The New Imperative: Automating Web Application Security


IBM Software Group. The New Imperative: Automating Web Application Security. 2007 IBM Corporation.

IBM Software Group, Rational software

Agenda: Introduction to Application Security; IBM Application Security Solutions; Reference.

Section: Introduction to Application Security

Application Security - Understanding the Problem (diagram of the traditional information security stack: encryption (SSL), firewalls / IDS / IPS, firewall, web servers; the web application layer sits behind all of these).

Application Security Hacking Example

Input submitted to the application: 01/01/2006 union select userid,null,username ',' password,null from users-

The application responds with user names and passwords of other account holders!
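The slide shows the symptom; the defect behind it is a query built by string concatenation, so the date value is parsed as SQL rather than compared as data. The following added example (not code from the slides or from IBM) reproduces that failure against a constructed in-memory SQLite table and places the parameterized version next to it. The column layout, sample rows and the adapted UNION payload are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data: an account lookup keyed by userid and an
# account-opening date, mirroring the slide's scenario (hypothetical schema).
ROWS = [
    (1, "alice", "s3cret", "01/01/2006"),
    (2, "bob", "hunter2", "02/15/2006"),
    (3, "carol", "pa55word", "03/10/2006"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER, username TEXT, "
               "password TEXT, opened TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return db

def lookup_vulnerable(db, userid, opened):
    """String-built query: the date input becomes part of the SQL grammar."""
    sql = ("SELECT userid, opened, username FROM users "
           f"WHERE userid = {int(userid)} AND opened = '{opened}'")
    return db.execute(sql).fetchall()

def lookup_safe(db, userid, opened):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    sql = ("SELECT userid, opened, username FROM users "
           "WHERE userid = ? AND opened = ?")
    return db.execute(sql, (int(userid), opened)).fetchall()

# Payload adapted from the slide to this schema; the trailing comment
# swallows the closing quote the vulnerable query appends.
PAYLOAD = ("01/01/2006' UNION SELECT userid, NULL, username || ',' || password "
           "FROM users --")

def leaked_credentials(rows):
    """UNIONed rows carry NULL in the date column and 'user,password' in the last."""
    return sorted(r[2] for r in rows if r[1] is None)

if __name__ == "__main__":
    db = make_db()
    # Vulnerable: every account holder's credentials come back.
    print(leaked_credentials(lookup_vulnerable(db, 1, PAYLOAD)))
    # Hardened: no row has that literal string as its date, so nothing matches.
    print(lookup_safe(db, 1, PAYLOAD))
```

Binding parameters is the fix the slide's example calls for; validating that the field holds a date at all is worthwhile defense in depth but not a substitute.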

State of the Application Security Threat

Growing Threat:
- Past customer spending focused on network security, yet 75% of attacks come through web applications; the market is now focusing on spending on web application security.
- "Gartner estimates that 90 percent of externally accessible applications today are web-enabled, and that two-thirds of them have exploitable vulnerabilities."
- Mitre group indicates that application issues (XSS and SQL Injection) are the top 2 hacks.

Analyst Views:
- "64% of developers are not confident in their ability to write secure applications" (Microsoft Developer Research).
- Most websites are vulnerable (Watchfire/Gartner).

Cost of Application Security Breach:
- Every lost record costs 138 to the organization who lost it.
- Media attention.
- Brand damage.
- Sharp decline in stock prices.

PCI Application Security Requirements

Motives Behind Application Hacking Incidents (chart). Source: WASC 2007 Web Hacking Incident Annual Report.

Where Do These Problems Exist?

Type: customer facing services, partner portals, employee intranets.

Source:
1. Applications you buy – e.g. COTS
2. Applications you build internally
3. Applications you outsource

What's the Root Cause of this Problem?
1. Software developers were never trained (or mandated) on security.
2. Existing defenses do not address application level threats.
3. Security teams are focused on other issues (network, desktops, etc.) and overwhelmed.
4. No defined policy, accountability or process to deal with this issue.

Application Security Maturity (chart: maturity plotted against time through successive phases of 10%, 30%, 30% and 30%, ending in an Excellence phase; duration 2-3 years).

Security Testing Within the Software Lifecycle (chart: Application Security Testing Maturity, spanning developers through production).

Application Security Adoption Within the SDLC (chart). Phase 1: Security Team. Phase 2: Security Team and Development Team. Phase 3: Security Team, Development Team and QA Team. Axes: difficulty and cost of test (high to low), criticality and risk of application (high to low), and percentage of applications tested (low to high).

Section: IBM Application Security Solutions

IBM Security Framework (diagram). Domains: Security Governance, Risk and Compliance; Data and Information; Application and Process; Network, Server, and End-point; Physical Infrastructure; with Common Policy, Event Handling and Reporting across all of them. Corresponding solutions: Security Governance, Risk & Compliance Solutions; Identity and Access Management Solutions; Information Security Solutions; Application Security Lifecycle Mgmt Solutions; Threat and Vulnerability Mgmt & Monitoring Solutions; Physical Security Solutions.

IBM is laying the foundation for end-to-end application security:
- IBM Global Services – security risk assessments helping define policies and processes.
- Rational – automated vulnerability testing for web applications/web services across the development cycle.
- IBM Technology Services/ISS – managed services for network and application vulnerability assessment.
- Tivoli – access control and security information and event management for web applications/web services.
- DataPower – provides SOA security solutions.

Application Security Management Lifecycle:
- Define Policy (IBM Global Services): define application security standards and requirements.
- Analyze & Design: build security into application design and model threats.
- Build & Test: build and test individual and composite applications.
- Deploy: configure infrastructure for application policies; deploy applications in production.
- Manage, Monitor & Defend: continuously monitor applications for vulnerabilities and defend against attacks.

Rational AppScan: Find and fix web application security and compliance issues.
- Web application and web service security testing.
- Individual and enterprise scalable solutions for assessing and remediating security vulnerabilities.
- Different solutions for developers, testers, security professionals, and management.

Watchfire Application Security Testing Products: Web Application Security Testing Across the SDLC.
- AppScan QuickScan – test applications as developed.
- AppScan Tester Edition – test applications as part of the QA process.
- AppScan Standard – security audit; test applications before deployment.
- AppScan Enterprise – production monitoring; monitor or re-audit deployed applications.

AppScan - Automated Application Security Testing (product screenshot).

AppScan Enterprise – Dashboards and Metrics (product screenshot).

Integrated Computer Based Training: key to adoption across the organization is education.

Only IBM has solutions to address all 12 PCI requirements (diagram: IBM Services, Software and Hardware; IBM Software Group and Rational software).

Agentrics

Application Security Challenge: Agentrics, a leading solution provider to the world's largest retailers and their suppliers, leverages the latest web-based technology and services for its clients.

Solution: In a competitive evaluation, AppScan was better at finding vulnerabilities than any other solution.

Result: Increased confidence and safer applications for their high-profile retail clients.

Depository Trust and Clearing Corporation (DTCC)

Application Security Challenge:
- Applications handle clearance and settlement of more than 1 quadrillion in securities transactions per year – security is imperative.
- Need to implement security as part of the application development process.

Solution:
- Educated 450 developers on testing security across the SDLC.
- Acquired AppScan for vulnerability scanning.

Result:
- Security is designed and built into more than 225 new applications per year.
- Stabilized processes and practices leverage AppScan for industrial-strength vulnerability assessment and remediation for high risk and complex applications.

Section: Reference

IBM Rational AppScan - a Recognized Leader
- #1 world-wide market share revenue position (2006) according to Gartner. Source: Gartner Dataquest, "Market Share: Application Development and Project and Portfolio Management Software, Worldwide, 2006," Laurie F. Wurster, Asheesh Raina, Fabrizio Biscotti, 22 May 2007.
- #1 world-wide market share revenue position according to IDC. Source: Worldwide Security and Vulnerability Management Software 2006-2010 Forecast and Analysis: Managing Security Knowledge and Control, IDC #204693, December 2006.
- Winner of SC Magazine's top Security Company 2007.
- Winner SD Times 100, security category.
- Winner of Dr. Dobb's Journal 17th annual Jolt Award for security.
- Watchfire named one of the top 25 innovations by Financial IT Security Magazine in its 2007 "Future Now" list.
- Selected as a "Top Pick" in the IT Defense Product Directory for 2007.

For additional information:
- IBM Security: rnance/security/defend.html
- IBM Rational: ferings/testing/webapplicationsecurity/
- IBM Tivoli Access Manager for: roducts/access-mgr-e-bus/
- IBM Internet Security: wss/offerfamily/igs/a1025846

Learn more at: IBM Rational software; Architecture management; IBM Rational Software Delivery Platform; Rational trial downloads; Process and portfolio management; developerWorks Rational; Change and release management; IBM Rational TV; Quality management; IBM Rational Business Partners.

Copyright IBM Corporation 2007. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, the on-demand business logo, Rational, the Rational logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
