Page 1: Rational application-security-071411

© 2010 IBM Corporation

IBM Rational Application Security

IBM Security Solutions

Page 2: Rational application-security-071411

Agenda

Current Trends in Application Security

The Solution

Strategies for Customer Success

Rational AppScan Suite

IBM Application Security Coverage

Page 3: Rational application-security-071411

Executive Summary

Web applications are the greatest source of risk for organizations

Rational Application Security enables organizations to address the root cause of this risk

AppScan leverages a mix of technologies (static & dynamic)

AppScan is a key part of IBM Security’s full solution view of application security

Rational AppScan Suite enables Comprehensive Application Vulnerability Management

Page 4: Rational application-security-071411

The Costs from Security Breaches are Staggering

Verizon 2009 Data Breach Investigations Report

Ponemon 2009-2010 Cost of a Data Breach Report

$204 cost per compromised record

285 million records compromised in 2008

Translates to $58.1B cost to corporations

Page 5: Rational application-security-071411

Sources of Security Breach Costs

[Chart: Damage to Enterprise (1x, 10x, 1,000,000x) by phase (Development, Test, Deployment), comparing a Functional Flaw with a Security Flaw]

Unbudgeted Costs:

Customer notification / care

Government fines

Litigation

Reputational damage

Brand erosion

Cost to repair

Page 6: Rational application-security-071411

Web Applications are the greatest risk to organizations

Web application vulnerabilities represented the largest category in vulnerability disclosures

In 2009, 49% of all vulnerabilities were Web application vulnerabilities

SQL injection and Cross-Site Scripting are neck and neck in a race for the top spot

IBM Internet Security Systems 2009 X-Force® Year End Trend & Risk Report

Page 7: Rational application-security-071411

Why are Web Applications so Vulnerable?

Developers are mandated to deliver functionality on-time and on-budget, but not to develop secure applications

Developers are not generally educated in secure code practices

Product innovation is driving development of increasingly complicated software for a Smarter Planet

Network scanners won’t find application vulnerabilities, and firewalls/IPS don’t block application attacks

Volumes of applications continue to be deployed that are riddled with security flaws… and are non-compliant with industry regulations

Page 8: Rational application-security-071411

Clients’ security challenges in a smarter planet

Source: http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html

Key drivers for security projects

Increasing Complexity: Soon, there will be 1 trillion connected devices in the world, constituting an “internet of things”

Rising Costs: The cost of a data breach increased to $204 per compromised customer record

Ensuring Compliance: Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billion in 2010

Page 9: Rational application-security-071411

“Hackers Break Into Virginia Health Website, Demand Ransom” (Washington Post, May 2009)

“Cyber Blitz Hits U.S., Korea Websites” (WSJ, July 9th, 2009)

“Web-based malware up 400%, 68% hosted on legitimate sites” (ZDnet, June 2008)

Market Drivers

Regulatory & Standards Compliance

– eCommerce: PCI-DSS, PA-DSS

– Financial Services: GLBA

– Energy: NERC / FERC

– Government: FISMA

User demand

– Rich application demand is pushing development to advanced code techniques

– Web 2.0 introducing more exposures

Cost cutting in current economic climate

– Demands increased efficiencies

Page 11: Rational application-security-071411

The Solution - Security for Smarter Products

Smarter Products require secure applications

Security needs to be built into the development process and addressed throughout the development lifecycle

Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:

• Provide integrated testing solutions for developers, QA, Security and Compliance stakeholders

• Leverage multiple appropriate testing technologies (static & dynamic analysis)

• Provide effortless security that allows development to be part of the solution

• Support governance, reporting and dashboards

• Can facilitate collaboration between development and security teams

Page 12: Rational application-security-071411

Cost is a Significant Driver

The increasing costs of fixing a defect…

During the coding phase: $80/defect

During the build phase: $240/defect

During the QA/Testing phase: $960/defect

Once released as a product: $7,600/defect + lawsuits, loss of customer trust, damage to brand

80% of development costs are spent identifying and correcting defects!*

* National Institute of Standards & Technology

Source: GBS Industry standard study. Defect cost derived assuming it takes 8 hrs to find, fix and repair a defect when found in code and unit test. Defect FFR (find, fix, repair) cost for other phases is calculated by applying the multiplier to a blended rate of $80/hr.

