“As threats become more mature and
more technically sophisticated, HP
Fortify software helps us stay ahead
of the game by assuring that all
known vulnerabilities are patched or
prevented. The HP Fortify solution
helps us address all possible
vulnerabilities before we make an
application available to travel agents
or the Web at large.”
–Ariel Silverstone, Information Security Director, Travelport
Travelport, a global provider of software solutions for travel
agencies, corporations, and travel suppliers, turned to HP
Fortify to battle the security threats that come with the growth
in mobile and cloud computing technologies. HP Fortify Static
Code Analyzer (SCA) helps save the company approximately
$18 million a year, while improving the security of its software
by a factor of 3.5.
Case study
Spanning the Globe
Travelport Protects the Traveling Public with HP Fortify SCA
Industry
Travel and leisure
Objective
Improve application security to insure against
growing threats caused by mobile and cloud
computing technologies.
Approach
HP Fortify Static Code Analyzer (SCA) helps save the
company approximately $18 million a year, while
improving the security of its software by a factor of
3.5.
IT matters
•	Enhances application security by a factor of 3.5,
reducing vulnerabilities by more than 70%
•	Limits false positives to less than 3%
•	Easily handles a high volume of application code
Business matters
•	Provides double digit annual savings in PCI audit
costs
•	Enables Travelport to hold externally developed
code to the same high standard as in-house
applications
•	Supports more programming languages than any
other solution in the market
Case study | Travelport
Travelport is focused on helping travel
companies and corporations deliver the
exceptional experience demanded by today’s
traveling public. The company operates three
key businesses, representing a diverse and
widely recognized group of leading brands,
technologies, and services: Travelport Global
Distribution Systems, Travelport Airline IT
Solutions™, and GTA™, a world leader in the
provision of ground travel products and
services. Travel agencies, corporations, and
travel suppliers everywhere rely on Travelport
solutions to drive productivity, lower costs,
and serve travelers globally. In turn, Travelport
depends on a robust software security
assurance program—of which HP Fortify
Static Code Analyzer (SCA) software is a key
component—to ensure that its customers can
trust the valuable applications it delivers.
Travelport applications are as diverse as
the global community they serve, ranging
from schedule and fare search programs to
hotel, car, and cruise reservation software.
Applications are developed in 14 different
languages (including .NET, Java, COBOL, and
variations of C) by the company’s distributed
staff of approximately 2,000 developers.
Challenges and benefits
Ariel Silverstone is Information Security
Director at Travelport. His organization
creates, manages, tests, and trains with regard
to the whole gamut of information security
and data protection solutions for Travelport
and its customers. It ensures compliance with
every facet of local and global rules, laws,
and regulations, including European Union
directives, Safe Harbor, Sarbanes-Oxley, and
the Payment Card Industry Data Security
Standard (PCI–DSS).
Says Silverstone: “We have several major
challenges. The first is to protect the privacy
of our customers. Secondly, we must not
allow fraudulent travel to occur using our
systems.” The growth in mobile and cloud
computing technologies, which offers a better
experience for the traveling public but makes
security more problematic, represents another
challenge. “As threats become more mature
and more technically sophisticated, HP Fortify
software helps us stay ahead of the game
by assuring that all known vulnerabilities are
patched or prevented,” Silverstone continues.
“The HP Fortify solution helps us address all
possible vulnerabilities before we make an
application available to travel agents or the
Web at large.”
HP Fortify technology also benefits Travelport
financially. “We have an aggressive software
release schedule, and we were paying PCI
auditors to review our code up to six or seven
times a year,” says Silverstone. “By bringing
most of this work in-house with HP Fortify
SCA, our mathematical analysis shows that
we are saving the company approximately $18
million a year, while improving the security
of our software by a factor of 3.5.” In other
words, Travelport has reduced the number
of vulnerabilities by more than 70 percent
since starting to use HP Fortify SCA on a
regular basis. This enables the company to
deliver online capabilities (e.g., the secure
purchase of tickets) that previously would have
been considered too risky from a customer
perspective.
Fully integrated in the lifecycle
Silverstone first learned about the HP Fortify
solution when he noticed that some of his PCI
auditors were using it. “I clearly understood
what the possibilities were, and I acted on
that,” he says. “I did look at several other
solutions, including Veracode. HP Fortify
supported a far larger set of languages, and
the seat-based HP Fortify pricing model was
preferable to Veracode’s megabyte-based
approach. I also talked with other high-
transaction users outside the travel industry,
and they all said very good things about the
performance and results they had achieved
with HP Fortify software.”
HP Fortify SCA is fully integrated into the
software development lifecycle at Travelport.
When a build is ready to be promoted to
production, it must go through quality and
security testing in parallel. The development
leads ask Information Security to review the
code, which is presented via a secure form,
