SlideShare uma empresa Scribd logo

Rational application-security-071411

S
Scott Althouse
Tecnologia
1 de 25
Baixar para ler offline
IBM Security Solutions IBM Rational Application Security
2 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
Executive Summary Web applications are the greatest source of risk for organizations Rational Application Security enables organizations to address root cause of this risk AppScan leverages a mix of technologies (static & dynamic) AppScan is a key part of IBM Security’s full solution view of application security 3 Rational AppScan Suite enables Comprehensive Application Vulnerability Management
The Costs from Security Breaches are Staggering 4 285 Million records compromised in 2008 Verizon 2009 data Breach Investigations Report $204 Cost per Compromised Record Ponemon 2009-2010 Cost of a data Breach Report Translates to $58.1B Cost to CoRporations
Sources of Security Breach Costs 5 Unbudgeted Costs: ,[object Object]
Government fines
Litigation
Reputational damage
Brand erosion
Cost to repair1,000,000x 10x 1x Security Flaw Damage to Enterprise Functional Flaw Development Test Deployment
Web Applications are the greatest risk to organizations 6 ,[object Object]
In 2009, 49% of all vulnerabilities were Web application vulnerabilities
SQL injection and Cross-Site Scripting are neck and neck in a race for the top spotIBM Internet Security Systems 2009 X-Force®Year End Trend & Risk Report
Why are Web Applications so Vulnerable? 7 Developers are mandated to deliver functionality on-time and on-budget - but not to develop secure applications Developers are not generally educated in secure code practices Product innovation is driving development of increasingly complicated software for a Smarter Planet Network scanners won’t find application vulnerabilities and firewalls/IPS don’t block application attacks Volumes of applications continue to be deployed that are riddled with security flaws… …and are non compliant with industry regulations
8 Clients’ security challenges in a smarter planet Key drivers for security projects Increasing Complexity Rising Costs Ensuring Compliance Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billionin 2010 Soon, there will be 1 trillionconnected devices in the world, constituting an “internet of things” The cost of a data breach increased to $204 per compromised customer record Source  http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html
Market Drivers Regulatory & Standards Compliance eCommerce: PCI-DSS, PA-DSS Financial Services: GLBA Energy: NERC / FERC Government: FISMA User demand Rich application demand is pushing development to advanced code techniques – Web 2.0 introducing more exposures Cost cutting in current economic climate Demands increased efficiencies Cyber Blitz Hits U.S., Korea Websites -WSJ July 9th, 2009 “Web-based malware up 400%, 68% hosted on legitimate sites” — ZDnet, June 2008 Hackers Break Into Virginia Health Website, Demand Ransom — Washington Post, May, 2009
10 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
The Solution - Security for Smarter Products ,[object Object]
Security needs to be built into the development process and addressed throughout the development lifecycle
Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:
Provide integrated testing solutions for developers, QA, Security and Compliance stakeholders
Leveragemultiple appropriate testing technologies (static & dynamic analysis)
Provide effortless security that allows development to be part of the solution
Supportgovernance, reporting and dashboards
Can facilitate collaboration between development and security teams11

Recomendados

IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software securityMarco Morana
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionhearme limited company
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Healthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeHealthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeVeracode
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core Security Technologies
 
IBM Rational App Scan Tester Edition and Quality Manager
IBM Rational App Scan Tester Edition and Quality ManagerIBM Rational App Scan Tester Edition and Quality Manager
IBM Rational App Scan Tester Edition and Quality ManagerАлександр Шамрай
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - InglêsDeServ - Tecnologia e Servços
 

Recomendados

IBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewIBM Rational AppScan Product Overview
IBM Rational AppScan Product OverviewAshish Patel
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software securityMarco Morana
 
IBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionIBM AppScan Enterprise - The total software security solution
IBM AppScan Enterprise - The total software security solutionhearme limited company
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Healthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeHealthcare application-security-practices-survey-veracode
Healthcare application-security-practices-survey-veracodeVeracode
 
Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core.co.enterprise.deck.06.16.10
Core.co.enterprise.deck.06.16.10Core Security Technologies
 
