“If you haven’t taken a look at these guys, I think you should, before that ‘bad thing’ happens to your company.”
- CIO Magazine
“The company making security a built-in feature to software”
- CNBC Powerlunch
© FORTIFY SOFTWARE INCORPORATED 2006, All Rights Reserved
Fortify - the Software Security Market Leader
The technology innovator that defined the segment
Multiple award winning products span the development lifecycle
Over 150 patent claims filed to date
Largest & most demanding customer base
Sustained 300% revenue growth
10:1 win ratio in head-to-head bake-offs
The world’s largest code bases (19M SLOC)
Blue chip technical & management team
Average 25 years software experience
Advised by the world’s top security experts
“Fortify is the clear winner for many
reasons, including their superior analysis and reporting capabilities,
and their understanding and support of how security fits into the
software development lifecycle.”
- Mary Ann Davidson, CSO, Oracle
Applications are becoming increasingly critical and pervasive, and a prime target for hackers and malicious insiders, creating a staggering increase in lost information and system downtime.
In-Secure is In-Complete and Not Good Enough
Root cause of security problems
Gartner - 75% of breaches due to poorly written applications
NIST - 92% of vulnerabilities are in software
Leading enterprises take action today!
Awareness now at 70%
Over 20% implementing or actively investigating
If you are not, you will soon…
Demands of customers/partners
Regulatory requirements
Industry best practices
What is your risk exposure now?
Baselines and benchmark metrics
Across the enterprise
Purchased and custom developed
Key constituents have competing requirements
Management - visibility & risk reduction
Infosec - assurance and accountability
Development - agility and flexibility
How will you introduce security discipline in software development?
New concepts and requirements
Increased responsibility and accountability
Tough Challenges Require an Experienced Partner
“Most companies get this wrong. Success requires executive mandate and clear
controls for establishing accountability for security in development.”
- Gary McGraw, Author and CTO, Cigital
The Top 5 Software Security Traps and Pitfalls
Built-In Software Security Flaws Have Companies Up In Arms
More than half of those responding to InformationWeek Research's Global Security Survey 2006 say vendors should be held legally or financially responsible for products' security vulnerabilities.
InformationWeek Jul 10, 2006 12:01 AM
In-Secure is In-Complete - What is Your Brand Worth?
Software vulnerabilities make for good headlines
76+ articles in Feb 2006 alone
Pressure is mounting
Customers quick to blame vendors
Risk exposure awareness at 90%
Microsoft establishing best practices
Aggressively promoting “SDL”
You will be doing SDL…
Customers/partners will ask
Regulatory requirements will demand it
Differentiator for you or your competitor
What priority is security given in your development ranks?
Security is not just another bug…
“If we have a group that is knowingly ignoring the SDL or de-
prioritizing it, at best we have an accountability problem and at worst
an HR problem.”
- Mike Nash, Corporate VP, Microsoft
Secure Development Lifecycle (SDL)
The goal of the SDL: “Building Security In”
Software Development Lifecycle (SDL)
Security Training
Threat Modeling
Risk Analysis
Source Code Analysis & Review
Security Testing
Application Security Event Monitoring
Fortify Application Security Deployment Suite
Lifecycle stages: Plan, Design, Code, Functional Test, Penetration Test, Deploy
Metrics and Reporting
Fortify Software Security Analysis Suite
Fortify Software Security Manager
Fortify Software Security Test Suite
Source Code Analysis and RunTime Analysis
Security Testing and RunTime Analysis
Application Monitoring and Protection
“Other vendors are promising integrated lifecycle solutions while Fortify has been
delivering on that promise for years.”
- Andrew Binstock, InfoWorld Magazine
Fortify Completes Your Software - Makes it Secure
Fortify Scales from the Desktop to the Enterprise
Fortify Enterprise
Fortify Professional
Fortify Source Code Analyzer
Fortify Team
Fortify RunTime Analyzer
Fortify Security Tester
Fortify Software Security Analysis Suite
Fortify Application Security Deployment Suite
Fortify Software Security Manager
Reporting & Metrics
Lifecycle Management
Policy-Driven Analysis
Rules Management
Infosec Project Auditing
Source Code & RunTime Analysis
Developer Desktop and Build Server
Triage, Review and Audit GUI
Dev Pro Version
Individual developers, testers, and auditors
Software development teams
Integrated Enterprise Deployments
Integrates and manages multiple Fortify Team Suites
Application Monitoring and Defense
Fortify Software Security Test Suite
RunTime Analysis
Security Testing
Security Debugging
The “Purify” for Security
Visual Studio Team Suite 2005
Teams Deliver Code You Can Trust with Fortify
Development
Fortify SCA Dev Pro
Targeted, accurate analysis tuned for low false positives
Fortify Source Code Analyzer
Comprehensive, accurate analysis tuned for low false negatives
Fortify Audit Workbench
Fast and effective triage, review, and audit
Test
Build Server
Security Lead
Developers Desktop
FPR
Management
Fortify Security Tester
Thorough and effective WhiteBox™ testing leveraging existing QA scripts
Fortify RunTime Analyzer
Enhanced WhiteBox™ testing through concurrent dynamic analysis
Security Testers
Fortify Application Defense
Real-time security event monitoring and protection through production-grade runtime analysis
Security Ops Team
Production
(Visual Studio, Borland, Eclipse, IBM WSS)
Fortify is Proven in the Most Demanding Environments
Lifecycle wheel: Define, Design, Code, Test, Deploy, Monitor; stakeholders: Security, Management, Development, QA, Operations
Fortify has proven to meet the needs of enterprise deployments
Extensible solutions that span the development lifecycle (SDL)
Solutions for the developers, testers and auditors
More languages, platforms, frameworks and tools than anyone else
Superior architecture and proven experience with the most demanding customers
Fortify delivers what the others miss - complete and accurate results
The award winning Fortify Source Code Analysis Suite
Patent-pending RunTime Analysis
Patent-pending X-Tier Analysis
Patent-pending WhiteBox Security Testing
Fortify in the Enterprise – Security In Development
Lifecycle wheel: Define, Design, Code, Test, Deploy, Monitor; Security
Fortify SCA Dev Enterprise
Targeted analysis tuned for low false positives at the desktop
Fortify Source Code Analyzer
Fortify RunTime Analyzer
Fortify Audit WorkBench
Comprehensive and accurate results for low false negatives at code review
Development
Development Teams
Security Auditors
Fortify Software Security Manager
Fortify Rules Builder
Central visibility and control required to manage an enterprise deployment
Management
Security Leads
“After an extensive evaluation, we found that Fortify not only had the lowest false positives, but routinely found issues the others missed…”
- Kevin O’Neil, Investors Bank & Trust
Fortify in the Enterprise – Security In QA / Test
Lifecycle wheel: Define, Design, Code, Test, Deploy, Monitor; Security
Fortify Security Tester
Thorough and effective security testing leveraging existing QA scripts
Fortify Source Code Analyzer
Fortify RunTime Analyzer
QA
Penetration Testing Teams
Security Auditors
Source Code and RunTime Analysis deliver actionable and meaningful WhiteBox™ testing results
Fortify Software Security Manager
Fortify Rules Builder
Central visibility and control required to manage an enterprise deployment
Management
Security Leads
“Fortify tears the cover off black-box testing and offers results that help fix the issues…”
- IDC, 2006
Fortify in the Enterprise – Security In Production
Lifecycle wheel: Define, Design, Code, Test, Deploy, Monitor; Security
Fortify Software Security Manager
Fortify Application Defense
1st embedded application security monitor providing unparalleled insight and protection
Operations
Security
“Fortify delivers on the promises made by application firewalls – it’s accurate, scalable and easy to implement.”
- Aditya Palande, ProTrade
Lifecycle wheel: Define, Design, Code, Test, Deploy, Monitor
Software security audits and tests performed at key milestones
Collect and track metrics and enforce policies
Stop faulty code from entering into production
Getting Started is Easy – Security Assurance Gates
Security
Management
Development
Visibility on business risk and software security improvement goals.
Crucial feedback on vulnerabilities and progress towards goals. Augmented with training, security is introduced with the guidance of the infosec team.
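The assurance gate described on this slide can be made concrete as a small policy check. The code below is an added example, not Fortify's product code: it takes a list of analyzer findings (constructed sample data), computes the metrics a milestone would track, and blocks the build when open findings exceed the written policy. The finding fields, the severity names and the policy limits are assumptions made for the illustration.

```python
# Added example (not Fortify's code): a security assurance gate that blocks a
# build when open findings exceed a written policy. Finding fields, severities
# and the policy limits are assumptions for illustration.
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    category: str   # vulnerability category, e.g. "SQL Injection"
    severity: str   # "Critical", "High", "Medium" or "Low"
    location: str   # file:line where the analyzer reported it
    audited: bool   # True once a reviewer confirmed it is fixed or a false positive


# Maximum number of *open* (unaudited) findings allowed per severity at the gate.
# Severities not listed are tracked as metrics but do not block (assumed policy).
DEFAULT_POLICY = {"Critical": 0, "High": 2}

# Constructed sample findings, as an analyzer might report them for one build.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "Critical", "OrderDao.java:88", audited=False),
    Finding("Cross-Site Scripting", "High", "search.jsp:14", audited=False),
    Finding("Cross-Site Scripting", "High", "profile.jsp:31", audited=True),
    Finding("Path Manipulation", "High", "Export.java:120", audited=False),
    Finding("Log Forging", "Medium", "Audit.java:42", audited=False),
]


def gate_metrics(findings):
    """Metrics tracked at the milestone: open and audited counts per severity."""
    open_counts = Counter(f.severity for f in findings if not f.audited)
    audited_counts = Counter(f.severity for f in findings if f.audited)
    return {"open": dict(open_counts), "audited": dict(audited_counts)}


def evaluate_gate(findings, policy=DEFAULT_POLICY):
    """Return (passed, violations). A violation names the severity whose
    open-finding count exceeds the policy limit, so the build is held back."""
    open_counts = Counter(f.severity for f in findings if not f.audited)
    violations = [
        f"{severity}: {open_counts[severity]} open, limit {limit}"
        for severity, limit in policy.items()
        if open_counts[severity] > limit
    ]
    return (not violations, violations)


def audit(findings, location):
    """Mark the finding at `location` as reviewed (fixed or confirmed false positive)."""
    return [replace(f, audited=True) if f.location == location else f for f in findings]


if __name__ == "__main__":
    passed, why = evaluate_gate(SAMPLE_FINDINGS)
    print("gate passed:", passed, why)
    print("metrics:", gate_metrics(SAMPLE_FINDINGS))
    # After the Critical finding is fixed and reviewed, the build can go through.
    print("after audit:", evaluate_gate(audit(SAMPLE_FINDINGS, "OrderDao.java:88")))
```

Only unaudited findings count against the gate, which is what gives the infosec team the accountability lever the slide talks about: a developer cannot silence a Critical finding without a reviewer marking it as fixed or as a confirmed false positive.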
The dilemma: Accuracy or completeness?
Are you going to miss security issues or make developers upset?
You don’t need to compromise accuracy for completeness!
Accuracy is meaningless if the results are not complete
Complete results are useless if they are not accurate
Fast, easy and accurate for developers
Complete and accurate for security staff
The Solution You Can Trust - Complete and Accurate
Why is completeness a requirement for security?
Chart: completeness vs. accuracy, with thresholds marked for acceptable risk and acceptable utility; inadequate solutions shown: QA Tools, Pen-Testing Products, Other Security Analysis Products
Fortify Source Code Analysis - The Gold Standard
Source Code: C, C++, .Net, Java, JSP, PL/SQL, T-SQL, XML, CFML
Secure Coding Rules
Fortify finds what the others miss - complete and accurate results
5 analyzers deliver breadth and accuracy
Over 3,000 security rules covering 118 vulnerability categories
Over 20 quality categories through integration with FindBugs
Extensible so you can write your own custom analysis rules
Fortify fits the way you work and supports the tools you use today
Separate auditor and developer versions
Platforms: Windows, Solaris, Red Hat Linux, Mac OS X, HP-UX, IBM AIX
Frameworks: EJB (BEA, WebSphere), Cold Fusion, Struts, Hibernate, Spring
IDEs: Visual Studio, Eclipse, IBM, Borland
Source Code Analyzers
Broad and deep coverage for the security auditor so you don’t miss a thing
Directed analysis on the desktop so you don’t slow down development
Tuning Options
Analyzers: semantic, dataflow, controlflow, config, structure
Tiers: Front End (ASP, JSP); Business Logic (Java, C#, C/C++); Back End (PLSQL, TSQL)
Only Fortify’s patent-pending X-Tier™ Analysis allows complete coverage of all critical code paths
X-Tier™ Analysis For Confidence in the Results
Real world applications are multi-language and multi-tier
Web Applications (3-tier)
EIA, SOA and Web Services
Little or no assurance if you can’t model data-flow across the tiers
Attacks are at the top of the stack
Vulnerabilities can be deep in the system
Fortify RunTime and Source Code Analyzers support X-tier analysis
The only vendor with this technology (numerous patents pending)
See The Entire Picture With Fortify RunTime Analysis
Attack Patterns & Signature DB
Complete and Accurate Results
Finds vulnerabilities that can’t be found in the code
Environmental and runtime errors
Errors in 3rd party (binary) code
Finds vulnerabilities that penetration testing misses
Any server-side event that does not alter the HTTP response (XSS, SQL Injection, Process Injection, …)
Logging private data
Has far greater accuracy and lower false positives than any other technique
Nothing is more accurate than a monitor at the call site when the security event occurs
RunTime Monitors: attack surface, security event, honeytoken, data privacy, statistical correlation
Binary
Java, .NET
Security Events
Optional runtime protections provide greater assurance of deployed applications
“In-house” or 3rd party
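To show what "a monitor at the call site" means in practice, here is an added example in Python that is not Fortify's RunTime Analyzer: a database sink is wrapped so that two monitors fire at the moment the query executes. One records an event when the SQL text itself (rather than a bound parameter) carries data that entered through the attack surface; the other records an event when a honeytoken value, a decoy record that no legitimate code path ever queries, is referenced. The class names, the event format, the table and the decoy value are all assumptions constructed for the demo.

```python
# Added example (not Fortify's RunTime Analyzer): two call-site monitors on a
# database sink. Class and event names are assumptions; the table, the honeytoken
# value and the inputs are constructed for the demo.
import sqlite3


class Tainted(str):
    """A string that entered through the attack surface (e.g. an HTTP parameter).
    Concatenation keeps the mark, so a query built from it is itself Tainted."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def from_attack_surface(value):
    """Entry-point monitor: everything read from the request is marked tainted."""
    return Tainted(value)


# Decoy value seeded into the data; no legitimate code path ever queries by it.
HONEYTOKEN = "hny-9f3a-decoy-key"

# Security events recorded by the monitors (a real deployment would ship them
# to the event store with stack trace, file and line of the call site).
EVENTS = []


class MonitoredCursor(sqlite3.Cursor):
    """The SQL sink with monitors installed at the call site."""

    def execute(self, sql, parameters=()):
        # Monitor 1: the SQL *text* (not a bound parameter) carries attack-surface
        # data, i.e. user input was spliced into the statement.
        if isinstance(sql, Tainted):
            EVENTS.append({"type": "sql_injection_risk", "sql": str(sql)})
        # Monitor 2: the honeytoken is referenced by the query or its parameters.
        if HONEYTOKEN in sql or any(HONEYTOKEN in str(p) for p in parameters):
            EVENTS.append({"type": "honeytoken_access", "sql": str(sql)})
        return super().execute(str(sql), parameters)


def run_demo():
    """Exercise the sink three ways and return the event types that fired."""
    EVENTS.clear()
    conn = sqlite3.connect(":memory:")
    # Seed data with a plain (unmonitored) cursor so the setup raises no events.
    conn.execute("CREATE TABLE users (name TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "key-alice-1"))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("decoy", HONEYTOKEN))
    cur = conn.cursor(factory=MonitoredCursor)

    name = from_attack_surface("alice")          # value read from the request
    # 1. Parameterised query: tainted data stays a parameter, no event.
    cur.execute("SELECT api_key FROM users WHERE name = ?", (name,))
    # 2. Query text built by concatenation: the statement itself is Tainted.
    cur.execute("SELECT api_key FROM users WHERE name = '" + name + "'")
    # 3. Someone presents the decoy key: only a leak or a scan explains this.
    cur.execute("SELECT name FROM users WHERE api_key = ?", (HONEYTOKEN,))
    conn.close()
    return [event["type"] for event in EVENTS]


if __name__ == "__main__":
    print(run_demo())   # ['sql_injection_risk', 'honeytoken_access']
```

Note that case 2 is reported even though the input was a harmless name and the HTTP response would look identical to case 1; that is the point the slide makes about server-side events that never alter the response. The monitor sees the construction of the statement, not the outcome.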
Diagram: executable (WAR/exe/dll) with 3rd party libraries; interfaces: Web GUI, Web Services, RDBMS, File I/O, Network I/O
Security Testing Without Fortify = Black Box
Attacks and visibility limited to what can be seen on the web GUI
Misses attack surface: Files (EDI and Config), Database, RPC/IPC, EIA (Tibco, Tuxedo, etc)
Cannot find internal security events, e.g. logging a credit card into a clear text log file
Blind attacks have zero knowledge of program internals
Does an input field go to a DB, process invocation, crypto routine, I/O, nowhere?
Source file? Line of code? Call tree? Data-flow path? - ALL MISSING FROM REPORTS
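The internal event the slide names, a card number written to a clear-text log, never shows up in an HTTP response, so a black-box scanner cannot see it. The following added example (not Fortify's code) shows the detection logic a defender would run over application logs, or install at the logging call site, to catch it: candidate digit runs are extracted, filtered with the Luhn checksum so order ids and timestamps are not reported, and returned in masked form so the finding itself does not leak the number again. The log lines are constructed, and the regular expression and masking rule are assumptions.

```python
# Added example (not Fortify's code): detection logic for the internal security
# event described above, a card number written to a clear-text log. Log lines
# are constructed; the regex and masking rule are assumptions.
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not part of a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; distinguishes card numbers from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so the finding can be reported
    without copying the full number into yet another log."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text):
    """Return the masked form of every Luhn-valid candidate in one line."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_log(lines):
    """Scan log lines; return (line number, masked number) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for masked in find_card_numbers(line):
            hits.append((lineno, masked))
    return hits


# Constructed sample log lines. 4111 1111 1111 1111 is the well-known Visa test
# number (Luhn-valid); the 16-digit order id is not Luhn-valid.
SAMPLE_LOG_LINES = [
    "2006-07-10 12:01:00 INFO  checkout started user=alice order=1234567890123456",
    "2006-07-10 12:01:02 DEBUG charging card=4111 1111 1111 1111 exp=12/09 amount=42.00",
    "2006-07-10 12:01:03 INFO  charge ok token=tok_7f3a last4=1111",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG_LINES):
        print(f"line {lineno}: clear-text card number {masked}")
```

The Luhn filter is what keeps the false-positive rate workable: a 16-digit order id is rejected, the test card number is reported, and the already-masked `last4` field is never a candidate. A longer digit run that happens to contain a valid window is still missed by this whole-run check, which is the usual trade-off between accuracy and completeness in this kind of data-privacy monitor.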
Only Fortify Delivers WhiteBox™ Security Testing
Fortify Source Code Analyzer
Fortify RunTime Analyzer (binary: Java, .NET)
Source: Java, C/C++, C#, VB.Net, PLSQL, TSQL
Coverage statistics for attack surface and all security relevant operations
Full visibility into what happened “on the inside”
Source Code Analysis provides a blue-print for targeted attacks
“Source Code” view of security issues
Benefit From Our Experience and Expertise
2003 2004 2005 2006 2007
Fortify Establishes The Market
Supported by pre-eminent security researchers, Fortify Software delivers the world’s first commercial software security analyzer.
Actively Engaging Leaders
Working closely with early adopters, Fortify delivers an integrated suite, filing over 150 patent claims.
Source Code Analysis Suite - The award winning market defining platform that the others are still struggling to copy.
Security Tester - The first security testing solution to deliver white box security testing and deliver it to QA professionals.
Application Defense - Event monitoring and protections for legacy applications and packaged software.
Software Analysis Redefined - Fortify Software Analysis Suite 5.0
Solutions That Grow With You
Proven options for a quick and painless start
Software Security Assurance Gates
The most effective way there is to reduce software risk exposure
Discretionary Development Deployment
200% increase* in security training retention
Enterprise Software Vulnerability Base-Line Audit
Analysis of legacy systems for base line reporting and risk assessment
Seamless transition to an enterprise software security program
Integrated Development - Infosec Deployment
Flexibility for development, comprehensive assurance for infosec
Enterprise metrics and reporting
Full visibility across all projects and the ability to manage through policy
* Arkasoft Security Training Survey - 2005
Expertise and Guidance Every Step of the Way
Lifecycle wheel: Define, Design, Code, Test, Deploy, Monitor; Security
Fortify Services
Fortify Rapid-Start Deployment
Fortify 3rd Party Code Verification Services
Fortify Managed Auditing Services
Management
Fortify Global Partners
Compare… Others
Fortify is The One That You Can Count On
Fortify is a much better fit
Extensible solutions that span the development lifecycle (SDL)
Solutions for developers, testers, auditors, teams, and the enterprise
Support for more languages, platforms, frameworks and tools than anyone else
A superior architecture and proven experience with the most demanding customers across a wide range of deployments
Fortify delivers what the others miss - complete and accurate results
The award winning Fortify Source Code Analysis Suite
Patent-pending RunTime Analysis
Patent-pending X-Tier Analysis
Patent-pending WhiteBox Security Testing
Take the Fortify Challenge
Allow us to perform a Baseline Security Audit on one of your software projects
If we find no serious security issues - We Pay You $10K
Otherwise pay our standard code audit fee: $25K for a typical application < 250K SLOC
If you are anything less than delighted with the findings - You Pay Nothing
Transitions easily into a Managed Audit Service
Pilot a Development Team Rollout
Infosec team and 2-3 development groups
Define project scope, introduce technology, measure results
Fee based on project scope, size, and timeline
Get Started…
Caveat Emptor - Software Security is the Next Big Thing
Network-vendors
Focusing on the attack over the root cause, “Now fixes applications” is now the latest craze.
• Reactive approach that got us where we are now.
• Focused on addressing the attack or protecting the infrastructure.
• Some solutions serve as a stop gap, but by no means replace the need to build security in.
Quality-vendors
To broaden the reach of niche products, static analysis vendors add security to a list of quality issues.
• Security issues are not “just another bug”.
• Static analysis tools lack the advanced data-flow features like X-Tier™ and RunTime™.
• Products (ParaSoft, Coverity, Klocwork) fall way behind in platforms and rules coverage.
Penetration Testers
A popular solution for establishing awareness is being offered up as a sustainable solution.
• Great for demonstrating the problem.
• Testing without upstream activities to “test” is pointless and expensive.
• Penetration tests must move to the QA stage of the SDL and be replaced with audits - that most projects pass.
“Security Light” / “Badness-ometers” / “Security in a Box”
Rule #1: Never Mention Your Competitors…
Ounce Labs - Makes a lot of noise but still catching up on the basics (languages and platforms). Presentation over substance - fact check their claims.
Secure Software - Well respected services firm struggling to transition into a software company. Consultantware architecture (Python scripts).
SPI Dynamics - Recent dramatic change in product strategy promising Fortify functionality validates our approach - What does it say about them?
…unless you maintain better than 10:1 win rate in head to head bake-offs