IBM Software Group
© 2007 IBM Corporation
Web Application Security:
Data Protection and Regulatory Compliance
Jessica Valderrama
jvalderrama@es.ibm.com
Companies that exchange confidential information online are susceptible to security holes even when they invest in network and desktop security.
Teenagers whose computers were seized by the FBI for hacking into a company web site
Business impact of application security breaches
The new face of “risk”…
Employees, Partners & Suppliers, Customers
Increased costs Fines/Audits
Public Disclosure & Brand Damage
“VISA will start levying fines this month for lack of [PCI] compliance” (Robin Sidel, October 6, 2007)
(Figure: “Application Security = … + …”, illustrated with the data at risk: SSN, payroll, credit card data.)
“75 percent of hacks occur at the application level.”
By 2009, 80 percent of companies will have suffered an application security incident.
(Gartner, 2005)
IBM Software Group | Rational software
Security level and investment are not balanced (sources: Gartner, Watchfire)

                      % of attacks    % of security spend
  Network                  25%                90%
  Web applications         75%                10%

75% of attacks on IT security target the web application layer.
2/3 of all web applications are considered vulnerable.
Application-level flaws:
• Buffer Overflow
• Cookie Poisoning
• Hidden Fields
• Cross Site Scripting
• Stealth Commanding
• Parameter Tampering
• Forceful Browsing
• SQL Injection
• Etc…
“Our web site is secure”:
• We use network vulnerability scanning tools
• We have firewalls
• We have security auditors who run penetration tests every quarter
Network security vs. application security: complementary solutions

  Layer              Protection in place
  Desktop            Antivirus protection
  Network            Firewalls / advanced routers
  Transport          Encryption (SSL)
  Web applications   not addressed by any of the above

(Figure: information security landscape: firewall, web servers, application servers, databases, backend server.)
Network & application security solutions address different problems.
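Worked example, added here (it is not part of the IBM deck and is not AppScan or Ounce code): two of the flaws from the list above, SQL injection and hidden-field parameter tampering, each shown in a vulnerable form next to a hardened form. Both attacks arrive as well-formed HTTPS requests on port 443, so neither SSL nor a firewall has anything to object to; only the application can tell a legitimate request from a hostile one. The user table, product catalogue and attacker requests are constructed sample data in an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Constructed sample data: one user and one product, in-memory SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, price_cents INTEGER)")
    conn.execute("INSERT INTO products VALUES (1, 4999)")
    return conn


# --- SQL injection -----------------------------------------------------------

def login_vulnerable(conn, username, password):
    """Builds the statement with string formatting: request text becomes SQL.
    A quote plus a comment marker in the username cuts off the password check."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised statement: the values travel separately from the SQL text,
    so a quote or comment marker in the input can never change its structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# --- Hidden-field / parameter tampering --------------------------------------

def checkout_vulnerable(form):
    """Trusts a hidden <input name="price_cents"> echoed back by the browser.
    Anything the client sent back can have been edited before it was sent."""
    return int(form["price_cents"]) * int(form["qty"])


def checkout_safe(conn, form):
    """Reads only the product id and quantity from the client; the price comes
    from the server-side catalogue. Unknown ids and bad quantities are rejected."""
    product_id = int(form["product_id"])
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    row = conn.execute(
        "SELECT price_cents FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    if row is None:
        raise ValueError("unknown product")
    return row[0] * qty


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker requests: a comment marker ends the WHERE clause early,
    # and the hidden price field has been rewritten to 1 cent before submission.
    print(login_vulnerable(db, "alice' --", "wrong"))   # True: password never checked
    print(login_safe(db, "alice' --", "wrong"))         # False
    tampered = {"product_id": "1", "price_cents": "1", "qty": "3"}
    print(checkout_vulnerable(tampered))                 # 3
    print(checkout_safe(db, tampered))                   # 14997
```

The two hardened functions share one idea: data that came from the client is treated as a value, never as code or as a fact about the server's own state. That is the class of defect a static analyser finds in source (the string-formatted query) and a dynamic scanner finds from outside (the login that succeeds on a quote), and neither a firewall rule nor a certificate addresses it.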
Security in every phase of the development environment:
Requirements, Code, Build, QA, Security, Production (developers involved throughout)
Rational End-to-End Application Security… with Ounce

  REQUIREMENTS  Requirements definition (security templates): security requirements are defined before design and implementation.
  CODE          AppScan Developer (desktop): building secure code at the source; application security best practices.
  BUILD         AppScan Build (scanning agent): automated security/compliance reviews in the build process.
  QA            AppScan Tester (scan agent & clients): security/compliance reviews built into the testing and remediation workflows.
  SECURITY      AppScan (desktop): security and compliance review, controls, policies, audits, possible oversights.
  PRODUCTION    AppScan OnDemand (SaaS): outsourced testing for security audits and monitoring of production servers.
  All phases    AppScan Enterprise / Reporting Console (enterprise-wide scanning and reporting).

Ounce Labs: security across the development lifecycle.
Security audit solutions for the IT security department: steering security.
Dashboards and reports for the CSO / CIO, divisions, applications, compliance officers and developers.
Visibility across the entire enterprise.
(Figure: example enterprise dashboard: Entire Organization > Equity Investments, Partner Access Group, Portal, Individual Markets > Application 1, Application 2, EFORMS; reports: Remediation Report, Trending Report, Security Issues, PCI, ISO 17799.)
IBM acquires Ounce Labs
Application security is the largest category of vulnerability disclosures (55% in 2008)
Rational acquired Watchfire in 2007 to address customers’ Application Security Testing needs
AppScan continues to be recognized as the leader in Dynamic Analysis Security Testing (DAST)
Ounce Labs is a recognized leader in Static Analysis Security Testing (SAST)
Application security markets are converging
The combination of these two industry leading technologies provides the most accurate solution in the market
Ounce’s technology enables Rational to fulfill our vision of moving testing earlier in the development process
Continues to add to our competitive advantage in the application security testing segment
Only vendor to offer complete solutions for both SAST & DAST
Only vendor to offer complete integration across the software delivery lifecycle
Only vendor to offer a complete IT security solution across all major domains (IBM Security Framework)
Ounce is a good fit
Mature technology that supports all key development technologies and languages (Java, .NET, C/C++)
Excellent integrations with Rational SDLC products and for the developer – Rational’s traditional user base
Ounce Labs provides source code review and control tools, helping companies reduce the risk and costs associated with possible security flaws.
© Copyright IBM Corporation 2007. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, the on-demand business logo, Rational, the Rational logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.