scheduled in the lab, and tested within seven
business days. The findings are prioritized
and then submitted to the requesting group
and the relevant vice president. Information
Security requests a mitigation plan and does
not approve the production load until the
application has been properly remediated.
According to Silverstone, HP Fortify technology
is a key part of Travelport’s long-term strategic
vision. “Our goal is to deliver applications
that protect the data of both our travel agent
customers and our joint customers, the
traveling public,” he says. “The HP Fortify
solution is a very important element in this
entire effort. It helps us create more robust,
more secure software—and frankly, it makes
the software easier and cheaper to fix.” To
date, more than 300 applications have been
scanned using HP Fortify SCA.
Low false positives
Travelport got the HP Fortify solution up and
running quickly, and the results have exceeded
expectations. “We are especially pleased with
the low false positive rate,” says Silverstone.
“False positives are the kiss of death to any
testing solution. We were anticipating false
positives in the 80 percent range, but we’re
actually seeing less than 3 percent. We’ve also
been pleased with HP Fortify’s ability to work
in parallel and real time with our other testing
processes. HP Fortify software has proven to
be robust and reliable in memory utilization
environments as high as 10GB.” Additionally,
Silverstone believes Travelport’s use of HP
Fortify technology has resulted in greater
productivity, because developers are writing
more secure code and therefore do not need to
go through as many security test cycles.
HP Fortify has delivered another important
benefit to Travelport: A way to hold externally
developed code to the same high standard
as applications that are developed in-house.
“We test third-party code before acceptance,”
says Silverstone. “When we find the code is
insufficiently secure—which we can now prove
using HP Fortify SCA—we can request that
the external developers fix it at no cost to us,
based on our contractual agreement. Before,
we would have to pay them to fix it. We are
strongly recommending that all of our external
developers acquire HP Fortify software, and
I frequently recommend the solution to my
peers in the industry as well.”
HP Services has been a highly effective part
of the complete HP Fortify solution. “The
services team is extremely knowledgeable and
professional,” says Silverstone. “We had one
case in which we needed an answer right then
and there; they called us within 10 minutes.
We’re very happy with them.” Silverstone was
also happy with the training provided by HP
Services. “It was very good. They answered all
our questions, even when we went deep into
the technical realm.”
Gaining competitive advantage
Moving forward, Travelport is considering
the deployment of HP Fortify software
earlier in the development lifecycle and more
pervasively throughout the organization.
“HP Fortify is a very important technology
partner, one that contributes significantly to
the success of our business as an IT company
in the travel world,” says Silverstone. “From a
business perspective, HP Fortify helps us gain
competitive advantage, thanks to the secure
software we release. With HP Fortify software
as part of our overall process, I am confident
that we are generating code that is even more
secure, more robust, and more reviewed and
tested than the travel industry standard.” As a
leader in application security,
Travelport is pushing global organizations in
the travel industry to make security a higher
priority.
“Our overall security program
helps us stay ahead of the
hackers and maintain our
competitive edge. In all of
these critical areas, HP Fortify
technology has played a key
role in Travelport’s continuing
success in the dynamic travel
industry.”
—Ariel Silverstone, Information Security Director,
Travelport
Concludes Silverstone: “So far, we’ve tested
well over 14 million lines of code. We have
saved the company a tremendous amount
of money. We have become an accepted
benchmark and also a guide to security, both
within Travelport and to some degree within
the industry. Our overall security program
helps us stay ahead of the hackers and
maintain our competitive edge. In all of these
critical areas, HP Fortify technology has played
a key role in Travelport’s continuing success in
the dynamic travel industry.”
© 2011, 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties
for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
4AA3-6920ENW, October 2013, Rev. 1
About Travelport
Travelport helps travel agencies and
corporations deliver the exceptional
experience demanded by today’s traveling
public. The company connects buyers and
sellers of travel in 160 countries and books
over 295 million air segments annually.
Processing up to 1.6 billion messages per day,
Travelport serves more than 60,000 travel
agencies, 420 airlines, and 88,000 hotel
properties.
About HP Enterprise Security:
HP is a leading provider of security and
compliance solutions for modern enterprises
that want to mitigate risk in their hybrid
environments and defend against advanced
threats. Based on market leading products
from ArcSight, Fortify, and TippingPoint, the
HP Security Intelligence and Risk Management
(SIRM) Platform uniquely delivers the
advanced correlation, application protection,
and network defense technology to protect
today’s applications and IT infrastructures
from sophisticated cyber threats. Visit HP
Enterprise Security at:
hpenterprisesecurity.com.
Customer at a glance:
Applications
Solutions for the global travel industry
Software
•	HP Fortify Static Code Analyzer
HP Services
•	Ongoing technical support
•	In-depth solution training

