© 2015 IBM Corporation
@FlorinCoada, Application Security CTP, IBM Security
Jul 16, 2015
Building Security into Your DevOps Toolchain
DevOps is like Formula 1
§ Communication
§ Collaboration
§ Integration
§ Automation
What about security?
§ Formula 1?
– In Formula 1 the brakes are one of the most important security features
§ Why do we need brakes in DevOps?
– Because brakes enable us to go faster
§ What's the cost of a car going off the track?
– A few seconds off the lap, a few positions, the title, and sometimes more....
§ What can we learn from this?
– Security must be a part of the foundation.
Application Security Landscape
§ XSS and SQL Injection Exploitations
§ Mobile Devices Targeted
§ Web Application Vulnerabilities
Mobile Malware Increasing
– Malicious code is infecting more than 11.6 million mobile devices at any given time
Source: InfoSec, "Mobile Malware Infects Millions; LTE Spurs Growth," January 2014
Mobile devices and the apps we rely on are under attack
– 90% of the top mobile apps have been hacked
Source: Arxan Technologies, "App Economy under Attack: Report Reveals More than 90 Percent of the Top 100 Mobile Apps Have Been Hacked"
Web Application Vulnerabilities
– XSS and SQL injection exploits are continuing in high numbers
– 33% of vulnerability disclosures are web application vulnerabilities
Source: IBM X-Force Threat Intelligence Quarterly, 1Q 2014
Application Security Landscape
[Chart: Sampling of 2013 security incidents by attack type, time (January through December) and impact. Size of circle estimates relative impact of incident in terms of cost to business.]
Attack types: SQL injection, Spear phishing, DDoS, Physical access, Malware, XSS, Watering hole, Undisclosed
SQL injection accounted for 13% of attacks in 2013
Source: IBM X-Force Threat Intelligence Quarterly 1Q 2014
Start simple, be efficient
§ Start from the foundation
§ Application Security is not an add-on
§ No, security is not here to slow you down.
§ DAST first.
§ Use the existing workflow
– APIs, CLIs
It's cheaper to build security in from the start
Security is part of the journey, not a step at the end
[Diagram: delivery pipeline Build → Test → UAT → Staging → Production, with status shown per application for App A, App B and App C; security applied only at the end results in a Data Breach in Production.]
Security is part of the journey, not a step at the end
[Diagram: the same pipeline Build → Test → UAT → Staging → Production for App A, App B and App C, now with security testing (I/F) integrated into the Build and Test stages rather than at the end.]
Application Security best practices
§ Walk before you run
– Pilot projects to hone workflows
– Start with the obvious suspects
– Prove and highlight success stories
§ Centralized Expertise
– Develop Application Security SMEs
– Centralized policy decisions
§ Broad Education
– Expect push back
– Focused education on workflows
– Focus on critical issues
Application Security best practices
§ Automation
– Mature organizations have security scanning automated
– Integrate into build process
– Clarify remediation responsibilities
§ Feedback
– Build an "open" internal security community
– Wikis / Issue Reporting / Best Practice Sharing
– Champion success stories / Action failures
§ Don't give up!
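The "Automation" and "Use the existing workflow – APIs, CLIs" points above describe scanning that runs inside the build and a clear owner for each finding. The following added example (not IBM's code, not AppScan's report format, and not part of the original deck) shows what that looks like as a build-stage gate: it reads a scanner's findings export, fails the pipeline on any finding at or above a policy threshold unless the finding has been explicitly risk-accepted, reports lower-severity findings as warnings, and maps each finding to the team that owns the affected component so remediation responsibility is decided by the pipeline rather than by e-mail. The JSON schema, component names and owner mapping are all constructed assumptions for the example.

```python
"""Build-stage security gate for scanner findings (added example).

Assumes a hypothetical JSON findings export with the fields shown in
SAMPLE_REPORT below; real scanners have their own export formats.
"""
import json
import sys
from collections import defaultdict

# Constructed sample export from a DAST run (hypothetical schema, not a
# real product's output). Findings are deliberately mixed in severity.
SAMPLE_REPORT = json.dumps({
    "target": "https://staging.example.test",
    "findings": [
        {"id": "F-1", "severity": "High", "type": "SQL Injection",
         "url": "/search", "component": "catalog"},
        {"id": "F-2", "severity": "Medium", "type": "Cross-Site Scripting",
         "url": "/profile", "component": "accounts"},
        {"id": "F-3", "severity": "Low", "type": "Missing HSTS header",
         "url": "/", "component": "gateway"},
        {"id": "F-4", "severity": "High", "type": "Cross-Site Scripting",
         "url": "/comments", "component": "catalog"},
    ],
})

# Ordering used by the policy; unknown severities rank highest so a new
# label a scanner introduces can never silently slip through the gate.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
UNKNOWN_RANK = 99

# Remediation responsibilities: component -> owning team (constructed).
COMPONENT_OWNERS = {
    "catalog": "team-catalog",
    "accounts": "team-identity",
    "gateway": "team-platform",
}
DEFAULT_OWNER = "appsec-triage"  # fallback when no team claims a component


def load_findings(report_json):
    """Parse the export and return the list of finding dicts."""
    report = json.loads(report_json)
    return list(report.get("findings", []))


def evaluate_gate(findings, fail_at="High", accepted_ids=()):
    """Apply the build policy.

    Returns a dict with the ids that block the build ('blocking'), the ids
    below the threshold that only warn ('warnings'), and 'passed'.
    Findings listed in accepted_ids are risk-accepted and never block,
    but are still reported so the acceptance stays visible.
    """
    threshold = SEVERITY_RANK[fail_at]
    accepted = set(accepted_ids)
    blocking, warnings, acknowledged = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"], UNKNOWN_RANK)
        if f["id"] in accepted:
            acknowledged.append(f["id"])
        elif rank >= threshold:
            blocking.append(f["id"])
        else:
            warnings.append(f["id"])
    return {
        "blocking": blocking,
        "warnings": warnings,
        "accepted": acknowledged,
        "passed": not blocking,
    }


def assign_owners(findings):
    """Group finding ids by the team responsible for fixing them."""
    by_owner = defaultdict(list)
    for f in findings:
        owner = COMPONENT_OWNERS.get(f.get("component"), DEFAULT_OWNER)
        by_owner[owner].append(f["id"])
    return dict(by_owner)


def main(report_json=SAMPLE_REPORT, accepted_ids=()):
    """Run the gate and return the process exit code (0 = build may proceed)."""
    findings = load_findings(report_json)
    verdict = evaluate_gate(findings, accepted_ids=accepted_ids)
    for owner, ids in sorted(assign_owners(findings).items()):
        print(f"{owner}: {', '.join(ids)}")
    print(f"blocking={verdict['blocking']} warnings={verdict['warnings']} "
          f"accepted={verdict['accepted']}")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    # Exit status is what the CI step keys off; a non-zero code stops the build.
    sys.exit(main())
```

In a pipeline this runs as one step after the scan, and the exit code is what fails the build; the risk-acceptance list should live in version control next to the policy so that every bypass is reviewed like any other change.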
IBM Application Security Framework
Utilize resources effectively to identify and mitigate risk
Application Security Management
– Business Impact Assessment
– Asset Inventory
– Compliance Determination
– Status and Progress Measurement
– Vulnerability Prioritization
Test Applications in Development
– Static Analysis
– Dynamic Analysis
– Interactive Analysis
– Mobile Application Analysis
Monitor and Protect Deployed Applications
– Database Activity Monitoring
– Web Application Firewall
– SIEM
– Mobile Application Protection
– Intrusion Prevention
AppScan Adoption Example
Application Security Maturity
Level 1 – Basic ad-hoc DAST and IAST testing of key applications
Level 2 – Formalized application security initiative: application inventory and asset classification
Level 3 – Integration with QRadar for deeper security analysis and app monitoring
AppScan Adoption Example
Application Security Maturity
Level 4 – Start testing earlier in the software development lifecycle using SAST
Level 5 – Mobile app testing and protection
Level 6 – Database monitoring and virtual vulnerability patching
Client Example: A leading networking company
Executing an effective application security program
Business challenge
• Small security team responsible for managing nearly 2,500 applications
• Security team did not have enough security experts on staff to handle the workload
• Security staff was becoming a "bottleneck" in application security
Solution benefits (IBM Security AppScan Enterprise)
• Empowered developers and QA personnel to test applications and address security issues before deployment
• Drove a 33 percent decrease in number of security issues found
• Reduced post-deployment remediation costs significantly
• Freed security experts to focus on deep application vulnerability assessments
Client Example: A state-run university in the U.S.
Executing an effective application security program
Business challenge
• Provide developers across the university with a standard, centralized solution for scanning web applications for vulnerabilities
Solution benefits (IBM Security AppScan Enterprise)
• Improved web application quality
• Increased the number of scans each year, fixed problems in application code, resulting in a 60 percent decrease in the number of vulnerabilities identified
"After doing our research, we determined that IBM was leader in the field of dynamic application scanning."
Alex Jalso, Assistant Director, Office of Information Security
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security