Customer challenges with application security
Application security is more important than ever
The majority of security breaches today are from application vulnerabilities
Figure: security layers (Perimeter, Network, Endpoint, Application, Data)
of security incidents from exploits against defects in the design or code of software.1
Percentage of applications containing at least one critical or high vulnerability.2
1 U.S. Department of Homeland Security’s U.S. Computer Emergency Response Team (US-CERT)
2 “2017 Application Security Research Update” by the HPE Software Security Research team, 2017
What is Application Security?
Application security is the discipline of processes, tools and practices that aims to protect applications from threats throughout the entire application lifecycle. Cyber criminals are organized, specialized, and motivated to find and exploit vulnerabilities in enterprise applications to steal data, intellectual property, and sensitive information. Application security can help organizations protect all kinds of applications (such as legacy, desktop, web, mobile and microservice applications) used by internal and external stakeholders, including customers, business partners and employees.
Why Application Security?
As validated by multiple studies, the majority of successful breaches target exploitable vulnerabilities residing in the application layer, indicating that enterprise IT departments need to be extra vigilant about application security. To further compound the problem, the number and complexity of applications is growing. Ten years ago, the software security challenge was about protecting desktop applications and static websites that were fairly innocuous and easy to scope and protect. Now, the software supply chain is much more complicated: outsourced development and a large number of legacy applications are combined with in-house development that takes advantage of third-party, open-source and commercial off-the-shelf software components.
Organizations need application security solutions that cover all of their applications, from those used internally to popular external apps used on customers’ mobile phones. These solutions must cover the entire development stage and offer testing after an application is put into use, to monitor for potential problems. Application security solutions must be capable of testing web applications for potential and exploitable vulnerabilities, be able to analyze code, and help manage the security and development processes by coordinating efforts and enabling collaboration between the various stakeholders. Solutions also must offer application security testing that is easy to use and deploy.
Application Security Solutions
- Micro Focus Application Security solutions offer application security testing and management on-premises and as a service that can help companies secure their software applications, including legacy, mobile, third-party, and open-source applications.
- The Micro Focus Fortify offerings include static, dynamic and interactive application security testing, and runtime application self-protection, as well as services to support a Software Security Assurance program: processes to ensure that the applications that run your business are protected and secure.
- The solutions include:
  - Fortify Static Code Analyzer – Static Application Security Testing (SAST) – Identifies and pinpoints security vulnerabilities in source code early in the software development lifecycle.
  - Fortify WebInspect – Dynamic Application Security Testing (DAST) – Simulates real-world security attacks on a running application to provide comprehensive analysis of complex web applications and services.
  - Interactive Application Security Testing (IAST) – Integration of our dynamic testing and runtime analysis to identify more vulnerabilities by expanding coverage of the attack surface and exposing exploitable flaws better than dynamic testing alone.
  - Fortify Application Defender – Runtime Application Self-Protection (RASP) – Actively monitors and protects applications in production that have known and unknown vulnerabilities.
  - Fortify on Demand – Security as a Service – A simple, easy and quick way to accurately test applications without having to install or manage software, or add additional resources.
  - Mobile Security – Mobile testing methodology that tests all three tiers: the client, the network and the server.
  - Software Security Assurance – Centralized management repository that provides the visibility needed to resolve security vulnerabilities.
  - Fortify Software Security Center – Centralized management repository providing visibility into the entire application security testing program. It prioritizes, manages and tracks security testing activities and provides an accurate picture of software security risk across your enterprise.
Security at the Speed of DevOps with Fortify
Fortify is the recognized market leader in application security and is the most comprehensive and scalable application security solution that works with your current development tools and processes. Through integration with existing tools such as Visual Studio, JIRA, ALM Octane or Jenkins, Fortify enables adoption by developers, reduces friction, and promotes continuous deployment of secure code through automation. With Fortify, organizations can start securing applications in a single day, including custom code and open-source or commercial components, and scale as needs grow with an on-premises, as-a-service, or hybrid implementation.
Defensive measures act on specific layers
Types of application security
Security functionality
Letting the right people into a system using authentication and authorization.
Encryption of data.
Logging and auditing.
Can be explicitly coded in the application, or the application can call centralized infrastructure (preferably NetIQ, Voltage or ArcSight).
General/baseline application security
Preventing the application from being hacked (made to behave in ways that it shouldn’t).
Application-level hacks generally compromise security functionality.
Not concerned with letting users in, but with keeping hackers out.