Enterprise Software Security
• Accenture
–What are we protecting and Why?
–Case Studies & Examples
–Fortify more than a “software vendor”!
–The Fortify platform
What are we protecting?
• It’s more than just about Money!
– Personal Information (Customer Data)
– Financial/Banking Information
– Company/Trade Secrets
– Corporate Data
• Consider this?
– Can your business operate without the use of software on a daily basis?
– What would happen if your software just stopped working one day?
Making the Case for Software Security
• Risk of a Major Data Breach is increasing 146% since 2001
• Cost of a data breach could be $11 Million US #1
• A breach will cost more than protecting against attack
• Attacks are focused on the Application Layer (> 76% Gartner)
• NIST: 92% of vulnerabilities in application code
• It’s not all about SQL Injection & Cross-Site Scripting
• False sense of security: existing security gates don’t protect you
• 2009 expected to be the year of identity theft and significant increase in web based attacks for financial benefit
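As an added illustration, not part of the original deck, of the kind of application-layer flaw the slides refer to: the same lookup written the vulnerable way (user input concatenated into the SQL text) and the hardened way (a bound parameter), run against a constructed in-memory SQLite table so the difference in behaviour can be observed directly. Table name, column names and sample rows are all assumptions made up for the example.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "customer" table standing in for
# the database behind a customer-facing web page.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Application-layer flaw: the user-controlled value is pasted into the SQL
    text, so the database cannot distinguish data from query structure.
    This is the pattern a static analyzer reports as SQL injection."""
    sql = "SELECT username, email FROM customer WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run one input through both code paths and report the row count each returns.

    For a well-formed username both paths agree. For input containing quote
    characters the vulnerable path changes the meaning of the query (here it
    returns every customer), while the parameterized path simply finds no match.
    """
    conn = build_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, username)),
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))         # both paths: 1 row
    print(compare("' OR '1'='1"))   # vulnerable: 3 rows, parameterized: 0 rows
```

The point for a review or scanning programme is that the two functions are almost identical on the page and identical for ordinary input; only the data-flow from untrusted input into the query string separates them, which is exactly what static analysis is meant to surface before the code is deployed.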
Heartland Payment Systems
• Very Late 2007 – SQL Injection via a customer facing web page in our corporate (non-payments) environment. Bad guys were in our corporate network.
• Early 2008 – Hired largest approved QSA to perform penetration testing of corporate environment
• Spring 2008 – Learned of Sniffer Attack on Hannaford’s, Created a Dedicated Chief Security Officer Position and filled that position
• April 30, 2008 – Passed 6th Consecutive “Annual Review” by Largest QSA
• Very Late 2007 – Mid-May 2008 – Bad guys studied our corporate network
• Mid-May 2008 – Penetration of our Payments Network
Heartland Events!
• Late October 2008 – Informed by a card brand that several issuers suspected a potential breach of one or more processors. We received sample fraud transactions to help us determine if there was a problem in our payments network. A high percentage of these samples never touched our payments network.
• No evidence could be found of an intrusion despite vigorous efforts by HPS employees and then two forensics companies to find a problem.
• January 9, 2009 – We were told that “no problems were found” and that a final report reflecting that opinion would be forthcoming within days.
• January 12, 2009 – January 20, 2009 – Learned of breach, notified card brands, notified law enforcement and made public announcement.
Case Study – ANZ Bank
• What are the Drivers?
– PCI Compliance Obligations
– APRA Regulations & Requirements after review
– Software security threat #3 risk on Fortune 500
– Internal Risk Drivers
• Initial Steps
– Enablement of new program called “SAFE Program”
– Introduction of Developer Training through organization
– “Adoption of Culture Change” critical
– Implementation of world class technology & Governance
ANZ Bank Integration & Technologies
• Platforms/Development Languages
– Microsoft.NET, Classic ASP, VB, C++
– Java, JSP, J2EE
– Mainframe languages (COBOL, C, etc.)
– All Platforms such as Windows, UNIX, LINUX, etc.
• Integration with Existing Technologies
– Quality Centre Integration
– Other bug tracking software (FindBugs, etc.)
– Build integration (ANT, Maven, Cruise Control, MSBUILD)
– Web based delivery technologies (XML API F360 Server)
Vision Guidance
• Creating a successful vision is hard: get help, or use the recommended strategy online at www.opensamm.org
• SAMM (Software Assurance Maturity Model), the building blocks for a successful Software Security Strategy
PCI Compliance: Quickly Demonstrate PCI Compliance
• Instantly Protect Deployed Applications
– Ensure compliance with PCI DSS Section 6.6
– Application defense module
• Identify and Remediate Vulnerabilities
– Ensures compliance with Sections 3, 6.3.7, 6.5, 6.6, 11.3.2
– View vulnerabilities in context of PCI compliance
– Static and dynamic testing
• Complete Self-Assessment Questionnaire
– Assign responsibilities
– View outstanding activities
– Generate detailed reports to demonstrate PCI activities
Fortify 360 Platform
• Identify the Most Vulnerabilities
• Collaborate and Remediate more Code
• Instantly Protect Deployed Applications
• Effectively Manage SSA Programs
• Achieve Compliance Quickly
Technology Support: SCA, PTA and RTA
• Static Analysis (Fortify 360 SCA)
– Microsoft .NET (All languages), Classic ASP, VB, COM
– C/C++
– Java, J2EE, JSF, Javascript etc
– XML, HTML, Other web technologies
– SQL TSQL/PSQL
– Cold Fusion, PHP, COBOL and more coming...
• Testing/Production (Fortify 360 RTA/PTA)
– Web-based technologies only
– Primarily .NET and Java, with minor support for other languages (Cold Fusion)
Open Discussion
• What is currently done during development lifecycles?
• How can/does Fortify integrate and provide value to the existing development practices within Accenture?
• How do customers benefit from having Fortify scanned as a part of the development process?
• Technical Questions?