Optimizing Internet Application Vulnerability Discovery – A Hybrid Approach Works

Jonathan Davis, Security Consultant, AsTech Consulting
External penetration testing of Internet facing applications provides a valuable but limited perspective. Source code assessment, either manual or automated, delivers a more comprehensive understanding of vulnerabilities. The most efficient discovery methodology will combine the best of both these approaches. We discuss a method for performing hybrid assessments in which the results of some level of source code analysis drives the penetration testing process. This will maximize Return on Security Investment.
Mar 8 2012
49 mins
More from this community:

Cloud Computing

  • Runtime Application Self-Protection Recorded: Mar 19 2015 47 mins
    Cindy Blake & Rob Putman, HPSW Enterprise Security Products
    Greater than 80% of today’s breaches occur with application software, yet many companies continue to invest in ‘over the wire’ solutions that are not solving the problem. Runtime Application Self-Protection, or RASP, is an emerging market that promises to protect applications from the inside. Using the rich context of the application’s logic and associated core libraries, RASP identifies attacks in ‘real-time’ and stops them. Implementation is quick and requires no changes to your application’s code. Join us to learn more about what RASP can do for you.

    Learn:
    • Why context from inside the application matters
    • How easy it can be to use native capabilities of Java and .NET to protect your applications
    • Use cases to get you started.

    Help lead your enterprise to a stronger, more effective security program.
  • HP Cyber Risk Report 2015: The Past is Prologue Recorded: Mar 12 2015 28 mins
    Jewel Timpe, Senior Manager, Threat Research, HP Security Research
    In the world of information security, the past isn’t dead; it isn’t even the past. The 2015 edition of HP’s annual security-research analysis reveals a threat landscape still populated by old problems and known issues, even as the pace of new developments quickens. In 2014, well-known attacks and misconfigurations existed side-by-side with mobile and connected devices (the “Internet of Things”) that remained largely unsecured. As the global economy continues its recovery, enterprises continued to find inexpensive access to capital; unfortunately, network attackers did as well, some of whom launched remarkably determined and formidable attacks over the course of the year.

    The 2015 edition of the HP Cyber Risk Report, drawn from innovative work by HP Security Research (HPSR), examines the nature of currently active vulnerabilities, how adversaries take advantage of them, and how defenders can prepare for what lies ahead. Jewel Timpe, HPSR’s senior manager of threat research, describes the report’s findings and explains how this intelligence can be used to better allocate security funds and personnel resources for enterprises looking toward tomorrow.
  • Who’s watching your home? Internet of Things Security Study Recorded: Mar 4 2015 43 mins
    Craig Smith, Senior Security Researcher
    We all want our families and homes to be safe with the convenience of remote monitoring, but do these smart home security devices really make our families safer, or do they put them at more risk by inviting easier electronic access to our homes via insecure Internet of Things devices? In a follow-up to HP’s 2014 report on the Internet of (Insecure) Things, we explore the security of popular off-the-shelf connected home security systems and discuss the testing techniques we used in our study, along with recommendations for manufacturers, developers and consumers.
  • Outthinking the Bad Guys Recorded: Feb 6 2015 22 mins
    Art Gilliland, General Manager of HP Enterprise Security Products
    Businesses are spending so much money on security -- almost $47 billion in 2013 -- and yet the number of breaches continues to increase. To mitigate the risks of increasingly sophisticated, innovative and persistent threats, we need to change the way we think about our security programs. In this webcast, Art Gilliland, General Manager of HP Enterprise Security Products, talks about the challenges all enterprises face from the bad guys -- and the critical steps businesses must take to defend against today's most advanced threats.
  • Dynamically Controllable Dynamic Scanning Recorded: Jan 28 2015 41 mins
    Jonathan Griggs, Brandon Spruth, Brooks Garrett, Jeremy Brooks
    Dynamic scanning is a staple of the web application security community. The complex nature of scanning each site and the expertise required in running the tools and interpreting the results often limits the deployment models. Development teams usually do not contain a security expert and must rely on an external team to perform their dynamic audits. This means that dynamic scans are often only performed once or twice throughout the development lifecycle, usually near the end.
    Security teams also wrestle with demand for dynamic scanning. Demand is not always consistent, but hardware is expensive to purchase and maintain only to sit idle. What if there were a way to automate dynamic scanning after each build in a continuous build environment while not leaving servers idle during periods of inactivity?
    In this talk we will explain how the new WebInspect API, introduced in the 10.20 release and expanded in the recent 10.30 release, can help security teams integrate dynamic scanning with WebInspect earlier in the Security Development Lifecycle (SDL) and add flexibility and scalability into your company’s Software Security Assurance program.


