Rational application-security-071411

1. IBM Security SolutionsIBM Rational Application Security

2. 2AgendaCurrent Trends in Application SecurityThe SolutionStrategies for Customer SuccessRational AppScan SuiteIBM Application Security Coverage

3. Executive SummaryWeb applications are the greatest source of risk for organizationsRational Application Security enables organizations to address root cause of this riskAppScan leverages a mix of technologies (static & dynamic)AppScan is a key part of IBM Security’s full solution view of application security 3Rational AppScan SuiteenablesComprehensive Application Vulnerability Management

4. The Costs from Security Breaches are Staggering4285 Million records compromised in 2008Verizon 2009 data Breach Investigations Report$204 Cost per Compromised RecordPonemon 2009-2010 Cost of a data Breach ReportTranslates to $58.1BCost to CoRporations

5. Sources of Security Breach Costs5Unbudgeted Costs: Customer notification / care

6. Government fines

7. Litigation

8. Reputational damage

9. Brand erosion

10. Cost to repair1,000,000x10x1xSecurity FlawDamage to EnterpriseFunctional FlawDevelopmentTestDeployment

11. Web Applications are the greatest risk to organizations6Web application vulnerabilities represented the largest category in vulnerability disclosures

12. In 2009, 49% of all vulnerabilities were Web application vulnerabilities

13. SQL injection and Cross-Site Scripting are neck and neck in a race for the top spotIBM Internet Security Systems 2009 X-Force®Year End Trend & Risk Report

14. Why are Web Applications so Vulnerable?7Developers are mandated to deliver functionality on-time and on-budget - but not to develop secure applicationsDevelopers are not generally educated in secure code practicesProduct innovation is driving development of increasingly complicated software for a Smarter PlanetNetwork scanners won’t find application vulnerabilities and firewalls/IPS don’t block application attacksVolumes of applications continue to be deployed that are riddled with security flaws… …and are non compliant with industry regulations

15. 8Clients’ security challenges in a smarter planet Key drivers for security projectsIncreasing ComplexityRising CostsEnsuring Compliance Spending by U.S. companies on governance, risk and compliance will grow to $29.8 billionin 2010Soon, there will be 1 trillionconnected devices in the world, constituting an “internet of things”The cost of a data breach increased to $204 per compromised customer record Source http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1375707,00.html

16. Market DriversRegulatory & Standards ComplianceeCommerce: PCI-DSS, PA-DSSFinancial Services: GLBAEnergy: NERC / FERCGovernment: FISMAUser demand Rich application demand is pushing development to advanced code techniques – Web 2.0 introducing more exposuresCost cutting in current economic climate Demands increased efficienciesCyber Blitz Hits U.S., Korea Websites -WSJJuly 9th, 2009“Web-based malware up 400%, 68% hosted on legitimate sites” — ZDnet, June 2008Hackers Break Into Virginia Health Website, Demand Ransom — Washington Post, May, 2009

18. The Solution - Security for Smarter ProductsSmarter Products require secure applications

19. Security needs to be built into the development process and addressed throughout the development lifecycle

20. Providing security for smarter products requires comprehensive security solutions deployed in concert with application lifecycle management offerings that:

21. Provide integrated testing solutions for developers, QA, Security and Compliance stakeholders

22. Leveragemultiple appropriate testing technologies (static & dynamic analysis)

23. Provide effortless security that allows development to be part of the solution

24. Supportgovernance, reporting and dashboards

25. Can facilitate collaboration between development and security teams11

26. Cost is a Significant Driver80% of development costs are spent identifying and correcting defects!*Once released as a product $7,600/defect+Law suits, loss of customer trust,damage to brandDuring the QA/Testing phase$960/defectDuring the build phase $240/defectDuring the coding phase $80/defectThe increasing costs of fixing a defect….*National Institute of Standards & Technology Source: GBS Industry standard studyDefect cost derived in assuming it takes 8 hrs to find, fix and repair a defect when found in code and unit test. Defect FFR cost for other phases calculated by using the multiplier on a blended rate of $80/hr.

