Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

Published byMarcus Mitchell Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify."— Presentation transcript:

1

2 © 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify Software Inc 2

3 © 2009 All Right Reserved Fortify Software Inc. Before we Begin: Expectations Objectives Agenda

4 © 2009 All Right Reserved Fortify Software Inc. About Your Presenter 22 years of Engineering (“building stuff”) in the Silicon Valley –Semiconductors –Operating Systems –Development Tools –Brokerage / E-Commerce The Last 6 years working on Securing that Stuff –Founder & CTO of Fortify Software

5 © 2009 All Right Reserved Fortify Software Inc. A Simple, Reasonable, Question…. 5 Unfortunately not so simple to answer… If I run software, am I putting my business, data, customers or even life on earth at risk? If so, how serious is the threat?

6 © 2009 All Right Reserved Fortify Software Inc. Three Basic Approaches Hard to know if your “experts” are as good as the bad guy Prohibitively expensive to do on a regular basis No advantage over the bad guys Identifies the result – not the root cause “Badness-ometer” limitations and issues Automated crawler and web traffic analysis can yield Identifies the result – not the root cause Exactly what the bad guy does.. Cheap and easy way to find the most obvious issues Look for root cause issues from the “inside out” – the code Requires intimate access to the software Requires programming knowledge and expertise Exploitability information is not present as with other two. Identifies the root cause not the result Hire an expert Ethical Hacking Automate Hacking Black Box / Penetration Test Analyze the Software Static and Dynamic Analysis

7 © 2009 All Right Reserved Fortify Software Inc. Software Security Assurance (SSA) Remediate Vulnerabilities found in software Assess Software for security vulnerabilities Prevent Software security vulnerabilities The management & prevention of security risks in software Operation Construction Test

8 © 2009 All Right Reserved Fortify Software Inc. Software Security Maturity An info-sec project Generates awareness & support security initiatives Consulting, PenTesting & some manual code review Info-sec driven project with development support Forces a rework of code “Inside-out” Static and Dynamic Analysis required Proving the problem or meeting a basic regulatory requirement Recurring cost that does not “fix” anything Fixing security issues uncovered from assessments Secure the development and procurement lifecycle avoiding issues altogether Lowering risk but costs too high Info-sec-sponsored Development-led project Requires significant organizational buy-in Requires more than a point solution Minimizing business risk systematically Risk Awareness Vulnerability Assessment Risk Reduction Analysis & Remediation Prevention Secure SDL & Software

9 © 2009 All Right Reserved Fortify Software Inc. 9 Systemic Problem Software Procurement & Development Cycle Immediate Problem Existing Legacy Applications Prevention of the introduction of new risk Assessment & remediation of existing software The Challenge Compliance & Regulatory Requirements

10 © 2009 All Right Reserved Fortify Software Inc. Benefits of a “Hybrid” Approach A seamless flow from Assessment to Prevention –Facilitates growth in maturity from assessment to prevention Combined benefits at Testing phase - “Remediation Gap” –Application Testing & Software Analysis: Rapid identification of high priority issues (DAST) Precise description of root cause vulnerability in code (SAST) Reduced time and costs to remediate vulnerabilities By mapping each security issue to root cause in source code Developers understand security findings – faster fixes Security findings are more accurate – less research Security findings are more comprehensive – less rework Reduced time to fix Reduced false positives Less conflict between security and development

11 © 2009 All Right Reserved Fortify Software Inc. Dynamic Application Security Testing “Black Box” 11 Security Tester Web Application Development HP WebInspect Results Challenges -Visibility to “root cause”… -It is called “Black Box” -1 Issue may be indicative of many -Multiple issues may trace back to one problem -Communicating to developers -URLs and hacking technique vs. code errors -Validating behavior (FP)

12 © 2009 All Right Reserved Fortify Software Inc. 12 Security Tester Development

13 © 2009 All Right Reserved Fortify Software Inc. 13 Security Tester

14 © 2009 All Right Reserved Fortify Software Inc. Hybrid Integrated Security Testing 14 Source Code Development Fortify Source Code Analysis Security Tester Web Application Results Hybrid Results HP WebInspect Results

15 © 2009 All Right Reserved Fortify Software Inc. FortifyHybrid Integration Demo 15

16 © 2009 All Right Reserved Fortify Software Inc. 16 “Runtime Data” comes from Runtime Analysis Today Fortify leverages this to monitor and guard applications Fortify Runtime Analysis + WebInspect = Hybrid 2.0 Runtime Analysis is required to ensure proper mapping of SAST/DAST results Runtime Analysis allows testers and programmers to see “inside” the app Runtime analysis makes black box testing – white box testing How did we do that?

