IBM Security Systems
Strengthening application security capabilities while
improving time to value with IBM Security AppScan
30th October 2013

© 2013 IBM Corporation
Agenda

• IBM Security Framework
• Why Application Security is Important
• What’s New in AppScan 8.8
• Why IBM?
• Resources
X-Force is the foundation for advanced security and threat research across the IBM Security Framework

The mission of X-Force is to:
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
(Chart) Security Incidents in the first half of
Application Security Landscape

Web application vulnerabilities dominate enterprise threat landscape.

• 31% of new attacks targeted vulnerabilities in web applications (1H 2013)*
• More than 50% of all web application vulnerabilities are categorized as cross-site scripting.

Security vulnerabilities can impact a wide variety of applications:
• Applications in Development: in-house and outsourced
• Production Applications: in-house, acquired and off-the-shelf commercial apps

*IBM X-Force 2013 Mid-Year Trend and Risk Report
Mobile Security Landscape

• Mobile vulnerabilities have grown rapidly since 2009, along with explosive growth in mobile applications.
• Attack sophistication is increasing, particularly for attacks targeted at Android devices.
• Organizations must have a mobile application security strategy.
Application Security: Core Component of Your Security Strategy

1. Web application vulnerabilities dominate enterprise threat landscape.
2. Mobile application attacks are increasing rapidly.
3. Vulnerabilities are spread through a wide variety of applications (internal development apps and external production apps).
4. Common questions from IBM clients: Where are our vulnerabilities and how do we assess our risks?
5. Many organizations struggle with best practices for managing application security in their IT environments.
Cheaper to find and fix earlier in the lifecycle – When do you test?

80% of development costs are spent identifying and correcting defects!***

Average Cost of a Data Breach: $7.2M** from law suits, loss of customer trust, damage to brand

Phase in which the defect is found   Cost per defect     Cost per application*
Find during Development              $80 / defect        $8,000 / application
Find during Build                    $240 / defect       $24,000 / application
Find during QA/Test                  $960 / defect       $96,000 / application
Find in Production                   $7,600 / defect     $760,000 / application

*Based on X-Force analysis of 100 vulnerabilities per application
** Source: Ponemon Institute 2009-10
*** Source: National Institute of Standards and Technology
Is there a disconnect? Perception vs. Reality

Where are your “security risks,” compared to your “security spend”? Spend ≠ Risk
Source: The State of Risk-Based Security Management, A Research Study by Ponemon Institute, 2013

Do you have defined Secure Architecture Standards? Exec ≠ Developers view
Source: The State of Application Security, A Research Study by Ponemon Institute, 2013
Mobile Malware – 2013 Data (chart)

Source: Juniper Networks Third Annual Mobile Threats Report: March 2012 through March 2013
IBM X-Force 2013 Mid-Year Report

• Android malware increasing
• Sophistication of attacks increasing
• New versions of Android helping to reduce risk
• Android market is very fragmented

http://securityintelligence.com/cyber-attacksresearch-reveals-top-tactics-xforce/
IBM’s Partnered Application Security Solution with Arxan

Arxan technology:
• Protects deployed mobile applications
• Enhances tamper-proofing
• Protects against reverse engineering
• Protects against targeted malware

Goal: Develop secure applications and protect deployed mobile applications by utilizing the IBM/Arxan solution.

Source: Arxan State of Security in the App Economy – 2012
Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services

• Build security into your application development process
• Efficiently and effectively address security defects before deployment
• Collaborate effectively between Security and Development
• Provide Management visibility

Deliver New Services Faster · Innovate Securely · Reduce Costs

Proactively address vulnerabilities early in the development process
Finding more vulnerabilities using advanced techniques

(Diagram: Total Potential Security Issues)

Static Analysis
- Analyze source code
- Use during development
- Uses taint analysis / pattern matching

Dynamic Analysis
- Analyze live web application
- Use during testing
- Uses HTTP tampering

Hybrid Analysis
- Correlate dynamic and static results
- Assists remediation by identification of the line of code

Run-Time Analysis
- Combines dynamic analysis with a run-time agent
- More results, better accuracy

Client-Side Analysis
- Analyze downloaded JavaScript code which runs in the client
- Unique in the industry
Application Security Testing

Audience: Development teams, Security teams, Penetration Testers
SDLC: CODING, BUILD, QA, SECURITY, PRODUCTION

Scanning Techniques
• Static analysis (white box): Source code vulnerabilities & code quality risks; Data & Call Flow analysis tracks tainted data
• Dynamic analysis (black box): Live Web Application; Web crawling & Manual testing; Hybrid Glass Box analysis

Applications
• Programming Languages: Java/Android, JSP, C, C++, COBOL, SAP ABAP; C#, ASP.NET, VB.NET, Classic ASP, ColdFusion, VB6, VBScript; HTML, PHP, Perl, PL/SQL, T-SQL, Client-side JavaScript, Server-side JavaScript
• Web Applications and Web Services: Web 2.0, HTML5, AJAX, JavaScript, Adobe Flash & Flex
• Mobile Applications: iPhone Objective-C, Android Java
• Purchased Applications

Governance & Collaboration
• Training – Application Security & Product (instructor led, self paced – classroom & web based)
• Test policies, test templates and access control
• Dashboards, detailed reports & trending
• Manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports)

Integrated
• Build Systems – improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven)
• Defect Tracking Systems – track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server)
• IDEs – remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio)
• Security Intelligence – raise threat level (SiteProtector, QRadar, Guardium)
AppScan Source Mobile Support

Ensure mobile applications are not susceptible to malware!
• Support for Android and native Apple iOS apps
• Security SDK research & risk assessment of over 20k Android APIs and 20k iOS APIs
• Mac OS X platform support
• Xcode interoperability & build automation support
• Full call and data flow analysis of Objective-C, JavaScript and Java
• Identify where sensitive data is being leaked
AppScan integrations with other IBM Security Systems products

QRadar
• Application discovery and context
• Risk-based vulnerability analysis
• Security policies and alerts

SiteProtector
• Network activity monitoring
• Web application protection

AppScan
• Application vulnerability assessments

Guardium
• Database vulnerability assessments
• Database activity monitoring
• Data protection policies
AppScan - QRadar Vulnerability Manager integration

Features:
• QVM Scanner provides network asset scanning and uncredentialed web application and database scanning
• AppScan provides comprehensive credentialed web application scanning
• AppScan vulnerability database integrated into QVM
• QVM reports, dashboards and vulnerability management features all utilise AppScan vulnerabilities
• QVM enables network usage, security and threat context data to be applied to AppScan vulnerabilities

(Diagram: Application Vulnerability, Identified Risk)

Benefits:
• Single view of vulnerability posture, improved incident response time
• Prioritize web application vulnerability remediation and mitigation with rich context information
What’s New in AppScan 8.8
AppScan 8.8 - Strengthening application security capabilities while improving time to value

1. Improve time to value on static analysis
• Streamlined triage features to quickly identify security risk
• Faster and easier configuration of Java applications

2. Quickly identify confirmed vulnerabilities
• Identify top security risks by leveraging the latest industry standards from the OWASP Top 10 and Mobile Top 10 for 2013
• Out of the box filters and scan confirmations ensure security compliance and best practices

3. Enhanced encryption to protect your security assets
• Support for industry standard Transport Layer Security (TLS) protocol 1.2
• Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a
AppScan 8.8: U.S. Federal Compliance Update

• Enhanced encryption (support for TLS 1.2)
• Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a.
• DISA STIG V3.5 out-of-the-box report (Source only)
AppScan Source 8.8: Consumability & Usability Features

• New Vulnerability Matrix with extensive Tool Tips
• More options to optimize viewing of important trace information (collapsible Trace view)
AppScan Source 8.8: Improved Time to Value

• Scan Configurations
  - Enhanced: Android, Large application, Normal, Quick, Web
  - New: Follow all virtual call targets, iOS, Maximize findings, Maximize traces, Show all errors and warnings in console, Medium-to-large application, User input vulnerabilities, Service code
• Filter Support
  - Updated existing filters to improve accuracy
  - Added new filters: OWASP Top 10 2013, OWASP Top 10 Mobile Risks
  - Added filter information to assessment results and reports
  - Vulnerability types automatically set
• New Out-of-the-box reports
  - DISA STIG V3.5
  - OWASP Top 10 2013
  - OWASP Top 10 Mobile Risks, RC1
AppScan Source 8.8: Platform Updates

• Operating System Updates
  - Windows Server 2012
  - Red Hat Enterprise Linux 6.4
• Updated IDE Support
  - Visual Studio 2012
  - Eclipse 4.2, 4.2.2, 4.3
  - Rational Application Developer 8.5.1, 9.0
• Defect Tracking System Updates
  - Rational ClearQuest 8.0.1
  - Rational Team Concert 4.0.2, 4.0.3, 4.0.4
• Enhanced Framework Support
  - Spring MVC 3
  - Additional feature support for Spring MVC 2.5
  - ASP.NET MVC
  - .NET 4.5
  - Java JAX-RS (V1.0 & 1.1)
  - Java JAX-WS (V2.2)
  - Enhanced Web Services support including WSDL
• Other Updates
  - Rational License Key Server 8.1.4
  - WebLogic 11, 12
  - WebSphere 8, 8.5
  - Tomcat 7
  - Support for .NET 4.5
  - Microsoft Windows authentication via AppScan Enterprise
AppScan Enterprise 8.8: Summary

• Importing a scan configuration from AppScan Standard desktop client
  - Leverage the scalability of the AppScan Enterprise Dynamic Analysis Scanner by importing and scheduling scans configured with the AppScan Standard desktop client.
• Windows-based authentication for both DAST and SAST clients
  - Set up Windows authentication (based on Active Directory) when deploying both DAST and SAST clients. Installing and setting up Jazz Team Server is NOT required!
• Enhanced REST API for QA automation
  - Reuse quality assurance functional test scripts to implement Dynamic Analysis security testing automation via new REST API interfaces.
• Finer custom user type settings
  - More flexibility for configuring decentralized AppScan Enterprise administration.
• Compliance report update
  - OWASP Top 10 (2013)
AppScan Enterprise 8.8: Importing a scan configuration from AppScan Standard client (screenshot)
AppScan Enterprise 8.8: Windows based authentication for both DAST and SAST clients (screenshot)
AppScan Enterprise 8.8: Enhanced REST API for QA automation

The problem
• Recording scripts (HTTP traffic) for the purposes of security testing duplicates the same task being performed for the purpose of functional testing.
• QA teams would like to leverage their functional test scripts (based on HTTP traffic) for the purposes of security testing.
AppScan Enterprise 8.8: Enhanced REST API for QA automation

The solution – new REST API interfaces to help:
• Integrate AppScan with various QA automation tools to remove duplication of work
• Automate the creation of AppScan security scan jobs based on captured HTTP traffic
AppScan Standard 8.8: Summary

• Session management improvements – Action Based Login (ABL)
• Parameter and cookie tracking: new options
• User Experience related enhancements:
  - Session detection pattern – In Session or Out of Session
  - Manual Test dialog now has Search fields for both request and response content.
  - Use External Browser option is exposed in the UI
• TLS 1.1 and 1.2 are now supported in addition to TLS 1.0 and SSL 3.0
  - SSL 2.0 has been deprecated in this release, but can still be configured
• Generic Services Client update: Version 8.5 is now used for setting up web services scans
AppScan Standard 8.8: Action Based Login

• Session handling is one of the key factors for a successful scan.
• In previous versions, when a login sequence was recorded, AppScan would use the recorded HTTP traffic to replay the same sequence of requests each time a login playback was needed.
• With Action Based Login, AppScan actually uses the browser and performs the same actions as recorded by the user.
• Internal tests show dramatic improvement in AppScan’s ability to successfully record and replay the login sequence.
• ABL combined with the ‘old’ traffic based login is used automatically by AppScan and there is no need for user intervention.
Try AppScan 8.8 Now!

• Free download available: http://www.ibm.com/developerworks/downloads/r/appscan/
• The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product.
• The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provide this site to testers so that you can explore the testing process without fear of bringing down a production site.
Why IBM?
Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST)

Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2, 2013

“The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.”

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Why IBM Security AppScan?
Complete and integrated Application Security Testing (AST) solution in the market

Complete AST offering
1. AppScan is a rich set of application testing management products that can scale.
2. AppScan also offers special editions for specific users.
3. IBM has the strongest ability to execute, including X-Force.

Integrated AST solution
1. AppScan is part of the larger IBM Security Systems vision that encompasses enterprise security intelligence, mobile, Big Data and Cloud.
2. AppScan can be integrated with enterprise risk management and intelligence via integrations.

Best fit for enterprises
1. AppScan meets enterprise needs with flexible deployment models and the most advanced testing.
2. AppScan is available in both on-premise and managed services offerings.
3. AppScan has the highest degree of accuracy.
4. AppScan also has the best attack vector coverage.
Cisco: Scaling application vulnerability management across a large enterprise

The need:
With a small security team and an application portfolio of nearly 2,500 applications, security staff worried they were becoming a “bottleneck” in application security testing.

The solution:
Using IBM® Security AppScan® Enterprise, Cisco empowered its developers and QA personnel to test applications and address security issues before deployment.

The benefits:
• Drove a 33 percent decrease in number of issues found
• Reduced post-deployment remediation costs significantly
• Freed security experts to focus on deep application vulnerability assessments

“We’ve seen a 33 percent decrease in the number of issues found and a huge reduction in remediation costs post deployment.”
—Sujata Ramamoorthy, Director, Information Security, Cisco

Solution components:
• IBM® Security AppScan® Standard
• IBM Security AppScan Enterprise

Download the Complete Case Study (WGP03056-USEN-00)
Resources
Related Webinar Available On Demand

Mobile Application Security and Data Protection Challenges
http://www-03.ibm.com/security/2013webinarseries/details/index.html

Securing mobile applications requires an understanding of the unique characteristics of mobile computing. Addressing application security early in the software development life cycle is even more important for mobile applications. However, securing mobile applications is different from securing mobile devices. In this presentation Tom will highlight the mobile security risks for end users and enterprises, show you some great examples of simple but effective mobile threats, and discuss application development steps every organization should take to protect their customers and their company.
Additional Information

Documents
• EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps
  https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swgWW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
• AppScan Source Data Sheet
  http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
• AppScan Standard Data Sheet
  http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
• AppScan Enterprise Data Sheet
  ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF

Posts
• 2013 Gartner Application Security Testing MQ and the Evolution of Software Security
  http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
• Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST)
  http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/

Podcasts
• 2013 Gartner Magic Quadrant for Application Security Testing
  http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
• Application + Threat + Security intelligence = Priceless
  http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
• Taking Application Security from the Whiteboard to Reality
  http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
Videos

• Overview of IBM Security AppScan
  http://www.youtube.com/watch?v=9R4IjZpKt8I
• How College Board is Building Security into Application Development
  http://www.youtube.com/watch?v=TtqhlcTnbg8
• Building Better, More Secure Applications
  http://www.youtube.com/watch?v=UcN2uUolgKk
• Using Application Security Testing to Increase Deployment Speed
  http://www.youtube.com/watch?v=VImy3ilYUSk
• IBM Security AppScan 8.7 for iOS mobile application support
  http://www.youtube.com/watch?v=I73tbAmJIGw
• IBM Security AppScan 8.7 for iOS Applications
  http://www.youtube.com/watch?v=egnEH-GGQEI
• IBM Security AppScan: Analysis Perspective
  http://www.youtube.com/watch?v=UZD53ZgV848
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
Buy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail AccountsBuy gmail accounts.pdf buy Old Gmail Accounts
Buy gmail accounts.pdf buy Old Gmail Accounts
 
Getting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAI
Getting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAIGetting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAI
Getting Real with AI - Columbus DAW - May 2024 - Nick Woo from AlignAI
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 
Rice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna ExportsRice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna Exports
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for Viewing
 
Cracking the 'Career Pathing' Slideshare
Cracking the 'Career Pathing' SlideshareCracking the 'Career Pathing' Slideshare
Cracking the 'Career Pathing' Slideshare
 
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 

Strengthening application security capabilities while improving time to value

  • 1. IBM Security Systems: Strengthening application security capabilities while improving time to value with IBM Security AppScan. 30th October 2013. © 2013 IBM Corporation
  • 2. Agenda
     IBM Security Framework
     Why Application Security is Important
     What’s New in AppScan 8.8
     Why IBM?
     Resources
  • 3. X-Force is the foundation for advanced security and threat research across the IBM Security Framework. The mission of X-Force is to:
     Monitor and evaluate the rapidly changing threat landscape
     Research new attack techniques and develop protection for tomorrow’s security challenges
     Educate our customers and the general public
  • 4. Security Incidents in the first half of [year truncated in the extracted slide text] (chart)
  • 5. Application Security Landscape. Web application vulnerabilities dominate the enterprise threat landscape.
     31% of new attacks targeted vulnerabilities in web applications (1H 2013)*
     More than 50% of all web application vulnerabilities are categorized as cross-site scripting.
     Security vulnerabilities can impact a wide variety of applications: Applications in Development (in-house and outsourced development) and Production Applications (developed in house, acquired, and off-the-shelf commercial apps).
    *IBM X-Force 2013 Mid-Year Trend and Risk Report
  • 6. Mobile Security Landscape
     Mobile vulnerabilities have grown rapidly since 2009, along with explosive growth in mobile applications.
     Attack sophistication is increasing, particularly in attacks targeted at Android devices.
     Organizations must have a mobile application security strategy.
  • 7. Application Security: Core Component of Your Security Strategy
    1. Web application vulnerabilities dominate the enterprise threat landscape.
    2. Mobile application attacks are increasing rapidly.
    3. Vulnerabilities are spread through a wide variety of applications (internal development apps and external production apps).
    4. Common questions from IBM clients: Where are our vulnerabilities and how do we assess our risks?
    5. Many organizations struggle with best practices for managing application security in their IT environments.
  • 8. Cheaper to find and fix earlier in the lifecycle – When do you test? 80% of development costs are spent identifying and correcting defects!*** Average cost of a data breach: $7.2M** from lawsuits, loss of customer trust, and damage to brand.
    Find during Development: $80 / defect, $8,000 / application*
    Find during Build: $240 / defect, $24,000 / application*
    Find during QA/Test: $960 / defect, $96,000 / application*
    Find in Production: $7,600 / defect, $760,000 / application*
    *Based on X-Force analysis of 100 vulnerabilities per application. ** Source: Ponemon Institute 2009-10. *** Source: National Institute of Standards and Technology.
  • 9. Is there a disconnect? Perception vs. Reality. Where are your “security risks,” compared to your “security spend”? Spend ≠ Risk (Source: The State of Risk-Based Security Management, A Research Study by Ponemon Institute, 2013). Do you have defined Secure Architecture Standards? Exec view ≠ Developers view (Source: The State of Application Security, A Research Study by Ponemon Institute, 2013).
  • 10. Mobile Malware – 2013 Data. Source: Juniper Networks Third Annual Mobile Threats Report: March 2012 through March 2013
  • 11. IBM X-Force 2013 Mid-Year Report
     Android malware increasing
     Sophistication of attacks increasing
     New versions of Android helping to reduce risk
     Android market is very fragmented
    http://securityintelligence.com/cyber-attacksresearch-reveals-top-tactics-xforce/
  • 12. IBM’s Partnered Application Security Solution with Arxan. Arxan technology:
     Protects deployed mobile applications
     Enhances tamper-proofing
     Protects against reverse engineering
     Protects against targeted malware
    Goal: Develop secure applications and protect deployed mobile applications by utilizing the IBM/Arxan solution. Source: Arxan State of Security in the App Economy – 2012
  • 13. Adopt a Secure by Design approach to enable you to design, deliver and manage smarter software and services (Deliver New Services Faster, Innovate Securely, Reduce Costs)
     Build security into your application development process
     Efficiently and effectively address security defects before deployment
     Collaborate effectively between Security and Development
     Provide Management visibility
     Proactively address vulnerabilities early in the development process
  • 14. Finding more vulnerabilities using advanced techniques (Total Potential Security Issues)
    Static Analysis - Analyze source code - Use during development - Uses taint analysis / pattern matching
    Dynamic Analysis - Analyze live web application - Use during testing - Uses HTTP tampering
    Hybrid Analysis - Correlate dynamic and static results - Assists remediation by identification of the line of code
    Run-Time Analysis - Combines dynamic analysis with a run-time agent - More results, better accuracy
    Client-Side Analysis - Analyze downloaded JavaScript code which runs in the client - Unique in the industry
  • 15. Application Security Testing
    Audience: Development teams, QA, Security teams, Penetration Testers. SDLC: Coding, Build, Security, Production.
    Scanning techniques: Static analysis (white box): source code vulnerabilities & code quality risks; data & call flow analysis tracks tainted data. Dynamic analysis (black box): live web application; web crawling & manual testing; Hybrid Glass Box analysis.
    Applications: Web Applications, Web Services, Web 2.0/HTML5, AJAX, JavaScript, Adobe Flash & Flex, Mobile Applications, Purchased Applications.
    Programming languages: Java/Android, JSP, C, C++, COBOL, SAP ABAP, C#, ASP.NET, VB.NET, Classic ASP, ColdFusion, VB6, VBScript, HTML, PHP, Perl, PL/SQL, T-SQL, client-side JavaScript, server-side JavaScript, iPhone Objective-C, Android Java.
    Governance & Collaboration: Training – Application Security & Product (instructor led, self paced – classroom & web based); test policies, test templates and access control; dashboards, detailed reports & trending; manage regulatory requirements such as DIACAP, PCI, GLBA and HIPAA (40+ out-of-the-box compliance reports).
    Integrated: Build Systems improve scan efficiencies (Rational Build Forge, Rational Team Concert, Hudson, Maven); Defect Tracking Systems track remediation (Rational Team Concert, Rational ClearQuest, HP QC, MS Team Foundation Server); IDEs provide remediation assistance (RAD, Rational Team Concert, Eclipse, Visual Studio); Security Intelligence raises the threat level (SiteProtector, QRadar, Guardium).
  • 16. AppScan Source Mobile Support. Ensure mobile applications are not susceptible to malware!
     Support for Android and native Apple iOS apps
     Security SDK research & risk assessment of over 20k Android APIs and 20k iOS APIs
     Mac OS X platform support
     Xcode interoperability & build automation support
     Full call and data flow analysis of Objective-C, JavaScript and Java
     Identify where sensitive data is being leaked
  • 17. AppScan integrations with other IBM Security Systems products
    QRadar: application discovery and context; risk-based vulnerability analysis; security policies and alerts
    SiteProtector: network activity monitoring; web application protection
    AppScan: application vulnerability assessments
    Guardium: database vulnerability assessments; database activity monitoring; data protection policies
  • 18. AppScan - QRadar Vulnerability Manager integration. Features:
     QVM Scanner provides network asset scanning and uncredentialed web application and database scanning
     AppScan provides comprehensive credentialed web application scanning
     AppScan vulnerability database integrated into QVM
     QVM reports, dashboards and vulnerability management features all utilise AppScan vulnerabilities
     QVM enables network usage, security and threat context data to be applied to AppScan vulnerabilities (Application Vulnerability → Identified Risk)
    Benefits:
     Single view of vulnerability posture, improved incident response time
     Prioritize web application vulnerability remediation and mitigation with rich context information
  • 19. What’s New in AppScan 8.8
  • 20. AppScan 8.8 - Strengthening application security capabilities while improving time to value
    1. Improve time to value on static analysis
     Streamlined triage features to quickly identify security risk
     Faster and easier configuration of Java applications
    2. Quickly identify confirmed vulnerabilities
     Identify top security risks by leveraging the latest industry standards from the OWASP Top 10 and Mobile Top 10 for 2013
     Out of the box filters and scan confirmations ensure security compliance and best practices
    3. Enhanced encryption to protect your security assets
     Support for the industry standard Transport Layer Security (TLS) protocol 1.2
     Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a
  • 21. AppScan 8.8: U.S. Federal Compliance Update
     Enhanced encryption (support for TLS 1.2)
     Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a
     DISA STIG V3.5 out-of-the-box report (Source only)
  • 22. AppScan Source 8.8: Consumability & Usability Features
     New Vulnerability Matrix with extensive tool tips
     More options to optimize viewing of important trace information; collapsible Trace view
  • 23. AppScan Source 8.8: Improved Time to Value
     Scan configurations. Enhanced: Android, Large application, Normal, Quick, Web. New: Follow all virtual call targets, iOS, Maximize findings, Maximize traces, Show all errors and warnings in console, Medium-to-large application, User input vulnerabilities, Service code
     Filter support: updated existing filters to improve accuracy; added new filters: OWASP Top 10 2013, OWASP Top 10 Mobile Risks; added filter information to assessment results and reports; vulnerability types automatically set
     New out-of-the-box reports: DISA STIG V3.5; OWASP Top 10 2013; OWASP Top 10 Mobile Risks, RC1
  • 24. AppScan Source 8.8: Platform Updates
     Operating system updates: Windows Server 2012; Red Hat Enterprise Linux 6.4
     Updated IDE support: Visual Studio 2012; Eclipse 4.2, 4.2.2, 4.3; Rational Application Developer 8.5.1, 9.0
     Defect tracking system updates: Rational ClearQuest 8.0.1; Rational Team Concert 4.0.2, 4.0.3, 4.0.4
     Enhanced framework support: Spring MVC 3; additional feature support for Spring MVC 2.5; ASP.NET MVC; .NET 4.5; Java JAX-RS (V1.0 & 1.1); Java JAX-WS (V2.2); enhanced Web Services support including WSDL
     Other updates: Rational License Key Server 8.1.4; WebLogic 11, 12; WebSphere 8, 8.5; Tomcat 7; support for .NET 4.5; Microsoft Windows authentication via AppScan Enterprise
  • 25. AppScan Enterprise 8.8: Summary
     Importing a scan configuration from the AppScan Standard desktop client: leverage the scalability of the AppScan Enterprise Dynamic Analysis Scanner by importing and scheduling scans configured with the AppScan Standard desktop client.
     Windows-based authentication for both DAST and SAST clients: set up Windows authentication (based on Active Directory) when deploying both DAST and SAST clients. Installing and setting up Jazz Team Server is NOT required!
     Enhanced REST API for QA automation: reuse quality assurance functional test scripts to implement Dynamic Analysis security testing automation via new REST API interfaces.
     Finer custom user type settings: more flexibility for configuring decentralized AppScan Enterprise administration.
     Compliance report update: OWASP Top 10 (2013)
  • 26. AppScan Enterprise 8.8: Importing a scan configuration from AppScan Standard client
  • 27. AppScan Enterprise 8.8: Windows based authentication for both DAST and SAST clients
  • 28. AppScan Enterprise 8.8: Enhanced REST API for QA automation. The problem:
     The task of recording scripts (HTTP traffic) for the purposes of security testing duplicates the same task being performed for the purpose of functional testing.
     QA teams would like to leverage their functional test scripts (based on HTTP traffic) for the purposes of security testing.
  • 29. AppScan Enterprise 8.8: Enhanced REST API for QA automation. The solution – new REST API interfaces to help:
     Integrate AppScan with various QA automation tools to remove duplication of work
     Automate the creation of AppScan security scan jobs based on captured HTTP traffic
  • 30. AppScan Standard 8.8: Summary
     Session management improvements – Action Based Login (ABL)
     New options for parameter and cookie tracking
     User experience related enhancements: session detection pattern – In Session or Out of Session; the Manual Test dialog now has search fields for both request and response content; the Use External Browser option is exposed in the UI
     TLS 1.1 and 1.2 are now supported in addition to TLS 1.0 and SSL 3.0
     SSL 2.0 has been deprecated in this release, but can still be configured
     Generic Services Client update: version 8.5 is now used for setting up web services scans
  • 31. AppScan Standard 8.8: Action Based Login
     Session handling is one of the key factors for a successful scan.
     In previous versions, when a login sequence was recorded, AppScan would use the recorded HTTP traffic to replay the same sequence of requests each time a login playback was needed.
     With Action Based Login, AppScan actually uses the browser and performs the same actions as recorded by the user.
     Internal tests show dramatic improvement in AppScan’s ability to successfully record and replay the login sequence.
     ABL combined with the ‘old’ traffic-based login is used automatically by AppScan, and there is no need for user intervention.
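Why replaying recorded login traffic fails where an action-based login succeeds, as an added Python example that is not part of the deck or of the AppScan product. It uses a constructed in-memory site (`FakeSite`, an assumption) whose login form carries a single-use anti-CSRF token, the kind of per-request value that makes a byte-for-byte replay of the recorded POST stale. `replay_recorded_login` resends the recorded request; `action_based_login` repeats the user's actions (open the form, read the current token, submit) so the fresh value is picked up. The `in_session` helper mirrors the "session detection pattern" item above: a page counts as in session when a configured pattern (here a logout link) is present. All function and class names are assumptions for this example.

```python
"""Traffic replay vs. action-based login against a constructed site whose
login form rotates a single-use anti-CSRF token. Offline; no network."""
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    cookies: dict = field(default_factory=dict)


class FakeSite:
    """Constructed stand-in for a web application (assumption, not a real
    site). Each login form gets a new one-time CSRF token."""

    def __init__(self, username="tester", password="s3cret"):
        self._creds = (username, password)
        self._pending_tokens = set()   # tokens issued with a form, not yet used
        self._sessions = set()         # valid session-cookie values

    def get_login_form(self) -> Response:
        token = secrets.token_hex(8)
        self._pending_tokens.add(token)
        body = ('<form method="post" action="/login">'
                f'<input type="hidden" name="csrf" value="{token}">'
                '<input name="user"><input name="pass"></form>')
        return Response(200, body)

    def post_login(self, form: dict) -> Response:
        # Single-use token: a replayed request carries an already-spent value.
        token = form.get("csrf")
        if token not in self._pending_tokens:
            return Response(403, "Invalid or expired CSRF token")
        self._pending_tokens.discard(token)
        if (form.get("user"), form.get("pass")) != self._creds:
            return Response(401, "Bad credentials")
        sid = secrets.token_hex(16)
        self._sessions.add(sid)
        return Response(200, 'Welcome <a href="/logout">Logout</a>', {"sid": sid})

    def get_account(self, cookies: dict) -> Response:
        if cookies.get("sid") in self._sessions:
            return Response(200, 'Account page <a href="/logout">Logout</a>')
        return Response(302, "Redirect to /login")


# Session detection pattern: present only on pages served to a logged-in user.
IN_SESSION_PATTERN = re.compile(r'href="/logout"')
TOKEN_PATTERN = re.compile(r'name="csrf" value="([0-9a-f]+)"')


def in_session(resp: Response) -> bool:
    """In Session / Out of Session decision based on the response pattern."""
    return resp.status == 200 and IN_SESSION_PATTERN.search(resp.body) is not None


def record_login(site: FakeSite, user: str, password: str) -> dict:
    """Simulates the recording phase: the user logs in once and the raw POST
    is kept for later playback. The token in it is spent by this login."""
    form_page = site.get_login_form()
    token = TOKEN_PATTERN.search(form_page.body).group(1)
    post = {"csrf": token, "user": user, "pass": password}
    site.post_login(post)
    return post


def replay_recorded_login(site: FakeSite, recorded_post: dict) -> Response:
    """Traffic-based playback: resend the recorded request unchanged."""
    return site.post_login(dict(recorded_post))


def action_based_login(site: FakeSite, user: str, password: str) -> Response:
    """Action-based playback: redo the user's actions, so per-request values
    (the CSRF token here) are regenerated instead of replayed."""
    form_page = site.get_login_form()
    token = TOKEN_PATTERN.search(form_page.body).group(1)
    return site.post_login({"csrf": token, "user": user, "pass": password})


def compare_strategies() -> dict:
    """Run both strategies on a fresh site and report what each achieved."""
    site = FakeSite()
    recorded = record_login(site, "tester", "s3cret")
    replay = replay_recorded_login(site, recorded)
    abl = action_based_login(site, "tester", "s3cret")
    return {
        "replay_status": replay.status,
        "replay_in_session": in_session(replay),
        "abl_in_session": in_session(abl),
        "abl_cookie_works": in_session(site.get_account(abl.cookies)),
    }


if __name__ == "__main__":
    for key, value in compare_strategies().items():
        print(f"{key}: {value}")
```

The replayed request is rejected with 403 because its token was consumed during recording, so the scanner would spend the rest of the scan out of session; the action-based path obtains a fresh token and a working session cookie. The same logic covers other rotating values (nonces, challenge fields) that a recorded-traffic login cannot reproduce.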
  • 32. Try AppScan 8.8 Now!
     Free download available: http://www.ibm.com/developerworks/downloads/r/appscan/
     The IBM Security AppScan download is a fully functional, unlimited version of the IBM Security AppScan Standard product.
     The only restriction is that scanning is limited to one site, Altoro Mutual at http://demo.testfire.net. We provide this site to testers so that you can explore the testing process without fear of bringing down a production site.
  • 33. Why IBM?
  • 34. Gartner has recognized IBM as a leader in the Magic Quadrant for Application Security Testing (AST). Magic Quadrant for Application Security Testing, Neil MacDonald, Joseph Feiman, July 2, 2013. “The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing the need to combine dynamic and static testing capabilities, which is reshaping the overall market.” This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  • 35. Why IBM Security AppScan? Complete and integrated Application Security Testing (AST) solution in the market.
    Complete AST offering: 1. AppScan is a rich set of application testing management products that can scale. 2. AppScan also offers special editions for specific users. 3. IBM has the strongest ability to execute, including X-Force.
    Integrated AST solution: 1. AppScan is part of the larger IBM Security Systems vision that encompasses enterprise security intelligence, mobile, Big Data and Cloud. 2. AppScan can be integrated with enterprise risk management and intelligence via integrations.
    Best fit for enterprises: 1. AppScan meets enterprise needs with flexible deployment models and the most advanced testing. 2. AppScan is available in both on-premise and managed services offerings. 3. AppScan has the highest degree of accuracy. 4. AppScan also has the best attack vector coverage.
  • 36. Cisco: Scaling application vulnerability management across a large enterprise
    The need: With a small security team and an application portfolio of nearly 2,500 applications, security staff worried they were becoming a “bottleneck” in application security testing.
    The solution: Using IBM® Security AppScan® Enterprise, Cisco empowered its developers and QA personnel to test applications and address security issues before deployment.
    The benefits:
     Drove a 33 percent decrease in the number of issues found
     Reduced post-deployment remediation costs significantly
     Freed security experts to focus on deep application vulnerability assessments
    “We’ve seen a 33 percent decrease in the number of issues found and a huge reduction in remediation costs post deployment.” —Sujata Ramamoorthy, Director, Information Security, Cisco
    Solution components: IBM® Security AppScan® Standard; IBM Security AppScan Enterprise
    Download the Complete Case Study (WGP03056-USEN-00)
  • 37. Resources
  • 38. Related Webinar Available On Demand: Mobile Application Security and Data Protection Challenges. http://www-03.ibm.com/security/2013webinarseries/details/index.html Securing mobile applications requires an understanding of the unique characteristics of mobile computing. Addressing application security early in the software development life cycle is even more important for mobile applications. However, securing mobile applications is different from securing mobile devices. In this presentation Tom will highlight the mobile security risks for end users and enterprises, show you some great examples of simple but effective mobile threats, and discuss application development steps every organization should take to protect their customers and their company.
  • 39. Additional Information
    Documents:
     EMA Impact Brief - IBM Security AppScan 8.7 Adds Support for iOS Mobile Apps: https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swgWW_Security_Organic&S_PKG=ov14494&S_TACT=102PW29W
     AppScan Source Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14105usen/RAD14105USEN.PDF
     AppScan Standard Data Sheet: http://public.dhe.ibm.com/common/ssi/ecm/en/rad14019usen/RAD14019USEN.PDF
     AppScan Enterprise Data Sheet: ftp://public.dhe.ibm.com/common/ssi/ecm/en/rad14113usen/RAD14113USEN.PDF
    Posts:
     2013 Gartner Application Security Testing MQ and the Evolution of Software Security: http://securityintelligence.com/2013-gartner-application-security-testing-mq-and-the-evolution-of-software-security/
     Gartner Publishes 2013 Magic Quadrant for Application Security Testing (AST): http://securityintelligence.com/gartner-magic-quadrant-for-application-security-testing-2013/
    Podcasts:
     2013 Gartner Magic Quadrant for Application Security Testing: http://www.blogtalkradio.com/calebbarlow/2013/07/25/2013-gartner-magic-quadrant-for-application-security-testing
     Application + Threat + Security intelligence = Priceless: http://www.blogtalkradio.com/calebbarlow/2012/08/13/threat-application-security-intelligence-priceless
     Taking Application Security from the Whiteboard to Reality: http://www.blogtalkradio.com/calebbarlow/2012/06/11/taking-application-security-from-the-whiteboard-to-reality
  • 40. Videos
     Overview of IBM Security AppScan: http://www.youtube.com/watch?v=9R4IjZpKt8I
     How College Board is Building Security into Application Development: http://www.youtube.com/watch?v=TtqhlcTnbg8
     Building Better, More Secure Applications: http://www.youtube.com/watch?v=UcN2uUolgKk
     Using Application Security Testing to Increase Deployment Speed: http://www.youtube.com/watch?v=VImy3ilYUSk
     IBM Security AppScan 8.7 for iOS mobile application support: http://www.youtube.com/watch?v=I73tbAmJIGw
     IBM Security AppScan 8.7 for iOS Applications: http://www.youtube.com/watch?v=egnEH-GGQEI
     IBM Security AppScan: Analysis Perspective: http://www.youtube.com/watch?v=UZD53ZgV848
  • 41. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. ibm.com/security © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Editor's notes

  1. Advanced Security and Threat Research, which includes the X-Force team, is the foundation for many of the pillars in the security product portfolio. As the team tasked with staying on top of the latest threats and vulnerabilities, the information it provides is a critical aspect of providing protection to the other parts of the framework. The rest of this deck will talk to the specific capabilities of this team, as well as some specific integration points between the X-Force research and the products to which they add value.
  2. The way we are able to provide such broad coverage is through our research organization. This represents about 6,000 people worldwide. A big component of the research used in the XGS is from X-Force: established in 1997; top engineers doing applied security research into attack trends and techniques and coming up with counter-measures; also involves technology such as our web crawler, which is a key component of our reputation capabilities. It also includes data from other parts of IBM, such as our managed services organization: 13B events every day across 133 countries drives intelligence (reputation, vulnerabilities, etc.) that ends up in the product. In addition, IBM Research is also constantly working on new innovations with a security slant, resulting in over 1000 patents to date. So when a customer buys the XGS, they are essentially getting all of this research in a box.
  3. 2012 was a record year for reported data breaches and security incidents, with a 40 percent increase in total volume over 2011.¹ In the first half of 2013, security incidents have already surpassed the total number reported in 2011 and are on track to surpass 2012. This year kicked off with a number of high profile sophisticated attacks on major websites, media, and tech companies.
  4. No single automated analysis technique can find all possible vulnerabilities. Each technique has its own strengths and blind spots, which is why a single point tool can leave you exposed. To find the most vulnerabilities, you should employ all the analysis techniques available today. IBM has combined a leading Static Analysis solution (developed by Ounce Labs) with a leading Dynamic Analysis solution (developed by Watchfire). IBM has combined these two established technologies, and has since added Hybrid analysis to combine and correlate their results. In 2011, IBM added new techniques for client-side analysis (aka JavaScript Analyzer) and most recently run-time analysis (aka Glassbox).
     Static Analysis examines the source code for potential vulnerabilities. Static analysis can be used earlier in the development cycle, because you don’t need a running application. Static analysis can also produce a large volume of results, which can overwhelm development teams. Also, developers may question whether an identified vulnerability can be exploited (i.e. the “issue” could be mitigated somewhere else in the code, so it may not manifest itself as a true vulnerability).
     Dynamic Analysis tests a running application, by probing it in similar ways to what a hacker would use. With Dynamic Analysis results, it is easier to connect the vulnerability and a potential exploit. Dynamic Analysis is reliant on an ability to automatically traverse an application and test possible inputs. With Dynamic Analysis, the auditor is always asking “did I get proper test coverage”. Because Dynamic Analysis requires a running application, it typically cannot be used until an application is ready for functional testing (i.e. later in the development cycle).
     Hybrid Analysis brings together Dynamic and Static to correlate and verify the results. Issues identified using dynamic analysis can be traced to the offending line of code. Issues identified in static analysis can be validated with an external test.
     Client-side Analysis (aka JSA) analyzes code which is downloaded to the client. As more functionality is performed client-side, the prospect of client-side vulnerabilities and exploits increases. This capability, new in 2011, is unique in the market.
     Run-time Analysis (aka Glassbox) places a run-time agent on the application machine, and analyzes the application as it is being tested. This combines the aspects of Dynamic and Static analysis at run-time, finding more vulnerabilities with greater accuracy. Glassbox analysis was introduced in the most recent release of AppScan, at the end of 2011.