rational application-security-071411
TRANSCRIPT
© 2010 IBM Corporation
IBM Rational Application Security
IBM Security Solutions
Agenda
Current Trends in Application Security
The Solution
Strategies for Customer Success
Rational AppScan Suite
IBM Application Security Coverage
Executive Summary
Web applications are the greatest source of risk for organizations
Rational Application Security enables organizations to address root cause of this risk
AppScan leverages a mix of technologies (static & dynamic)
AppScan is a key part of IBM Security’s full solution view of application security
Rational AppScan Suite enables Comprehensive Application Vulnerability Management
The Costs from Security Breaches are Staggering
$204 cost per compromised record (Ponemon 2009-2010 Cost of a Data Breach Report)
285 million records compromised in 2008 (Verizon 2009 Data Breach Investigations Report), which translates to a $58.1B cost to corporations
Sources of Security Breach Costs
[Chart: Damage to Enterprise (1x, 10x, 1,000,000x) by phase in which a flaw is found (Development, Test, Deployment), comparing a Functional Flaw with a Security Flaw]
Unbudgeted Costs: customer notification / care, government fines, litigation, reputational damage, brand erosion, cost to repair
Web Applications are the greatest risk to organizations
Web application vulnerabilities represented the largest category in vulnerability disclosures
In 2009, 49% of all vulnerabilities were Web application vulnerabilities
SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot
IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report
Why are Web Applications so Vulnerable?
Developers are mandated to deliver functionality on time and on budget, but not to develop secure applications
Developers are not generally educated in secure coding practices
Product innovation is driving development of increasingly complicated software for a Smarter Planet
Network scanners won’t find application vulnerabilities, and firewalls/IPS don’t block application attacks
Volumes of applications continue to be deployed that are riddled with security flaws…
…and are non-compliant with industry regulations
Clients’ security challenges in a smarter planet
Source http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html
Key drivers for security projects:
Increasing Complexity: soon, there will be 1 trillion connected devices in the world, constituting an “internet of things”
Rising Costs: the cost of a data breach increased to $204 per compromised customer record
Ensuring Compliance: spending by U.S. companies on governance, risk and compliance will grow to $29.8 billion in 2010
Market Drivers
Regulatory & Standards Compliance
– eCommerce: PCI-DSS, PA-DSS
– Financial Services: GLBA
– Energy: NERC / FERC
– Government: FISMA
User demand
– Rich application demand is pushing development to advanced code techniques
– Web 2.0 is introducing more exposures
Cost cutting in current economic climate
– Demands increased efficiencies
Headlines:
“Hackers Break Into Virginia Health Website, Demand Ransom” — Washington Post, May, 2009
“Cyber Blitz Hits U.S., Korea Websites” – WSJ, July 9th, 2009
“Web-based malware up 400%, 68% hosted on legitimate sites” — ZDNet, June 2008
The Solution - Security for Smarter Products
Smarter Products require secure applications
Security needs to be built into the development process and addressed throughout the development lifecycle
Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:
• Provide integrated testing solutions for developers, QA, Security and Compliance stakeholders
• Leverage multiple appropriate testing technologies (static & dynamic analysis)
• Provide effortless security that allows development to be part of the solution
• Support governance, reporting and dashboards
• Can facilitate collaboration between development and security teams
Cost is a Significant Driver
The increasing cost of fixing a defect:
During the coding phase: $80/defect
During the build phase: $240/defect
During the QA/Testing phase: $960/defect
Once released as a product: $7,600/defect, plus lawsuits, loss of customer trust and damage to brand
80% of development costs are spent identifying and correcting defects!*
* National Institute of Standards & Technology. Source: GBS Industry standard study. Defect cost derived assuming it takes 8 hrs to find, fix and repair a defect when found in code and unit test; defect FFR cost for other phases calculated by applying the multiplier to a blended rate of $80/hr.