17 © 2009 All Right Reserved Fortify Software Inc. Introducing Hybrid 2.0 17 Source Code Development Pen Tester Results Hybrid+ Results Fortify Runtime Analysis HP WebInspect Results Fortify Source Code Analysis Web Application

18 © 2009 All Right Reserved Fortify Software Inc. 18 Hybrid Aggregation: The complete set of results Unified management & reporting Ability to combine SAST and DAST findings for integrated prioritization and reporting. Reduced time and cost to fix vulnerabilities Ability to follow test findings “into” the program and the code to see the root cause. Hybrid 1.0 (2005 Technology – Available since 2006) Hybrid Correlation The accurate results Hybrid Insight The actionable results Hybrid 2.0 (An HP/Fortify exclusive advantage)

19 © 2009 All Right Reserved Fortify Software Inc. Thank you !

20

Download ppt "© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify."

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Testing and Quality Assurance

Testing and Quality Assurance
Delivering Enterprise Projects Using Agile Methods Brent Barton May 23, 2006.

Delivering Enterprise Projects Using Agile Methods Brent Barton May 23, 2006.
HVC2012 | 8-Nov-12 Application Performance Monitoring Ofer Maor CTO HVC2012 8 Nov 2012 Haifa, Israel.

HVC2012 | 8-Nov-12 Application Performance Monitoring Ofer Maor CTO HVC Nov 2012 Haifa, Israel.
Web Vulnerability Assessments

Web Vulnerability Assessments
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.

Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.
Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz

Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz
Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions.

Using the Cloud and SaaS to Secure the SDLC. About Me Andy Earle HP/Fortify – Security Solutions Architect / Presales Engineer – Sell, deliver solutions.
Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.

Engineering Secure Software. The Power of Source Code  White box testing Testers have intimate knowledge of the specifications, design, Often done by.
Gray, the New Black Gray-Box Web Vulnerability Testing Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011.

Gray, the New Black Gray-Box Web Vulnerability Testing Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011.
SOA e-Government Conference September 16, 2010 ™.

SOA e-Government Conference September 16, 2010 ™.
Roadmap to Continuous Integration Testing and Benefits Gowri Selka, Walgreens Natalie Koltun, Walgreens May 20th, 2014 ©2013 Walgreen Co. All rights reserved.

Roadmap to Continuous Integration Testing and Benefits Gowri Selka, Walgreens Natalie Koltun, Walgreens May 20th, 2014 ©2013 Walgreen Co. All rights reserved.
Boost your network security with NETASQ Vulnerability Manager.

Boost your network security with NETASQ Vulnerability Manager.
Customer confidential 1 Privilege Management Sean Moore Solutions Specialist.

Customer confidential 1 Privilege Management Sean Moore Solutions Specialist.
OWASP APPSEC, 2013 JEREMIAH GROSSMAN Founder and THE REAL STATE OF WEBSITE SECURITY and THE TRUTH ABOUT ACCOUNTABILITY and “BEST-PRACTICES.”

OWASP APPSEC, 2013 JEREMIAH GROSSMAN Founder and THE REAL STATE OF WEBSITE SECURITY and THE TRUTH ABOUT ACCOUNTABILITY and “BEST-PRACTICES.”
Www.softwaretestinggenius.com Understanding of Automation Framework A Storehouse of Vast Knowledge on Software Testing and Quality Assurance.

Understanding of Automation Framework A Storehouse of Vast Knowledge on Software Testing and Quality Assurance.
VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.

VULNERABILITY MANAGEMENT Moving Away from the Compliance Checkbox Towards Continuous Discovery.
The Business of Penetration Testing

The Business of Penetration Testing

Similar presentations

Ads by Google