FORTIFY
ISACA Conference 2019
ISACA BUDAPEST CHAPTER
2019.05.28.
HARGITAI ZSOLT: TECHNOLOGIES AND PROCESSES FOR INCREASING APPLICATION SECURITY

Technologies and processes for increasing application security
We aren’t saying Application Security is easy…
Get Started with Seamless AppSec in One Day
NOT easy (no silver bullet)
Varies by organization (size, dev style, culture, AppSec maturity, etc.)
It’s a (long) process
We simplified the story
…but you can start in a day and make significant progress
There is a major breach almost every week!
Source: https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ (data for 2017-2018)
Securing organizations requires a holistic approach…
What are your top security initiatives? Where is your software assurance program prioritized on that list?
Manage Identities
• Govern privileges, enforce access controls, and unify identity stores.
Secure Applications
• Embed strong security and best practices into DevOps processes.
Protect Data
• Discover data, determine access, and guard it wherever it resides.
Traditional security methods fail to defend against attacks targeting applications
Application layer attacks are perceived as normal traffic and pass through network, perimeter, data and endpoint security systems.
The majority of breaches use exploits against defects in software
90% of security incidents result from exploits against defects in the design or code of software.
Source: U.S. Department of Homeland Security’s U.S. Computer Emergency Response Team (US-CERT)
The majority of applications have security issues*!
Web applications: 89%
Mobile applications: 79%
* At least one critical or high severity issue
Source: “2018 Application Security Research Update” by the Fortify Software Security Research team
Security can’t get in the way of business goals
Build security into your way of thinking and operating… without restricting agility and innovation.
Source: https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/staying-ahead-on-cyber-security
Security must fit YOUR software development lifecycle regardless of development methodology
Software Development Lifecycle (SDLC) phases: Design, Code, Test, Integration & Staging, Production (spanning Application Development and IT Operations)
Methodologies: Waterfall, Agile, Lean, DevOps, Continuous integration/Continuous delivery (CI/CD)
Build Security INTO the software lifecycle
Software Development Lifecycle (SDLC) phases: Design, Code, Test, Integration & Staging, Production (spanning Application Development and IT Operations)
Security testing across the lifecycle:
• Static Code Analysis (SAST)
• Software Composition Analysis for Open Source & 3rd Party software
• Interactive Application Security Testing (IAST)
• Web Dynamic Testing (DAST)
• Runtime Protection (RASP)
Static and Dynamic analysis complement each other
Dynamic Analysis (DAST)
• simulates attacks on a running web application or service to identify exploitable vulnerabilities (doesn't require access to the code)
• can be integrated into Dev, QA and Production
• enables portfolio risk management (1000s of applications), including legacy apps
Static Analysis (SAST)
• shows you exactly where to find an issue in the code (line-of-code detail)
• identifies and eliminates vulnerabilities in source, binary, or byte code
• provides language-specific remediation strategies
“Shift Left” earlier in development lifecycle means faster & cheaper
75% test pre-production (on code change, at every stage of the dev cycle, or at a pre-production gate)
25% wait till after production
* But…35% test less than half of their apps
Source: “2019 The State of Application Security in the Enterprise,” Micro Focus Fortify
Getting Started in One Day
What can you do today?
1. Follow an Established Maturity Model
2. Identify Your Security Champions
3. Assessment Exercise
4. Define Your Initial Scope
5. Find the Right Tools to Fit These Requirements
1. Maturity Model
Start with a Security Maturity Model
• BSIMM (Building Security In Maturity Model): https://www.bsimm.com/
• OWASP SAMM (Software Assurance Maturity Model): https://owaspsamm.org/
A maturity model accelerates your learning curve
• Iterative while working toward long-term goals
• Create plans tailored to the organization
• Framework to communicate to non-security people
• Is simple, well-defined, and measurable
2. Security Champions
What is a Security Champion?
According to OWASP
“Security Champions are active members of a team that may help to make decisions about when to engage the Security Team”
Why are Security Champions Important?
• Scaling Security Through Multiple Teams
• Engaging “Non-Security” Folks
• Establishing a Security Culture
OWASP Security Champion Playbook
The Security Champions Playbook describes the main steps for fast establishment of a Security Champions program regardless of the company size and maturity of the existing security processes.
3. Security Assessment
Preparing for an Assessment
• Create a core assessment team
• Review existing security policies
• Create a database of IT assets
• Understand threats and vulnerabilities
• Estimate the Impact
• Determine the likelihood
• Plan the controls
Types of Assessments
• Internal
• 3rd Party Vendor
4. Define Your Initial Scope
Define Your Initial Scope
• What applications and development teams to start with
• Whether to use SAST, DAST
• What integrations are crucial for your organization
• As a service, on-premise, or hybrid
• Enabling your developers
• What does success look like for your organization?
5. Find the right tools
Fortify provides Seamless Application Security
Fast
• Get scan results in minutes
• Adjust scans to achieve desired coverage for both SAST and DAST
• Apply machine learning to identify and prioritize the most relevant issues with Audit Assistant
Easy to Get Started
• Start in a day with Fortify on Demand with actionable results
Easy to Use
• Real-time security in the IDE for developers with Security Assistant
• Robust integration ecosystem
Accurate
• OWASP Benchmark: Fortify SCA true positive rate is 100%
Scalable
• SaaS, on-premise, or hybrid
• Flexible to grow
Fortify is recognized for delivering value
• 10 out of 10 of the largest information technology companies
• 9 out of 10 of the largest banks
• 4 out of 5 of the largest pharmaceutical companies
• 3 out of 3 of the largest independent software vendors
• 5 out of 5 of the largest telecommunication companies
2018 Gartner Magic Quadrant for Application Security Testing (AST): Fortify
Q&A