Date posted: 22-Jan-2018
Category: Technology
Uploaded by: ibm-security
© 2015 IBM Corporation
David Marshak – Senior Offering Manager
Jason Todd – Lead Developer
Kris Duer – Lead Developer
Protecting Mission-Critical Source Code from Application Security Vulnerabilities
Agenda
• Trends in Application Security
• Making Static Analysis Easy
• Development Workflow
• Cognitive-driven Actionable Results
Application security challenges
Pace: rapid growth in applications, releases and technology
Compliance: external regulations and internal policy requirements
Resources: small security teams, lots of applications
• Which applications pose the biggest business risk?
• How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?
• How do we reduce costs and catch security problems earlier in the lifecycle?
• Where is my business risk?
• How do I set internal policy requirements for application security?
• Is my private / sensitive data exposed by apps?
• How do I check for and demonstrate application compliance?
• How do we prioritize the work for the resources I have?
• What do we test and how do we test it?
• How do we staff and improve skills and awareness?
Cost of Security Defects
• Cost of a Data Breach: $7.2M
• 80 days to detect
• More than four months (123 days) to resolve
Source: Ponemon Institute
Cost to fix a defect, by the phase in which it is found:
Find during Development   $80 / defect
Find during Build         $240 / defect
Find during QA/Test       $960 / defect
Find in Production        $7,600 / defect
80% of development costs are spent identifying and correcting defects!
Source: National Institute of Standards and Technology
Introducing IBM Static Analyzer
A new offering that dramatically simplifies and improves Static Application Security Testing (SAST).
• Simplified Developer Experience
• Cognitive Computing to Reduce Reliance on Security Experts
• IBM Application Security on Cloud
IBM Application Security Testing on Cloud
Identify and remediate high-priority vulnerabilities
Simple. Fast. Comprehensive. Safe.
Improve your application security effectiveness
#CoverYourApps
IBM Application Security on Cloud
Simple: easy as 1, 2, 3!
Does my application contain security vulnerabilities?
1. Enter URL / upload application
2. Scan the application
3. Review the report
Fast: fast application scanning using Security-as-a-Service (SaaS)
Register, scan and generate results… QUICKLY
• Convenient registration for immediate access to service
• Minimal to no set-up time for your environment
• Launch security scans 24 x 7 x 365
• Superior results without needing “behind the scenes” experts
• Integrates into your developers’ process
Comprehensive: powerful and comprehensive
• Proven scanning engine powered by IBM Security AppScan
• Highly accurate identification of dozens of OWASP Top 10 vulnerabilities
• Regular IBM X-Force Threat Intelligence updates
• Prioritized results focus the team on high-risk vulnerabilities
Open Web Application Security Project (OWASP) Top 10 | IBM X-Force Threat Intelligence | IBM Security AppScan
Safe: robust protection for your sensitive application assets
• Runs on IBM SoftLayer architecture
• Provides end-to-end encryption
• Meets strict IBM SaaS security standards
• Your source code never leaves your control / premises
• Uploaded application artifacts are not stored or cached in the service
Application Security Testing in the Cloud
Available on IBM Cloud Marketplace: www.ibm.com/marketplace/cloud/application-security-on-cloud/us/en-us
1. Pick your Application: Web Application, Mobile Application, Desktop Application
2. Choose your Analysis engine:
Mobile Analyzer
• IAST analysis of Mobile Applications
• Android, iOS
Static Analyzer
• IR Gen & Analysis from Byte code
• Java
• .NET (coming soon)
Dynamic Analyzer
• Fully automated crawling & Scanning
• Pre-Production & Production Templates
Static Analyzer Architecture
Development Environment: Source → “Compile” (class, jar, war, ear) → IR Gen → IRX
Upload the IRX and download the report manually or automatically: Maven, UrbanCode, CLI
IBM Cloud: IRX → Analysis → Intelligent Findings Analytics → Findings Report
Applying Cognitive Computing to security vulnerability analysis
Machine learning with Intelligent Findings Analytics*
Scan results → Intelligent Findings Analytics → Learned results
• Fully automated review of scan findings
• Trained by IBM Security Experts
• Reduce false positives
• Minimize “unlikely attack scenarios”
• Provide fix recommendations that resolve multiple vulnerabilities
* Patents pending
Intelligent Findings Analytics Results
• Meets or exceeds human experts
• Returns results in seconds, rather than hours or days
• 90-95% average reduction in false positives
• Integrates right back into the development workflow
• Fix an average 8-10 issues in a single place in the code
IFA Example: Real World Applications
                Scan Findings   Vulnerabilities   Fix Recommendations
Application 1   55,132          14,050            60
Application 2   12,480          1,057             35
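The deck says one fix recommendation typically closes 8-10 issues, but does not say how findings are grouped (IFA is described only as machine learning trained by IBM security experts, patents pending). The script below is an added illustration, not IBM's code: it shows the simplest mechanism that produces that collapse, namely that many data-flow findings share a trace node, so a single validation or encoding fix at that node resolves all of them. The findings, file names and trace nodes are constructed sample data.

```python
"""Why one fix recommendation can close many findings.

Added illustration for this deck; it is NOT IBM's Intelligent Findings Analytics
code. The findings, file names and trace nodes below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: int
    vuln_type: str   # vulnerability class reported by the scanner
    trace: tuple     # data-flow trace nodes "file:line method", source first, sink last


# Constructed sample: three SQL injection flows and two XSS flows each pass
# through one shared helper on the way to the sink; one path traversal stands alone.
FINDINGS = (
    Finding(1, "SQL Injection", ("Login.java:40 getParam", "Db.java:88 buildQuery", "Db.java:91 execute")),
    Finding(2, "SQL Injection", ("Search.java:22 getParam", "Db.java:88 buildQuery", "Db.java:91 execute")),
    Finding(3, "SQL Injection", ("Admin.java:70 getHeader", "Db.java:88 buildQuery", "Db.java:91 execute")),
    Finding(4, "Cross-Site Scripting", ("Profile.java:15 getParam", "View.java:30 render", "View.java:33 write")),
    Finding(5, "Cross-Site Scripting", ("Comment.java:52 getParam", "View.java:30 render", "View.java:33 write")),
    Finding(6, "Path Traversal", ("Files.java:10 getParam", "Files.java:14 open")),
)


def best_fix_points(findings):
    """Greedy set cover: pick the trace node shared by the most still-open findings,
    recommend a fix (validation/encoding) there, drop those findings, repeat.

    Ties are broken toward the node that occurs earliest in its traces, so the
    recommended fix lands closer to the untrusted source.
    Returns {node: {ids of the findings a fix at that node resolves}}.
    """
    open_findings = {f.finding_id: f for f in findings}
    recommendations = {}
    while open_findings:
        covers = defaultdict(set)   # node -> ids of open findings whose trace contains it
        first_pos = {}              # node -> earliest index at which it appears in any trace
        for f in open_findings.values():
            for pos, node in enumerate(f.trace):
                covers[node].add(f.finding_id)
                first_pos[node] = min(first_pos.get(node, pos), pos)
        node = min(covers, key=lambda n: (-len(covers[n]), first_pos[n], n))
        recommendations[node] = covers[node]
        for fid in covers[node]:
            del open_findings[fid]
    return recommendations


def summarize(findings):
    """Return (number of findings, number of fix recommendations, per-node detail)."""
    recs = best_fix_points(findings)
    by_id = {f.finding_id: f for f in findings}
    detail = [
        (node, len(ids), sorted({by_id[i].vuln_type for i in ids}))
        for node, ids in recs.items()
    ]
    return len(findings), len(recs), detail


if __name__ == "__main__":
    n_findings, n_recs, detail = summarize(FINDINGS)
    print(f"{n_findings} findings -> {n_recs} fix recommendations")
    for node, count, types in detail:
        print(f"  fix at {node}: resolves {count} finding(s) [{', '.join(types)}]")
```

On the constructed data six findings collapse to three fix points, with the SQL injection fix recommended at the shared query builder rather than at each of the three entry points. A real engine also has to decide whether a shared node is a safe place to fix (a sanitizer at the wrong layer can silently break a flow), which is the part the deck attributes to expert-trained models.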
Take Away – Static Application Security Testing Made Easy
• Simplified Developer Experience
• Cognitive Computing to Reduce Reliance on Security Experts
• IBM Application Security on Cloud
Learn More about Application Security Testing on Cloud
• Nov. 17th Webinar: The 411 on Mobile AppSec Testing for iOS Devices
• Blog: AppSec Testing on Cloud and the Future of Pen Testing
Learn Even More about Application Security Testing on Cloud
• DataSheet/Infographic: Case Closed with IBM AppSec on Cloud
• YouTube: Identify & Remediate Application Security Vulnerabilities Effectively
• New Cloud Marketplace Web Page
• Blog: A Lever to Move the World: Automating AppSec Testing in the Cloud
www.ibm.com/security
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.