IBM Rational App Scan Tester Edition and Quality Manager
IBM Rational App Scan Tester Edition and Quality ManagerIBM Rational App Scan Tester Edition and Quality Manager
IBM Rational App Scan Tester Edition and Quality ManagerАлександр Шамрай
 
Veracode - Inglês
Veracode - InglêsVeracode - Inglês
Veracode - InglêsDeServ - Tecnologia e Servços
 
Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainAnthony Braddy
 
Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance EnergyTech2015
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solutionhearme limited company
 
Veracode - Overview
Veracode - OverviewVeracode - Overview
Veracode - OverviewStephen Durrant
 
Strengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilityStrengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilitySonatype
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityTyler Shields
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlcAvancercorp
 
IBM Rational AppScan Technical Overview
IBM Rational AppScan Technical OverviewIBM Rational AppScan Technical Overview
IBM Rational AppScan Technical OverviewAshish Patel
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionhearme limited company
 
Risks in the Software Supply Chain
Risks in the Software Supply ChainRisks in the Software Supply Chain
Risks in the Software Supply ChainMark Sherman
 
Veracode State of Software Security vol 4
Veracode State of Software Security vol 4Veracode State of Software Security vol 4
Veracode State of Software Security vol 4stemkat
 
IRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET Journal
 
Security results of_the_wqr_2015_16
Security results of_the_wqr_2015_16Security results of_the_wqr_2015_16
Security results of_the_wqr_2015_16Emily Brady
 
Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityCAST
 
Qualitykiosk And Its Deliverables
Qualitykiosk And Its DeliverablesQualitykiosk And Its Deliverables
Qualitykiosk And Its Deliverablesbibhupadhi
 
Lean and (Prepared for) Mean: Application Security Program Essentials
Lean and (Prepared for) Mean: Application Security Program EssentialsLean and (Prepared for) Mean: Application Security Program Essentials
Lean and (Prepared for) Mean: Application Security Program EssentialsPhilip Beyer
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
Smart security solutions for SMBs
Smart security solutions for SMBsSmart security solutions for SMBs
Smart security solutions for SMBsJyothi Satyanathan
 

Mais conteúdo relacionado

Mais procurados

Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainAnthony Braddy
 
Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance EnergyTech2015
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramMichael Davis
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solutionhearme limited company
 
Strengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilityStrengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilitySonatype
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityTyler Shields
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlcAvancercorp
 
IBM Rational AppScan Technical Overview
IBM Rational AppScan Technical OverviewIBM Rational AppScan Technical Overview
IBM Rational AppScan Technical OverviewAshish Patel
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life CycleMaurice Dawson
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionhearme limited company
 
Risks in the Software Supply Chain
Risks in the Software Supply ChainRisks in the Software Supply Chain
Risks in the Software Supply ChainMark Sherman
 
Veracode State of Software Security vol 4
Veracode State of Software Security vol 4Veracode State of Software Security vol 4
Veracode State of Software Security vol 4stemkat
 
IRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET Journal
 
Security results of_the_wqr_2015_16
Security results of_the_wqr_2015_16Security results of_the_wqr_2015_16
Security results of_the_wqr_2015_16Emily Brady
 
Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityCAST
 
Qualitykiosk And Its Deliverables
Qualitykiosk And Its DeliverablesQualitykiosk And Its Deliverables
Qualitykiosk And Its Deliverablesbibhupadhi
 
Lean and (Prepared for) Mean: Application Security Program Essentials
Lean and (Prepared for) Mean: Application Security Program EssentialsLean and (Prepared for) Mean: Application Security Program Essentials
Lean and (Prepared for) Mean: Application Security Program EssentialsPhilip Beyer
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 

Mais procurados (20)

Cybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply ChainCybersecurity Best Practices for 3rd Party Supply Chain
Cybersecurity Best Practices for 3rd Party Supply Chain
 
Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance Irv Badr: Managing Risk Safety and Security Compliance
Irv Badr: Managing Risk Safety and Security Compliance
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
IBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security SolutionIBM AppScan Standard - The Web Application Security Solution
IBM AppScan Standard - The Web Application Security Solution
 
