HP Confidential, 11 January 2014

Application Security is the weakness of Security
Web Application Vulnerabilities on the Rise

- Web is the easiest entry point: networks are secure; hackers know Web applications are not.
- Organizations are under pressure:
  - more Web applications
  - more regulatory requirements
  - more customer and partner demands
  - more pressure from shareholders

[Chart: Growth of Web Application Vulnerabilities. Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database.]
What are organizations doing about these threats?

- Leading organizations secure the lifecycle.
- 92% of security defects exist in the application.
- Save money by fixing security defects before they reach production.

[Chart: relative cost of fixing a security defect by lifecycle phase: Design 1X, Development 6.5X, Testing 15X, Deployment 100X.]
Challenge of Building a Scalable Security Program
Tools available today to support application security quality issues

- Source code analysis
  - Static review of application vulnerabilities at the code phase
  - Find and fix
- Security testing tools
  - Functional validation of security requirements
  - Some integrated with test management solutions
  - Remedial updates to cover new threats
- Post-deployment security
  - Penetration testing as an ongoing preventative measure
  - Regular updates and re-testing are imperative
Points to consider

- Where does security fit into the application lifecycle?
- What is your security policy? How do you consider it when approaching software quality?
- Should quality be considered only at the testing stage? What about pre- and post-testing?
- Internal vs. external security: where are the vulnerabilities in your organization? People? Applications? Data?
- Is there enough awareness of this issue within your organization? Application vulnerabilities account for 75% of all issues.
Open to the floor

- Security testing experiences
  - What works well? Why?
  - Challenges: how can they be overcome?
- Who is responsible?
- Does it have to become front-line news before it is taken seriously?