Contenu connexe

En vedette

Hp Fortify Pillar
Hp Fortify PillarHp Fortify Pillar
Hp Fortify PillarEd Wong
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Poster Analysis Source Code
Poster Analysis Source CodePoster Analysis Source Code
Poster Analysis Source Codekirstysals
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixDenim Group
 
Hp Fortify Cloud Application Security
Hp Fortify Cloud Application SecurityHp Fortify Cloud Application Security
Hp Fortify Cloud Application SecurityEd Wong
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenVirtual Forge
 

En vedette (8)

Hp Fortify Pillar
Hp Fortify PillarHp Fortify Pillar
Hp Fortify Pillar
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Poster Analysis Source Code
Poster Analysis Source CodePoster Analysis Source Code
Poster Analysis Source Code
 
Optimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFixOptimizing Your Application Security Program with Netsparker and ThreadFix
Optimizing Your Application Security Program with Netsparker and ThreadFix
 
Hp Fortify Cloud Application Security
Hp Fortify Cloud Application SecurityHp Fortify Cloud Application Security
Hp Fortify Cloud Application Security
 
use case point estimation
use case point estimationuse case point estimation
use case point estimation
 
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP InstallationenABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
ABAP Qualitäts-Benchmark: Eine Analyse von über 200 SAP Installationen
 

Plus de Satya Harish

Workday-hrtechnologyconferencedebihirshlagflextronics
Workday-hrtechnologyconferencedebihirshlagflextronicsWorkday-hrtechnologyconferencedebihirshlagflextronics
Workday-hrtechnologyconferencedebihirshlagflextronicsSatya Harish
 
WorkDay-surviving and thriving in a world of change
WorkDay-surviving and thriving in a world of changeWorkDay-surviving and thriving in a world of change
WorkDay-surviving and thriving in a world of changeSatya Harish
 
Book scrum tutorial
Book   scrum tutorialBook   scrum tutorial
Book scrum tutorialSatya Harish
 
O - Oracle application testing suite test starter kits for oracle e business ...
O - Oracle application testing suite test starter kits for oracle e business ...O - Oracle application testing suite test starter kits for oracle e business ...
O - Oracle application testing suite test starter kits for oracle e business ...Satya Harish
 
Book HH - SQL MATERIAL
Book   HH - SQL MATERIALBook   HH - SQL MATERIAL
Book HH - SQL MATERIALSatya Harish
 
Book HH- vb2008me preview
Book   HH- vb2008me previewBook   HH- vb2008me preview
Book HH- vb2008me previewSatya Harish
 
