Fortify technology
Download as PPTX, PDF1 like1,141 views
This document discusses enterprise software security and provides examples of how organizations like Accenture and ANZ Bank have implemented software security programs using Fortify's platform. It describes what organizations are protecting (e.g. personal information, financial data), the risks of data breaches, and case studies of past breaches at companies like Heartland Payment Systems. It then outlines how ANZ Bank established a "SAFE Program" using Fortify to integrate security practices into development and meet compliance obligations. The document promotes Fortify as a software security partner that can help achieve compliance, identify vulnerabilities, and effectively manage security programs.
Fortify technology
- 1. “Enterprise Software Security For the real-world!” Justin Derry jderry@fortify.com
- 2. Enterprise Software Security • Accenture –What are we protecting and Why? –Case Studies & Examples –Fortify more then a “software vendor”! –The Fortify platform
- 3. What are we protecting? • It’s more than just about Money! – Personal Information (Customer Data) – Financial/Banking Information – Company/Trade Secrets – Corporate Data • Consider this? – Can you business operate without the use of software on a daily basis? – What would happen if you software just stopped working one day?
- 4. Making the Case for Software Security • Risk of a Major Data Breach is increasing 146% since 2001 • Cost of a data breach could be $11 Million US #1 • A breach will cost more then protecting against attack • Attacks are focused at the Application Layer (> 76% Gartner) • NIST: 92% of vulnerabilities in application code • It’s not all about SQL Injection & Cross Site Scripting • False sense of security, existing security gates don’t protect you • 2009 expected to be the year of identity theft and significant increase in web based attacks for financial benefit
- 5. Heartland Payment Systems • Very Late 2007 – SQL Injection via a customer facing web page in our corporate (non-payments) environment. Bad guys were in our corporate network. • Early 2008 – Hired largest approved QSA to perform penetration testing of corporate environment • Spring 2008 – Learned of Sniffer Attack on Hannaford’s , Created a Dedicated Chief Security Officer Position and filled that position • April 30, 2008 – Passed 6th Consecutive “Annual Review” by Largest QSA • Very Late 2007 – Mid-May 2008 – Bad guys studied our corporate network • Mid-May 2008 – Penetration of our Payments Network
- 6. Heartland Events! • Late October 2008 – Informed by a card brand that several issuers suspected a potential breach of one or more processors. We received sample fraud transactions to help us determine if there was a problem in our payments network. A high percentage of these samples never touched our payments network. • No evidence could be found of an intrusion despite vigorous efforts by HPS employees and then two forensics companies to find a problem. • January 9, 2009 – We were told that “no problems were found” and that a final report reflecting that opinion would be forthcoming within days. • January 12, 2009 – January 20, 2009 – Learned of breach, notified card brands, notified law enforcement and made public announcement.
- 7. Case Study – ANZ Bank • What are the Drivers? – PCI Compliance Obligations – APRA Regulations & Requirements after review – Software security threat #3 risk on Fortune 500 – Internal Risk Drivers • Initial Steps – Enablement of new program called “SAFE Program” – Introduction of Developer Training through organization – “Adoption of Culture Change” critical – Implementation of world class technology & Governance
- 8. ANZ Timeline of Events
- 9. ANZ Bank Integration & Technologies • Platforms/Development Languages – Microsoft.NET, Classic ASP, VB, C++ – Java, JSP, J2EE – Mainframe languages (COBOL, C etc) – All Platforms such as Windows, UNIX, LINUX etc • Integration with Existing Technologies – Quality Centre Integration – Other bug tracking software (find bugs etc) – Build integration (ANT, Maven, Cruise Control, MSBUILD) – Web based delivery technologies (XML API F360 Server)
- 10. Fortify more then a software Vendor! Multi Platforms, Technology and Governance
- 12. Vision Guidance • Creating a successful vision is hard, get help! Or use the recommended strategy online at www.opensamm.org • SAMM (Software Assurance Maturity Model), the building blocks for a successful Software Security Strategy
- 13. PCI Compliance Quickly Demonstrate PCI Compliance • Instantly Protect Deployed Applications – Ensure compliance with PCI DSS Section 6.6 – Application defense module • Identify and Remediate Vulnerabilities – Ensures compliance with Sections 3, 6.3.7, 6.5, 6.6, 11.3.2 – View vulnerabilities in context of PCI compliance – Static and dynamic testing • Complete Self-Assessment Questionnaire – Assign responsibilities – View outstanding activities – Generate detailed reports to demonstrate PCI activities
- 14. Fortify 360 Platform • Identify the Most Vulnerabilities • Collaborate and Remediate more Code • Instantly Protect Deployed Applications • Effectively Manage SSA Programs • Achieve Compliance Quickly
- 15. Vulnerability Detection Identify the Most Vulnerabilities
- 16. Technology Support SCA, PTA and RTA • Static Analysis (Fortify 360 SCA) – Microsoft .NET (All languages), Classic ASP, VB, COM – C/C++ – Java, J2EE, JSF, Javascript etc – XML, HTML, Other web technologies – SQL TSQL/PSQL – Cold Fusion, PHP, COBOL and more coming.. • Testing/Production (Fortify 360 RTA/PTA) – Web based technologies only, supporting – .NET and Java primarily with some minor other languages (CF)
- 17. Fortify Technology Analysis Result Analysis Tracer Source Code Summary and details API List
- 18. Reporting What does it look like?
- 19. Open Discussion • What is currently done during development lifecycles? • How can/does Fortify integrate and provide value to the existing development practices within Accenture? • How do customers benefit from having Fortify scanned as a part of the development process? • Technical Questions?
Editor's Notes
- #11: Talk here a little about last year and what we talked about with SSA.