Veracode - Overview
Veracode - OverviewVeracode - Overview
Veracode - Overview
 
Strengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain VisibilityStrengthening cyber resilience with Software Supply Chain Visibility
Strengthening cyber resilience with Software Supply Chain Visibility
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
 
What’s making way for secure sdlc
What’s making way for secure sdlcWhat’s making way for secure sdlc
What’s making way for secure sdlc
 
IBM Rational AppScan Technical Overview
IBM Rational AppScan Technical OverviewIBM Rational AppScan Technical Overview
IBM Rational AppScan Technical Overview
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
IBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solutionIBM AppScan Source - The SAST solution
IBM AppScan Source - The SAST solution
 
Risks in the Software Supply Chain
Risks in the Software Supply ChainRisks in the Software Supply Chain
Risks in the Software Supply Chain
 
Veracode State of Software Security vol 4
Veracode State of Software Security vol 4Veracode State of Software Security vol 4
Veracode State of Software Security vol 4
 
IRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application SystemIRJET-A Review of Testing Technology in Web Application System
IRJET-A Review of Testing Technology in Web Application System
 
Security results of_the_wqr_2015_16
Security results of_the_wqr_2015_16Security results of_the_wqr_2015_16
Security results of_the_wqr_2015_16
 
Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software Security
 
Qualitykiosk And Its Deliverables
Qualitykiosk And Its DeliverablesQualitykiosk And Its Deliverables
Qualitykiosk And Its Deliverables
 
Lean and (Prepared for) Mean: Application Security Program Essentials
Lean and (Prepared for) Mean: Application Security Program EssentialsLean and (Prepared for) Mean: Application Security Program Essentials
Lean and (Prepared for) Mean: Application Security Program Essentials
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 

Semelhante a Rational application-security-071411

How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
Smart security solutions for SMBs
Smart security solutions for SMBsSmart security solutions for SMBs
Smart security solutions for SMBsJyothi Satyanathan
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩baoyin
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
Next generation software testing trends
Next generation software testing trendsNext generation software testing trends
Next generation software testing trendsArun Kulkarni
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSalil Kumar Subramony
 
application-security-fallacies-and-realities-veracode
application-security-fallacies-and-realities-veracodeapplication-security-fallacies-and-realities-veracode
application-security-fallacies-and-realities-veracodesciccone
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - PrintAndrew Kanikuru
 
Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous DeliveryMainstay
 
Embedded software validation best practices with NI and RQM
Embedded software validation best practices with NI and RQMEmbedded software validation best practices with NI and RQM
Embedded software validation best practices with NI and RQMPaul Urban
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Transforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsTransforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsBlueboxer2014
 
OWASP: Building Secure Web Apps
OWASP: Building Secure Web AppsOWASP: Building Secure Web Apps
OWASP: Building Secure Web Appsmlogvinov
 
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...IBM Security
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldArun Prabhakar
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application SecuritySaadSaif6
 

Semelhante a Rational application-security-071411 (20)

How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Smart security solutions for SMBs
Smart security solutions for SMBsSmart security solutions for SMBs
Smart security solutions for SMBs
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
Next generation software testing trends
Next generation software testing trendsNext generation software testing trends
Next generation software testing trends
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green MethodSecure Code review - Veracode SaaS Platform - Saudi Green Method
Secure Code review - Veracode SaaS Platform - Saudi Green Method
 
CAST HIGHLIGHT - Overview & Demos
CAST HIGHLIGHT - Overview & DemosCAST HIGHLIGHT - Overview & Demos
CAST HIGHLIGHT - Overview & Demos
 
Cost effective cyber security
Cost effective cyber securityCost effective cyber security
Cost effective cyber security
 
application-security-fallacies-and-realities-veracode
application-security-fallacies-and-realities-veracodeapplication-security-fallacies-and-realities-veracode
application-security-fallacies-and-realities-veracode
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Veracode Corporate Overview - Print
Veracode Corporate Overview - PrintVeracode Corporate Overview - Print
Veracode Corporate Overview - Print
 
Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous Delivery
 
Embedded software validation best practices with NI and RQM
Embedded software validation best practices with NI and RQMEmbedded software validation best practices with NI and RQM
Embedded software validation best practices with NI and RQM
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
Transforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsTransforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending Apps
 
OWASP: Building Secure Web Apps
OWASP: Building Secure Web AppsOWASP: Building Secure Web Apps
OWASP: Building Secure Web Apps
 
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...Protecting Mission-Critical Source Code from Application Security Vulnerabili...
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
 
Building a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps WorldBuilding a Product Security Practice in a DevOps World
Building a Product Security Practice in a DevOps World
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application Security
 

Mais de Scott Althouse

Passing internal and external audits with reporting and dashboards nov 2011
Passing internal and external audits with reporting and dashboards nov 2011Passing internal and external audits with reporting and dashboards nov 2011
Passing internal and external audits with reporting and dashboards nov 2011Scott Althouse
 
Passing internal and external audits with reporting and dashboards nov 2011
Passing internal and external audits with reporting and dashboards nov 2011Passing internal and external audits with reporting and dashboards nov 2011
Passing internal and external audits with reporting and dashboards nov 2011Scott Althouse
 
Risk management in development of life critical systems
Risk management in development of life critical systemsRisk management in development of life critical systems
Risk management in development of life critical systemsScott Althouse
 
Rhapsody reverseengineering
Rhapsody reverseengineeringRhapsody reverseengineering
Rhapsody reverseengineeringScott Althouse
 
Saving resources with simulation webinar 092011
Saving resources with simulation webinar 092011Saving resources with simulation webinar 092011
Saving resources with simulation webinar 092011Scott Althouse
 
Ed Mayer- Getting from Good Requirements to Good Code
Ed Mayer- Getting from Good Requirements to Good CodeEd Mayer- Getting from Good Requirements to Good Code
Ed Mayer- Getting from Good Requirements to Good CodeScott Althouse
 
IBM Rational 8/16 Webinar Presentation
IBM Rational 8/16 Webinar PresentationIBM Rational 8/16 Webinar Presentation
IBM Rational 8/16 Webinar PresentationScott Althouse
 

Mais de Scott Althouse (7)

Passing internal and external audits with reporting and dashboards nov 2011
Passing internal and external audits with reporting and dashboards nov 2011Passing internal and external audits with reporting and dashboards nov 2011
Passing internal and external audits with reporting and dashboards nov 2011
 
Passing internal and external audits with reporting and dashboards nov 2011
Passing internal and external audits with reporting and dashboards nov 2011Passing internal and external audits with reporting and dashboards nov 2011
Passing internal and external audits with reporting and dashboards nov 2011
 
Risk management in development of life critical systems
Risk management in development of life critical systemsRisk management in development of life critical systems
Risk management in development of life critical systems
 
Rhapsody reverseengineering
Rhapsody reverseengineeringRhapsody reverseengineering
Rhapsody reverseengineering
 
Saving resources with simulation webinar 092011
Saving resources with simulation webinar 092011Saving resources with simulation webinar 092011
Saving resources with simulation webinar 092011
 
Ed Mayer- Getting from Good Requirements to Good Code
Ed Mayer- Getting from Good Requirements to Good CodeEd Mayer- Getting from Good Requirements to Good Code
Ed Mayer- Getting from Good Requirements to Good Code
 
IBM Rational 8/16 Webinar Presentation
IBM Rational 8/16 Webinar PresentationIBM Rational 8/16 Webinar Presentation
IBM Rational 8/16 Webinar Presentation
 

Último

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 

Último (20)

