Powered By: PSO eOPS Security Training
October 1st, 2012
Jason Haddix, Director of Penetration Testing
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
About the Presenter

 •   Jason Haddix (@jhaddix)
       •   Director of Penetration Testing at HP/Fortify on their ShadowLabs team.
       •   Previously worked in HP’s Professional Services as a security consultant, and as an engineer & pen tester for Redspin.
       •   Frequent attender, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
       •   Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine.
       •   Serves on the advisory board for the GIAC Penetration Testing curriculum, and is GSEC, GPEN, and eCPPT certified.
About the Presenter

 •   Website: www.SecurityAegis.com
 •   Presentations:
Why Application Security?
Source: http://xkcd.com/327/

“We've also seen 19,000 new malicious URLs each day in the first half of this year. And, 80% of those URLs are legitimate websites that were hacked or compromised.”
   Sophos Threat Report (First half of 2011)

...a new web threat emerges every 4.5 seconds...
Attackers are targeting applications

[Diagram: layers Networks, Hardware and Applications in front of the protected assets: Intellectual Property, Customer Data, Business Processes, Trade Secrets]

Security Measures (network and host layer):
 •   Switch/Router security
 •   Firewalls
 •   NIPS/NIDS
 •   VPN
 •   Net-Forensics
 •   Anti-Virus/Anti-Spam
 •   DLP
 •   Host FW
 •   Host IPS/IDS
 •   Vuln. Assessment tools
Why do we care?

 •   Your critical business applications face the Internet
 •   Regulations and Standards (PCI, HIPAA, SOX, etc.)
 •   More than 60% of applications have serious flaws
Challenges

 •   Difficult to train and retain staff; very difficult to keep skills up-to-date
 •   Constantly changing environment
 •   New attacks constantly emerge
 •   Compliance requirements
 •   Too many tools for various results
Introducing Fortify on Demand




What is Fortify on Demand?

 •   SaaS-based, annual subscription model
 •   Unlimited Assessments, Unlimited Users
 •   The most Comprehensive Coverage Model – Verify False Positives & Manual Penetration Testing
 •   Single portal for consuming results
 •   Market leading analyzers for Static and Dynamic Testing
 •   Business Logic Assessments
 •   Large Testing team at your fingertips
 •   Scale Rapidly (10, 100, 1000)
 •   Security Branding with HP FOD Logo on Web Applications
[Diagram: FOD at the centre, with the assessment targets around it: Mobile, Thick Client, Web, 3rd Party API, Binary]
Dynamic Testing

[Diagram: an Application is assessed at one of three service levels: Baseline, Standard, Premium]
Dynamic Testing: Baseline

 •   Recommended for Low Risk Websites (Marketing Sites, Brochure, Not much change in the application)
 •   An automated solution for Websites: WebInspect security scanner
 •   All results are manually reviewed by security experts to remove false positives
Dynamic Testing: Standard

 •   Recommended for Medium Risk Websites
 •   Use of multiple automated and manual testing solutions
 •   All results are manually reviewed by security experts to remove any false positives. Includes penetration testing.
 •   Single User Perspective
Dynamic Testing: Premium

 •   Recommended for High Risk websites
 •   Designed for mission-critical Technical and business logic vulnerabilities
 •   All results are manually reviewed by security experts to remove any false positives. Higher focus on manual penetration testing.
 •   Two User Perspective
 •   Web Services
Dynamic Testing

| Level    | Automated Scanning | False Positive Removal | User Accounts | Remediation Scan | Manual Security Testing | Business Logic Testing | Web Services |
|----------|--------------------|------------------------|---------------|------------------|-------------------------|------------------------|--------------|
| Baseline | ✓                  | ✓                      | 1             | ✓                |                         |                        |              |
| Standard | ✓                  | ✓                      | 1             | ✓                | ✓                       |                        |              |
| Premium  | ✓                  | ✓                      | 2             | ✓                | ✓                       | ✓                      | ✓            |
| Custom   | ✓                  | ✓                      | -             | ✓                | ✓                       | ✓                      | ✓            |
Terms and Definitions

Automated Scanning: Fortify On Demand utilizes, as its core technology, HP WebInspect to perform automated crawling and technical auditing of Web Applications.

False Positive Removal: For all levels of service (Baseline, Standard, Premium), security assessment results are verified by a team of expert Security Engineers before results are marked for completion within the Fortify On Demand Portal. The Fortify On Demand team confirms that all data provided in the final report is free of false positives.

User Accounts: Depending on the level of service, the FOD assessment team will utilize either one (1) or two (2) user accounts for exercising the target application. By utilizing more than one account profile during the testing process, the assessment team may recognize a significant number of Business Logic flaws within the application. Examples of this may be “Session Hijacking” or “Privilege Escalation”.

Remediation Scan: For each completed assessment, users may opt to have discovered vulnerabilities retested to confirm that remediation efforts were successful. The remediation scan process does not involve a re-scan of the entire application, but a verification of the unique (initially discovered) vulnerabilities.

Manual Security Testing: For service levels “Standard” and “Premium”, advanced tools and automated scripts are utilized to assess the target application for non-standard web application security flaws.

Business Logic Testing: Business Logic flaws represent a category of vulnerabilities which cannot be discovered by technical or automated scanning technology. Business Logic testing may be leveraged within our Premium Level of Service and provides approximately 40 hours of manual testing by a team of expert Application Security Engineers.

Web Services: The Premium level of service provides the assessment (SOAP and REST-based) of Web Services for up to ten (10) Web Service endpoints.
Static Testing

 •   Unlimited static scans
 •   Results verified
 •   Unlimited users

Broad Support: ABAP, ASP.NET, C#, C/C++, Classic ASP, COBOL, Cold Fusion, Flex, HTML, Java, JavaScript/AJAX, JSP, Objective C, PHP, PL/SQL, Python, T-SQL, VB.NET, VB6, VBScript, XML

Powerful Remediation: Insightful Analysis and Reports; Collaboration Module

Fast and Scalable: 1 Day Static Turnaround; Virtual Scan Farm
Custom Testing

 •   Internal Penetration Testing
 •   External Penetration Testing
 •   Wireless Penetration Testing
 •   Physical Penetration Testing
 •   Social Engineering
 •   APT Breach Simulation
 •   Vulnerability Assessment

 •   Internal
 •   External
 •   Web Service
 •   Cloud

 •   Mobile Binaries
 •   Reverse Engineering
 •   Malware Analysis
 •   Threat Modeling
 •   Embedded Device Testing

 •   Manual Source Code Auditing in other languages
 •   Vulnerability Remediation
 •   SDLC Implementation & Auditing
 •   Secure Code Training
Technologies of Fortify on Demand




World Renowned Technologies

 •   Fortify SCA Engine: Fully mapped taxonomy of all Vulnerability categories (VulnCAT)
 •   HP WebInspect Engine: Largest set of Dynamic Vulnerability Checks, 8k+ (SecureBase)
 •   TippingPoint & ArcSight Vulnerability Intelligence: Leaders in Malware & 0-Day Research
Fortify SCA

 •   Detect more than 480 types of software security vulnerabilities across 20+ development languages—the most in the industry.
 •   IDE Integration for faster identification earlier in the development lifecycle
 •   Mobile Application support: iPhone & Android

Features
     •   Pinpoint root cause of vulnerabilities – line of code detail
     •   Prioritize fixes sorted by risk severity
     •   Detailed “fix” instruction -- in the development language
HP WebInspect

 •   Largest Security Check Database (8k+ Dynamic Checks)
 •   Independent research study showed WI to outperform other enterprise dynamic scanners in application coverage and scored a 99.26% in injection accuracy.
 •   One of the only dynamic scanners to support web services and true REST APIs

Features
     •   Can integrate with server runtime to find more vulnerabilities, faster. (Security Scope)
     •   Easy and simple export of vulnerabilities to TippingPoint WAF
     •   Powerful Macro Engine to navigate custom authentication or heavy use of AJAX.

Source: http://www.sectoolmarket.com/
Behind the Curtain




Security Assessments by Security Professionals

[Diagram: FOD takes in Mobile, Thick Client, Web, 3rd Party and Binary targets; Automated stage: Static/Whitebox Analysis and Dynamic/Blackbox Analysis; Engineers stage: False Positive Reduction, Manual Source Code Analysis, Full Web/Mobile Application Penetration Testing]
Dynamic Process Flow
Static Process Flow
History
(Some) Team Members

 •   Daniel Miessler
       •   Methodology Guru (OWASP, WASC, WAHH)
       •   SecLists Project Maintainer
 •   Dennis Antunes
       •   Dynamic Assessment Lead
 •   Bucky Spires
       •   Mobile Assessment Lead
 •   Andre Gironda
       •   Sr. Application Tester
 •   Cash Turner
       •   Sr. Dynamic Application Tester
 •   Nick Childers
       •   Sr Researcher and Application Tester
       •   Former Leader of Shellphish Defcon CTF Team
 •   Nick Denarski
       •   Metasploit Contributor and Trainer
 •   Brooks Garret
       •   DVWA Maintainer
 •   Kevin Lynn
       •   Sr. Application Tester
Community Contributions
Certifications
Repeatable, Highly Technical Methodologies

 •   Web Application Security Consortium
 •   Open Web Application Security Project
 •   Penetration Testers Execution Standard
 •   Web Application Hackers Handbook

Combined 7+ decades of practical application security testing experience
Success Stories




Leading By Example

 Over 1000 organizations worldwide have standardized on HP Fortify:

 •   9 of the top 10 major banks
 •   9 of the top 10 software companies
 •   All of the top 10 telecoms
 •   All major branches of U.S. DOD
 •   All 5 top insurance firms
 •   2 out of 4 top oil and gas companies
 •   Many top car manufacturers
 •   Big 4 accounting firms
Fortify & FoD Awards

[Award logos: Dynamic Application Testing Leader; Static Application Testing Leader]

    “At any given time, there are 200 to 300 zero day vulnerabilities only HP knows about”
A CTO’s Perspective on FoD
  “I was very impressed by the knowledge and the responsiveness of both the Fortify BU sales and delivery resources. They helped me in building the business case for Application security which was key in establishing client stakeholder support for this initiative. Besides, they also partnered with the account to conduct a PoC which helped showcase our capability to the client. I am very confident based on my own positive experience that anyone in the security officer role could benefit a lot by working closely with the Fortify team to introduce our Application security capabilities to their clients.”
Commonalities of Success, Developing a Winning SDLC

• Internal app security research
• External hacking research

HP Fortify Solutions across the SDLC (Static, Dynamic, Hybrid):
• Source code validation: Static Code Analysis in the IDE (SCA)
• QA & Integration Testing: Functional Test Integration
• Application Audit: Audit Static Code Analysis; Dynamic Penetration Testing
• Production Environment Assessment: Continuous Assessment
The Future of Fortify on Demand



Mobile Application Security

 •   More apps more problems
 •   Pentest like it’s 1999!
Next Step?

•   Contact me or David Nester
•   Discuss our group internally at HP
•   Schedule a PoV!

David Nester (david.nester@hp.com)
Jason Haddix (jason.haddix@hp.com)

Questions?

Más contenido relacionado

La actualidad más candente

Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Nicholas Davis
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Jannis Kirschner
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Dawn Yankeelov
 
Introduction to Azure Blueprints
Introduction to Azure BlueprintsIntroduction to Azure Blueprints
Introduction to Azure BlueprintsCheah Eng Soon
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
 
Mis Capstone Presentation
Mis Capstone PresentationMis Capstone Presentation
Mis Capstone PresentationBenHnat
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Close your security gaps and get 100% of your traffic protected with Cloudflare
Close your security gaps and get 100% of your traffic protected with CloudflareClose your security gaps and get 100% of your traffic protected with Cloudflare
Close your security gaps and get 100% of your traffic protected with CloudflareCloudflare
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Reportbtpsec
 
Migrating Enterprise Applications to AWS: Best Practices & Techniques (ENT303...
Migrating Enterprise Applications to AWS: Best Practices & Techniques (ENT303...Migrating Enterprise Applications to AWS: Best Practices & Techniques (ENT303...
Migrating Enterprise Applications to AWS: Best Practices & Techniques (ENT303...Amazon Web Services
 

La actualidad más candente (20)

Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security -  API Security top 10 - Erez YalonCheckmarx meetup API Security -  API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity Shaping Your Future in Banking Cybersecurity
Shaping Your Future in Banking Cybersecurity
 
Security Awareness Training.pptx
Security Awareness Training.pptxSecurity Awareness Training.pptx
Security Awareness Training.pptx
 
Introduction to Azure Blueprints
Introduction to Azure BlueprintsIntroduction to Azure Blueprints
Introduction to Azure Blueprints
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
 
Mis Capstone Presentation
Mis Capstone PresentationMis Capstone Presentation
Mis Capstone Presentation
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Close your security gaps and get 100% of your traffic protected with Cloudflare
Close your security gaps and get 100% of your traffic protected with CloudflareClose your security gaps and get 100% of your traffic protected with Cloudflare
Close your security gaps and get 100% of your traffic protected with Cloudflare
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVC
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
 
Migrating Enterprise Applications to AWS: Best Practices & Techniques (ENT303...
Migrating Enterprise Applications to AWS: Best Practices & Techniques (ENT303...Migrating Enterprise Applications to AWS: Best Practices & Techniques (ENT303...
Migrating Enterprise Applications to AWS: Best Practices & Techniques (ENT303...
 

Destacado

HP WebInspect
HP WebInspectHP WebInspect
HP WebInspectrohit_ta
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Nagaraju Repala
 
Hp Fortify Cloud Application Security
Hp Fortify Cloud Application SecurityHp Fortify Cloud Application Security
Hp Fortify Cloud Application SecurityEd Wong
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
Hp Fortify Pillar
Hp Fortify PillarHp Fortify Pillar
Hp Fortify PillarEd Wong
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 

Destacado (10)

Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
 
HP WebInspect
HP WebInspectHP WebInspect
HP WebInspect
 
Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)Hp fortify source code analyzer(sca)
Hp fortify source code analyzer(sca)
 
Hp Fortify Cloud Application Security
Hp Fortify Cloud Application SecurityHp Fortify Cloud Application Security
Hp Fortify Cloud Application Security
 
Sonar
Sonar Sonar
Sonar
 
Fortify technology
Fortify technologyFortify technology
Fortify technology
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
Hp Fortify Pillar
Hp Fortify PillarHp Fortify Pillar
Hp Fortify Pillar
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 

Similar a Powered By: PSO eOPS Security Training

Geekit_Testing_Services-3
Geekit_Testing_Services-3Geekit_Testing_Services-3
Geekit_Testing_Services-3Sally Mohamed
 
Rational App Scan&Policy Tester
Rational App Scan&Policy TesterRational App Scan&Policy Tester
Rational App Scan&Policy TesterKristina O'Regan
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016rajeshnikam
 
Track and Trace Solution Details
Track and Trace Solution DetailsTrack and Trace Solution Details
Track and Trace Solution DetailsPropix Technologies
 
AUTOMATED_VIRTUAL_SECURITY_TESTING_PLATFORM.pptx
AUTOMATED_VIRTUAL_SECURITY_TESTING_PLATFORM.pptxAUTOMATED_VIRTUAL_SECURITY_TESTING_PLATFORM.pptx
AUTOMATED_VIRTUAL_SECURITY_TESTING_PLATFORM.pptxGhanaKiran1
 
iSYSTEM Company and Product Overview v12.02
iSYSTEM Company and Product Overview v12.02iSYSTEM Company and Product Overview v12.02
iSYSTEM Company and Product Overview v12.02iSYSTEM AG
 
Neil Tompson - SoftTest Ireland
Neil Tompson - SoftTest IrelandNeil Tompson - SoftTest Ireland
Neil Tompson - SoftTest IrelandDavid O'Dowd
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Quality in dev ops east 2017
Quality in dev ops east 2017Quality in dev ops east 2017
Quality in dev ops east 2017Amir Rozenberg
 
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...Mike Spaulding
 
Mobile Services & E-Services Case Study By Osama Abushaban
Mobile Services & E-Services Case Study By Osama AbushabanMobile Services & E-Services Case Study By Osama Abushaban
Mobile Services & E-Services Case Study By Osama AbushabanOsama Abushaban
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSalil Kumar Subramony
 
IPNEC - Security Services
IPNEC - Security ServicesIPNEC - Security Services
IPNEC - Security ServicesAbdus Saboor
 
Smith Secure
Smith SecureSmith Secure
Smith Securedfeldbaum
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerDenim Group
 
Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Is your SAP system vulnerable to cyber attacks?
Is your SAP system vulnerable to cyber attacks?Virtual Forge
 

Similar a Powered By: PSO eOPS Security Training (20)

Geekit_Testing_Services-3

Powered By: PSO eOPS Security Training

  • 1. Powered By: PSO eOPS Security Training October 1st, 2012 Jason Haddix -Director of Penetration Testing © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • 2. About the Presenter • Jason Haddix (@jhaddix) • Director of Penetration Testing at HP/Fortify on their ShadowLabs team. • Previously worked in HP’s Professional Services as a security consultant, and as an engineer & pen tester for Redspin. • Frequent attendee, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc. • Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine. • Serves on the advisory board for the GIAC Penetration Testing curriculum and is GSEC, GPEN, and eCPPT certified.
  • 3. About the Presenter • Website: www.SecurityAegis.com • Presentations:
  • 6. “We've also seen 19,000 new malicious URLs each day in the first half of this year. And, 80% of those URLs are legitimate websites that were hacked or compromised.” Sophos Threat Report (First half of 2011)
  • 7. ...a new web threat emerges every 4.5 seconds...
  • 8. Attackers are targeting applications. Layers: Networks, Hardware, Applications. Security measures at the network and host layers: • Switch/Router security • Firewalls • NIPS/NIDS • VPN • Net-Forensics • Anti-Virus/Anti-Spam • DLP • Host FW • Host IPS/IDS • Vuln. Assessment tools. What attackers reach through the application layer: Intellectual Property, Customer Data, Business Processes, Trade Secrets.
  • 9. Why do we care? • Your critical business applications face the Internet • Regulations and Standards (PCI, HIPAA, SOX, etc.) • More than 60% of applications have serious flaws
  • 10. Challenges • Difficult to train and retain staff - very difficult to keep skills up-to-date • Constantly changing environment • New attacks constantly emerge • Compliance Requirements • Too many tools for various results
  • 11. Introducing
  • 12. What is Fortify on Demand? • SaaS-based, annual subscription model • Large testing team at your fingertips • Scale rapidly (10, 100, 1000) • Verify false positives & manual penetration testing • Single portal for consuming results • Market-leading analyzers for static and dynamic testing • Business logic assessments • Unlimited assessments, unlimited users • The most comprehensive coverage model • Security branding with HP FOD logo on web applications
  • 13. FOD covers: Mobile, Thick Client, Web, 3rd Party, API, Binary
  • 14. Dynamic Testing: three service levels for applications: Baseline, Standard, Premium
  • 15. Dynamic Testing: Baseline • Recommended for low-risk websites (marketing sites, brochures, not much change in the application) • An automated solution for websites: WebInspect security scanner • All results are manually reviewed by security experts to remove false positives
  • 16. Dynamic Testing: Standard • Recommended for medium-risk websites • Use of multiple automated and manual testing solutions • All results are manually reviewed by security experts to remove any false positives. Includes penetration testing. • Single user perspective
  • 17. Dynamic Testing: Premium • Recommended for high-risk websites • Designed for mission-critical technical and business logic vulnerabilities • All results are manually reviewed by security experts to remove any false positives. Higher focus on manual penetration testing. • Two user perspectives • Web services
  • 18. Dynamic Testing: features by service level (the check marks did not survive extraction; the yes/no cells below are reconstructed from the definitions on slide 19)
        Level     Automated  False Positive  Manual Security  User      Remediation  Business  Web
                  Scanning   Removal         Testing          Accounts  Scan         Logic     Services
        Baseline  yes        yes             no               1         yes          no        no
        Standard  yes        yes             yes              1         yes          no        no
        Premium   yes        yes             yes              2         yes          yes       yes
        Custom    yes        yes             yes              -         yes          yes       yes
  • 19. Terms and Definitions
    Automated Scanning: Fortify On Demand utilizes, as its core technology, HP WebInspect to perform automated crawling and technical auditing of web applications.
    False Positive Removal: For all levels of service (Baseline, Standard, Premium), security assessment results are verified by a team of expert Security Engineers before results are marked for completion within the Fortify On Demand Portal. The Fortify On Demand team confirms that all data provided in the final report is free of false positives.
    User Accounts: Depending on the level of service, the FOD assessment team will utilize either one (1) or two (2) user accounts for exercising the target application. By utilizing more than one account profile during the testing process, the assessment team may recognize a significant number of business logic flaws within the application. Examples of this may be “Session Hijacking” or “Privilege Escalation”.
    Remediation Scan: For each completed assessment, users may opt to have discovered vulnerabilities retested to confirm that remediation efforts were successful. The remediation scan process does not involve a re-scan of the entire application, but a verification of the unique (initially discovered) vulnerabilities.
    Manual Security Testing: For service levels “Standard” and “Premium”, advanced tools and automated scripts are utilized to assess the target application for non-standard web application security flaws.
    Business Logic Testing: Business logic flaws represent a category of vulnerabilities which cannot be discovered by technical or automated scanning technology. Business logic testing may be leveraged within our Premium level of service and provides approximately 40 hours of manual testing by a team of expert Application Security Engineers.
    Web Services: The Premium level of service provides the assessment (SOAP and REST-based) of web services for up to ten (10) web service endpoints.
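The “User Accounts” definition above says why a second test account matters: an authorization flaw such as one user reading another user's records is invisible to a single-account crawl, because every request the crawler makes is for data the crawler's own account is entitled to. The block below is an added example, not HP or Fortify on Demand code, of the check a tester runs with two accounts: crawl as account A to learn which objects A owns, then replay each object id with account B's session and flag any response that comes back identical to what the owner saw. The application (an invoice list and detail endpoint), the session tokens, and the invoice data are all constructed here so the check runs offline; a vulnerable handler without an ownership check is shown next to the hardened one.

```python
# Added example (not HP's code): a two-account authorization check of the kind
# described under "User Accounts". The target application, the session tokens
# and the invoice data are all constructed here so the check runs offline.

# Constructed sample data: invoices owned by two test accounts.
INVOICES = {
    101: {"owner": "alice", "total": "1200.00"},
    102: {"owner": "alice", "total": "85.50"},
    201: {"owner": "bob", "total": "40.00"},
}

# Constructed session tokens, one per test account.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def list_invoices(session):
    """Invoice list as the UI shows it: only the caller's own invoices.
    This is what a crawl with account A discovers."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, []
    return 200, sorted(i for i, inv in INVOICES.items() if inv["owner"] == user)


def vulnerable_get_invoice(session, invoice_id):
    """Detail endpoint that authenticates the caller but never checks ownership
    (an insecure direct object reference)."""
    if SESSIONS.get(session) is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (404, None) if inv is None else (200, inv)


def hardened_get_invoice(session, invoice_id):
    """Same endpoint with the ownership check. 'Missing' and 'not yours' get the
    same 404 so the response does not reveal which ids exist."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return 404, None
    return 200, inv


def two_account_check(get_invoice, crawl_session, replay_session):
    """Crawl the application as one account to learn which objects it owns, then
    replay every object id from the second account. Returns the ids the second
    account could read with the same content the owner sees."""
    status, owned_ids = list_invoices(crawl_session)
    if status != 200:
        raise RuntimeError("crawl account could not log in")
    leaked = []
    for invoice_id in owned_ids:
        _, as_owner = get_invoice(crawl_session, invoice_id)
        status_b, as_other = get_invoice(replay_session, invoice_id)
        if status_b == 200 and as_other == as_owner:
            leaked.append(invoice_id)
    return leaked


def run_both_directions(get_invoice):
    """Run the check A->B and B->A; a single direction misses objects only B owns."""
    return {
        "alice_to_bob": two_account_check(get_invoice, "sess-alice", "sess-bob"),
        "bob_to_alice": two_account_check(get_invoice, "sess-bob", "sess-alice"),
    }


if __name__ == "__main__":
    print("vulnerable:", run_both_directions(vulnerable_get_invoice))
    print("hardened:  ", run_both_directions(hardened_get_invoice))
```

Against a real target the two sessions would be captured browser cookies and `list_invoices`/`get_invoice` would be HTTP requests, but the logic is the same: the finding is the set of ids where the second account's response matches the owner's, and the check is run in both directions so that objects only the second account owns are covered too. The hardened handler returns the same 404 for a missing id and for someone else's id, which keeps the replay from doubling as an enumeration oracle.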
  • 20. Static Testing • Broad support: ABAP, ASP.NET, C#, C/C++, Classic ASP, COBOL, Cold Fusion, Flex, HTML, Java, JavaScript/AJAX, JSP, Objective C, PHP, PL/SQL, Python, T-SQL, VB.NET, VB6, VBScript, XML • Unlimited static scans • Results verified • Unlimited users • Powerful remediation: insightful analysis and reports, collaboration module • Fast and scalable: 1-day static turnaround, virtual scan farm
  • 21. Custom Testing • Internal Penetration Testing • External Penetration Testing • Wireless Penetration Testing • Physical Penetration Testing • Social Engineering • APT Breach Simulation • Vulnerability Assessment (Internal, External, Web Service, Cloud, Embedded Device Testing) • Mobile Binaries • Reverse Engineering • Malware Analysis • Threat Modeling • Secure Code Training • Manual Source Code Auditing in other languages • Vulnerability Remediation • SDLC Implementation & Auditing
  • 22. Technologies of
  • 23. World Renowned Technologies • Fortify SCA Engine: fully mapped taxonomy of all vulnerability categories (VulnCAT) • HP WebInspect Dynamic Engine: largest set of vulnerability checks, 8k+ (SecureBase) • TippingPoint & ArcSight: leaders in malware & 0-day research, vulnerability intelligence
  • 24. Fortify SCA  Detect more than 480 types of software security vulnerabilities across 20+ development languages—the most in the industry.  IDE Integration for faster identification earlier in the development lifecycle  Mobile Application support: iPhone & Android Features • Pinpoint root cause of vulnerabilities – line of code detail • Prioritize fixes sorted by risk severity • Detailed “fix” instruction -- in the development language
  • 25. HP WebInspect • Largest security check database (8k+ dynamic checks) • An independent research study showed WebInspect to outperform other enterprise dynamic scanners in application coverage, and it scored 99.26% in injection accuracy. • One of the only dynamic scanners to support web services and true REST APIs. Features • Can integrate with the server runtime to find more vulnerabilities, faster (Security Scope) • Easy and simple export of vulnerabilities to TippingPoint WAF • Powerful macro engine to navigate custom authentication or heavy use of AJAX. Source: http://www.sectoolmarket.com/
  • 26. Behind the Curtain
  • 27. Security Assessments by Security Professionals • Inputs: Mobile, Thick Client, Web, 3rd Party, Binary, all flowing into FOD • Automated Static/Whitebox Analysis • Automated Dynamic/Blackbox Analysis • Engineers: False Positive Reduction, Manual Source Code Analysis, Full Web/Mobile Application Penetration Testing
  • 31. (Some) Team Members • Daniel Miessler: Methodology Guru (OWASP, WASC, WAHH), SecLists Project Maintainer • Nick Childers: Sr Researcher and Application Tester, Former Leader of Shellphish Defcon CTF Team • Dennis Antunes: Dynamic Assessment Lead • Nick Denarski: Metasploit Contributor and Trainer • Bucky Spires: Mobile Assessment Lead • Brooks Garret: DVWA Maintainer • Andre Gironda: Sr. Application Tester • Kevin Lynn: Sr. Application Tester • Cash Turner: Sr. Dynamic Application Tester
  • 34. Repeatable, Highly Technical Methodologies • Web Application Security Consortium • Open Web Application Security Project • Penetration Testers Execution Standard • Web Application Hackers Handbook • Combined 7+ decades of practical application security testing experience
  • 36. Success Stories
  • 37. Leading By Example. Over 1000 organizations worldwide have standardized on HP Fortify: • 9 of the top 10 major banks • 9 of the top 10 software companies • All of the top 10 telecoms • All major branches of U.S. DOD • All 5 top insurance firms • 2 out of 4 top oil and gas companies • Many top car manufacturers • Big 4 accounting firms
  • 38. Fortify & FoD Awards • Dynamic Application Testing Leader • Static Application Testing Leader • “At any given time, there are 200 to 300 zero day vulnerabilities only HP knows about”
  • 39. A CTO’s Perspective on FoD “I was very impressed by the knowledge and the responsiveness of both the Fortify BU sales and delivery resources. They helped me in building the business case for application security, which was key in establishing client stakeholder support for this initiative. Besides, they also partnered with the account to conduct a PoC which helped showcase our capability to the client. I am very confident, based on my own positive experience, that anyone in the security officer role could benefit a lot by working closely with the Fortify team to introduce our application security capabilities to their clients.”
  • 40. Commonalities of Success, Developing a Winning SDLC • Internal app security research • External hacking research • Lifecycle stages: Static Source Code Audit, QA & Integration Testing, Application Validation Assessment, Production Environment Audit • HP Fortify Solutions across those stages: Static Code Analysis in the IDE (SCA), Static Code Analysis, Dynamic Analysis, Functional Test Integration, Continuous Assessment, Penetration Testing, Hybrid Testing
  • 41. The Future of Powered By:
  • 42. Mobile Application Security • More apps more problems • Pentest like it’s 1999!
  • 43. Next Step? • Contact Myself or David Nester • Discuss our group internally at HP • Schedule a PoV! David Nester (david.nester@hp.com) Jason Haddix (jason.haddix@hp.com)

Editor's notes

  1. In today’s information-centric world, hackers are after data and business logic, which they can manipulate and control. We are talking about stealing your Intellectual Property, your Customer Data (credit card, SSN, address, etc.), Business Processes and Trade Secrets. With software, protecting one point in the system is not sufficient. The whole pathway to the data must be secure. If there is any vulnerability along that path, then the entire system is vulnerable. Hackers are ingenious in discovering new pathways. Years ago, they started at the network and hardware levels, but we have been successful in handling that problem (the grayed-out area on the slide); now they are going right to the app layer. This can be useful in explaining things like why encryption is not going to help you with app sec.