    Jonathan Griggs – WebInspect Product Manager
    Brandon Spruth – Security Solutions Architect, HP Fortify
    Brooks Garrett – Manager Operations and Architecture, Fortify on Demand
    Jeremy Brooks – Senior Engineer, WebInspect Engineering
  • Adapting Software Security Assurance for Cloud and Mobile Recorded: Nov 18 2014 49 mins
    Michael Farnum, Practice Principal, HP Fortify on Demand, Hewlett-Packard
    Many organizations have been building client-server and web applications for some time, and quite a few have reached a good level of maturity in regards to building security into their SDLC. Yet that traditional model of securing applications can’t fully address the security challenges presented by mobile and cloud infrastructures and the applications built around them. The business benefits of ubiquitous and quick data access (that come with mobile and cloud) are obvious, but the security issues are very real.

    Join this discussion to find out how internal development and security groups can update their software security assurance processes so that they are embracing AND securing mobile and cloud solutions.
  • Measuring and Maturing an AppSec program Recorded: Nov 6 2014 44 mins
    Bruce C. Jenkins, AppSec Program Strategist, HPSW Fortify
    Software Security Assurance (SSA) programs take many forms across various industries. What remains constant across all programs and industries is the challenge of choosing appropriate measurements. We often ask: “Is this the right metric?” “Am I collecting enough data?” “What should be reported to my managers and senior executives?” In this webinar we help you answer those questions, and we also show you how the right metrics mature your SSA program and keep it focused on business priorities.
  • Taking an AppSec Program from 0 to 60 in 30 days Recorded: Oct 16 2014 39 mins
    David Harper, Fortify on Demand Practice Principal, EMEA, HPSW ASC
    Whether a mandate to secure all web and mobile apps comes from a newly enlightened CIO or in response to a major security breach, beginning even a small application security program can be a daunting task. How will you know how many digital assets you have, let alone their risk profile?
    In this webinar we will explore how, using a cloud solution like Fortify on Demand, even the largest organizations can begin to scan apps immediately and rapidly scale an application security program. Identify and risk rank assets, fix critical vulnerabilities, and put in place a process to secure all new and existing applications - without hiring a separate security team.
  • 5th Annual Ponemon Cost of Cyber Crime Study Results: APJ Recorded: Oct 10 2014 56 mins
    Sponsored by HP Enterprise Security, Independently conducted by Ponemon Institute LLC
    Explore cyber crime in Asia Pacific and Japan

    The cost of cyber crime is on the rise in the APJ region, according to the 2014 Cost of Cyber Crime study from the Ponemon Institute. Among 30 companies surveyed in Australia, the reported per-company cost for Internet-driven crime was $4 million, up 8.4% from 2013. In Japan, the per-company average hit $6.9 million in the study, up 5.7% from 2013.