27. Make Applications Secure, by DesignCycle of secure application developmentManage,Monitor& DefendDesign PhaseConsideration is given to security requirements of the application

28. Issues such as required controls and best practices are documented on par with functional requirementsDevelopment PhaseSoftware is checked during coding for:

29. Implementation error vulnerabilities

30. Compliance with security requirementsBuild & Test PhaseTesting begins for errors and compliance with security requirements across the entire application

31. Applications are also tested for exploitability in deployment scenarioDeployment PhaseConfigure infrastructure for application policies

32. Deploy applications into productionOperational PhaseContinuously monitor applications for appropriate application usage, vulnerabilities and defend against attacksDesignFunctional SpecDevelopDeployBuild & TestOutsourcing PartnerSoftware13

33. ROI Opportunity of Application Security TestingCost Savings – of testing early in the development process (ALM)80% of development costs are spent identifying and correcting defectsTesting for vulnerabilities earlier in the development process can help avoid that unnecessary expenseCost of finding & fixing problems:

34. code stage is $80, QA/Testing is $960*

35. Ex: 50 applications annually & 25 issues per application, testing at code stage saves $1.1M over testing at QA stage. Cost Savings – of automated vs. manual testingOutsourced audits can cost $10,000 to $50,000 per application

36. At $20,000 an app, 50 audits will cost $1M.

37. With 1 hire + 4 quarterly outsourced audits (ex: $120,000+$80,000), $800,000/yr can be saved (less the cost of testing software)Automated testing provides tremendous productivity savings over manual testingAutomated source code testing with periodic penetration testing allows for cost effective security analysis of applications Cost Avoidance – of a security breachThe cost to companies is $204per compromised record**The average cost per data breach is $6.6 Million**Costs as a result of a security breach can include (but are not limited to) audit fees, legal fees, regulatory fines, lost customer revenue and brand damage * Source: GBS Industry standard study ** Source: Ponemon Institute 2009-10

39. Application Security Maturity ModelCORRECTIVEBOLT ONBUILT INUNAWAREPHASEPHASEPHASESecurity testing before deploymentFully integrated security testingDoing nothingOutsourced testingView of application testing coverageTimeDuration 1-2 Years

40. BuildCodingQASecurityProductionSecurity Testing Within the Software LifecycleSDLCMost Issues are found by security auditors prior to going live.% of Issue Found by Stage of SDLC

41. BuildCodingQASecurityProductionSecurity Testing Within the Software LifecycleSDLCDesired Profile% of Issue Found by Stage of SDLC

42. BuildCodingQASecurityProductionSecurity Testing Within the Software LifecycleSDLCDevelopersDevelopersDevelopersApplication Security Testing Maturity

44. Rational ALM IntegrationsRational AppScan:Source for Automation

45. Standard EdApplication DeveloperBuildBuild ForgeDevelopmentRational AppScan: Source Ed Developer

46. Source Ed Remediation

47. Enterprise QuickScanQARational AppScan Tester Ed for RQMRational AppScan Enterprise portalRational AppScan Source Ed CoreQuality ManagerClearQuestRational AppScan:Standard Ed

48. Source Ed for SecurityComplianceSecurity

49. Security Testing Technologies... Combination Drives Greater Solution AccuracyStatic Code Analysis (Whitebox )Scanning source code for security issuesTotal PotentialSecurity IssuesDynamicAnalysisStaticAnalysisBest CoverageDynamic Analysis (Blackbox)Performing security analysis of a compiled application22

51. IBM Web application security for a smarter planetRational AppScanSecure code development and vulnerability managementIdentify vulnerabilities and malware

52. Actionable information to correct the problemsTivoli I&AMManage secure Web applicationsProtect Web applications from potential attacksEnd-to-end Web application securityOngoing management and security with a suite of identity and access management solutions

53. Block attacks that aim to exploit Web application vulnerabilities

54. Integrate Web application security with existing network infrastructureDeliver security and performance in Web services and SOAISS IPSPurpose-built XML and SOA solutions for security and performanceWebSphereDatapower24

55. 25

Rational application-security-071411

More Related Content

What's hot (20)

Similar to Rational application-security-071411 (20)

More from Scott Althouse (7)

Recently uploaded (20)

Rational application-security-071411

Editor's Notes