Optimizing Internet Application Vulnerability Discovery– A Hybrid Approach Works

As more applications have moved to the cloud, the industry has seen a proliferation of application security issues. In 2012, several cloud service providers were breached as a direct result of application security vulnerabilities. Before you choose a cloud service provider, make sure that it answers the series of security questions created by the Cloud Security Alliance (CSA). CSA has created a checklist of industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings – creating more transparency for enterprises. The speakers will walk attendees through this blueprint, helping them to become more adept at identifying service provider security readiness. They'll also discuss some of the most common application vulnerabilities, including unencrypted passwords, SQL Injection, and those that impact poorly architected mobile apps.

Mobile devices are a hot trend amongst security topics this year. While most cover the angle of the device management, only few go into testing the applications. Since the mobile application vulnerability landscape is still young, there is a need to classify these vulnerabilities so that development teams can focus and root them out of their codebases. Join us as we explore the OWASP Mobile Top 10 classification system and metrics from a large case study of a real enterprise facing the deployment and assessment of a large number of mobile applications. Developers, Managers, and team leads will leave with resources and guidelines to start mobile security both at the process level and code level, including how to handle external mobile development teams they might contract. Get ahead of upcoming PCI compliance by addressing your mobile software early!

Join us to explore the mobile application threat landscape and identify ways to prepare for reverse engineering and tampering attacks.

The mobile App Economy is growing explosively as businesses are seeking to embrace innovation to provide new products and services to consumers, partners, and employees. However, malicious hackers and criminal organizations are now targeting these applications with a growing number of sophisticated attacks. Security of mobile apps, rather than devices, has become the new focal point as well as a top level concern for all stakeholders.

In this webinar, mobile security experts, James Lynn, Practice Principal of HP Fortify and Vince Arneja, VP of Product Management of Arxan Technologies will explore the mobile application threat landscape to identify a wide range of threats from vulnerability based attacks to reverse engineering and tampering attacks. The presenters will also address how to achieve comprehensive mobile application security within the SDLC to manage risk and exposure for B2C, B2E and B2B applications and protect today’s App Economy from theft, fraud, malware invasion, and tampering. You will gain insights how to develop and launch vulnerability-free, self-defending, and tamper-proofed applications that can withstand the new attacks.

HP Fortify is the leader in Software Security Assurance with solutions that contain, remove, and prevent software vulnerabilities. Arxan Technologies is the leader in protecting the App Economy with application protection solutions that are deployed on over one hundred million devices by Fortune 500 and global financial services.

In the wake of Wikileaks breaches in recent years, resulting from insider threat breaches, organizations began looking not only at perimeter defense but also at solutions that serve as a “Single Pane of Glass” in order to monitor and thwart insider threat and data loss activities. Specifically, organizations want to incorporate disparate applications, processes and mobile devices into the Single Pane of Glass view. In this webinar, you will learn how HP Enterprise Security solved these types of customer challenges to ensure that their “Wiki doesn’t leak.”

Speaker: Ray Patterson, Vice President of Global Services, HP Enterprise Security Products

About Ray Patterson
Ray is a veteran information security executive, having held leadership roles at VeriSign, Oracle, ArcSight, and currently at HP Enterprise Security Products (ESP). In his present role, Ray leads the Global Government Services business where his organization solves critical cyber security challenges for customers through the ESP portfolio of security solutions such as ArcSight, Fortify and Tipping Point. He also frequently presents and speaks on emerging cyber security issues impacting business and government. Ray is a retired Lieutenant Colonel, U.S Army, and is a graduate of George Washington University (MBA), George Mason University (BS), Virginia Tech (BA), and is a Certified Public Accountant.

Social networking for most of us is becoming wrapped into our DNA. This is especially important for the next generation workforce. Additionally, the employees today and those of tomorrow will expect the capability to blog and social network with corporate assets and corporate bandwidth. Additionally, these technologies are being widely used for corporate marketing and communication. That is why it's important to look at all aspects of securing your infrastructure and more importantly, the people that drive your organization today. This involves educating people, corporate process and the right security technologies. The following session will cover the benefits and the security risks inherit with social networking across all business verticals. Additionally, the author will provide a use case analysis of information that is gathered via web beacons that harvest information unknowing to the user.

