Integrating application security into the software lifecycle: controlling risk and reducing costs. HP Fortify Static Code Analyzer, a plug-in for Microsoft .NET that automatically detects and eradicates, at the source, the coding errors that could lead to security breaches. Session presented by partner: HP.
Speakers: Haleh Nematollahy (HP)
Secure development with Microsoft .NET and HP Fortify
2. HP Fortify Software Security Center and Microsoft VS .NET
Haleh Nematollahy, Security Solutions Architect, HP Enterprise Security Products Fortify
Security
5. SECURITY: THE CHALLENGE
- Securing legacy applications
- In-house development
- Certification
- New releases
- Validation
- Compliance
- Purchasing secure software (outsourced, open source, commercial)
#mstechdays
6. THE CURRENT APPROACH: REACTIVE AND EXPENSIVE
1. Someone builds software with flaws (in-house, outsourced, commercial, open source).
2. IT deploys the flawed software.
3. We get hacked, or we pay someone to tell us our code is bad.
4. We convince and pay a developer to fix it.
Cost indicators on the slide: $ and $$.
7. FIXING THINGS LATE IS FRUSTRATING
30x more costly to secure in production.
[Chart: remediation cost (2X, 5X, 10X, 15X, 30X) across the lifecycle phases Requirements, Coding, Integration/component testing, System testing, Production]
Once an application is in production, the cost of remediation is 30x higher.
Source: NIST
8. INTERIM APPROACH: SAFER AND COST-EFFECTIVE
1. Existing or newly created software (in-house, outsourced, commercial, open source).
2. Implement security checkpoints to determine whether the software is resilient before deploying it to production.
3. Work with developers to locate and fix vulnerabilities.
4. Monitor and protect software running in production.
Result: good code.
9. HP FORTIFY SOFTWARE SECURITY CENTER
Fortifies applications against attacks, whether in-house, commercial, outsourced or open source:
- Find and fix security problems during development
- Save on security, audits and pen tests
- Reduce software risk with minimal effort and cost
- Protect applications against attacks by removing security flaws during development
10. Fortify Solutions
Three analysis modes feed one vulnerability management layer:
- Static analysis: source code management system, static analysis via build integration, IDE plug-ins for MS Visual Studio; used by developers (onshore or offshore).
- Dynamic analysis: dynamic testing in QA or production.
- Runtime analysis: real-time protection of the running application against actual attacks (hackers).
- Vulnerability management: normalization, correlation and remediation; a vulnerability database holding static, dynamic and runtime findings; application lifecycle (scoring, guidance) that correlates target vulnerabilities with common guidance and scoring; defects, metrics and KPIs used to measure risk; threat intelligence and rules management; stakeholders across development, project and management.
11. SOFTWARE SCANNING PROCESS
1. MS VS developers check in code to the code repository.
2. Scheduled check-out, build and scan (build/scan on TFS) with Static Code Analysis (SCA) produces an .fpr file.
3. The scan results are uploaded to Fortify SSC.
4. The auditor/security team reviews the results.
5. Findings are submitted to the bug tracker (bug tracking using MS TFS).
6. The developer fixes the bug/security finding.
7. Scan, fix, and repeat as necessary.
13. HP FORTIFY SOFTWARE SECURITY CENTER AND MS VS .NET
- Scan/analyze WebGoat.Net with Fortify SCA in MS VS 2013 .NET
- Review the results in VS 2013
- Fix SQLi and XSS in VS 2013
- Scan/analyze with Fortify SCA in MS VS 2013
- Upload the results to Fortify Software Security Center
- Software Security Center demonstration
- Generate reports
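The two fixes the demo lists, SQL injection and reflected XSS in ASP.NET, shown as an added C# example that is not the deck's or WebGoat.Net's code; the class, method, table and column names are assumed, and the "before" methods are the pattern a static analyzer flags, kept next to the hardened versions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added illustration of the demo's SQLi and XSS fixes. ProductSearch,
// the Products table and its columns are assumed names for the example.
public static class ProductSearch
{
    // BEFORE: the request parameter is concatenated into the SQL text,
    // which a static analyzer reports as SQL Injection (tainted dataflow
    // from user input into SqlCommand.CommandText).
    public static DataTable SearchVulnerable(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM Products WHERE Name LIKE '%" + term + "%'", conn);
        var table = new DataTable();
        new SqlDataAdapter(cmd).Fill(table);
        return table;
    }

    // AFTER: the statement text is constant and the search term travels as
    // a typed parameter, so input can never alter the query's structure.
    public static DataTable SearchFixed(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM Products WHERE Name LIKE @pattern", conn);
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
            "%" + term + "%";
        var table = new DataTable();
        new SqlDataAdapter(cmd).Fill(table);
        return table;
    }

    // BEFORE: the echoed search term lands in the HTML response unencoded
    // (reflected Cross-Site Scripting).
    public static string RenderHeaderVulnerable(string term)
    {
        return "<h2>Results for " + term + "</h2>";
    }

    // AFTER: HTML-encode untrusted data at the point it enters markup.
    public static string RenderHeaderFixed(string term)
    {
        return "<h2>Results for " + HttpUtility.HtmlEncode(term) + "</h2>";
    }
}
```

Parameterization removes the injection but not the LIKE wildcards: a term containing `%`, `_` or `[` still acts as a pattern, so escape those characters first if literal matching is required.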
14. FIND, FIX AND FORTIFY
HP Fortify Software Security Center
1. Find & Fix: find and fix security problems in MS .NET development
2. Fortify: fortify applications against attacks
3. Save: save on development
4. Reduce: reduce application risk
Hi, my name is [Name]. I work as a [Title/ Role] at HP, in the Enterprise Security Products business unit. Today I'll be talking about application security and why governments and modern enterprises need it. What is application security? Simply put, it is about ensuring that every single line of code is secure and that every single software application, whether it is built for the desktop, the cloud or a mobile device, is safe from cyber attackers and hackers. The goal is to eliminate exploitable security risk in software at the application code level, making it immune to attack even if intruders get past perimeter defenses.
As an industry we have become much more effective at protection at the network and operating system level. NIPS, AV and DLP have served a purpose and continue to do so. However, the bad guys continue to innovate, infiltrate and attack. They are increasingly attacking the new 'weakest link': the applications. According to Gartner, 84% of new breaches take advantage of threats associated with applications. A February 2013 Frost & Sullivan study released in Information Week stated that 69% of CISOs listed application security as their biggest threat. There are a number of reasons why applications are the new weakest link; 3 key takeaways are:
1. The proliferation of software apps. From legacy software to mobile apps for your iPhone, security teams now have to try to keep up with fast application delivery, and not all applications are tested before launch.
2. Security teams have not historically been responsible for software security.
3. When you combine this with the increased leverage of attack tools like Zeus, or the favorite of Anonymous, something different is going on, and we need to pay attention to these changes if we are going to improve our success rate.
The challenge then centers on applications and visibility into the risks.
Fortify gives you advanced technologies to ensure your applications are secure. Fortify inspects applications at the source code level (static testing) and while they are running (dynamic testing). Fortify supports more languages than any other application security vendor, with significant strengths in the area of mobile application security. But it's not just built for custom applications: Fortify can determine whether vulnerabilities exist in commercial, custom and open source applications. And, even more differentiated, Fortify can be delivered as software you purchase or as a service. With unmatched flexibility and depth of coverage, Fortify ensures you have a world-class application security program in place.