2. 2 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
3. Executive Summary Web applications are the greatest source of risk for organizations Rational Application Security enables organizations to address root cause of this risk AppScan leverages a mix of technologies (static & dynamic) AppScan is a key part of IBM Security’s full solution view of application security 3 Rational AppScan Suite enables Comprehensive Application Vulnerability Management
4. The Costs from Security Breaches are Staggering 4 285 Million records compromised in 2008 Verizon 2009 data Breach Investigations Report $204 Cost per Compromised Record Ponemon 2009-2010 Cost of a data Breach Report Translates to $58.1B Cost to CoRporations
10. Cost to repair1,000,000x 10x 1x Security Flaw Damage to Enterprise Functional Flaw Development Test Deployment
11.
12. In 2009, 49% of all vulnerabilities were Web application vulnerabilities
13. SQL injection and Cross-Site Scripting are neck and neck in a race for the top spotIBM Internet Security Systems 2009 X-Force®Year End Trend & Risk Report
14. Why are Web Applications so Vulnerable? 7 Developers are mandated to deliver functionality on-time and on-budget - but not to develop secure applications Developers are not generally educated in secure code practices Product innovation is driving development of increasingly complicated software for a Smarter Planet Network scanners won’t find application vulnerabilities and firewalls/IPS don’t block application attacks Volumes of applications continue to be deployed that are riddled with security flaws… …and are non compliant with industry regulations
15. 8 Clients’ security challenges in a smarter planet Key drivers for security projects Increasing Complexity Rising Costs Ensuring Compliance Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billionin 2010 Soon, there will be 1 trillionconnected devices in the world, constituting an “internet of things” The cost of a data breach increased to $204 per compromised customer record Source http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html
16. Market Drivers Regulatory & Standards Compliance eCommerce: PCI-DSS, PA-DSS Financial Services: GLBA Energy: NERC / FERC Government: FISMA User demand Rich application demand is pushing development to advanced code techniques – Web 2.0 introducing more exposures Cost cutting in current economic climate Demands increased efficiencies Cyber Blitz Hits U.S., Korea Websites -WSJ July 9th, 2009 “Web-based malware up 400%, 68% hosted on legitimate sites” — ZDnet, June 2008 Hackers Break Into Virginia Health Website, Demand Ransom — Washington Post, May, 2009
17. 10 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
18.
19. Security needs to be built into the development process and addressed throughout the development lifecycle
20. Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:
26. Cost is a Significant Driver 80% of development costs are spent identifying and correcting defects!* Once released as a product $7,600/defect + Law suits, loss of customer trust, damage to brand During the QA/Testing phase $960/defect During the build phase $240/defect During the coding phase $80/defect The increasing costs of fixing a defect…. *National Institute of Standards & Technology Source: GBS Industry standard study Defect cost derived in assuming it takes 8 hrs to find, fix and repair a defect when found in code and unit test. Defect FFR cost for other phases calculated by using the multiplier on a blended rate of $80/hr.
37. With 1 hire + 4 quarterly outsourced audits (ex: $120,000+$80,000), $800,000/yr can be saved (less the cost of testing software)Automated testing provides tremendous productivity savings over manual testing Automated source code testing with periodic penetration testing allows for cost effective security analysis of applications Cost Avoidance – of a security breach The cost to companies is $204per compromised record** The average cost per data breach is $6.6 Million** Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage * Source: GBS Industry standard study ** Source: Ponemon Institute 2009-10
38. 15 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
39. Application Security Maturity Model CORRECTIVE BOLT ON BUILT IN UNAWARE PHASE PHASE PHASE Security testing before deployment Fully integrated security testing Doing nothing Outsourced testing View of application testing coverage Time Duration 1-2 Years
40. Build Coding QA Security Production Security Testing Within the Software Lifecycle SDLC Most Issues are found by security auditors prior to going live. % of Issue Found by Stage of SDLC
41. Build Coding QA Security Production Security Testing Within the Software Lifecycle SDLC Desired Profile % of Issue Found by Stage of SDLC
42. Build Coding QA Security Production Security Testing Within the Software Lifecycle SDLC Developers Developers Developers Application Security Testing Maturity
43. 20 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
50. 23 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
Web applications are the greatest source of risk for organizations today. And Rational application security can allow organizations to address the root cause of this risk. That’s a significant statement because there are different application security solutions out there that are more protection and patch that don’t address the root case. recard). We leverage a mix of technologies both static and dynamic to enable the right use cases. So not only do we speak to the technologies but we focus on building the right solution for the right stakeholder whether you’re talking to a security auditor, build manager, developer, QUA tester. We’ve built our portfolios to support these different - these cases. And beyond that AppScan is the key part of IBM’s full solution view of application security so we’re not just a point solution like many of thetier two competitors that we see in the market. We’re a full solution for application vulnerability management but we’re also full solution for application security from vulnerability management to identity and access management to application firewalls and IPSs. So there’s a full story that we’ll get into shortly but in summary: we’re a comprehensive application vulnerability management solution.
some new stats that may be new to your customer f they’re not already aware of the severity and prevalence. Verizon business report, in their report from 2009 they found that there were 285 million records that were compromised. We married this data point with Ponemon’s research that cost of a compromised record cost to an organization is $204 per record and that translates to over $58 billion cost to corporations. That’s a pretty significant problem and one that CIOs, (CSOs) can’t ignore
There’re multiple sources of breach cost but the key point on this slide is that you should fix security issues early in the process. If that doesn’t happen, if this gets in the field and there’s a breach as a result, the cost of a security flaw is exponentially higher then what is typically seen for a functional flaw. And these cost organizations come in in many different forms from government litigation, brand damage, revenue, cost repair and audits
More data from IBM X source year end report. About half - Web application vulnerabilities is the largest category. Vulnerability disclosures represent about half of all vulnerabilities that exist for the organization.
Why are applications so vulnerable? Developers are mandated to deliver functionality on time and on budget, not to develop secure applications. So security is not a priority for them. They’re also not generally education in secure code practices. Additionally, product innovation, the whole smarter planet discussion is driving development of increasingly complex software. We’re all over that. When developers limits are being stretched, they’re focusing on the functionality of those applications, not the security, and increasing complexity generally increases risk within these applications. And of course the discussion that we continue to see, network scanners don’t find application vulnerabilities and the firewall IPSs don’t block application attack. So what’s happening is that we just continue to see volumes of applications that are deployed which are riddled with security flaws and they’re also non-compliant in industry regulations.
These new risks are significant drivers for security products. There’s increase in complexity. And then of course, compliance continues to be a main focal point in these discussions.
Security should be build into the development process vs. bolted on. Testing for vulnerabilities should be a seamless part of development that happens throughout the development lifecycle.Integrated testing solution for developers, QA, Security and Compliance stakeholdersIntegrated solution that allows for testing at all steps of Software Delivery from coding, build, QA, audit to production. Leverage best of both leading testing technologiesSolutions leverage a combination of Blackbox + Whitebox technologiesEffortless Security Developers should not have to be security experts Tools should be easy to configure, results should be accurateGovernance, reporting and dashboardsCentral control over test policiesVisibility through dashboards and reportsFacilitate collaboration between development and security teamsIssues can be assigned and tracked