Join us to explore the mobile application threat landscape and identify ways to prepare for reverse engineering and tampering attacks.

The mobile App Economy is growing explosively as businesses are seeking to embrace innovation to provide new products and services to consumers, partners, and employees. However, malicious hackers and criminal organizations are now targeting these applications with a growing number of sophisticated attacks. Security of mobile apps, rather than devices, has become the new focal point as well as a top level concern for all stakeholders.

In this webinar, mobile security experts, Jason Schmitt, Director of Product Management of HP Fortify and Vince Arneja, VP of Product Management of Arxan Technologies will explore the mobile application threat landscape to identify a wide range of threats from vulnerability based attacks to reverse engineering and tampering attacks. The presenters will also address how to achieve comprehensive mobile application security within the SDLC to manage risk and exposure for B2C, B2E and B2B applications and protect today’s App Economy from theft, fraud, malware invasion, and tampering. You will gain insights how to develop and launch vulnerability-free, self-defending, and tamper-proofed applications that can withstand the new attacks.

HP Fortify is the leader in Software Security Assurance with solutions that contain, remove, and prevent software vulnerabilities. Arxan Technologies is the leader in protecting the App Economy with application protection solutions that are deployed on over one hundred million devices by Fortune 500 and global financial services.

The business benefits of moving to the cloud are quite compelling, however, with those benefits come concerns. The most significant challenge facing companies that are either moving to the cloud as a consumer or as a service provider is ensuring the security of the services that are provided. The Cloud Security Alliance (CSA) was formed to help ease this challenge. The CSA’s guidance is adopted as the defacto standard for accessing the security of cloud providers across the software security market.

While this guidance has helped greatly, there is still the very challenging question of creating a standard set of questions for organizations to ask a provider in order to understand how they have implemented the CSA guidance. This is where the Consensus Assessments Initiative Questionnaire (CAI) comes into play. The questionnaire is a CSA-developed tool for both consumers and providers of cloud services to use as common criteria for determining cloud security.

This hands-on and prescriptive web seminar will review both the CSA guidance and how the CAI can be used in day-to-day business to help companies assess cloud providers. Attendees will walk away with a firm grasp on the questions to ask or to be prepared to answer- whichever side of the cloud equation they are on.

For individuals tasked with ensuring their organizations are PCI complaint, challenges are ever present. The delicate balance of achieving PCI Compliance while ensuring there is no disturbance in day to day operations of a security program is what separates experts from practitioners. This web seminar will give attendees the expert’s guide to reviewing PCI requirements for secure application development and will detail how HP helps partners not only meet these requirements but to also solidify the future of a security program by securing applications from the inside out.

There’s only one surefire way to prevent SQL injection, the #1 most frequent and damaging application security attack: verify that your code does not have SQL injection vulnerabilities. SQL injection allows hackers to steal or modify everything in your database. Code review is the most effective analysis technique for finding SQL injection flaws, and it also pinpoints exactly where the flaw is located, making it much easier and faster to remediate. If your organization is still solely focused on application penetration testing, you are wasting your time and putting your organization at risk.

Join Dave Wichers and learn about the simple genius of performing application code review to efficiently identify vulnerabilities in your applications.

Historically, software security vendors and enterprise teams have been divided into two camps: The Crusaders, who embrace the 'true religion' of source code analysis as the holy grail and believe that they can achieve nirvana with solving problems completely at the code level; and the Pragmatists, who believe that the Crusaders are unrealistic idealists, and that dynamic analysis of staged web applications is the only practical way of addressing real, attackable vulnerabilities.

The reality is that both camps are correct when placed within an overarching Software Security Assurance (SSA) framework. SSA creates a programmatic enterprise application security approach that incorporates both the source code Crusaders and the dynamic Pragmatists. This presentation will describe how the Crusaders and Pragmatists, placed within the SSA discipline, can work together to reinforce each other and bolster the entire security program’s ultimate goal – securing the enterprise.

The third installment of the “Securing Your Applications” Web Seminar Series by Derek Brink, covers Mobile Applications.

Security concerns and the execution of strategy are among the key concerns for organizations’ tasked with securing mobile applications. This video delves into the details surrounding these issues and presents relevant research to help you better understand the risks associated with mobile security and its potential impact on your organization.

