The document provides an overview of Fortify on Demand (FoD) security assessments. It summarizes that FoD offers automated static and dynamic application security testing through HP's analysis tools and a team of security experts. It gives concise summaries of the Baseline, Standard, and Premium assessment levels, which differ in coverage, the number of user accounts exercised, and whether manual security testing is included. The document also highlights customer success stories and the commonalities shared by organizations that have succeeded in developing a secure software development lifecycle.
2. About the Presenter
• Jason Haddix (@jhaddix)
• Director of Penetration Testing at HP/Fortify on their ShadowLabs team.
• Previously worked in HP's Professional Services as a security consultant, and as an engineer and pen tester for Redspin.
• Frequent attendee, presenter, and CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
• Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine.
• Serves on the advisory board for the GIAC Penetration Testing curriculum and is GSEC, GPEN, and eCPPT certified.
6. "We've also seen 19,000 new malicious URLs each day in the first half of this year. And, 80% of those URLs are legitimate websites that were hacked or compromised."
Sophos Threat Report (First half of 2011)
7. ...a new web threat emerges every 4.5 seconds...
9. Why do we care?
• Your critical business applications face the Internet
• Regulations and Standards (PCI, HIPAA, SOX, etc.)
• More than 60% of applications have serious flaws
10. Challenges
• Difficult to train and retain staff; very difficult to keep skills up to date
• Constantly changing environment
• New attacks constantly emerge
• Compliance Requirements
• Too many tools for various results
12. What is Fortify on Demand?
• SaaS-based, annual subscription model
• Unlimited Assessments, Unlimited Users
• Scale Rapidly (10, 100, 1000)
• The most Comprehensive Coverage Model – Verify False Positives & Manual Penetration Testing
• Single portal for consuming results
• Market leading analyzers for Static and Dynamic Testing
• Business Logic Assessments
• Large Testing team at your fingertips
• Security Branding with HP FOD Logo on Web Applications
13. (Diagram) FOD assessment coverage: Web, Mobile, Thick Client, 3rd Party, API, Binary
15. Dynamic Testing – Baseline Application
• Recommended for Low Risk Websites (Marketing Sites, Brochure, not much change in the application)
• An automated solution for Websites: WebInspect security scanner
• All results are manually reviewed by security experts to remove false positives
16. Dynamic Testing – Standard Application
• Recommended for Medium Risk Websites
• Use of multiple automated and manual testing solutions
• All results are manually reviewed by security experts to remove any false positives. Includes penetration testing.
• Single User Perspective
17. Dynamic Testing – Premium Application
• Recommended for High Risk websites
• Designed for mission-critical Technical and business logic vulnerabilities
• All results are manually reviewed by security experts to remove any false positives. Higher focus on manual penetration testing.
• Two User Perspective
• Web Services
19. Terms and Definitions
Automated Scanning: Fortify On Demand utilizes, as its core technology, HP WebInspect to perform automated crawling and technical auditing of Web Applications.
False Positive Removal: For all levels of service (Baseline, Standard, Premium), security assessment results are verified by a team of expert Security Engineers before results are marked for completion within the Fortify On Demand Portal. The Fortify On Demand team confirms that all data provided in the final report is free of false positives.
User Accounts: Depending on the level of service, the FOD assessment team will utilize either one (1) or two (2) user accounts for exercising the target application. By utilizing more than one account profile during the testing process, the assessment team may recognize a significant number of Business Logic flaws within the application. Examples of this may be "Session Hijacking" or "Privilege Escalation".
Remediation Scan: For each completed assessment, users may opt to have discovered vulnerabilities retested to confirm that remediation efforts were successful. The remediation scan process does not involve a re-scan of the entire application, but a verification of the unique (initially discovered) vulnerabilities.
Manual Security Testing: For service levels "Standard" and "Premium", advanced tools and automated scripts are utilized to assess the target application for non-standard web application security flaws.
Business Logic Testing: Business Logic flaws represent a category of vulnerabilities which cannot be discovered by technical or automated scanning technology. Business Logic testing may be leveraged within our Premium Level of Service and provides approximately 40 hours of manual testing by a team of expert Application Security Engineers.
Web Services: The Premium level of service provides the assessment (SOAP and REST-based) of Web Services for up to ten (10) Web Service endpoints.