Make Applications Secure, by Design: cycle of secure application development
[Diagram: cycle of Design, Develop, Build & Test, Deploy, and Manage, Monitor & Defend, with Functional Spec, Software and Outsourcing Partner as inputs]
Design Phase: Consideration is given to security requirements of the application; issues such as required controls and best practices are documented on par with functional requirements
Development Phase: Software is checked during coding for implementation error vulnerabilities and for compliance with security requirements
Build & Test Phase: Testing begins for errors and compliance with security requirements across the entire application; applications are also tested for exploitability in the deployment scenario
Deployment Phase: Configure infrastructure for application policies; deploy applications into production
Operational Phase: Continuously monitor applications for appropriate application usage and vulnerabilities, and defend against attacks
ROI Opportunity of Application Security Testing
Cost Avoidance – of a security breach
Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage
The cost to companies is $204 per compromised record**
The average cost per data breach is $6.6 Million**
Cost Savings – of automated vs. manual testing
Automated testing provides tremendous productivity savings over manual testing
Automated source code testing with periodic penetration testing allows for cost-effective security analysis of applications
Outsourced audits can cost $10,000 to $50,000 per application
At $20,000 an app, 50 audits will cost $1M. With 1 hire + 4 quarterly outsourced audits (ex: $120,000 + $80,000), $800,000/yr can be saved (less the cost of testing software)
Cost Savings – of testing early in the development process (ALM)
80% of development costs are spent identifying and correcting defects
Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense
Cost of finding & fixing problems: code stage is $80, QA/Testing is $960*
Ex: 50 applications annually & 25 issues per application; testing at code stage saves $1.1M over testing at QA stage.
* Source: GBS Industry standard study ** Source: Ponemon Institute 2009-10
Application Security Maturity Model
[Chart: view of application testing coverage over time, progressing through Unaware, Corrective Phase, Bolt On Phase and Built In Phase; duration 1-2 years]
Unaware: doing nothing
Corrective Phase: outsourced testing
Bolt On Phase: security testing before deployment
Built In Phase: fully integrated security testing
Security Testing Within the Software Lifecycle
[Chart: % of issues found by stage of SDLC (Coding, Build, QA, Security, Production)]
Most issues are found by security auditors prior to going live.
Security Testing Within the Software Lifecycle
[Chart: % of issues found by stage of SDLC (Coding, Build, QA, Security, Production), desired profile]
Security Testing Within the Software Lifecycle
[Chart: stages of the SDLC (Coding, Build, QA, Security, Production), with developers labelled on the earlier stages]
Application Security Testing Maturity
[Diagram: Rational AppScan Suite mapped to lifecycle stages (Development, Build, QA, Security) under the Rational AppScan Enterprise portal, with Rational ALM integrations: Application Developer, Build Forge, Quality Manager, ClearQuest]
Development: Rational AppScan Source Ed Developer, Source Ed Remediation, Enterprise QuickScan
Build and QA: Rational AppScan Source Ed Core, Tester Ed for RQM, Source for Automation, Standard Ed
Security: Rational AppScan Standard Ed, Source Ed for Security Compliance
Security Testing Technologies... Combination Drives Greater Solution Accuracy
Static Code Analysis (Whitebox): scanning source code for security issues
Dynamic Analysis (Blackbox): performing security analysis of a compiled application
[Diagram: total potential security issues, with Static Analysis and Dynamic Analysis each covering a portion; their combination gives the best coverage]
IBM Web application security for a smarter planet: end-to-end Web application security
Secure code development and vulnerability management (Rational AppScan)
• Identify vulnerabilities and malware
• Actionable information to correct the problems
Protect Web applications from potential attacks (ISS IPS)
• Block attacks that aim to exploit Web application vulnerabilities
• Integrate Web application security with existing network infrastructure
Deliver security and performance in Web services and SOA (WebSphere DataPower)
• Purpose-built XML and SOA solutions for security and performance
Manage secure Web applications (Tivoli I&AM)
• Ongoing management and security with a suite of identity and access management solutions