Join HP Enterprise Security Products experts Tom Reilly, VP and GM and Alan Kessler, VP Product Strategy and Development, as they discuss the current state of the security market and explore the future. Key takeaways for participants include:
1. How to create a proactive security posture to meet the changing security landscape.
2. What HP is doing in terms of delivering solutions and products that enhance existing products to address the threat landscape enterprises face today.
3. A quick view into how HP has already leveraged ‘better together’ in our products.

External penetration testing of Internet facing applications provides a valuable but limited perspective. Source code assessment, either manual or automated, delivers a more comprehensive understanding of vulnerabilities. The most efficient discovery methodology will combine the best of both these approaches. We discuss a method for performing hybrid assessments in which the results of some level of source code analysis drives the penetration testing process. This will maximize Return on Security Investment.

As applications become more prevalent in today's world, there's an increasing threat of attacks targeting web-based and mobile applications. Often times, quick fixes are added to the applications or additional components are introduced to minimize the impact of these vulnerabilities, but these are no longer scalable approaches as applications are getting more sophisticated, providing even great integration, functionality and requiring ease of use. It is more important than ever to implement application security from the ground up as part of the software development lifecycle by ensuring there are sound policies at the base of every development project and proper procedures and processes are in place for the design, inception, development, testing and implementation of applications.

Kris Philipsen will discuss the essential controls necessary to ensure an effective application security strategy is being followed and how these essential controls improve the overall security of the application.

Mobile devices and the risk posed by vulnerabilities in the software that runs them are proliferating. This talk scrutinizes challenges faced in securing mobile apps and contrasts them with legacy software security initiatives. We discuss how outsourcing confounds security efforts, how the mobile app lifecycle can make risk a hot potato, and a variety of other challenges organizations face as users demand ever increasing mobile capabilities.

Security for cloud web applications has become a marketing tool for many security companies. In this webinar we aim to outline what the real threats to cloud based infrastructure are, how you can identify them, and what steps to take next.

Andre Gironda is a Senior Application Security Engineer for HP/Fortify. Andre has taught cloud penetration testing and threat modeling at multiple conferences around the US.

According to Google, Android was designed to give mobile developers "an excellent software platform for everyday users" on which to build rich applications for the growing mobile device market. The power and flexibility of the Android platform are undeniable, but where does it leave developers when it comes to security? In this talk we discuss seven of the most interesting code--level security mistakes we've seen developers make in Android applications. We cover common errors ranging from the promiscuous or incorrect use of Android permissions to lax input validation that enables a host of exploits, such as query string injection. We discuss the root cause of each vulnerability, describe how attackers might exploit it, and share the results of our research applying static analysis to identify the issue. Specifically, we will show our successes and failures using static analysis to identify each type of vulnerability in real-world Android applications.

Can PCI Compliance be Harmful to Your Security Initiative? Understand and Navigate Compliance in the Real World:

PCI Compliance is necessary, but can it be harmful to your security? Does the prescriptive nature of the PCI regulations make enterprises spend money on controls that might be handled in a different way? Could this also cost the enterprise in capital and operational dollars that might be spent elsewhere? PCI Council General Manager Bob Russo's has defined PCI Compliance as a structured "blend...[of] specificity and high-level concepts" that allows "stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards." The question is how do you define and create the right structured blend for your organization?

This webinar will help you to understand the difference between meeting a regulation and executing on a well-defined and successful Software Security Assurance program. Attendees will gain an understanding of common pitfalls in navigating the compliance focused enterprise and walk away with directives on how to create a secure environment while maintaining compliance.

So you've successfully gotten started with your application security initiative -- now what? How do you take securing your applications to the next level?

Characteristics of the companies achieving top performance in application security include:

- Start from a solid foundation of testing
- Start small (e.g., with a proof-of-concept) and then expand by building on your success
- Establish a risk-based approach on what vulnerabilities to address and when
- Partner between the IT Security and Application Development teams to expand your program beyond testing to create a true software assurance program

Research from Aberdeen Group confirms that bringing about a systemic change across the entire software development lifecycle -- i.e., to become "secure at the source" -- yields the best results.

In addition to the use of several enabling tools and technologies -- including application vulnerability scanning, penetration testing, manual source code reviews, static source code analysis and verification, and dynamic source code analysis and verification -- this webinar will review the "people and process" capabilities that most strongly differentiate the top performers.