20. Static Testing
Broad Support
• ABAP • ASP.NET • C# • C/C++ • Classic ASP • COBOL • Cold Fusion • Flex • HTML • Java • JavaScript/AJAX • JSP • Objective C • PHP • PL/SQL • Python • T-SQL • VB.NET • VB6 • VBScript • XML
• Unlimited static scans
• Results verified
• Unlimited users
Powerful Remediation
• Insightful Analysis and Reports
• Collaboration Module
Fast and Scalable
• 1 Day Static Turnaround
• Virtual Scan Farm
21. Custom Testing
• Internal Penetration Testing
• External Penetration Testing
• Wireless Penetration Testing
• Physical Penetration Testing
• Social Engineering
• APT Breach Simulation
• Vulnerability Assessment
• Internal
• External
• Web Service
• Cloud
• Mobile Binaries
• Reverse Engineering
• Malware Analysis
• Threat Modeling
• Embedded Device Testing
• Secure Code Training
• Manual Source Code Auditing in other languages
• Vulnerability Remediation
• SDLC Implementation & Auditing
23. World Renowned Technologies
• Fortify SCA Engine – Fully mapped taxonomy of all Vulnerability categories (VulnCAT)
• HP WebInspect Engine – Largest set of Dynamic Vulnerability Checks, 8k+ (SecureBase)
• TippingPoint & ArcSight Vulnerability Intelligence – Leaders in Malware & 0-Day Research
24. Fortify SCA
Detect more than 480 types of software security vulnerabilities across 20+ development languages, the most in the industry.
IDE Integration for faster identification earlier in the development lifecycle.
Mobile Application support: iPhone & Android.
Features
• Pinpoint root cause of vulnerabilities – line of code detail
• Prioritize fixes sorted by risk severity
• Detailed "fix" instruction in the development language
25. HP WebInspect
Largest Security Check Database (8k+ Dynamic Checks)
Independent research study showed WI to outperform other enterprise dynamic scanners in application coverage and scored a 99.26% in injection accuracy.
One of the only dynamic scanners to support web services and true REST APIs.
Features
• Can integrate with server runtime to find more vulnerabilities, faster (Security Scope)
• Easy and simple export of vulnerabilities to TippingPoint WAF
• Powerful Macro Engine to navigate custom authentication or heavy use of AJAX
Source: http://www.sectoolmarket.com/
31. (Some) Team Members
• Daniel Miessler – Methodology Guru (OWASP, WASC, WAHH); SecLists Project Maintainer
• Dennis Antunes – Dynamic Assessment Lead
• Bucky Spires – Mobile Assessment Lead
• Andre Gironda – Sr. Application Tester
• Cash Turner – Sr. Dynamic Application Tester
• Nick Childers – Sr. Researcher and Application Tester; Former Leader of Shellphish Defcon CTF Team
• Nick Denarski – Metasploit Contributor and Trainer
• Brooks Garret – DVWA Maintainer
• Kevin Lynn – Sr. Application Tester
37. Leading By Example
Over 1000 organizations worldwide have standardized on HP Fortify:
9 of the top 10 major banks
9 of the top 10 software companies
All of the top 10 telecoms
All major branches of U.S. DOD
All 5 top insurance firms
2 out of 4 top oil and gas companies
Many top car manufacturers
Big 4 accounting firms
38. Fortify & FoD Awards
• Dynamic Application Testing Leader
• Static Application Testing Leader
"At any given time, there are 200 to 300 zero day vulnerabilities only HP knows about"
39. A CTO's Perspective on FoD
"I was very impressed by the knowledge and the responsiveness of both the Fortify BU sales and delivery resources. They helped me in building the business case for Application security which was key in establishing client stakeholder support for this initiative. Besides, they also partnered with the account to conduct a PoC which helped showcase our capability to the client. I am very confident based on my own positive experience that anyone in the security officer role could benefit a lot by working closely with the Fortify team to introduce our Application security capabilities to their clients."
40. Commonalities of Success, Developing a Winning SDLC
• Internal app security research
• External hacking research
(Diagram) HP Fortify Solutions mapped across the lifecycle phases Source code validation, QA & Integration Testing, Application Audit, and Production Environment; rows for Static, Dynamic, and Hybrid testing, with Static Code Analysis in the IDE (SCA), Static Code Integration Assessment, Static Assessment Audit, Continuous Assessment, Dynamic Functional Test, and Penetration Testing placed along the phases.
43. Next Step?
• Contact me or David Nester
• Discuss our group internally at HP
• Schedule a PoV!
David Nester (david.nester@hp.com)
Jason Haddix (jason.haddix@hp.com)
In today's information-centric world, hackers are after data and business logic, which they can manipulate and control. We're talking about stealing your Intellectual Property, your Customer Data (credit card, SSN, address, etc.), Business Processes and Trade Secrets. With software, protecting one point in the system is not sufficient. The whole pathway to the data must be secure. If there is any vulnerability along that path, then the entire system is vulnerable. Hackers are ingenious in discovering new pathways. Years ago, they started at the network and hardware levels, but we have been successful in handling the problem (the grayed-out area of the slide), so now they are going right to the app layer. This can be useful in explaining things like why encryption is not going to help you with app sec.