Matin Barmare
Technical Consultant
Scalable Secure Applications
Optimize Application Quality
2 August 11, 2008
Agenda
• Are these Necessities??
• HP Solution Approach
• HP Solutions Overview
• Q & A
Performance – Is it really important??
Application Security – What is that??
So What is Hacking?
Hacking … ??
I don’t know this Security thing!!
Now that hurts!!
The Risks are Real!!
Hackers move from hobbyists to professionals.
• CardSystems out of business: hack went on for 2 years, 40 million records stolen, company now out of business.
• PCI deadline looming: PCI Requirement 6.6 becomes effective on June 30, 2008, and requires web sites to be scanned for vulnerabilities or protected.
• Obama web site hacked: hacker redirects Barack Obama's site to hillaryclinton.com using a cross-site scripting vulnerability.
• Web 2.0 vulnerable: MySpace site shut down by a JavaScript worm exploiting vulnerabilities in the site's AJAX code.
• Grocer Hannaford hit by computer breach: chain says intrusion may expose 4.2m cards; 1,800 fraud cases seen.
HP’s approach to AQM
• Global, enterprise-wide projects
• Global teams and deployments
• Complex, heterogeneous environments
Lifecycle: Plan → Define/Design → Develop/Test → Launch → Operate
• New deployment: Full Quality Process
• Fix/Patch and Minor Release: Accelerated Quality Process
REQUIREMENTS MANAGEMENT
• Business requirements
• Functional requirements
• Security requirements
• Performance requirements
• Other non-functional requirements
RISK-BASED TEST PLANNING
• Assess and analyze risk
• Establish testing priorities
• Create test plans
TEST MANAGEMENT AND EXECUTION
• Create manual test cases
• Automate regression test cases
• Execute functional tests
• Identify and customize security policies
• Execute security scans
• Create performance scripts and scenarios
• Execute tests, diagnose and resolve problems
DEFECT MANAGEMENT
Enforce quality processes; support key roles.
Applied across the true lifecycle of a business application.
Three pillars of quality (AQM): Does it work? Is it secure? Does it perform?
Three pillars of quality (AQM)
Does it work? FUNCTIONALITY
• Does the application function the way the business needs it to?
Does it perform? PERFORMANCE
• Will the application perform for the entire customer set?
• Will it scale?
• Will it meet SLAs in production?
Is it secure? SECURITY
• Has the application been assessed against all known threats?
• Are there open doors or windows that sophisticated hackers can penetrate?
STRATEGY / DEMAND
Strategic demand
• New applications
• New services
• Application integrations
Operational demand
• Defects
• Enhancements
• Change requests
Enterprise Architecture and Policies
• SOA
• Security
Many stakeholders from across IT and the business; support all key roles. Integrate with demand; connect to production.
REQUIREMENTS MANAGEMENT: Business Analyst, Quality Assurance, Developers, Security Engineers, Performance Engineers (Requirements Management)
RISK-BASED TEST PLANNING: Quality Assurance, Performance Engineers / Security Engineers (Test Plan)
TEST MANAGEMENT AND EXECUTION
• Quality Assurance: QAInspect
• Developers: DevInspect
• Security Engineers: Assessment Management Platform
• Quality Assurance: Functional Testing
• Testers: Business Process Testing
• Performance Engineers / Systems Architect: Diagnostics
• Performance Engineers: LoadRunner, Performance Center
DEFECT MANAGEMENT: DEV / QA / PE / SE / Project Management (Defect Management)
OPERATIONS
• Security Engineers: WebInspect
• Application Support: Service Manager
• Operations: BAC, EUM & Diagnostics
IT / Project Management: Dashboard (Go/No Go)
HP Performance Center
Foundation: LoadRunner | Performance Center
• VuGen, Controller, Load Generator, Monitors, Analysis
Center Management
• Demand, Project, Resource
Diagnostics
• J2EE, .NET, SOA, SAP, Oracle
User/Privilege Management
Infrastructure Management
Central Repository; Global Access and Collaboration
Dashboard
Performance Engineering - Value
Breadth of analysis: what do you see at the end of a load test?
• End user: transaction “look up account” took 17.58 seconds at 250 users
• System: application server CPU reached 90% at 500 users
• Network: London to datacenter network segment very slow
• Application: J2EE method “AccountLookup” took 16 seconds; 90% of end user response time
AQM – IT initiatives
Minimize time, reduce cost and gain control of risk for all applications across the entire IT organization.
• Application project deployments & upgrades
− Enable high-quality, timely releases
− Validate application functionality
− Optimize application performance
− Assess application security
• Quality management product & process standardization
− Ensure consistent delivery of high-quality releases
− Risk-based approach to managing application change
− Connect quality with strategic & operational processes
• Center of excellence
− Pervasive quality approach for all application types and SOA services
− Centralized technology & personnel
− QA processes govern testing and quality initiatives
− QA has enterprise influence
Security illusions
Applications are the target
“75% of hacks happen at the application.”
- Gartner, “Security at the Application Level”
Network: secured by firewall
Servers: protected by intrusion prevention
Applications: unprotected and ignored
HP Application Security Center
Dashboard
Assessment Management Platform
• Policy and compliance
• Centralized administration
• Vulnerability and risk management
• Alerts and reporting
• Distributed scanning
DevInspect: Microsoft Visual Studio, Eclipse, IBM RAD
QAInspect: HP Quality Center, HP Functional Testing
WebInspect: Production Application Assessment
Foundation
• Intelligent engines
• SecureBase
• Security toolkit
• Open APIs
• SmartUpdate
• Reporting
• Hybrid analysis
Enterprise application security assurance
HP Application Security Center: security for the application lifecycle
HP Web Security Research Group
• Internal app security research
• External hacking research
Lifecycle: Plan → Design → Code → Test → Production
• Enterprise security assurance and reporting
• Source code validation: DevInspect
• QA & integration testing: QAInspect
• Production assessment: WebInspect
• Assessment Management Platform: continuous updates
Secure Your Outcome with the Application Security Center
A Complete Application Lifecycle Solution
Key benefits
• Find security defects throughout the lifecycle
• Correct security defects early in the application lifecycle and monitor applications in production
• Manage your online risk
• Verify compliance with government regulations
• Less exposure to application downtime and theft of online information
Key capabilities
• Automatically finds and prioritizes security defects in a Web application
• Supports the latest AJAX and Web 2.0 Rich Internet Application technologies
• The only solution with Hybrid Analysis, combining both static and dynamic analysis for the most accurate results possible
• Built-in Security Expertise combines daily updates of vulnerability checks with our unique intelligent engine technology
• Comprehensive defect information and remediation advice about each vulnerability
• Integrates with HP Quality Center
Q & A
Thank you!