Page 13: Rational application-security-071411

Make Applications Secure, by Design: Cycle of secure application development

Design Phase: Consideration is given to the security requirements of the application. Issues such as required controls and best practices are documented on par with functional requirements.

Development Phase: Software is checked during coding for implementation error vulnerabilities and for compliance with security requirements.

Build & Test Phase: Testing begins for errors and compliance with security requirements across the entire application. Applications are also tested for exploitability in the deployment scenario.

Deployment Phase: Configure infrastructure for application policies; deploy applications into production.

Operational Phase: Continuously monitor applications for appropriate application usage and vulnerabilities, and defend against attacks.

[Diagram: cycle Design → Develop → Build & Test → Deploy → Manage, Monitor & Defend; inputs shown: Functional Spec, Software, Outsourcing Partner]

Page 14: Rational application-security-071411

ROI Opportunity of Application Security Testing

Cost Avoidance – of a security breach

Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage

The cost to companies is $204 per compromised record**

The average cost per data breach is $6.6 Million**

Cost Savings – of automated vs. manual testing

Automated testing provides tremendous productivity savings over manual testing. Automated source code testing with periodic penetration testing allows for cost effective security analysis of applications.

Outsourced audits can cost $10,000 to $50,000 per application

At $20,000 an app, 50 audits will cost $1M. With 1 hire + 4 quarterly outsourced audits (ex: $120,000 + $80,000), $800,000/yr can be saved (less the cost of testing software)

Cost Savings – of testing early in the development process (ALM)

80% of development costs are spent identifying and correcting defects. Testing for vulnerabilities earlier in the development process can help avoid that unnecessary expense.

Cost of finding & fixing problems: code stage is $80, QA/Testing is $960*. Ex: 50 applications annually & 25 issues per application, testing at code stage saves $1.1M over testing at QA stage.

* Source: GBS Industry standard study

** Source: Ponemon Institute 2009-10

Page 16: Rational application-security-071411

Application Security Maturity Model

[Chart: view of application testing coverage over time, with phases Unaware → Corrective Phase → Bolt On Phase → Built In Phase; Duration 1-2 Years]

Unaware: Doing nothing

Corrective Phase: Outsourced testing

Bolt On Phase: Security testing before deployment

Built In Phase: Fully integrated security testing

Page 17: Rational application-security-071411

Security Testing Within the Software Lifecycle

[Chart: % of Issues Found by Stage of SDLC; stages: Coding, Build, QA, Security, Production]

Most issues are found by security auditors prior to going live.

Page 18: Rational application-security-071411

Security Testing Within the Software Lifecycle

[Chart: % of Issues Found by Stage of SDLC; stages: Coding, Build, QA, Security, Production]

Desired Profile

Page 19: Rational application-security-071411

Security Testing Within the Software Lifecycle

[Chart: Application Security Testing Maturity across SDLC stages (Coding, Build, QA, Security, Production), with “Developers” labelled on the chart]

Page 21: Rational application-security-071411

Rational AppScan Enterprise portal

Rational ALM Integrations: Application Developer, Build Forge, Quality Manager, ClearQuest

Development: Rational AppScan Source Ed Developer, Source Ed Remediation, Enterprise QuickScan

Build and QA: Rational AppScan Source Ed Core, Tester Ed for RQM, Source for Automation, Standard Ed

Security: Rational AppScan Standard Ed, Source Ed for Security Compliance

Page 22: Rational application-security-071411

Security Testing Technologies... Combination Drives Greater Solution Accuracy

Static Code Analysis (Whitebox): Scanning source code for security issues

Dynamic Analysis (Blackbox): Performing security analysis of a compiled application

[Diagram: Total Potential Security Issues, with Static Analysis and Dynamic Analysis as overlapping subsets; the combination is labelled Best Coverage]

Page 24: Rational application-security-071411

IBM Web application security for a smarter planet

End-to-end Web application security:

Secure code development and vulnerability management (Rational AppScan)

• Identify vulnerabilities and malware

• Actionable information to correct the problems

Protect Web applications from potential attacks (ISS IPS)

• Block attacks that aim to exploit Web application vulnerabilities

• Integrate Web application security with existing network infrastructure

Deliver security and performance in Web services and SOA (WebSphere Datapower)

• Purpose-built XML and SOA solutions for security and performance

Manage secure Web applications (Tivoli I&AM)

• Ongoing management and security with a suite of identity and access management solutions
