable web application.
− Normally due to faulty input or output validation
• This script accesses information in your browser
− Installs a web keylogger, steals cookies, etc.
7. XSS example
<script type="text/javascript">alert('hello');</script>
11 December 2008
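The "faulty output validation" from the XSS slide, as an added example that is not part of the HP deck: a page-rendering function that reflects a query string verbatim beside one that HTML-encodes it at render time, using the slide 7 payload as constructed input. Function and constant names are hypothetical.

```javascript
// Added example (not from the HP slides): how faulty output validation lets the
// slide 7 payload execute, and how context-aware HTML encoding stops it.
// Models a server building a "search results" page as a string.

// Vulnerable: the query parameter is reflected into the HTML unchanged, so a
// value containing markup is parsed by the browser as markup.
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Output encoding for HTML element and quoted-attribute contexts: every
// character that could alter the parse state becomes an entity, so the browser
// treats the whole value as text. Applied at render time, not at input time,
// because the same stored value may later be emitted into a different context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: same page, with the value encoded in both places it appears
// (element body and a double-quoted attribute).
function renderSafe(query) {
  const q = escapeHtml(query);
  return `<p>Results for: ${q}</p><input type="text" name="q" value="${q}">`;
}

// Defensive check a QA suite can run over rendered output: is there a live
// <script> start tag anywhere in the markup? (Only the tag the slides discuss.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs: the slide 7 payload and an ordinary search term
// whose apostrophe and ampersand must survive encoding as readable text.
const SLIDE_PAYLOAD = '<script type="text/javascript">alert(\'hello\');</script>';
const ORDINARY_QUERY = "O'Reilly & Sons";

// Stand-alone run: report which renderer leaks the tag.
for (const input of [SLIDE_PAYLOAD, ORDINARY_QUERY]) {
  console.log(JSON.stringify(input));
  console.log('  unsafe leaks <script>:', containsScriptTag(renderUnsafe(input)));
  console.log('  safe   leaks <script>:', containsScriptTag(renderSafe(input)));
}
```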
9. MySpace XSS Worm
• 10/04, 12:34 pm: You have 73 friends.
I decided to release my little popularity program. I'm going to be famous...among my friends.
• 1 hour later, 1:30 am: You have 73 friends and 1 friend request.
One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her
inadvertent friend request and go to bed grinning.
• 7 hours later, 8:35 am: You have 74 friends and 221 friend requests.
Woah. I did not expect this much. I'm surprised it even worked.. 200 people have been infected in 8
hours. That means I'll have 600 new friends added every day. Woah.
• 1 hour later, 9:30 am: You have 74 friends and 480 friend requests.
Oh wait, it's exponential, isn't it. Shit.
• 1 hour later, 10:30 am: You have 518 friends and 561 friend requests.
Oh crap. I'm getting messages from people pissed off that I'm their friend when they didn't add me.
I'm also getting emails saying "Hey, how the hell did you get onto my myspace....not that I mind,
you're hot". From guys. But more girls than guys. This actually isn't so bad. The girls part.
• 3 hours later, 1:30 pm: You have 2,503 friends and 6,373 friend requests.
I'm canceling my account. This has gotten out of control.
• 5 hours later, 6:20 pm: I timidly go to my profile to view the friend requests. 2,503 friends.
917,084 friend requests.
I refresh three seconds later. 918,268. I refresh three seconds later. 919,664 (screenshot below).
A few minutes later, I refresh. 1,005,831.
• It's official. I'm popular.
10. The Costs to the Enterprise are Enormous
• Costs incurred for
− Discovery, response, and notification
− Lost employee productivity
− Regulatory fines
− Customer losses
• The total cost* of a data breach ranges from $90 to $305
per compromised record
• Cost of a single breach may run into millions or even
billions of dollars
From scans of over 31,000 sites, over 85% showed a
vulnerability that could give hackers the ability to read, modify
and transmit sensitive data.
-- Web Application Security Consortium
*Forrester Research, “Calculating The Cost Of A Security Breach” April, 2007
11. Applications are the target
(Diagram of the three layers)
• Applications: unprotected and ignored
• Servers: protected by intrusion prevention
• Network: secured by firewall
“75% of hacks happen at the application.”
- Gartner, “Security at the Application Level”
12. Vulnerabilities exist within the apps themselves, so security can’t be “bolted on”
Application teams must bridge the gap
• Security professionals don’t know the applications
• Application developers and QA professionals don’t know security
13. HP Application Security Center
Security for the Application lifecycle
Enterprise application security assurance
• Code: source code validation with DevInspect
• Test: QA testing with QAInspect
• Production: production assessment with WebInspect
• Assessment Management Platform, with continuous updates
• HP Web Security Research Group: enterprise security assurance
− Internal app security research and reporting
− External hacking research
14. DevInspect
Find, Fix and Protect: Accelerate Secure Application Development
Key Benefits
• Find security defects in
development
− Unique Hybrid Analysis technology (Static
Code Analysis + Dynamic Testing) provides
the most accurate results
• Fix Defects Automatically
− HP SecureObjects technology fixes defects,
hardens applications against attack
• Supports most popular web
development languages
− C#, VB.NET, Java
• Integrations with leading IDEs
− Microsoft Visual Studio (2005, and 2008)
− IBM Rational Application Developer
− Eclipse
15. HP QAInspect
Automated security testing for quality assurance teams and engineers
Key benefits
• Automated Security Defect discovery
− Automatically finds and prioritizes
security defects in a Web application
• Integrated with Quality Center
− Manage security testing within existing
QM methodology
− Correct security defects early in
application lifecycle
• Lower Application Risk
− Ensures compliance with government
regulations
− Less exposure to application downtime
• Targeted Security Testing
− Holistic or targeted application security
tests depending upon requirements
• Built in Knowledgebase
− Built-in Security Expertise combines
daily updates of vulnerability checks
with unique intelligent engines.
− Comprehensive defect information and
remediation advice about each
vulnerability
16. HP WebInspect
For Security Professionals and Advanced Security Testers
Key Benefits
• Find security defects during production or
before you go live
− Determine the current security status of
your web or web service applications
− Remediation advice for Development, QA
and Operations
• Accelerate Regulatory Compliance
− Includes reports for more than 20 laws,
regulations, and best practices, like SOX,
HIPAA, PCI
• Support for the latest web technologies
− Supports the latest AJAX and JavaScript
rich internet applications
• Advanced Security Toolkit
− Highly automated while allowing hands-on
control
− Advanced toolkit for penetration testers
• Create customized reports and policies
− Custom checks, report templates, policies,
compliance reports
17. HP Assessment Management Platform
Assess and manage application security risk across the enterprise
Key Benefits
• Controlled Visibility
− Centralize all application security data
− View and report on assessments
conducted anytime by anyone
− Strict access control of sensitive data
• Scalability
− Multi-scanner arrays amplify existing
personnel to scan more systems faster
• Managed Self-Service
− Allow low-usage customers to scan
themselves via web portal
• Control Sensitive Security Activities
− Set user permissions, enforce policies
and restrict activities
− DevInspect, QAInspect, AMP Sensors
and WebInspect
SC Awards 2008 winner for “Best Enterprise Security Solution”
18. HP Application Security Center
(Architecture diagram)
Dashboard
Assessment Management Platform: policy and compliance; centralized administration; vulnerability and risk management; alerts and reporting; distributed scanning
• DevInspect: Microsoft Visual Studio, IBM RAD, Eclipse
• QAInspect: HP Quality Center
• WebInspect: production application assessment
Foundation: intelligent engines; hybrid analysis; security toolkit; reporting; SecureBase; SmartUpdate; open APIs
19. Secure your outcome with Application Security Center
A complete application lifecycle solution
• DevInspect’s hybrid analysis ensures code under development is secure
• QAInspect verifies the security of the entire application during QA
• WebInspect provides pre- and post-production application and environment security analysis
• Assessment Management Platform enforces security policies and manages activities across the lifecycle
20. What Do We Check for
Data injection and manipulation attacks
• Reflected cross-site scripting (XSS)
• Persistent cross-site scripting (XSS)
• Cross-site request forgery
• SQL injection
• Blind SQL injection
• Buffer overflows
• Integer overflows
• Log injection
• Remote File Include (RFI) injection
• Server Side Include (SSI) injection
• Operating system command injection
• Local File Include (LFI)
Sessions and authentication
• Session strength
• Authentication attacks
• Insufficient authentication
• Insufficient session expiration
• Spam gateway detection
• Brute force authentication attacks
• Known application and platform vulnerabilities
Server and general HTTP
• Secure Sockets Layer (SSL) certificate issues
• SSL protocols
• SSL ciphers
• Server misconfiguration
• Directory indexing and enumeration
• Denial of Service (DoS)
• HTTP response splitting
• Encoding attacks
• Windows 8.3 file name
• DOS device handle DoS
• Canonicalization attacks
• URL redirection attacks
• Password autocomplete
• Cookie security
• Custom fuzzing
• Path manipulation (traversal)
• Path truncation
• Ajax auditing
• WebDAV auditing
• Web services auditing
• File enumeration
• Information disclosure
• Directory and path traversal
21. Compliance Manager: Addresses the Following Best Practices and Legal Regulatory Initiatives:
• Health Insurance Portability and Accountability Act (HIPAA)
• Federal Information Security Management Act (FISMA)
• North America Electric Reliability Council (NERC)
• California Online Privacy Protection Act
• Safe Harbor
• Payment Card Industry (PCI) Data Security Policy
• UK Data Protection Act
• Basel II
• ISO 17799
• OWASP top 10
• California SB1386
• Gramm-Leach Bliley Act (GLBA)
• Sarbanes-Oxley Act, Section 404
• 21CFR11
• NIST 800-53
• Director of Central Intelligence Directive 6/3 (DCID)
• Children’s Online Privacy Protection Act (COPPA)
• Japan Personal Information Protection Act (JPIPA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
22. HP Web Security Research Group
• Formerly known as SPI Labs
• Industry leading research group focused on the latest web security vulnerabilities and technologies
• Ensures that the latest vulnerability updates are delivered within 24 hours of their discovery to your desktop using HP SmartUpdate
23. HP Application Security Services
HP Application Security Services can help you jumpstart your
Application Security programs and see results quickly
24. The HP difference
Application Security Center leadership
Used by the world’s leading companies*
• 5 of the top 6 banks
• 5 of the top 6 diversified financials
• 3 of the top 4 food markets
• 4 of the top 6 insurance companies
• 5 of the top 7 overall
Award winning
• SC Magazine awarded ASC and AMP 2008 winner for “Best Enterprise Security Solution”
Accelerates the process of managing your application risk
• “Reduced the security validation cycle for the critical web applications from one week to one hour” - Jes Beirholm, End2End
* Forbes Global 2000
25. JC Penney
On-Line Retailer
“I can’t say enough good things about WebInspect. It’s an incredible tool. It’s unbelievably fast. And it’s so much more accurate than anything else that we’ve tried.”
Security Engineer for intrusion prevention team
Objective
• Required to comply with Payment Card Industry (PCI) Standard
• Manual web application assessments were too expensive and time consuming
Approach
• Began using HP WebInspect for automated assessments
• Used HP Assessment Management Platform to build an enterprise-wide secure web application development lifecycle
• Purchased HP DevInspect to help developers build secure applications
Results
• Complete web application assessments in hours, not days or weeks
• Rapid assessment enables continuous compliance with PCI DSS and other regulations
26. Sony Pictures
Global Entertainment Company
“The key has been our ability to gain security visibility into the development and quality assurance processes, and express quality in terms of actionable security defects that need to be fixed.”
VP of Enterprise Architecture and Planning
Objective
• Coordinate 25 development teams across eight business units
• Needed an easily managed, quick-to-deploy, accurate web application vulnerability scanner
• Needed to promote collaboration across the company’s development, security, audit, & management teams
Approach
• Implemented HP WebInspect and HP QAInspect for HP Quality Center
• Integrated security testing with existing quality assurance processes and activities
• Automated web application security testing from within HP Quality Center using HP QAInspect
Results
• Maintained fast-moving production schedule
• Enabled QA & dev teams to standardize the defect management process
• Helped ensure compliance with Sarbanes-Oxley & privacy laws from other countries
27. Hewlett-Packard
Global Technology Company
HP is a technology solutions provider to consumers, businesses and institutions globally. The company’s offerings span IT infrastructure, global services, business and home computing, and imaging & printing.
Objective
• Reduce risk to the business by meeting the demand of scanning thousands of applications a year
• Assist the application developer community with embedding security throughout the system development life cycle, which in turn helps with creating secure applications
Approach
• By implementing the HP Assessment Management Platform, HP was able to integrate security testing into existing go-live processes
• HP used the AMP WebServices API to integrate AMP with existing systems and automate assessment configuration
Results
• Significantly reduced the risk to the business by allowing all applications to receive a security assessment before going live
• Fewer security defects: applications launched without any significant security defects
• Integrated security testing has become a core part of the application deployment process for all of HP
28. Key things to remember
• Web Security Risk has never been greater
• The ASC is an integrated solution for the entire application security lifecycle
• Scales from small teams to the entire organization
32. HP Software approach to Application quality management
(Diagram: the real application lifecycle)
• Phases: Strategy, Plan, Define/design, Develop/test, Launch, Operate
• Strategic control points: demand management, portfolio mapping, requirements management, end-user impact, business change validation
• Portfolio lifecycle mgmt.: projects and programs, new deployment, fix/patch, minor release, demand
• Full quality process and accelerated quality process
Three pillars of quality: Does it work? FUNCTIONALITY; Does it perform? PERFORMANCE; Is it secure? SECURITY
33. Integrating Security Into the Quality Process
Align with management and stakeholders
(Diagram: swim lanes from Strategy/Requirements and Demand Management through Risk-Based Test Management, Test Planning and Execution and Go/No Go to Operations)
• Strategic demand (new apps, new services, integrations) and operational demand (defects, enhancements, change requests) feed the business, functional, performance, security and other non-functional requirements
• Enterprise Architecture policies, security/privacy policies, compliance requirements, threat model and attack surface analysis feed the security requirements
• Risk-based test management: assess and analyze risk, establish priorities, create test plans
• Test planning and execution: create manual test cases and execute functional tests; automate regression test cases; create performance scripts and scenarios and execute them; identify and customize security scans and execute them, using Hybrid Analysis (dynamic analysis / black box testing plus static analysis)
• Operations: connect to production, integrate with demand, production monitoring, execute tests and diagnose and resolve problems, service desk
• Teams: Quality Teams, Operational, Business Risk management, Security Teams, Developers
• Defect management underpins the whole process