hp fortify solution introduce - bccs.com.t reseller tea meeting_session_i_fortify... · pdf...
TRANSCRIPT
© Copyright 2011 Hewlett-Packard Development Company, L.P.
HP Taiwan Fortify Sales
Bill Lee
HP Fortify Solution Introduce
How to defend against these attacks
Source code scanning (treats the root cause):
• improves program performance
• checks the program for potential vulnerabilities
• helps introduce a software development life cycle (SDLC)
Software vulnerability scanning (treats the symptoms; aimed at web pages):
• finds potential problems (through penetration testing)
• prevents problems before they occur
[Figure: screenshot of five cross-site scripting test strings submitted to a web form, each shown with the result "NO"]
<script>alert("attack")</script>
"<script>alert("attack")</script>
'<script>alert("attack")</script>
<img src="javascript: alert("attack")"/>
/><body onload="alert('attack')"/>
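The slide shows test strings but not what separates a page that is vulnerable to them from one that is not. The following is an added example, not code from the HP deck: the same five strings are rendered first by a vulnerable string-concatenation template (the pattern a source code scanner reports as cross-site scripting) and then by a template that encodes for the HTML text and attribute contexts. A small checker parses the rendered output back and lists any tag or attribute the template did not intend to emit, so the hardened version can be verified rather than assumed. The fourth string also illustrates why attribute encoding alone is not enough when input lands in a src or href: the URL scheme has to be validated separately, which safe_url does. Template shape, function names and the http(s)-only policy are assumptions made for this example.

```python
# Added example (not from the HP slides): the five test strings shown on the
# slide, rendered first by a vulnerable string-concatenation template and then
# by a context-aware encoder, plus a checker that parses the output back and
# reports any tag or attribute the template did not intend to emit.
import html
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlsplit

# Constructed sample input: the same five strings the slide shows.
SLIDE_PAYLOADS = [
    '<script>alert("attack")</script>',
    '"<script>alert("attack")</script>',
    '\'<script>alert("attack")</script>',
    '<img src="javascript: alert("attack")"/>',
    '/><body onload="alert(\'attack\')"/>',
]


def render_vulnerable(name: str) -> str:
    """Reflects user input straight into HTML text and an attribute (the pattern SCA flags as XSS)."""
    return f'<p>Hello {name}</p><input value="{name}">'


def render_hardened(name: str) -> str:
    """Encodes for the HTML text context and for the double-quoted attribute context."""
    safe = html.escape(name, quote=True)   # < > & " ' become entities
    return f'<p>Hello {safe}</p><input value="{safe}">'


def safe_url(candidate: str) -> str:
    """Entity encoding cannot neutralise a javascript: URL placed in src/href;
    the scheme has to be validated separately.  Only http(s) is allowed here (assumed policy)."""
    scheme = urlsplit(candidate.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(candidate, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag and attribute name the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.attrs: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def injected_markup(rendered: str) -> List[str]:
    """Tags or attributes beyond the template's own <p> and <input value>; empty means no injection."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    extra_tags = [t for t in parser.tags if t not in ("p", "input")]
    extra_attrs = [a for a in parser.attrs if a != "value"]
    return extra_tags + extra_attrs


if __name__ == "__main__":
    for payload in SLIDE_PAYLOADS:
        print("vulnerable:", injected_markup(render_vulnerable(payload)))
        print("hardened:  ", injected_markup(render_hardened(payload)))
```

For every one of the five strings the vulnerable template yields extra tags (script, img, body) or attributes (src, onload), while the hardened template yields none; the scheme check returns "#" for the javascript: URL and passes an https URL through unchanged.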
HP Fortify solution product list
• Source code scanning tool
– HP Fortify Static Code Analyzer (SCA)
• Website penetration testing tool
– HP WebInspect
• Application vulnerability cross-analysis tools
– HP Fortify Software Security Center Server
– HP Fortify SecurityScope
• Host-based web application firewall
– HP Fortify Real-Time Analyzer
• Cloud scanning services
– HP Fortify on Demand (public cloud)
– HP CloudScan (private cloud)
How to apply HP products across the software development stages
[Figure: timeline of the stages Coding, Integration, QA, Maintenance and Deploy, with the product used at each stage]
• Develop: HP Fortify SCA (Static Code Analyzer)
• Dynamic test: HP Fortify SecurityScope
• Penetration test: HP WebInspect (WI)
• Deploy: HP Fortify RTA (Real-Time Analyzer)
• Across all stages: HP Fortify SSC Server (reporting, correlation, proactive alert management)
Fortify source code scanning
Fortify architecture
[Figure: architecture diagram. Components shown: SCA, Audit Workbench, the FPR (submitted to SSC through the Fortify Client), SSC, Fortify RTA, Rulepack updates, and SSC back-end integrations with DB, LDAP, AD, SMTP and Bugzilla]
Source code scanning: white-box testing
Languages handled by the SCA frontend: ABAP, ASP.NET, VB.NET, C# (.NET), C/C++, Classic ASP, COBOL, CFML, Flex/ActionScript, HTML, Java, JavaScript/AJAX, JSP, PHP, PL/SQL, Python, T-SQL, Visual Basic, VBScript, XML
[Figure: SCA pipeline. Source code in several languages (XML, Java, T-SQL, JSP are shown) passes through the SCA frontend into a single normalized representation; SCA analysis then produces results, illustrated by user input flowing into a SQL injection]
Enterprise Security – HP Confidential
HP Fortify SCA supports security vulnerability detection for 21 programming languages
1. ASP.Net
2. VB.Net
3. C#.Net
4. ASP
5. VBScript
6. VB6
7. Java (Android)
8. JSP
9. JavaScript
10. HTML
11. XML
12. C/C++
13. PHP
14. T-SQL (MSSQL DB)
15. PL/SQL (Oracle DB)
16. ActionScript
17. Objective-C (iPhone), supported from 2012/5
18. ColdFusion 5.0 (add-on purchase)
19. Python (add-on purchase)
20. COBOL (add-on purchase)
21. SAP ABAP (add-on purchase)
HP Fortify SCA can detect more than 500 categories of security vulnerabilities, covering both security and quality. Examples:
• SQL Injection
• Cross-site Scripting
• Command Injection
• System Information Leak
• Cross-site Request Forgery
• Unused Method
• Poor Error Handling
• Recursive Loop
• Memory Leak
• Buffer Overflow
• Unreleased Resources
• Erroneous String Compare
List of security vulnerabilities detected by HP Fortify SCA:
http://www.hpenterprisesecurity.com/vulncat/
How HP Fortify SCA detects security vulnerabilities in code
[1] Translation phase
[2] Analysis phase
[3] Audit phase
HP Fortify SCA (1) Translation phase
[Figure: in the translation phase the source code is converted into an NST (Normalized Syntax Tree); the IDE & AWB and SSC are shown as the surrounding components]
HP Fortify SCA (2) Analysis phase
[Figure: in the analysis phase SCA analyzes the NST; the IDE & AWB and SSC are shown as the surrounding components]
HP Fortify SCA (3) Audit phase
[Figure: the analysis output is an FPR (Fortify Project Result), which is reviewed in the IDE & AWB and in SSC]
How HP Fortify SCA ranks detected issues
Detected issues are categorized on two quantitative axes:
(1) Likelihood (how likely it is that the finding is accurate)
(2) Impact (how severely the issue affects the department or the enterprise)
High-likelihood zone: Critical / Medium
Suspicion zone: any code that shows signs of a security vulnerability or a quality problem is listed; security staff must manually re-verify whether it is a real problem.
[Figure: 2x2 quadrant with Impact on the vertical axis and Likelihood on the horizontal axis; the quadrant labels shown include Critical, Medium and Low]
HP Fortify SCA
Introduction to how the code security vulnerability detection tool scans code
HP Fortify SCA: three modes of operation for scanning code
Scan mode 1: IDE plug-in
Scan mode 2: AWB Command Line Builder
Scan mode 3: command line (.bat)
Scan mode: IDE plug-in
Visual Studio 2003/2005/2008/2010
Eclipse 2.0/3.0
IBM WSAD, RAD, RSA
Scan mode: AWB
Applicable languages: ASP, PHP, JavaScript, Java, JSP, XML, T-SQL, PL/SQL
Scan mode: command line (.bat, .cmd or script)
Can be run on an automatic schedule
Note: code developed in Microsoft languages requires the corresponding Microsoft IDE to be installed
Applicable languages: all languages supported by HP Fortify SCA
Audit Workbench: code security vulnerability audit and analysis tool
(1) Lists the potential security weaknesses in the scanned code and grades their severity
(2) Categorizes the weaknesses found and identifies the program in which each occurs
(3) Identifies the line of code where each weakness occurs
(4) Multi-level trace analysis
(5) Explains each weakness and recommends a fix
Multiple analysis perspectives
Report template components: Report Overview
Pie, Table, Bar
Scan report explained
Number of issues at each level: Critical / High / Medium / Low
Scan report explained
Categories and counts of code security vulnerabilities
Security weakness description
SQL Injection
Description of the security weakness
iPhone app scan result
Fortify sample report (hard-coded password)
Fortify sample report (backdoor detection)
Introduction to HP Fortify SSC Server, the software security management center
Fortify Software Security Center
• Correlates dynamic test results with static test results, leveraging runtime technology to help identify the connection between the two
• Identify and prioritize a baseline of existing vulnerabilities
• Prevent new vulnerabilities from being introduced
• Remediate existing vulnerabilities and lower the baseline
• Ensure that your code is in compliance with internal and external security mandates
Security Project Dashboard
Multi-view: security issue counts per 1000 lines of code
Easily compare the security level of development teams and identify the best vendor or development team
Collaboration Module
Management, tracking and remediation of enterprise software risk
HP Fortify Software Security Center server
Why it matters
• Offers central repository, access and visibility for all testing results so that triaging, auditing and remediation is faster
• Enables teams across organizational silos to collaborate more effectively to resolve security issues
Features
• Specify, communicate and track security activities performed on projects
• Role-based, process-driven management of software security program
• Flexible repository and exporting platform for security status, trending and compliance
Benefits
• Provides a clear, accurate picture of software risk across the enterprise
• Lowers cost of resolving vulnerabilities
• Identify areas of improvement for accelerated reduction of risk and costs
Software Security Center benefits
• Full visibility of the security status of all projects, consolidated into reports
• Different policies can be defined to manage different projects
• Internal and external staff can collaborate, reducing communication problems
• Integrates with WebInspect for black-box/white-box cross-analysis, which raises accuracy, reduces false positives and verifies findings immediately
• Can check whether applications meet regulatory requirements
HP Fortify SCA case study
Production and test environments: integration architecture
Architecture description
[Figure: deployment diagram; the elements shown are listed below]
• Scan server (newly added): Windows 2003 Server running Fortify SCA. The project lead checks out a copy of the project source code by hand, according to project status, for the scheduled code security scan. Remote desktop is used for (1) troubleshooting from the scan log and (2) configuring the code scan schedule.
• Source code version-control server: internal developers upload code here, and remediation progress is tracked.
• AP developer group and AP leader group (internal developers): Fortify SCA IDE plug-in, for effective remediation of code security weaknesses.
• Outsourced vendor (IBM) team leader and outsourced developers: Fortify SCA IDE plug-in, for effective remediation of code security weaknesses.
▓ On the 1:00 a.m. schedule, a command-line batch file (.bat) runs the code security scan.
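The deck describes the three SCA phases (translation, analysis, audit) and, in this case study, a nightly command-line job that runs them on a checked-out copy of the source. The following is an added example, not HP's .bat file and not part of the deck: a scheduler-friendly Python wrapper around the SCA command-line mode that issues the documented sourceanalyzer flags (-b build id, -clean, -scan, -f output FPR) and ReportGenerator, and optionally submits the FPR to SSC with fortifyclient. The project name, directory layout, build-id scheme, the Java translation arguments and the fortifyclient uploadFPR flag names are assumptions; when sourceanalyzer is not on PATH the wrapper only returns the planned commands, so it can be inspected on any machine.

```python
# Added example, not HP's own .bat file: a scheduler-friendly wrapper around the
# HP Fortify SCA command-line mode described in the deck.  It drives translation,
# analysis and a report for the audit phase with the documented sourceanalyzer
# flags (-b, -clean, -scan, -f) and ReportGenerator.  Project names, paths, the
# build-id scheme and the fortifyclient flag names are assumptions.
import os
import shutil
import subprocess
from datetime import date
from typing import List, Optional

SOURCEANALYZER = "sourceanalyzer"     # assumed to be on PATH on the scan server
REPORTGENERATOR = "ReportGenerator"
FORTIFYCLIENT = "fortifyclient"       # used only when an SSC URL is supplied


def build_id_for(project: str, day: Optional[date] = None) -> str:
    """One build id per project and night, so nightly FPRs never overwrite each other."""
    return f"{project}-{(day or date.today()):%Y%m%d}"


def sca_commands(build_id: str, out_dir: str, translate_args: List[str],
                 ssc_url: str = "", ssc_token: str = "", project: str = "",
                 version: str = "") -> List[List[str]]:
    """Command lines for one scheduled scan, in execution order.

    1. -clean     discard any earlier translation stored under this build id
    2. translate  SCA translates the sources named by translate_args into its NST
    3. -scan      analysis phase, writing the Fortify Project Result (FPR)
    4. report     PDF summary handed to the auditor / project owner
    5. upload     optional: submit the FPR to SSC (assumed fortifyclient flags)
    """
    fpr = os.path.join(out_dir, f"{build_id}.fpr")
    report = os.path.join(out_dir, f"{build_id}.pdf")
    cmds = [
        [SOURCEANALYZER, "-b", build_id, "-clean"],
        [SOURCEANALYZER, "-b", build_id, *translate_args],
        [SOURCEANALYZER, "-b", build_id, "-scan", "-f", fpr],
        [REPORTGENERATOR, "-format", "pdf", "-f", report, "-source", fpr],
    ]
    if ssc_url:
        cmds.append([FORTIFYCLIENT, "uploadFPR", "-url", ssc_url, "-authtoken", ssc_token,
                     "-file", fpr, "-project", project, "-version", version])
    return cmds


def run_nightly_scan(project: str, src_dir: str, out_dir: str, translate_args: List[str],
                     build_id: str = "") -> List[List[str]]:
    """Run the scan, or only plan it when SCA is not installed here, and return the commands.

    A non-zero exit from any step raises CalledProcessError, so the scheduler's log
    records the failure instead of a silently missing FPR the next morning.
    """
    build_id = build_id or build_id_for(project)
    cmds = sca_commands(build_id, out_dir, translate_args)
    if shutil.which(SOURCEANALYZER) is None:
        return cmds                       # dry run: SCA is not available on this machine
    os.makedirs(out_dir, exist_ok=True)
    for cmd in cmds:
        subprocess.run(cmd, cwd=src_dir, check=True)   # translation runs in the source tree
    return cmds


if __name__ == "__main__":
    # Constructed project: a Java tree the nightly job has checked out to C:\scan\shop.
    plan = run_nightly_scan("shop", "C:/scan/shop", "C:/scan/out",
                            ["-cp", "lib/*.jar", "src/**/*.java"],
                            build_id=build_id_for("shop", date(2011, 12, 1)))
    for cmd in plan:
        print(" ".join(cmd))
```

The scan server in the case study would invoke this from the 1:00 a.m. scheduled task in place of the .bat file; the failing-step behaviour is the part worth keeping whatever the wrapper language, since a scheduled job that swallows errors produces stale FPRs that look like clean results.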
WebInspect product introduction
Faster scans, broader assessment, real results
Intelligent scan engine
• Effectively shortens scan time
• Improves the accuracy of vulnerability scanning
• Simulates an attacker's behaviour patterns
• Decision tree
• Dynamic analysis that follows changes in the application
Industry leading scanning technology you can trust
Unique, accurate target analysis for Web 2.0
Meets the needs of the latest technologies
Identifies security weaknesses in client-side source code
• Automatically disassembles Adobe Flash and performs static analysis
• Finds security weaknesses in dynamically built applications
– Automatically simulates real user behaviour by executing JavaScript code paths and recording a typical user's experience
Testing web applications like web applications, not like web sites
Spend the least time on scan configuration and the most on fixing weaknesses
Easy-to-use guided wizard
• Focuses on the scan results you need, not just on configuration
• Non-security experts can run a successful scan by following the guide
• Removes the confusion of scan configuration and reduces the advanced configuration steps
URL Rewriting/RESTful Web Services Support
What it is
• Many dynamic sites use URL rewriting, thus creating variable elements in the URL.
• A RESTful web service can contain parameter names and variable values. Therefore, when WebInspect scans a page it must be able to determine which elements are variable so that its attack agents can thoroughly check for vulnerabilities.
• To enable this, you can use the Custom Parameters rule creator to define rules that identify these elements.
• You can also import them from common configuration files, such as a WADL definition file.
• In addition to the rules you define, WebInspect will also automatically identify custom parameters and suggest them as recommendations.
Who cares
• Security teams in RESTful framework environments
• Stakeholders with mobile web applications (but NOT those with native mobile apps)
Problem it solves:
• Inability to scan Web applications using RESTful framework principles
• Inability to account for variables in rewritten URLs
Web Services and Advanced Scanning
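The slide states the problem (a scanner has to know which URL elements are variable) and names two sources of that knowledge, user-defined rules and automatic recommendations, without showing either. The following is an added example, not WebInspect's Custom Parameters logic and not from the deck: a simplified illustration of both mechanisms over a constructed set of crawled URLs. Regex rules play the role of the custom parameters a tester defines, and suggest_parameters plays the role of the automatic recommendation by flagging a path position that takes many different values while the rest of the path stays fixed. The output is the list of distinct endpoints that would actually need testing, which is the number that matters for coverage and scan time. The rule patterns, the threshold of three values and the URL set are assumptions made for this example.

```python
# Added example (not WebInspect's own Custom Parameters logic): a simplified
# illustration of deciding which segments of rewritten / RESTful URLs are
# variable, so each distinct endpoint is tested once rather than once per value.
# RULES stand in for user-defined custom parameters; suggest_parameters stands in
# for the automatic recommendations.  The crawled URLs are constructed.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

Segments = Tuple[str, ...]

CRAWLED = [
    "https://shop.example.test/products/1001",
    "https://shop.example.test/products/1002",
    "https://shop.example.test/products/1003",
    "https://shop.example.test/products/1001/reviews",
    "https://shop.example.test/users/9f1c2d3e-0000-4000-8000-000000000001/profile",
    "https://shop.example.test/blog/how-to-return-an-item",
    "https://shop.example.test/blog/shipping-update",
    "https://shop.example.test/blog/holiday-hours",
    "https://shop.example.test/blog/about",
    "https://shop.example.test/about",
]

# User-defined rules: a segment matching the pattern is a parameter value, not a resource name.
RULES = [
    (re.compile(r"^\d+$"), "{int}"),
    (re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I), "{uuid}"),
]


def path_segments(url: str) -> Segments:
    """Split the URL path into its non-empty segments."""
    return tuple(s for s in urlsplit(url).path.split("/") if s)


def apply_rules(segs: Segments) -> Segments:
    """Replace every segment that matches a rule with that rule's placeholder."""
    return tuple(next((name for rx, name in RULES if rx.match(s)), s) for s in segs)


def suggest_parameters(templates: Set[Segments], min_values: int = 3) -> Dict[Segments, List[str]]:
    """Recommend positions that take many different values while everything else is fixed.

    Each key is a template with one hole ("{?}"); its value is the sorted list of
    literal segments seen in that hole.  Positions already normalised by a rule are skipped.
    """
    holes: Dict[Segments, Set[str]] = defaultdict(set)
    for segs in templates:
        for i, seg in enumerate(segs):
            if seg.startswith("{"):
                continue
            holes[segs[:i] + ("{?}",) + segs[i + 1:]].add(seg)
    return {hole: sorted(vals) for hole, vals in holes.items() if len(vals) >= min_values}


def unique_endpoints(urls: List[str], min_values: int = 3) -> List[Segments]:
    """Distinct endpoints after applying the rules and then the suggested parameters."""
    templates = {apply_rules(path_segments(u)) for u in urls}
    suggested = suggest_parameters(templates, min_values)
    final: Set[Segments] = set()
    for segs in templates:
        for hole in suggested:
            if len(hole) == len(segs) and all(h == s or h == "{?}" for h, s in zip(hole, segs)):
                segs = tuple("{param}" if h == "{?}" else s for h, s in zip(hole, segs))
        final.add(segs)
    return sorted(final)


if __name__ == "__main__":
    for hole, values in suggest_parameters({apply_rules(path_segments(u)) for u in CRAWLED}).items():
        print("recommend parameter at", "/".join(hole), "values:", values)
    for endpoint in unique_endpoints(CRAWLED):
        print("/" + "/".join(endpoint))
```

Ten crawled URLs collapse to five endpoints: the numeric and UUID segments are handled by rules, and the blog slugs, which match no rule, are recommended as a parameter because four different values occur in the same position under an otherwise identical path. A tester would review such recommendations before accepting them, since a position with a handful of fixed resource names (products/{int}/reviews versus products/{int}/questions, say) looks the same to this heuristic as a genuinely variable one.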
Large Scale Confirmation
What it is
• Extension of single retest functionality from WebInspect 9.00 and AMP 9.10
• With this release, quickly retest all your vulnerabilities in a scan.
• This enables you to determine if a vulnerability still exists without having to conduct a new scan from scratch, reducing scan time and improving accuracy.
Who cares
• Security tester at the stage gate trying to determine if vulnerabilities have been fixed
• Application owners that would like confirmation that the reported vulnerabilities have been fixed.
Problem it solves:
• Long test cycles, retesting vulnerability by vulnerability
Differential Analysis and Control
Results Comparison
What it is
• Provides visual representation of vulnerability differences found between two scans of the same site.
• The information is presented as an interactive dashboard and the common vulnerability view.
Who cares
• Security tester evaluating a critical site
• Application security manager who must prioritize security fixes
Problem it solves:
• Addresses lack of confidence some customers have in our vulnerabilities
• Chaotic vulnerability overload
Differential Analysis and Control
Start remediation of vulnerabilities immediately: real-time scan view
[Figure: WebInspect scan screen showing a real-time scan dashboard, the site tree, the security weaknesses found so far, the excluded & allowed hosts panel, a detailed attack list and real-time scan statistics]
Share knowledge and speed up remediation
Expert-level security knowledge
• Detailed knowledge of each security weakness
• How to confirm or locate the problem
• How the weakness affects you
• How to fix the problem (including code samples and information tailored to different teams)
• Further references and best practices
Powerful, scalable, flexible, and extensible
Enterprise-grade, customizable reporting
Provides the customized reports your enterprise needs
• Easy-to-use report designer
• Personalized reports through per-user editing
Multiple report output options
• Includes RTF, PDF, Excel, HTML, TXT
Can integrate other external data sources
Updated through SmartUpdate
HP WebInspect automatically generated reports: regulatory compliance
View, analyze and manage scan data
Scan history management
• Easily manages scan data even in large databases
• Group, sort and organize scan data
• Provides clear views of detailed scan information
HP SmartUpdate
Ensures that the latest verified checks for new security weaknesses and attack techniques are delivered
HP Web Security Research Group
• Security weakness research and product research: detection of security weaknesses, remediation knowledge, attack techniques
• "Investment in technology has raised accuracy and efficiency"
• Industry-known speakers and authors (Black Hat, RSA, ShmooCon)
HP Application Security Center solutions: manual download or external import
HP WebInspect checks for data injection and manipulation attacks
WebInspect type: new platform for WebInspect
WebInspect type: named user
WebInspect type: concurrent license
WebInspect type: Enterprise
[Figure: Software Security Center with WebInspect Enterprise. Actors: CIO/CISO/Auditor, App Security, Developers. Components: SSC, WI Ent, workflows, web services, defect management, and HP Sensors running WebInspect against local & remote target sites]
Software Security Center delivers: vulnerability management; reporting & dashboards; repository for static, dynamic & manual results
WebInspect Enterprise delivers: scalable dynamic test execution; web-based test configuration; web-based test monitoring and results triage
User Management
Two sets of accounts
• Software Security Center: role-based permissions; project / project version access control
• WebInspect Enterprise: scan configuration & visualization
When interacting with SSC through WI Enterprise, you need SSC credentials…
Project Onboarding
• Unified list of projects & project versions
• Project onboarding is originated in Software Security Center
• Two-step process: create the project version in SSC and then make it available for testing in WI Enterprise.
• Requires both SSC & WI Enterprise permissions & user accounts
Task Management: Scan Request
• Enable developers to request scans from App Security testers
• Customize the input form.
• Centralize all scan requests into a single list for App Security testers.
• Project must be onboarded in order to request a scan
• Requires both SSC & WI Enterprise permissions & user accounts
HP WebInspect Taiwan success story
Problems faced
• Black-box penetration testing was already being done, but its coverage was found to be insufficient
• The focus of the game business was shifting from licensed titles to in-house products
• In-house products needed a self-assessment before going live
• No in-house code security testing mechanism had been established yet
• Attackers exploited program weaknesses to steal and modify game item data
• The web-based games carried security vulnerability risk (injection, XSS)
• The C++ game client frequently crashed because of buffer overflows
• With in-house games increasingly outsourced, security quality was hard to control
• Wanted to adopt an automated code review tool
HP Fortify Solution
Trend management
Early-warning mechanism
HP Fortify Solution deployment overview
Deploying unit: enterprise information security department
White box: tool – HP Fortify SCA
Black box: tool – HP WebInspect
Manual review: both (black-box/white-box comparison)
Main purpose: help ensure that internally developed software has no security vulnerabilities
Software development: currently mostly in-house, with a small part outsourced
Programming languages: .Net, Java, MS VC++, Linux C++
System architecture
Benefits
Trend management: real-time control of each project's information security status
Benefits of deploying the HP Fortify Solution
• Automated code security review (Code Review) saves a great deal of time
• Provides code security verification data and reports that gate the quality of deliverables from internal development teams and outsourced vendors
• Points directly to the problem line of code and provides an explanation and fix recommendations
• Provides a learning platform for code security knowledge and remediation skills
• Trend charts of code security vulnerabilities make management simpler for security staff
Thank you !