How to Leverage Cognitive Technology to Think Like a Security Expert

David Marshak, Senior Product Manager, IBM Security

Kris Duer, Lead Security Analytics Researcher, IBM Security

October 27, 2016

2 IBM Security

Application security challenges

Pace: Rapid growth in applications, releases and technology

Compliance: External regulations and internal policy requirements

Resources: Small security teams, lots of applications

• Which applications pose the biggest business risk?

• How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?

• How do we reduce costs and catch security problems earlier in the lifecycle?

• Where is my business risk?

• How do I set internal policy requirements for application security?

• Is my private / sensitive data exposed by apps?

• How do I check for and demonstrate application compliance?

• How do we prioritize the work for the resources I have?

• What do we test and how do we test it?

• How do we staff and improve skills and awareness?

3 IBM Security

Cost of Security Defects

• Cost of a Data Breach: $7.2M

• 80 days to detect

• More than four months (123 days) to resolve

Cost per defect by the phase in which it is found:

Found during Development   $80 / defect
Found during Build         $240 / defect
Found during QA/Test       $960 / defect
Found in Production        $7,600 / defect

80% of development costs are spent identifying and correcting defects!

Source: Ponemon Institute

Source: National Institute of Standards and Technology

4 IBM Security

Simplifying Application Security Testing

Easy to Use · Easy to Understand · Secure

← Integrates into your Continuous Engineering Processes →

IBM Confidential

5 IBM Security

Quickly Plug Into Your Application Lifecycle

• Automated
  – No waiting on manual steps
  – Integrates with developer IDEs (Eclipse, IntelliJ, Visual Studio)
  – Scan daily, weekly

• Plugins simplify your setup
  – e.g. UrbanCode and Maven

• Extend your environment with robust REST API

• Streamlined incorporation into existing DevOps / continuous integration frameworks

Automation drives early detection and reduces cost to fix!

6 IBM Security

Intelligent Finding Analytics: The problem

Vulnerability analysis today: scan something → get results → triage results (look for needles in the haystack)

7 IBM Security

Intelligent Finding Analytics: The Solution

Vulnerability analysis with IFA: scan something → Intelligent Finding Analytics* (cognitive learning, “Security Expert in a Box”) → get triaged results!

8 IBM Security

Applying Cognitive Computing to security vulnerability analysis

Machine learning with Intelligent Finding Analytics*

• Reduce false positives

• Minimize “unlikely attack scenarios”

• Provide fix recommendations that resolve multiple vulnerabilities

• Built on Watson Machine Learning

• Trained by IBM Security Experts

• Fully automated review of scan findings

Scan results → Intelligent Finding Analytics → Learned results

* Patents Pending

9 IBM Security

Intelligent Finding Analytics Results


• Meets or exceeds human experts

• Returns results in seconds, rather than in hours or days

• 90-95% average reduction in false positives

• Integrates right back into the development workflow

• Fix an average 8-10 issues in a single place within the code


10 IBM Security

Intelligent Finding Analytics Results

Example Real-World Applications   Scan Findings   Vulnerabilities   Fix Recommendations
Application 1                            55,132            14,050                    60
Application 2                            12,480             1,057                    35
Application 3                           247,350             1,271                   103
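The table shows tens of thousands of findings collapsing into a few dozen fix recommendations. The example below, added here and not IBM's code, illustrates the underlying idea on constructed findings: a greedy search for the intermediate method shared by the most taint traces, where a single validation or sanitizer closes all of them at once.

```python
"""Fix-point consolidation for static-analysis findings (constructed example).

Many taint traces pass through the same method, so a fix placed there resolves
all of them. This is a minimal greedy set-cover version of that idea; it is an
illustration, not IBM's algorithm.
"""
from collections import Counter

# Constructed findings: each is a data-flow trace of method names,
# source first, sink last, as a static analyzer would report them.
FINDINGS = {
    "F1": ["getParameter", "parseUserForm", "buildQuery", "Statement.execute"],
    "F2": ["getHeader", "parseUserForm", "buildQuery", "Statement.execute"],
    "F3": ["getParameter", "parseSearch", "buildQuery", "Statement.execute"],
    "F4": ["getCookie", "renderProfile", "Writer.print"],
    "F5": ["getParameter", "renderProfile", "Writer.print"],
    "F6": ["readFile", "loadTemplate", "Writer.print"],
}

def recommend_fixes(findings):
    """Repeatedly pick the intermediate node present in the most still-open
    traces and recommend a fix there. Sources (first node) and sinks (last
    node) are excluded: a sink like Statement.execute is library code the
    developer cannot change. Returns [(fix_node, sorted finding ids), ...]."""
    open_ids = set(findings)
    recommendations = []
    while open_ids:
        counts = Counter(
            node
            for fid in open_ids
            for node in findings[fid][1:-1]  # intermediate nodes only
        )
        if not counts:  # no intermediate node left: fix at the sink call site
            fid = min(open_ids)
            recommendations.append((findings[fid][-1], [fid]))
            open_ids.remove(fid)
            continue
        node, _ = counts.most_common(1)[0]
        covered = sorted(f for f in open_ids if node in findings[f][1:-1])
        recommendations.append((node, covered))
        open_ids -= set(covered)
    return recommendations

if __name__ == "__main__":
    recs = recommend_fixes(FINDINGS)
    print(f"{len(FINDINGS)} findings -> {len(recs)} fix recommendations")
    for node, ids in recs:
        print(f"  fix in {node:<14} resolves {', '.join(ids)}")
```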


IFA Demonstration

12 IBM Security

Simplifying Application Security Testing

Easy to Use · Easy to Understand · Secure

← Integrates into your Continuous Engineering Processes →

13 IBM Security

Overview: Application Security on Cloud Feature Summary

• Application Security Management
  – Build an inventory of application assets; classify and rank applications by business impact; organize scans by application; obtain a security rating for each application; prioritize vulnerabilities and manage their resolution
  – View a dashboard to understand application security posture and monitor progress

• Dynamic Analyzer
  – Dynamic web application security analysis
  – Based on AppScan’s Dynamic Application Security Testing engine
  – Scan pre-production or production web apps hosted on public and private networks

• Mobile Analyzer
  – Interactive mobile applications security analysis
  – Supports Android and iOS

• Static Analyzer
  – Static security testing for applications: Java, .NET, Node.js, PHP, Ruby, JavaScript…
  – Simple and accurate capability, based on the AppScan Source engine, with IBM’s cognitive Intelligent Finding Analytics

• Consulting Services
  – IBM Application Security experts:
    • Help ensure Client’s success with ASoC, from DevOps integration through to interpreting scan results
    • Perform application scanning and manual application penetration testing for our Clients

14 IBM Security

IBM Application Security on Cloud Consulting Services

Expert assistance in understanding and optimizing Application Security on Cloud testing and risk management features

• Fast Start

• Assessment Review: Expert assistance in reviewing test reports, including understanding and prioritizing vulnerabilities in the application.

• Scan for Me: “Concierge” scan service where an expert will configure & run the scan, validate results, prioritize remediation, and conduct a walk-through with the customer.

• Application Penetration Test: Human executed, controlled tests to identify vulnerabilities.

• Advisor on Demand: Deep interaction with experts on specific application security activities such as remediation assistance and program management.

Application Risk Management & Testing · ASoC SaaS

15 IBM Security

Learn More About IBM Application Security on Cloud & IFA:

Blog: IFA- Your Cognitive Computing Application Security Expert

Interactive White Paper: Effectively Manage AppSec Risk in the Cloud

Complimentary Trial Plan: IBM Application Security on Cloud

We encourage you to “like” & share these links with your professional colleagues:

Question & Answer Session

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

FOLLOW US ON:

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

THANK YOU