Book HH- vb6 preview
Book   HH- vb6 previewBook   HH- vb6 preview
Book HH- vb6 previewSatya Harish
 
G03.2014 Intelligent Business Process Management Suites
G03.2014   Intelligent Business Process Management SuitesG03.2014   Intelligent Business Process Management Suites
G03.2014 Intelligent Business Process Management SuitesSatya Harish
 
G05.2013 Critical Capabilities for SIEM
G05.2013   Critical Capabilities for SIEMG05.2013   Critical Capabilities for SIEM
G05.2013 Critical Capabilities for SIEMSatya Harish
 
G07.2013 Application Security Testing
G07.2013   Application Security TestingG07.2013   Application Security Testing
G07.2013 Application Security TestingSatya Harish
 
G05.2015 Secure Web Gateways
G05.2015   Secure Web GatewaysG05.2015   Secure Web Gateways
G05.2015 Secure Web GatewaysSatya Harish
 
G11.2013 Application Development Life Cycle Management
G11.2013   Application Development Life Cycle ManagementG11.2013   Application Development Life Cycle Management
G11.2013 Application Development Life Cycle ManagementSatya Harish
 
G10.2013 Application Delivery Controllers
G10.2013   Application Delivery ControllersG10.2013   Application Delivery Controllers
G10.2013 Application Delivery ControllersSatya Harish
 
G06.2014 Security Information and Event Management
G06.2014   Security Information and Event ManagementG06.2014   Security Information and Event Management
G06.2014 Security Information and Event ManagementSatya Harish
 
G05.2013 Security Information and Event Management
G05.2013   Security Information and Event ManagementG05.2013   Security Information and Event Management
G05.2013 Security Information and Event ManagementSatya Harish
 
Gartner HH 2015 - 2005 Hype Cycle
Gartner HH   2015 - 2005 Hype CycleGartner HH   2015 - 2005 Hype Cycle
Gartner HH 2015 - 2005 Hype CycleSatya Harish
 
G05.2015 - Magic quadrant for cloud infrastructure as a service
G05.2015 - Magic quadrant for cloud infrastructure as a serviceG05.2015 - Magic quadrant for cloud infrastructure as a service
G05.2015 - Magic quadrant for cloud infrastructure as a serviceSatya Harish
 
G05.2014 - Magic quadrant for cloud infrastructure as a service
G05.2014 - Magic quadrant for cloud infrastructure as a serviceG05.2014 - Magic quadrant for cloud infrastructure as a service
G05.2014 - Magic quadrant for cloud infrastructure as a serviceSatya Harish
 
PERIODIC TABLE OF SEO SUCCESS FACTOR
PERIODIC TABLE OF SEO SUCCESS FACTORPERIODIC TABLE OF SEO SUCCESS FACTOR
PERIODIC TABLE OF SEO SUCCESS FACTORSatya Harish
 

Plus de Satya Harish (20)

Workday-hrtechnologyconferencedebihirshlagflextronics
Workday-hrtechnologyconferencedebihirshlagflextronicsWorkday-hrtechnologyconferencedebihirshlagflextronics
Workday-hrtechnologyconferencedebihirshlagflextronics
 
WorkDay-surviving and thriving in a world of change
WorkDay-surviving and thriving in a world of changeWorkDay-surviving and thriving in a world of change
WorkDay-surviving and thriving in a world of change
 
Book scrum tutorial
Book   scrum tutorialBook   scrum tutorial
Book scrum tutorial
 
O - Oracle application testing suite test starter kits for oracle e business ...
O - Oracle application testing suite test starter kits for oracle e business ...O - Oracle application testing suite test starter kits for oracle e business ...
O - Oracle application testing suite test starter kits for oracle e business ...
 
