Protecting Mission-Critical Source Code from Application Security Vulnerabilities

Date posted: 22-Jan-2018
Uploaded by: ibm-security
Transcript

© 2015 IBM Corporation

Slide 1: Protecting Mission-Critical Source Code from Application Security Vulnerabilities

David Marshak – Senior Offering Manager
Jason Todd – Lead Developer
Kris Duer – Lead Developer

Slide 2: Agenda

Trends in Application Security
Making Static Analysis Easy
Development Workflow
Cognitive-driven Actionable Results

Slide 3: Application security challenges

Pace: rapid growth in applications, releases and technology
Compliance: external regulations and internal policy requirements
Resources: small security teams, lots of applications

The questions these raise:
• Which applications pose the biggest business risk?
• How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?
• How do we reduce costs and catch security problems earlier in the lifecycle?
• Where is my business risk?
• How do I set internal policy requirements for application security?
• Is my private / sensitive data exposed by apps?
• How do I check for and demonstrate application compliance?
• How do we prioritize the work for the resources I have?
• What do we test and how do we test it?
• How do we staff and improve skills and awareness?

Slide 4: Pushing Application Testing Earlier in the Engineering Cycle

Slide 5: Cost of Security Defects

• Cost of a Data Breach: $7.2M
• 80 days to detect
• More than four months (123 days) to resolve

Cost per defect by the phase in which it is found:
Find during Development   $80 / defect
Find during Build         $240 / defect
Find during QA/Test       $960 / defect
Find in Production        $7,600 / defect

80% of development costs are spent identifying and correcting defects!

Sources: Ponemon Institute; National Institute of Standards and Technology

Slide 6: Introducing IBM Static Analyzer

A new offering that dramatically simplifies and improves Static Application Security Testing (SAST).

• Simplified Developer Experience
• Cognitive Computing to Reduce Reliance on Security Experts
• IBM Application Security on Cloud

Slide 7: IBM Application Security Testing on Cloud

Identify and remediate high-priority vulnerabilities

• Simple
• Fast
• Comprehensive
• Safe

Improve your application security effectiveness. #CoverYourApps

Slide 8: IBM Application Security on Cloud – Simple

Easy as 1, 2, 3!

Does my application contain security vulnerabilities?
1. Enter URL / upload application
2. Scan the application
3. Review the report

Slide 9: Fast

Register, scan and generate results… QUICKLY

Fast application scanning using Security-as-a-Service (SaaS)
• Convenient registration for immediate access to service
• Minimal to no set-up time for your environment
• Launch security scans 24 x 7 x 365
• Superior results without needing "behind the scenes" experts
• Integrates into your developers' process

Slide 10: Comprehensive

Powerful and comprehensive
• Proven scanning engine powered by IBM Security AppScan
• Highly accurate identification of dozens of OWASP Top 10 vulnerabilities
• Regular IBM X-Force Threat Intelligence updates
• Prioritized results focus the team on high-risk vulnerabilities

Slide 11: Safe

Robust protection for your sensitive application assets
• Runs on IBM SoftLayer architecture
• Provides end-to-end encryption
• Meets strict IBM SaaS security standards
• Your source code never leaves your control / premises
• Uploaded application artifacts are not stored or cached in the service

Slide 12: Application Security Testing in the Cloud

Available on IBM Cloud Marketplace: www.ibm.com/marketplace/cloud/application-security-on-cloud/us/en-us

1. Pick your application: Web Application, Mobile Application or Desktop Application

2. Choose your analysis engine:
• Mobile Analyzer: IAST analysis of Mobile Applications (Android, iOS)
• Static Analyzer: IR Gen & Analysis from Byte code (Java; .NET coming soon)
• Dynamic Analyzer: Fully automated crawling & Scanning; Pre-Production & Production Templates

Slide 13: Static Analyzer Architecture

Development Environment: source is "compiled" to class, jar, war or ear files; IR Gen turns these into an IRX file, which is uploaded manually or automatically (Maven, Urban Code, CLI).

IBM Cloud: Analysis, then Intelligent Findings Analytics, then Report; the Findings Report is downloaded back into the development environment, again manually or automatically.

Slide 14: Development Workflow – DEMO

Slide 15: Agenda

Trends in Application Security
Making Static Analysis Easy
Development Workflow
Cognitive-driven Actionable Results

Slide 16: Applying Cognitive Computing to security vulnerability analysis

Machine learning with Intelligent Findings Analytics* (* patents pending)

Scan results → Intelligent Findings Analytics → Learned results
• Fully automated review of scan findings
• Trained by IBM Security Experts

• Reduce false positives
• Minimize "unlikely attack scenarios"
• Provide fix recommendations that resolve multiple vulnerabilities

Slide 17: Intelligent Findings Analytics (IFA) Results

• Meets or exceeds human experts
• Returns results in seconds, rather than hours or days
• 90-95% average reduction in false positives
• Integrates right back into the development workflow
• Fix an average 8-10 issues in a single place in the code

Example Real World Applications

Application     Scan Findings   Vulnerabilities   Fix Recommendations
Application 1   55,132          14,050            60
Application 2   12,480          1,057             35
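The architecture slide ends with a findings report being pulled back into the build (Maven, UrbanCode, CLI), and the table above shows scan findings collapsing into far fewer fix recommendations. As an added example, not IBM's code and not the Static Analyzer's report format, here is a small Python triage step that consumes a constructed findings list, groups findings on shared fix points so one code change closes several of them, ranks the resulting recommendations by severity, and fails the build on high-severity results. The Finding record, the file names and the fix-point heuristic are all assumptions made for the illustration.

```python
"""Triage SAST findings: collapse data-flow traces onto shared fix points,
rank the resulting fix recommendations, and gate a CI build on severity.
Example code, not IBM's implementation; the finding records are constructed."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    id: str
    issue_type: str            # e.g. "SQL Injection"
    severity: str              # "High", "Medium" or "Low"
    trace: Tuple[str, ...]     # "file:line" frames, ordered source -> sink


SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}
RANK_NAME = {v: k for k, v in SEVERITY_RANK.items()}

# Constructed sample findings standing in for a scan's findings report.
# Three SQL injection traces share one database helper and two XSS traces
# share one rendering call, so six findings need only three fixes.
FINDINGS: List[Finding] = [
    Finding("F1", "SQL Injection", "High", ("Login.java:40", "Db.java:88", "Db.java:120")),
    Finding("F2", "SQL Injection", "High", ("Search.java:12", "Db.java:88", "Db.java:120")),
    Finding("F3", "SQL Injection", "High", ("Admin.java:77", "Db.java:88", "Db.java:120")),
    Finding("F4", "Cross-Site Scripting", "Medium", ("Search.java:12", "View.java:30")),
    Finding("F5", "Cross-Site Scripting", "Medium", ("Profile.java:55", "View.java:30")),
    Finding("F6", "Path Traversal", "Low", ("Upload.java:20", "Files.java:9")),
]


def fix_points(findings: List[Finding]) -> Dict[str, str]:
    """Map each finding id to the frame on its trace through which the most
    findings of the same issue type pass. Ties go to the frame nearest the
    sink, where the canonical fix (parameterised query, output encoding,
    path canonicalisation) belongs. Heuristic assumed for this example."""
    coverage: Dict[str, Counter] = defaultdict(Counter)
    for f in findings:
        for frame in set(f.trace):          # count each trace once per frame
            coverage[f.issue_type][frame] += 1
    chosen: Dict[str, str] = {}
    for f in findings:
        _, frame = max(enumerate(f.trace),
                       key=lambda p: (coverage[f.issue_type][p[1]], p[0]))
        chosen[f.id] = frame
    return chosen


def recommendations(findings: List[Finding]) -> List[dict]:
    """Group findings by (issue type, fix point) and rank the groups by the
    worst severity they contain, then by how many findings one fix closes."""
    where = fix_points(findings)
    groups: Dict[Tuple[str, str], List[Finding]] = defaultdict(list)
    for f in findings:
        groups[(f.issue_type, where[f.id])].append(f)
    recs = []
    for (issue_type, frame), members in groups.items():
        worst = max(SEVERITY_RANK[m.severity] for m in members)
        recs.append({"issue_type": issue_type, "fix_at": frame,
                     "severity": RANK_NAME[worst],
                     "resolves": sorted(m.id for m in members)})
    recs.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]],
                             -len(r["resolves"]), r["fix_at"]))
    return recs


def build_gate(findings: List[Finding], fail_on: str = "High") -> Tuple[bool, List[str]]:
    """CI policy hook: return (passed, blocking finding ids). The build fails
    when any finding is at or above the fail_on severity."""
    floor = SEVERITY_RANK[fail_on]
    blocking = sorted(f.id for f in findings if SEVERITY_RANK[f.severity] >= floor)
    return (not blocking, blocking)


if __name__ == "__main__":
    for rec in recommendations(FINDINGS):
        print(f"{rec['severity']:<7}{rec['issue_type']:<22}fix at {rec['fix_at']:<14}"
              f"resolves {len(rec['resolves'])}: {', '.join(rec['resolves'])}")
    passed, blocking = build_gate(FINDINGS)
    print("build gate:", "PASS" if passed else f"FAIL on {blocking}")
```

Run as a script it lists three recommendations for the six constructed findings (the SQL injection group at Db.java:120 first, since it is both the highest severity and the largest) and reports the gate as failing on F1, F2 and F3. Lowering `fail_on` to "Medium" or "Low" tightens the policy; a pipeline would typically read that threshold from the project's own policy rather than hard-coding it.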

Slide 18: Take Away – Static Application Security Testing Made Easy

• Simplified Developer Experience
• Cognitive Computing to Reduce Reliance on Security Experts
• IBM Application Security on Cloud

Slide 19: Additional Resources

Slide 20: Learn More about Application Security Testing on Cloud

• Nov. 17th Webinar: The 411 on Mobile AppSec Testing for iOS Devices
• Blog: AppSec Testing on Cloud and the Future of Pen Testing

Slide 21: Learn Even More about Application Security Testing on Cloud

• DataSheet/Infographic: Case Closed with IBM AppSec on Cloud
• YouTube: Identify & Remediate Application Security Vulnerabilities Effectively
• New Cloud Marketplace Web Page
• Blog: A Lever to Move the World: Automating AppSec Testing in the Cloud

Slide 22: Questions-and-Answers Session

Slide 23: www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
