Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify Presenter 1 : Andrew Kay, HP Application Security Solution Architect Presenter 2 : Andreas Gloege, SAP Quality Assurance Solutions

Upload: sap-service-and-support

Post on 20-Aug-2015

Category: Technology

TRANSCRIPT

Page 1: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify

Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify

Presenter 1 : Andrew Kay, HP Application Security Solution Architect

Presenter 2 : Andreas Gloege, SAP Quality Assurance Solutions

Page 2: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify

© 2014 SAP AG or an SAP affiliate company. All rights reserved. 2 Public

A few items before we begin…

There is no phone bridge for this webinar; be sure your computer speakers are off mute.

If the volume is faint, first check the volume settings on your computer, then check the volume setting in the media player box in the upper left hand corner of your screen.

You may make the slides bigger by hitting the maximize button in the upper right hand corner of the slide area.

You may submit a question at any time in the Q&A box. We will answer questions throughout the presentation as well as at the end.

If you accidentally close the media player, Q&A box or slide area, you can re-open them by selecting the corresponding icon at the bottom of the screen.

Page 3: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


About the speakers

Andrew Kay, CISSP, CEH, CCSK

Application Security Solution Architect, HP Enterprise Security Products

With over 10 years of experience in static code analysis and enterprise code quality initiatives, Andrew is a key member of the global HP Enterprise Security Products consulting team and one of Australia's leading application security specialists. He has designed and implemented quality and secure development lifecycles for clients around the world.

Andreas Gloege

Director, Quality Assurance Solutions, SAP

Andreas is part of the SAP Quality Assurance Solutions group, where he is focused on the global strategy and best practices around testing and quality assurance. Previously from Mercury Interactive and HP Software, Andreas has been deeply involved in the technical aspects of integrating Mercury and HP solutions with SAP applications.

Page 4: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Agenda

1. Today’s challenges around Application Security Testing

2. Best Practices for SAP Application Security Solutions

3. Solutions Overview

4. Questions & Answers

Page 5: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Polling Question 1

To what extent are you currently confident that your organization's highly accessible applications are highly secure? (Please tick one only)

( ) Yes, I am confident that they are highly secure

( ) Yes, to a certain extent they are secure

( ) No, they are not highly secure

( ) No, I do not know

Page 6: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Page 7: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Why Software Is Attacked

(Diagram: Hardware, Software, Digital Files, Personal Information, Network Attacks, $)

Today, software is the entry point.

Page 8: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


84% of breaches occur at the application layer

68% increase in mobile application vulnerability disclosures

Developers/QA are focused on functionality

Security professionals are overwhelmed by applications

Application Security is the Frontier, Now and Future!

Page 9: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Software security vulnerability: a look at the current situation

Your software is everywhere. How can you be sure that these highly accessible applications are also highly secure?

Today's business applications have a history:

• Grown over the years

• Complex

• Built on changing requirements

• Created based on different development paradigms

• Optimized for performance

• Extended but not reinvented

Page 10: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


The Incident

• PlayStation Network breach reported in April 2011

• 77M customer accounts compromised

• PS Network completely offline for 25 days

• Total cost of damages / loss > $171M

What should never have happened….

The Attack

• DDoS attack followed by SQL Injection

• 130+ servers completely compromised

• Account data, credit cards, email addresses stolen

• Required full network shutdown to contain

• More than just PlayStation Network…

Page 11: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Heartland cybercrime case

1. 2008: Albert Gonzalez and 2 Russian co-conspirators gained access to Heartland systems through a personnel application (SQL Injection)

2. Attackers injected code into the data processing network and installed sniffer malware that was able to see credit card numbers and other details.

3. After being alerted by Visa and MasterCard of suspicious card transaction activity, Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate

4. Jan 20, 2009: Breach reported by Heartland

• At least 650 financial institutions affected

• 94M credit records stolen

• Fines levied on banks > $6M

• Total cost of damages / loss > $140M

5. At the time, the Heartland breach was the largest identity theft case ever

Page 12: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Approach Today: Expensive + Reactive

1. Somebody builds insecure software (In-house, Outsourced, Commercial, Open source)

2. IT deploys the insecure software

3. Breach or pen test proves our code is bad

4. We convince and pay developers to fix it ($ $ $)


Page 13: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Why it doesn't work: 30x more costly to secure in production

After an application is released into Production, it costs 30x more than during design.

(Chart, source: NIST. Y-axis: Cost, with ticks 2X, 5X, 10X, 15X, 30X. X-axis phases: Requirements, Coding, Integration/component testing, System testing, Production.)

Page 14: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Fortify Strategy: Software Security Assurance (SSA)

1. Assess: Find security vulnerabilities in any type of software (SAP, Mobile, Web, Infrastructure). Application Assessment.

2. Assure: Fix security flaws in source code before it ships. Secure SDLC.

3. Protect: Fortify applications against attack in production. Logging, Threat Protection. Application Protection.

(Diagram labels: In-house, Outsourced, Commercial, Open source)

Page 15: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Polling Question 2

Do you currently face any of the following challenges (please tick all that apply):

( ) lack of trust that diversified, highly accessible applications are secure

( ) security vulnerabilities in software that's on the Web, on premise, or in development

( ) weak collaboration of testing and development teams to improve software quality

( ) meet compliance goals for internal and external security mandates

( ) all of above

Page 16: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify

Best Practices for SAP Application Security

Page 17: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


SAP Quality Assurance Solution Portfolio

Testing Center of Excellence. Supported by: SAP Quality Center by HP, premier edition and SAP LoadRunner by HP, performance center edition.

ASAP includes tools, templates and accelerators to help customers define a Quality Assurance Strategy designed to effectively manage the test management process, governance, and testing solutions that will enable effective execution of their quality assurance lifecycle across each ASAP phase.

(Diagram of the portfolio across the SAP ASAP Methodology phases: Project Preparation, Business Blueprint, Realization, Final Prep, Go Live Support, Operate.)

Components: SAP Solution Manager; Business Blueprint; Business Process Change Analyzer (BPCA); SAP Quality Center by HP; SAP LoadRunner by HP; SAP Test Data Migration Server; SAP Service Virtualization by HP; SAP Test Acceleration & Optimization; SAP Solution Manager Adapter; SAP Fortify by HP and SAP NW Code Vulnerability Analyzer.

Activities: Test Management; Functional Testing; Refresh non-Production Data; Performance Testing; Test Result Analysis; Virtualize Processes & Services; Confirm Successful Test Executions; Application Security Testing.

Page 18: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Application Security Testing Solutions

SAST (Static Application Security Testing): find vulnerabilities by analyzing the sources, including SAP NetWeaver Application Server, Add-on for code vulnerability analysis (CVA)

• Manual Source Code Review

• Automated Source Code Analysis

DAST (Dynamic Application Security Testing): find vulnerabilities in the running application

• Manual Application Penetration Testing

• Automated Application Vulnerability Scanning

SAP Fortify by HP

Finding security issues at design time instead of in production is easier and less expensive!
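As an added illustration of what the SAST approach above does, the following Python script is a toy detector written for this page; it is not code from Fortify, SAP or the webinar, and a real static analyzer does far more (dataflow and taint tracking across functions and files). It parses source code and flags database `execute` calls whose query text is assembled at run time from concatenation, f-strings, `%` formatting or `str.format`. The source it scans (`SAMPLE`) is constructed for the example.

```python
"""Miniature SAST-style check (added example): flag SQL executed from strings
built at run time, the pattern behind the SQL Injection findings on this page."""
import ast
from typing import List, Tuple

# Method names treated as SQL sinks (DB-API style cursors / connections).
SQL_SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression builds a string at run time: concatenation,
    f-string, % formatting or str.format. A plain literal or bare name is False."""
    if isinstance(node, ast.JoinedStr):                       # f"... {user} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                            # "..." + user / "... %s" % user
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                      # "... {}".format(user)
    return False


def find_dynamic_sql(source: str) -> List[Tuple[int, str]]:
    """Return (line number, sink name) for every sink call whose first argument
    (the query text) is a dynamically built string, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in SQL_SINKS and node.args and _is_dynamic_string(node.args[0]):
            findings.append((node.lineno, node.func.attr))
    return sorted(findings)


# Constructed sample code to scan: two unsafe login queries and one parameterized one.
SAMPLE = '''
def login_unsafe(cur, user, pw):
    cur.execute("SELECT id FROM users WHERE name='" + user + "' AND pw='" + pw + "'")

def login_fstring(cur, user):
    cur.execute(f"SELECT id FROM users WHERE name='{user}'")

def login_safe(cur, user, pw):
    cur.execute("SELECT id FROM users WHERE name=? AND pw=?", (user, pw))
'''

if __name__ == "__main__":
    for line, sink in find_dynamic_sql(SAMPLE):
        print(f"line {line}: {sink}() called with a dynamically built query string")
```

The detector reports lines 3 and 6 of the sample and stays quiet on the parameterized query at line 9. Its obvious blind spot is a query assembled into a variable and passed by name (`cur.execute(query)`); closing that gap is exactly the taint tracking a commercial SAST engine adds on top of this syntactic check.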

Page 19: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


SAP Fortify by HP

Secures diverse and highly accessible ABAP and non-ABAP based applications

• Build trust across the entire software landscape

• Quickly find, triage and fix security vulnerabilities

• Delivers detailed, line-of-code guidance

• Identifies critical security issues early

• Integrated with development environments like the SAP ABAP development environment (SE80)

Page 20: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Capabilities of SAP Fortify by HP

Get proactive with holistic centralized software security

• Addresses the complete spectrum of application security needs

• Shared collaboration environments, predefined templates, and audit tools

• Establishes repeatable, automated processes

• Real-time, interactive dashboards show key results

• Two-tier testing approach pinpoints the root cause of vulnerabilities with line-of-code detail

• Helps meet internal and external security and quality mandates

Page 21: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Application security benefits: minimizing risk, driving business agility

• Reduce risk with minimal effort and operational costs

• Deliver measurable business and strategic value

• Meet government and industry compliance regulations

• Build a security culture throughout your organization

Page 22: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify

Solution Overview

Page 23: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Application Security Vulnerability Examples: SQL Injection Explained

1. Attacker submits extra info, i.e. ' or '1'='1; with a login or other input variable

2. Attacker constructs SQL arguments used to retrieve data

3. DB schema identified, attacker extracts usernames, passwords, credit card info
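An added, runnable version of the three steps above, written for this page and not the webinar's own demo code: a constructed in-memory SQLite `users` table, a login query built by string concatenation as the slide describes, and the same query with bound parameters, which is the code-level fix a SAST finding points at. The table rows and the `hash-of-...` values are placeholders, not real password digests.

```python
"""Added example: the slide's tautology input against a concatenated login query,
beside the parameterized form that treats the same input as plain data."""
import sqlite3
from typing import Optional


def build_db() -> sqlite3.Connection:
    """Constructed sample data; pw_hash values are placeholder strings."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
                    [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw_hash: str) -> Optional[str]:
    """Query text is concatenated from user input, so the input can rewrite the SQL."""
    sql = ("SELECT name FROM users WHERE name='" + name +
           "' AND pw_hash='" + pw_hash + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con: sqlite3.Connection, name: str, pw_hash: str) -> Optional[str]:
    """Same query with bound parameters: the input is data only and never becomes SQL."""
    row = con.execute("SELECT name FROM users WHERE name=? AND pw_hash=?",
                      (name, pw_hash)).fetchone()
    return row[0] if row else None


# The slide's tautology: it closes the quoted literal and adds a clause that is always true.
# Supplied in both fields, the concatenated WHERE clause becomes
#   name='' OR '1'='1' AND pw_hash='' OR '1'='1'
# which matches every row, so the first user is returned without any credentials.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    con = build_db()
    print(login_vulnerable(con, "alice", "hash-of-alice-pw"))  # alice (legitimate login)
    print(login_vulnerable(con, PAYLOAD, PAYLOAD))              # alice (no credentials needed)
    print(login_parameterized(con, PAYLOAD, PAYLOAD))           # None (payload is just a name)
```

The only difference between the two functions is who assembles the statement: in `login_vulnerable` the application does it by string concatenation, in `login_parameterized` the database driver binds the values after the statement has already been parsed, so the quote characters in the payload can no longer change its structure. That structural difference is what a line-of-code finding from static analysis is meant to surface before the application ships.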

Page 24: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Application Security Vulnerability Examples: SQL Injection In Action

(Screenshots: Identified input field; First test it out; Users table available)

Page 25: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Application Security Vulnerability Examples: SQL Injection In Action (continued)

(Screenshots: Construct Attack String; Extract Full Name, Username and (hashed) Passwords)

Page 26: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Enterprise Application Security System: Application Security Assessment Summary

(Screenshot: SAST and DAST results, SQL Injection)

Page 27: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Enterprise Application Security System: Application Security Vulnerability Review

(Screenshot: Application, Line of Code Details)

Page 28: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Management, tracking and remediation of enterprise software risk Enterprise Application Security System

Page 29: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Application Security Reporting

Enterprise Application Security System

Page 30: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


What does Fortify stand for?

• Fixes reduced from weeks to hours

• Recurring vulnerabilities get virtually eliminated

• Improves productivity by automating application security

• Tightly integrated into standard testing infrastructure

• Yes! It's used internally by SAP!

• Find, triage and fix security vulnerabilities no matter where or how your applications are deployed

• OS agnostic and works with the different programming languages and development platforms that your teams use every day

Page 31: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Polling Question 3

Would you like SAP to run a security scan on one NetWeaver application in your environment?

( ) Yes, please contact me via email to do that

( ) Yes, please contact me via phone to do that

( ) No, not at the moment

Page 32: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Polling Question 4

Would you like to be contacted by SAP regarding SAP Fortify by HP?

( ) Yes, please contact me via email

( ) Yes, please contact me via phone

( ) No, not at the moment

Page 33: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Q&A

Andrew Kay, Application Security Solution Architect, HP Enterprise Security Products

Andreas Gloege, Director, Quality Assurance Solutions, SAP

Page 34: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Thank You!

Contact :

Justin Bullock

[email protected]

Page 35: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify

APPENDIX

Page 36: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


What are application risks?

Application Security Vulnerability Examples

Injection Flaws

• SQL Injection

• Header Manipulation

• Command Injection

• LDAP and Resource Injection

• Dynamic Code Evaluation

• XPath and XML Injection

• Query String Injection

• Log Forging

Broken Auth & Session Management

• Excessive Session Timeout

• Persistent Authentication

• Sensitive File Persistence

• Session Cookies Disabled

• Anonymous Message/Transport Client

• Weak Cryptographic Hash

• Insufficient Session IDs

Direct Object Reference

• Access Control

• File Disclosure

• Path Manipulation

• Unsafe Reflection

• Process Control

Insecure Crypto Storage & Comms

• Weak / Missing Encryption and Crypto Hashes

• Weak Tokens and missing timestamps

• Passwords: Hardcoded, Null/Empty, Plain Text

• Insecure Randomness

• Credentials: Hardcoded, Easy to guess

• Cookie Security: Not using SSL, Persistent

• Web Server Misconfiguration

• Insecure Transport

Info Leak & Improper Errors

• Privacy Violation & System Info Leak

• Debug Info and Trace Output

• Poor Error Handling

• Unhandled Exceptions

• Overly Broad Logging

• Race Conditions

• Screen and Keyboard Caching

Cross Site Scripting

• Reflected XSS

• Persistent XSS

• DOM

Page 37: Live webinar : Secure Diverse and Highly Accessible Applications with SAP Fortify


Supported Languages

Application Security Language Coverage

• ABAP

• ASP.NET

• C / C++

• C#

• Classic ASP

• COBOL

• ColdFusion

• Flex / ActionScript

• HTML

• Java

• JavaScript / AJAX

• JSP

• Objective-C

• PHP

• PL / SQL

• Python

• T-SQL

• VB.NET

• VB6

• VBScript

• XML