    On the more optimistic side, companies in the region are achieving notable ROI for their investments in cyber security solutions. The average ROI for seven security technologies was 16% in Australia and 17% in Japan. For a close-up view of these and other findings from the institute’s research in Australia and Japan, join Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, for our APJ Security webinar.
  • 5th Annual Ponemon Cost of Cyber Crime Study Results: Americas Recorded: Oct 9 2014 60 mins
    Sponsored by HP Enterprise Security, Independently conducted by Ponemon Institute LLC
    Explore cyber crime in the Americas

    In the 2014 Cost of Cyber Crime study, U.S. companies reported an average of $12.7 million in losses to cyber crime. That was the highest national average in the study by the Ponemon Institute. Among the 59 U.S. companies in the survey, the average cost of cyber crime climbed by more than 9% over the course of the year.

    Among other findings, the study noted that the most costly cyber crimes are those caused by denial of service, malicious insiders, and malicious code. These threats account for more than 55 percent of all cyber crime costs. For a fuller look at these and other findings from the institute’s study of U.S. companies, join Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, for our AMS Security webinar.
  • 5th Annual Ponemon Cost of Cyber Crime Study Results: EMEA Recorded: Oct 8 2014 59 mins
    Sponsored by HP Enterprise Security, Independently conducted by Ponemon Institute LLC
    Explore cyber crime in Europe

    For its 2014 Cost of Cyber Crime study, the Ponemon Institute expanded its focus in Europe to encompass the Russian Federation, as well as France, Germany, and the United Kingdom. Collectively, the institute surveyed 137 companies in Europe in a study that found broad differences in the reported costs of cyber crime across the region. The per-company average ranged from $3.3 million in the Russian Federation to $8.1 million in Germany.

    The study results indicate that over the course of the year, cyber crime rose 20.5% in France, 17.4% in the U.K., and 7.2% in Germany. For a closer look at these and other findings from the institute’s European research, join Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, for our EMEA Security webinar.
  • The Internet of (Insecure) Things Recorded: Aug 14 2014 20 mins
    Craig Smith, Senior Security Researcher
    The Internet of Things (IoT) is a hot topic these days. Smart devices, systems, and services that “talk” to other devices via the internet means we can all be a lot more productive, but also opens us up to added security risk. Gartner says there will be 26 billion of these interconnected devices installed by 2020.

    Until now there had been very little research done on the security of available devices and technologies, so the HP Fortify Security Research team decided to take this on. This is an overview of their findings.
  • HP Cyber Risk Report Recorded: Jul 23 2014 4 mins
    HP Enterprise Security
    In application vulnerability testing performed by HP, 52 percent of total vulnerabilities found are on the client side, and 48 percent are on the server. That is one of the real-world statistics uncovered by the HP 2013 Cyber Risk Report and summarized in this informative four-minute video.

    The Cyber Risk Report video presents the data you need to separate the hype from the real threats and better plan how to spend your security dollars. View it to learn the most common kinds of attacks and to hear the one lesson learned from the in-depth study of the 2013 attack that took down South Korean Banks.
  • Static Application Security Testing Demystified Recorded: Jun 23 2014 41 mins
    David Harper, Fortify on Demand Practice Principal, EMEA
    Static analysis vs. Binary analysis, binary vs. bytecode, debug vs. obfuscation… Confused about Static Application Security Testing? In this webinar, David Harper, Fortify on Demand Practice Principal will explain all these terms, dispel some of the rumors and clear up any confusion. Afterwards, you will be able to authoritatively select the best approach for your Static Application Security Testing needs that will address your requirements for both comprehensive vulnerability detection and actionable remediation advice.
  • Do You Trust Your Mobile Apps? Recorded: Jun 17 2014 45 mins
    David Anumudu, Software Security Solution Architect, HP Enterprise Security
    While users are more mobile than ever, that flexibility has also come with increased risk. As business managers push for more mobile apps, faster development, newer features and broader distribution of these apps, the business’s risk exposure grows exponentially. Organizations are at risk of exposing their corporate data, losing brand equity, and ultimately suffering financial loss through breaches of their mobile applications. IT must ensure these apps are secure, even if they are developed by a third party, so understanding the mobile vulnerability landscape is critical, and it’s tough to keep this expertise in-house.