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 

Rational application-security-071411

  • 1. IBM Security Solutions IBM Rational Application Security
  • 2. 2 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
  • 3. Executive Summary Web applications are the greatest source of risk for organizations Rational Application Security enables organizations to address root cause of this risk AppScan leverages a mix of technologies (static & dynamic) AppScan is a key part of IBM Security’s full solution view of application security 3 Rational AppScan Suite enables Comprehensive Application Vulnerability Management
  • 4. The Costs from Security Breaches are Staggering 4 285 Million records compromised in 2008 Verizon 2009 data Breach Investigations Report $204 Cost per Compromised Record Ponemon 2009-2010 Cost of a data Breach Report Translates to $58.1B Cost to CoRporations
  • 5.
  • 10. Cost to repair1,000,000x 10x 1x Security Flaw Damage to Enterprise Functional Flaw Development Test Deployment
  • 11.
  • 12. In 2009, 49% of all vulnerabilities were Web application vulnerabilities
  • 13. SQL injection and Cross-Site Scripting are neck and neck in a race for the top spotIBM Internet Security Systems 2009 X-Force®Year End Trend & Risk Report
  • 14. Why are Web Applications so Vulnerable? 7 Developers are mandated to deliver functionality on-time and on-budget - but not to develop secure applications Developers are not generally educated in secure code practices Product innovation is driving development of increasingly complicated software for a Smarter Planet Network scanners won’t find application vulnerabilities and firewalls/IPS don’t block application attacks Volumes of applications continue to be deployed that are riddled with security flaws… …and are non compliant with industry regulations
  • 15. 8 Clients’ security challenges in a smarter planet Key drivers for security projects Increasing Complexity Rising Costs Ensuring Compliance Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billionin 2010 Soon, there will be 1 trillionconnected devices in the world, constituting an “internet of things” The cost of a data breach increased to $204 per compromised customer record Source  http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html
  • 16. Market Drivers Regulatory & Standards Compliance eCommerce: PCI-DSS, PA-DSS Financial Services: GLBA Energy: NERC / FERC Government: FISMA User demand Rich application demand is pushing development to advanced code techniques – Web 2.0 introducing more exposures Cost cutting in current economic climate Demands increased efficiencies Cyber Blitz Hits U.S., Korea Websites -WSJ July 9th, 2009 “Web-based malware up 400%, 68% hosted on legitimate sites” — ZDnet, June 2008 Hackers Break Into Virginia Health Website, Demand Ransom — Washington Post, May, 2009
  • 17. 10 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
  • 18.
  • 19. Security needs to be built into the development process and addressed throughout the development lifecycle
  • 20. Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:
  • 21. Provide integrated testing solutions for developers, QA, Security and Compliance stakeholders
  • 22. Leveragemultiple appropriate testing technologies (static & dynamic analysis)
  • 23. Provide effortless security that allows development to be part of the solution
  • 25. Can facilitate collaboration between development and security teams11
  • 26. Cost is a Significant Driver 80% of development costs are spent identifying and correcting defects!* Once released as a product $7,600/defect + Law suits, loss of customer trust, damage to brand During the QA/Testing phase $960/defect During the build phase $240/defect During the coding phase $80/defect The increasing costs of fixing a defect…. *National Institute of Standards & Technology Source: GBS Industry standard study Defect cost derived in assuming it takes 8 hrs to find, fix and repair a defect when found in code and unit test. Defect FFR cost for other phases calculated by using the multiplier on a blended rate of $80/hr.
  • 27.
  • 28.
  • 30.
  • 31.
  • 32.
  • 33.
  • 34. code stage is $80, QA/Testing is $960*
  • 35.
  • 36. At $20,000 an app, 50 audits will cost $1M.
  • 37. With 1 hire + 4 quarterly outsourced audits (ex: $120,000+$80,000), $800,000/yr can be saved (less the cost of testing software)Automated testing provides tremendous productivity savings over manual testing Automated source code testing with periodic penetration testing allows for cost effective security analysis of applications Cost Avoidance – of a security breach The cost to companies is $204per compromised record** The average cost per data breach is $6.6 Million** Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage * Source: GBS Industry standard study ** Source: Ponemon Institute 2009-10
  • 38. 15 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
  • 39. Application Security Maturity Model CORRECTIVE BOLT ON BUILT IN UNAWARE PHASE PHASE PHASE Security testing before deployment Fully integrated security testing Doing nothing Outsourced testing View of application testing coverage Time Duration 1-2 Years
  • 40. Build Coding QA Security Production Security Testing Within the Software Lifecycle SDLC Most Issues are found by security auditors prior to going live. % of Issue Found by Stage of SDLC
  • 41. Build Coding QA Security Production Security Testing Within the Software Lifecycle SDLC Desired Profile % of Issue Found by Stage of SDLC
  • 42. Build Coding QA Security Production Security Testing Within the Software Lifecycle SDLC Developers Developers Developers Application Security Testing Maturity
  • 43. 20 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
  • 44.
  • 45.
  • 46. Source Ed Remediation
  • 47.
  • 48. Source Ed for SecurityCompliance Security
  • 49.
  • 50. 23 Agenda Current Trends in Application Security The Solution Strategies for Customer Success Rational AppScan Suite IBM Application Security Coverage
  • 51.
  • 52.
  • 53. Block attacks that aim to exploit Web application vulnerabilities
  • 54.
  • 55. 25