Qualcomm
QualcommQualcomm
Qualcomm
 
Book HH - SQL MATERIAL
Book   HH - SQL MATERIALBook   HH - SQL MATERIAL
Book HH - SQL MATERIAL
 
Book HH- vb2008me preview
Book   HH- vb2008me previewBook   HH- vb2008me preview
Book HH- vb2008me preview
 
Book HH- vb6 preview
Book   HH- vb6 previewBook   HH- vb6 preview
Book HH- vb6 preview
 
G03.2014 Intelligent Business Process Management Suites
G03.2014   Intelligent Business Process Management SuitesG03.2014   Intelligent Business Process Management Suites
G03.2014 Intelligent Business Process Management Suites
 
G05.2013 Critical Capabilities for SIEM
G05.2013   Critical Capabilities for SIEMG05.2013   Critical Capabilities for SIEM
G05.2013 Critical Capabilities for SIEM
 
G07.2013 Application Security Testing
G07.2013   Application Security TestingG07.2013   Application Security Testing
G07.2013 Application Security Testing
 
G05.2015 Secure Web Gateways
G05.2015   Secure Web GatewaysG05.2015   Secure Web Gateways
G05.2015 Secure Web Gateways
 
G11.2013 Application Development Life Cycle Management
G11.2013   Application Development Life Cycle ManagementG11.2013   Application Development Life Cycle Management
G11.2013 Application Development Life Cycle Management
 
G10.2013 Application Delivery Controllers
G10.2013   Application Delivery ControllersG10.2013   Application Delivery Controllers
G10.2013 Application Delivery Controllers
 
G06.2014 Security Information and Event Management
G06.2014   Security Information and Event ManagementG06.2014   Security Information and Event Management
G06.2014 Security Information and Event Management
 
G05.2013 Security Information and Event Management
G05.2013   Security Information and Event ManagementG05.2013   Security Information and Event Management
G05.2013 Security Information and Event Management
 
Gartner HH 2015 - 2005 Hype Cycle
Gartner HH   2015 - 2005 Hype CycleGartner HH   2015 - 2005 Hype Cycle
Gartner HH 2015 - 2005 Hype Cycle
 
G05.2015 - Magic quadrant for cloud infrastructure as a service
G05.2015 - Magic quadrant for cloud infrastructure as a serviceG05.2015 - Magic quadrant for cloud infrastructure as a service
G05.2015 - Magic quadrant for cloud infrastructure as a service
 
G05.2014 - Magic quadrant for cloud infrastructure as a service
G05.2014 - Magic quadrant for cloud infrastructure as a serviceG05.2014 - Magic quadrant for cloud infrastructure as a service
G05.2014 - Magic quadrant for cloud infrastructure as a service
 
PERIODIC TABLE OF SEO SUCCESS FACTOR
PERIODIC TABLE OF SEO SUCCESS FACTORPERIODIC TABLE OF SEO SUCCESS FACTOR
PERIODIC TABLE OF SEO SUCCESS FACTOR
 

Dernier

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Dernier (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Scaling API-first – The story of a global engineering organization

HP Fortify SCA

  • 1. “As threats become more mature and more technically sophisticated, HP Fortify software helps us stay ahead of the game by assuring that all known vulnerabilities are patched or prevented. The HP Fortify solution helps us address all possible vulnerabilities before we make an application available to travel agents or the Web at large.”
    –Ariel Silverstone, Information Security Director, Travelport

    Travelport, a global provider of software solutions for travel agencies, corporations, and travel suppliers, turned to HP Fortify to battle the security threats that come with the growth in mobile and cloud computing technologies. HP Fortify Static Code Analyzer (SCA) helps save the company approximately $18 million a year, while improving the security of its software by a factor of 3.5.

    Case study
    Spanning the Globe
    Travelport Protects the Traveling Public with HP Fortify SCA

    Industry
    Travel and leisure

    Objective
    Improve application security to insure against growing threats caused by mobile and cloud computing technologies.

    Approach
    HP Fortify Static Code Analyzer (SCA) helps save the company approximately $18 million a year, while improving the security of its software by a factor of 3.5.

