Live webinar: Secure Diverse and Highly Accessible Applications with SAP Fortify
TRANSCRIPT
Presenter 1: Andrew Kay, HP Application Security Solution Architect
Presenter 2: Andreas Gloege, SAP Quality Assurance Solutions
© 2014 SAP AG or an SAP affiliate company. All rights reserved. 2 Public
A few items before we begin…
• There is no phone bridge for this webinar, be sure your computer speakers are off mute
• If the volume is faint, first check the volume settings on your computer, then check the volume setting in the media player box in the upper left hand corner of your screen
• You may make the slides bigger by hitting the maximize button in the upper right hand corner of the slide area
• You may submit a question at any time in the Q&A box. We will answer questions throughout the presentation as well as at the end.
• If you accidentally close the media player, Q&A box or slide area, you can re-open them by selecting the corresponding icon at the bottom of the screen
About the speakers
Andrew Kay, CISSP, CEH, CCSK
Application Security Solution Architect, HP Enterprise Security Products
With over 10 years of experience in static code analysis and enterprise code quality initiatives, Andrew is a key member of the Global HP Enterprise Security Products consulting team and one of Australia's leading application security specialists. He has designed and implemented quality and secure development lifecycles for clients around the world.
Andreas Gloege
Director, Quality Assurance Solutions, SAP
Andreas is part of the SAP Quality Assurance Solutions group, where he is focused on the global strategy and best practices around testing and quality assurance. Previously from Mercury Interactive and HP Software, Andreas has been deeply involved in the technical aspects of integrating Mercury and HP solutions with SAP Applications.
Agenda
1. Today’s challenges around Application Security Testing
2. Best Practices for SAP Application Security Solutions
3. Solutions Overview
4. Questions & Answers
Polling Question 1
To what extent are you currently confident that your organization’s highly accessible applications are highly secure? (Please tick one only)
( ) Yes, I am confident that they are highly secure
( ) Yes, to a certain extent they are secure
( ) No, they are not highly secure
( ) No, I do not know
Why Software Is Attacked
[Figure: attacks against hardware, software, digital files, personal information and networks; today, software is the entry point]
84% of breaches occur at the application layer
68% increase in mobile application vulnerability disclosures
Developers/QA are focused on functionality
Security professionals are overwhelmed by applications
Application Security is the Frontier, Now and Future!
Software security vulnerability: a look at the current situation
Your software is everywhere. How can you be sure that these highly accessible applications are also highly secure?
Today's business applications have a history:
• Grown over the years
• Complex
• Built on changing requirements
• Created based on different development paradigms
• Optimized for performance
• Extended but not reinvented
The Incident
• PlayStation Network breach reported in April 2011
• 77M customer accounts compromised
• PS Network completely offline for 25 days
• Total cost of damages / loss > $171M
What should never have happened….
The Attack
• DDoS attack followed by SQL Injection
• 130+ servers completely compromised
• Account data, credit cards, email addresses stolen
• Required full network shutdown to contain
• More than just PlayStation Network…
Heartland cybercrime case
1. 2008: Albert Gonzalez and 2 Russian co-conspirators gained access to Heartland systems through a personnel application (SQL Injection)
2. Attackers injected code into the data processing network and installed sniffer malware that was able to see credit card numbers and other details.
3. After being alerted by Visa and MasterCard of suspicious card transaction activity, Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate
4. Jan 20, 2009: Breach reported by Heartland
• At least 650 financial institutions affected
• 94M credit records stolen
• Fines levied to banks > $6M
• Total cost of damages / loss > $140M
5. At the time, the Heartland breach was the largest identity theft case ever
Approach Today: Expensive + Reactive
1. Somebody builds insecure software (in-house, outsourced, commercial, open source)
2. IT deploys the insecure software
3. Breach or pen test proves our code is bad
4. We convince and pay developers to fix it ($$$)
Why it doesn’t work
After an application is released into Production, it costs 30x more than during design.
[Figure: relative cost of fixing a security defect by phase (Requirements, Coding, Integration/component testing, System testing, Production); axis ticks 2X, 5X, 10X, 15X, 30X; 30x more costly to secure in production. Source: NIST]
Fortify Strategy
Software Security Assurance (SSA): in-house, outsourced, commercial and open source software passes through Application Assessment and then Application Protection.
1. Assess: Find security vulnerabilities in any type of software (SAP, Mobile, Web, Infrastructure)
2. Assure: Fix security flaws in source code before it ships (Secure SDLC)
3. Protect: Fortify applications against attack in production (Logging, Threat Protection)
Polling Question 2
Do you currently face any of the following challenges (please tick all that apply):
( ) lack of trust that diversified, highly accessible applications are secure
( ) security vulnerabilities in software that’s on the Web, on premise, or in development
( ) weak collaboration of testing and development teams to improve software quality
( ) meet compliance goals for internal and external security mandates
( ) all of the above
Best Practices for SAP Application Security
SAP Quality Assurance Solution Portfolio
Testing Center of Excellence: Supported by SAP Quality Center by HP, premier edition and SAP LoadRunner by HP, performance center edition
ASAP: Includes tools, templates and accelerators to help customers define a Quality Assurance Strategy designed to effectively manage the test management process, governance, and testing solutions that will enable effective execution of their quality assurance lifecycle across each ASAP phase
SAP ASAP Methodology phases: Project Preparation, Business Blueprint, Realization, Final Prep, Go Live Support, Operate
SAP Solution Manager: Business Blueprint, Business Process Change Analyzer (BPCA), SAP Solution Manager Adapter
Solutions: SAP Quality Center by HP; SAP LoadRunner by HP; SAP Test Data Migration Server; SAP Service Virtualization by HP; SAP Test Acceleration & Optimization; SAP Fortify by HP and SAP NW Code Vulnerability Analyzer
Activities: Test Management; Functional Testing; Refresh non-Production Data; Performance Testing; Test Result Analysis; Virtualize Processes & Services; Confirm Successful Test Executions; Application Security Testing
Application Security Testing Solutions
SAST: Static Application Security Testing, find vulnerabilities by analyzing the sources
• Manual Source Code Review
• Automated Source Code Analysis: SAP Fortify by HP, including SAP NetWeaver Application Server, Add-on for code vulnerability analysis (CVA)
DAST: Dynamic Application Security Testing, find vulnerabilities in the running application
• Manual Application Penetration Testing
• Automated Application Vulnerability Scanning
Finding security issues at design time instead of in production is easier and less expensive!
SAP Fortify by HP
Secures diverse and highly accessible ABAP and non-ABAP based applications
• Build trust across the entire software landscape
• Quickly find, triage and fix security vulnerabilities
• Delivers detailed, line-of-code guidance
• Identifies critical security issues early
• Integrated with development environments like the SAP ABAP development environment (SE80)
Capabilities of SAP Fortify by HP
Get proactive with holistic centralized software security
• Addresses the complete spectrum of application security needs
• Shared collaboration environments, predefined templates, and audit tools
• Establishes repeatable, automated processes
• Real-time, interactive dashboards show key results
• Two-tier testing approach pinpoints the root cause of vulnerabilities with line-of-code detail
• Helps meet internal and external security and quality mandates
Application security benefits: Minimizing risk, driving business agility
• Reduce risk with minimal effort and operational costs
• Deliver measurable business and strategic value
• Meet government and industry compliance regulations
• Build a security culture throughout your organization
Solution Overview
Application Security Vulnerability Examples: SQL Injection Explained
1. Attacker submits extra input, e.g. ' or '1'='1, through a login or other input variable
2. Attacker constructs the SQL arguments used to retrieve data
3. DB schema identified; attacker extracts usernames, passwords, credit card info
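The three steps above, shown as an added example that is not part of the webinar material: an in-memory SQLite users table constructed here for illustration, a login lookup that splices the input into the SQL text, and the same lookup with bound parameters, which is the fix a static analysis tool such as the one discussed would steer developers toward. The table layout, account values and function names are assumptions for the example.

```python
# Added example (not from the webinar): the SQL injection the slide describes,
# run against a constructed in-memory SQLite table, with the vulnerable
# string-concatenating login beside its parameterized fix.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a minimal users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, fullname TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "Alice Example"), ("bob", "hunter2", "Bob Example")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Steps 1 and 2 of the slide: untrusted input becomes part of the SQL text,
    so a value such as ' or '1'='1 changes the query's logic instead of being
    compared as data. Every row then matches (step 3)."""
    sql = ("SELECT fullname FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same lookup with bound parameters: the driver passes the values separately
    from the statement, so the quotes and OR in the input are matched literally."""
    sql = "SELECT fullname FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # the input from the slide, supplied as both login values
    print("vulnerable:", login_vulnerable(db, payload, payload))  # both users leak
    print("fixed:     ", login_fixed(db, payload, payload))       # no rows
    print("fixed, real credentials:", login_fixed(db, "alice", "s3cret"))
```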
Application Security Vulnerability Examples: SQL Injection In Action
[Screenshot: identified input field; first test it out; users table available]
[Screenshot: construct attack string; extract full name, username and (hashed) passwords]
Enterprise Application Security System
[Screenshot: Application Security Assessment Summary, combining SAST and DAST findings such as SQL Injection]
[Screenshot: Application Security Vulnerability Review, showing the application and line-of-code details]
[Screenshot: Management, tracking and remediation of enterprise software risk]
[Screenshot: Application Security Reporting]
What does Fortify stand for?
• Fixes reduced from weeks to hours
• Recurring vulnerabilities get virtually eliminated
• Improves productivity by automating application security
• Tightly integrated into standard testing infrastructure
• Yes! It's used internally by SAP!
• Find, triage and fix security vulnerabilities no matter where or how your applications are deployed
• OS agnostic and works with the different programming languages and development platforms that your teams use every day
Polling Question 3
Would you like SAP to run a security scan on one NetWeaver application in your environment?
( ) Yes, please contact me via email to do that
( ) Yes, please contact me via phone to do that
( ) No, not at the moment
Polling Question 4
Would you like to be contacted by SAP regarding SAP Fortify by HP?
( ) Yes, please contact me via email
( ) Yes, please contact me via phone
( ) No, not at the moment
Q&A
Andrew Kay
Application Security Solution Architect, HP Enterprise Security Products
Andreas Gloege
Director, Quality Assurance Solutions, SAP
Thank You!
Contact:
Justin Bullock
APPENDIX
What are application risks?
Application Security Vulnerability Examples
Injection Flaws
• SQL Injection
• Header Manipulation
• Command Injection
• LDAP and Resource Injection
• Dynamic Code Evaluation
• XPath and XML Injection
• Query String Injection
• Log Forging
Broken Auth & Session Management
• Excessive Session Timeout
• Persistent Authentication
• Sensitive File Persistence
• Session Cookies Disabled
• Anonymous Message/Transport Client
• Weak Cryptographic Hash
• Insufficient Session IDs
Direct Object Reference
• Access Control
• File Disclosure
• Path Manipulation
• Unsafe Reflection
• Process Control
Insecure Crypto Storage & Comms
• Weak / Missing Encryption and Crypto Hashes
• Weak Tokens and missing timestamps
• Passwords: Hardcoded, Null/Empty, Plain Text
• Insecure Randomness
• Credentials: Hardcoded, Easy to guess
• Cookie Security: Not using SSL, Persistent
• Web Server Misconfiguration
• Insecure Transport
Info Leak & Improper Errors
• Privacy Violation & System Info Leak
• Debug Info and Trace Output
• Poor Error Handling
• Unhandled Exceptions
• Overly Broad Logging
• Race Conditions
• Screen and Keyboard Caching
Cross Site Scripting
• Reflected XSS
• Persistent XSS
• DOM XSS
Supported Languages
Application Security Language Coverage
• ABAP
• ASP.NET
• C / C++
• C#
• Classic ASP
• COBOL
• ColdFusion
• Flex / ActionScript
• HTML
• Java
• JavaScript / AJAX
• JSP
• Objective-C
• PHP
• PL / SQL
• Python
• T-SQL
• VB.NET
• VB6
• VBScript
• XML