Notas do Editor

  1. Web applications are the greatest source of risk for organizations today. And Rational application security can allow organizations to address the root cause of this risk. That’s a significant statement because there are different application security solutions out there that are more protection and patch that don’t address the root case. recard).  We leverage a mix of technologies both static and dynamic to enable the right use cases. So not only do we speak to the technologies but we focus on building the right solution for the right stakeholder whether you’re talking to a security auditor, build manager, developer, QUA tester. We’ve built our portfolios to support these different - these cases.  And beyond that AppScan is the key part of IBM’s full solution view of application security so we’re not just a point solution like many of thetier two competitors that we see in the market. We’re a full solution for application vulnerability management but we’re also full solution for application security from vulnerability management to identity and access management to application firewalls and IPSs. So there’s a full story that we’ll get into shortly but in summary: we’re a comprehensive application vulnerability management solution.
  2. some new stats that may be new to your customer f they’re not already aware of the severity and prevalence. Verizon business report, in their report from 2009 they found that there were 285 million records that were compromised. We married this data point with Ponemon’s research that cost of a compromised record cost to an organization is $204 per record and that translates to over $58 billion cost to corporations. That’s a pretty significant problem and one that CIOs, (CSOs) can’t ignore
  3. There’re multiple sources of breach cost but the key point on this slide is that you should fix security issues early in the process. If that doesn’t happen, if this gets in the field and there’s a breach as a result, the cost of a security flaw is exponentially higher then what is typically seen for a functional flaw.  And these cost organizations come in in many different forms from government litigation, brand damage, revenue, cost repair and audits
  4. More data from IBM X source year end report. About half - Web application vulnerabilities is the largest category. Vulnerability disclosures represent about half of all vulnerabilities that exist for the organization.
  5. Why are applications so vulnerable? Developers are mandated to deliver functionality on time and on budget, not to develop secure applications. So security is not a priority for them.  They’re also not generally education in secure code practices. Additionally, product innovation, the whole smarter planet discussion is driving development of increasingly complex software. We’re all over that. When developers limits are being stretched, they’re focusing on the functionality of those applications, not the security, and increasing complexity generally increases risk within these applications.  And of course the discussion that we continue to see, network scanners don’t find application vulnerabilities and the firewall IPSs don’t block application attack.  So what’s happening is that we just continue to see volumes of applications that are deployed which are riddled with security flaws and they’re also non-compliant in industry regulations. 
  6. These new risks are significant drivers for security products. There’s increase in complexity. And then of course, compliance continues to be a main focal point in these discussions.
  7. Security should be build into the development process vs. bolted on. Testing for vulnerabilities should be a seamless part of development that happens throughout the development lifecycle.Integrated testing solution for developers, QA, Security and Compliance stakeholdersIntegrated solution that allows for testing at all steps of Software Delivery from coding, build, QA, audit to production. Leverage best of both leading testing technologiesSolutions leverage a combination of Blackbox + Whitebox technologiesEffortless Security Developers should not have to be security experts Tools should be easy to configure, results should be accurateGovernance, reporting and dashboardsCentral control over test policiesVisibility through dashboards and reportsFacilitate collaboration between development and security teamsIssues can be assigned and tracked