    HP Security Research leveraged HP Fortify on Demand (FoD) Mobile to scan more than 2,000 mobile applications from more than 600 companies, revealing alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
  • Closing the Book on Heartbleed - and Avoiding Future Sad Stories Recorded: May 14 2014 61 mins
    Joanna Burkey, TippingPoint DVLabs Manager, and Joe Sechman, Manager, Software Security Research for HP
    The Heartbleed vulnerability in OpenSSL forced millions of users to change passwords and enterprises to rapidly patch thousands of servers. Because of all the publicity there continues to be a lot of CXO-level awareness around cyber security, and now is the perfect time to recommend strategies for avoiding or mitigating the next Heartbleed - and there *will* be a next one. There were many lessons learned during Heartbleed that can be used to bolster your plans and your presentations to management to gain funding.
    In this SANS Special webcast, John Pescatore, SANS Director of Emerging Security Trends will present an overview on the details around Heartbleed and an update on the current status, risks and industry efforts around software security. He will then moderate a panel of vendor experts in a discussion around lessons learned from dealing with Heartbleed and best practices for mitigating or shielding the risks due to vulnerabilities in open source and other third party software. Panelists will include Joanna Burkey, TippingPoint DVLabs Manager, and Joe Sechman, Manager, Software Security Research for HP.
  • Software Security Assurance-Developing an Effective Application Security Program Recorded: Apr 25 2014 41 mins
    Bruce C Jenkins, AppSec Program Strategist
    Do you trust your software?
    Software security has never been more important to the success of your business. Using the BSIMM framework, this session covers best practices for application development: why you should put people and process before technology, how to pitch the value of coding standards to CIOs and developers, and how to build security into the software development life cycle as opposed to the all-too-often-seen reactive, bolt-on approach.
  • Introducing a New Level of on Demand Application Security Recorded: Mar 27 2014 58 mins
    Ryan Berg, Chief Security Officer, Sonatype and Ryan English, Director of Fortify on Demand & Mobile Security Services
    According to Gartner, by 2015, ninety-nine percent of mission-critical applications in Global 2000 companies will contain open source. The ease of using open source components speeds development and creates competitive advantage, but can introduce security risk into your organization. Do you know what open source components are used in your application landscape?

    Sonatype and HP Fortify are the first to deliver a new level of application security that includes static and dynamic testing coupled with open source component analysis. Join this session to learn how your organization can use Fortify on Demand to gain complete visibility into which components you are using and whether there are known vulnerabilities or license obligations that bring risk to your organization and your customers.
  • The Application Blind-spot Recorded: Feb 18 2014 28 mins
    Eric Schou & Rob Putman
    In many organizations, Security Operations Center teams have little to no visibility into application security events. This is a significant challenge because security teams can’t protect the organization if they can’t identify threats. With the evolution of threats targeting applications as the weakest link in the security ecosystem, security teams need help closing the security gap that results from improper user access as well as improper usage of applications. For many organizations it takes up to 270 days to recognize that they have been breached, and it’s often a third party such as a customer that highlights the issue. Can your organization wait for a breach to happen before reacting? Attend this webcast to hear from HP security experts as they walk through specific use case examples.
  • The 6 Deadly Mistakes of Mobile Application Development Recorded: Dec 13 2013 39 mins
    Daniel Miessler
    Everyone's heading to mobile and attackers are following. To stay ahead of the curve you need to think like the enemy. In this talk Fortify on Demand Principal Security Architect, Daniel Miessler, talks about what makes mobile security different, the OWASP (mobile) top ten and deadly mistakes NOT to make during mobile app development.
Proactively Securing Software for the Enterprise.
Listen to experts from HP, partners and customers discuss pressing issues across application security.

  • Title: Optimizing Internet Application Vulnerability Discovery– A Hybrid Approach Works
  • Live at: Mar 8 2012 7:00 pm
  • Presented by: Jonathan Davis, Security Consultant, AsTech Consulting