    IT matters
    • Enhances application security by a factor of 3.5, reducing vulnerabilities by more than 70%
    • Limits false positives to less than 3%
    • Easily handles a high volume of application code

    Business matters
    • Provides double digit annual savings in PCI audit costs
    • Enables Travelport to hold externally developed code to the same high standard as in-house applications
    • Supports more programming languages than any other solution in the market
  • 2. Travelport is focused on helping travel companies and corporations deliver the exceptional experience demanded by today’s traveling public. The company operates three key businesses, representing a diverse and widely recognized group of leading brands, technologies, and services: Travelport Global Distribution Systems, Travelport Airline IT Solutions™, and GTA™, a world leader in the provision of ground travel products and services.

    Travel agencies, corporations, and travel suppliers everywhere rely on Travelport solutions to drive productivity, lower costs, and serve travelers globally. In turn, Travelport depends on a robust software security assurance program—of which HP Fortify Static Code Analyzer (SCA) software is a key component—to ensure that its customers can trust the valuable applications it delivers.

    Travelport applications are as diverse as the global community they serve, ranging from schedule and fare search programs to hotel, car, and cruise reservation software. Applications are developed in 14 different languages (including .NET, Java, COBOL, and variations of C) by the company’s distributed staff of approximately 2,000 developers.

    Challenges and benefits

    Ariel Silverstone is Information Security Director at Travelport. His organization creates, manages, tests, and trains with regard to the whole gamut of information security and data protection solutions for Travelport and its customers. It ensures compliance with every facet of local and global rules, laws, and regulations, including European Union directives, Safe Harbor, Sarbanes-Oxley, and the Payment Card Industry Data Security Standard (PCI–DSS).

    Says Silverstone: “We have several major challenges. The first is to protect the privacy of our customers. Secondly, we must not allow fraudulent travel to occur using our systems.” The growth in mobile and cloud computing technologies, which offers a better experience for the traveling public but makes security more problematic, represents another challenge.

    “As threats become more mature and more technically sophisticated, HP Fortify software helps us stay ahead of the game by assuring that all known vulnerabilities are patched or prevented,” Silverstone continues. “The HP Fortify solution helps us address all possible vulnerabilities before we make an application available to travel agents or the Web at large.”

    HP Fortify technology also benefits Travelport financially. “We have an aggressive software release schedule, and we were paying PCI auditors to review our code up to six or seven times a year,” says Silverstone. “By bringing most of this work in-house with HP Fortify SCA, our mathematical analysis shows that we are saving the company approximately $18 million a year, while improving the security of our software by a factor of 3.5.”

    In other words, Travelport has reduced the number of vulnerabilities by more than 70 percent since starting to use HP Fortify SCA on a regular basis. This enables the company to deliver online capabilities (e.g., the secure purchase of tickets) that previously would have been considered too risky from a customer perspective.

    Fully integrated in the lifecycle

    Silverstone first learned about the HP Fortify solution when he noticed that some of his PCI auditors were using it. “I clearly understood what the possibilities were, and I acted on that,” he says. “I did look at several other solutions, including Veracode. HP Fortify supported a far larger set of languages, and the seat-based HP Fortify pricing model was preferable to Veracode’s megabyte-based approach. I also talked with other high-transaction users outside the travel industry, and they all said very good things about the performance and results they had achieved with HP Fortify software.”

    HP Fortify SCA is fully integrated into the software development lifecycle at Travelport. When a build is ready to be promoted to production, it must go through quality and security testing in parallel. The development leads ask Information Security to review the code, which is presented via a secure form, scheduled in the lab, and tested within seven business days. The findings are prioritized and then submitted to the requesting group and the relevant vice president. Information Security requests a mitigation plan and does not approve the production load until the application has been properly remediated.

    According to Silverstone, HP Fortify technology is a key part of Travelport’s long-term strategic vision. “Our goal is to deliver applications that protect the data of both our travel agent customers and our joint customers, the traveling public,” he says. “The HP Fortify solution is a very important element in this
  • 3. entire effort. It helps us create more robust, more secure software—and frankly, it makes the software easier and cheaper to fix.” To date, more than 300 applications have been scanned using HP Fortify SCA.

    Low false positives

    Travelport got the HP Fortify solution up and running quickly, and the results have exceeded expectations. “We are especially pleased with the low false positive rate,” says Silverstone. “False positives are the kiss of death to any testing solution. We were anticipating false positives in the 80 percent range, but we’re actually seeing less than 3 percent. We’ve also been pleased with HP Fortify’s ability to work in parallel and real time with our other testing processes. HP Fortify software has proven to be robust and reliable in memory utilization environments as high as 10GB.”

    Additionally, Silverstone believes Travelport’s use of HP Fortify technology has resulted in greater productivity, because developers are writing more secure code and therefore do not need to go through as many security test cycles.

    HP Fortify has delivered another important benefit to Travelport: A way to hold externally developed code to the same high standard as applications that are developed in-house. “We test third-party code before acceptance,” says Silverstone. “When we find the code is insufficiently secure—which we can now prove using HP Fortify SCA—we can request that the external developers fix it at no cost to us, based on our contractual agreement. Before, we would have to pay them to fix it. We are strongly recommending that all of our external developers acquire HP Fortify software, and I frequently recommend the solution to my peers in the industry as well.”

    HP Services has been a highly effective part of the complete HP Fortify solution. “The services team is extremely knowledgeable and professional,” says Silverstone. “We had one case in which we needed an answer right then and there; they called us within 10 minutes. We’re very happy with them.” Silverstone was also happy with the training provided by HP Services. “It was very good. They answered all our questions, even when we went deep into the technical realm.”

    Gaining competitive advantage

    Moving forward, Travelport is considering the deployment of HP Fortify software earlier in the development lifecycle and more pervasively throughout the organization. “HP Fortify is a very important technology partner, one that contributes significantly to the success of our business as an IT company in the travel world,” says Silverstone. “From a business perspective, HP Fortify helps us gain competitive advantage, thanks to the secure software we release. With HP Fortify software as part of our overall process, I am confident that we are generating code that is even more secure, more robust, and more reviewed and tested than the travel industry standard.”

    As a leader in application security, Travelport is pushing global organizations in the travel industry to make security a higher priority.

    “Our overall security program helps us stay ahead of the hackers and maintain our competitive edge. In all of these critical areas, HP Fortify technology has played a key role in Travelport’s continuing success in the dynamic travel industry.”
    —Ariel Silverstone, Information Security Director, Travelport

    Concludes Silverstone: “So far, we’ve tested well over 14 million lines of code. We have saved the company a tremendous amount of money. We have become an accepted benchmark and also a guide to security, both within Travelport and to some degree within the industry. Our overall security program helps us stay ahead of the hackers and maintain our competitive edge. In all of these critical areas, HP Fortify technology has played a key role in Travelport’s continuing success in the dynamic travel industry.”
  • 4. Customer at a glance:
    Applications
    Solutions for the global travel industry
    Software
    • HP Fortify Static Code Analyzer
    HP Services
    • Ongoing technical support
    • In-depth solution training

    About Travelport
    Travelport helps travel agencies and corporations deliver the exceptional experience demanded by today’s traveling public. The company connects buyers and sellers of travel in 160 countries and books over 295 million air segments annually. Processing up to 1.6 billion messages per day, Travelport serves more than 60,000 travel agencies, 420 airlines, and 88,000 hotel properties.

    About HP Enterprise Security:
    HP is a leading provider of security and compliance solutions for modern enterprises that want to mitigate risk in their hybrid environments and defend against advanced threats. Based on market leading products from ArcSight, Fortify, and TippingPoint, the HP Security Intelligence and Risk Management (SIRM) Platform uniquely delivers the advanced correlation, application protection, and network defense technology to protect today’s applications and IT infrastructures from sophisticated cyber threats. Visit HP Enterprise Security at: hpenterprisesecurity.com.

    Sign up for updates: hp.com/go/getupdated

    © 2011, 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
    4AA3-6920ENW, October 2013, Rev. 1