View full webinar here: http://event.on24.com/wcc/r/1286410/98904A9D0E24337184C64B1D21AE6385 Join our security experts to learn how you can harness the power of cognitive computing in your application security program. At IBM, we refer to our capabilities as Intelligent Finding Analytics (IFA), a series of companion technologies that can be utilized over several execution phases to improve the effectiveness of your Static Application Security Testing (SAST) activities. During our on demand webinar, you will learn how IFA helps organizations conduct application security testing with speed and accuracy by: Identifying the most critical application vulnerabilities Reducing false positives by more than 99% Analyzing vulnerabilities to advance learnings and prevent future security vulnerabilities​ Most importantly, we will showcase real-life results and use cases of IBM clients who have successfully leveraged IFA to reduce their static analysis findings. Register for this session now, and then share the invitation with your colleagues via e-mail and social media. It promises to be a lively event!

1. David Marshak, Senior Product Manager, IBM Security
Kris Duer, Lead Security Analytics Researcher, IBM Security
October 27, 2016
How to Leverage Cognitive Technology
to Think Like a Security Expert

2. 2 IBM Security
Application security challenges
Rapid growth in applications,
releases and technology
PaceCompliance
External regulations and
internal policy requirements
Resources
Small security teams,
lots of applications
?
• Which applications pose
the biggest business risk?
• How do we test apps for
security in rapid DevOps /
Agile shops without slowing
down the process / business?
• How do we reduce costs
and catch security problems
earlier in the lifecycle?
• Where is my business risk?
• How do I set internal policy
requirements for application
security?
• Is my private / sensitive
data exposed by apps?
• How do I check for and
demonstrate application
compliance?
• How do we prioritize the work
for the resources I have?
• What do we test
and how do we test it?
• How do we staff and improve
skills and awareness?

3. 3 IBM Security
• Cost of a Data Breach $7.2M
• 80 days to detect
• More than four months (123 days) to resolve
Found during Development
$80 / defect
Found during Build
$240 / defect
Found during QA/Test
$960 / defect
Found in Production
$7,600 / defect
80% of development costs are spent
identifying and correcting defects!
Source: Ponemon InstituteSource: National Institute of Standards and Technology
Cost of Security Defects

4. 4 IBM Security
Simplifying Application Security Testing
Easy to Use Easy to Understand Secure
ç Integrates into your Continuous Engineering Processes è
IBM

5. 5 IBM Security
Quickly Plug Into Your Application Lifecycle
• Automated
̶ No waiting on manual steps
̶ Integrates with developer IDEs (Eclipse, IntelliJ,
Visual Studio)
̶ Scan daily, weekly
• Plugins simplify your setup
̶ e.g. UrbanCode and Maven
• Extend your environment
with robust REST API
• Streamlined incorporation into
existing DevOps / continuous
integration frameworks
Automation drives early detection and reduces cost to fix!
IBM

6. 6 IBM Security
Intelligent Finding Analytics: The problem
Vulnerability Analysis
Scan something
Get Results
Triage Results
(Look for needles in the haystack)

7. 7 IBM Security
Intelligent Finding Analytics: The Solution
Vulnerability Analysis
Scan something
Intelligent Finding Analytics
* Cognitive Learning
* “Security Expert in a Box”
Get triaged results!

8. 8 IBM Security
§ Reduce false positives
§ Minimize “unlikely attack
scenarios”
§ Provide fix recommendations
that resolve multiple vulnerabilities
* Patents Pending
Applying Cognitive Computing to security vulnerability analysis
Machine learning with Intelligent Finding Analytics*
Learned results
Intelligent
Finding
Analytics
• Built on Watson Machine Learning
• Trained by IBM Security Experts
• Fully automated review of scan findings
Scan results
IBM

9. 9 IBM Security
Intelligent Finding Analytics Results
IBM Confidential
• Meets or exceeds human experts
• Returns results in seconds, rather than in hours or days
• 90-95% average reduction in false positives
• Integrates right back into the development workflow
• Fix an average 8-10 issues in a single place within the code
IBM

10. 10 IBM Security
Intelligent Finding Analytics Results
• Meets or exceeds human experts
• Returns results in seconds, rather than in hours or days
• 90-95% average reduction in false positives
• Integrates right back into the development workflow
• Fix an average 8-10 issues within a single place in the code IFA
Example Real-World Applications
Scan
Findings
Vulnerabilities Fix Recommendations
Application 1 55,132 14,050 60
Application 2
12,480 1,057 35
Application 3 247,350 1,271 103
IBM

11. IFA Demonstration

12. 12 IBM Security
Simplifying Application Security Testing
Easy to Use Easy to Understand Secure
ç Integrates into your Continuous Engineering Processes è
IBM

13. 13 IBM Security
Overview: Application Security on Cloud Feature Summary
• Application Security Management
̶ Build an inventory of application assets; classify and rank applications by business impact; organize scans by application;
obtain a security rating for each application; prioritize vulnerabilities and manage their resolution
̶ View a dashboard to understand application security posture and monitor progress
• Dynamic Analyzer
̶ Dynamic web application security analysis
̶ Based on AppScan’s Dynamic Application Security Testing engine
̶ Scan pre-production or production web apps hosted on public and private networks
• Mobile Analyzer
̶ Interactive mobile applications security analysis
̶ Supports Android and iOS
• Static Analyzer
̶ Static security testing for applications. Java, .NET, Node.js, PHP, Ruby, JavaScript…
̶ Simple and accurate capability, based on the AppScan Source engine, with IBM’s cognitive Intelligent Finding Analytics
• Consulting Services
̶ IBM Application Security experts:
• Help ensure Client’s success with ASoC, from DevOps integration through to interpreting scan results
• Perform application scanning and manual application penetration testing for our Clients
IBM

14. 14 IBM Security
IBM Application Security on Cloud Consulting Services
Expert assistance in
understanding and optimizing
Application Security on Cloud
testing and risk management
features
Fast Start
Assessment Review
Expert assistance in reviewing test
reports, including understanding
and prioritizing vulnerabilities
in the application.
Scan for Me
“Concierge” scan service where an
expert will configure & run the scan,
validate results, prioritize remediation,
and conduct a walk-through
with the customer.
Application Penetration Test
Human executed, controlled tests
to identify vulnerabilities.
Advisor
on Demand
Deep interaction with experts
on specific application security
activities such as remediation
assistance and program management.
Application Risk
Management & Testing
ASoC SaaS
IBM l

15. 15 IBM Security
Learn More About IBM Application Security on Cloud & IFA:
Blog: IFA- Your Cognitive Computing Application Security Expert
Interactive White Paper: Effectively Manage AppSec Risk in the Cloud
Complimentary Trial Plan: IBM Application Security on Cloud
We encourage you to “like” & share these links with your professional colleagues:

16. Question & Answer Session

17. © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express
or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these
materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may
change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and
other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks ofothers.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise.
Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are
designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OFANY PARTY.
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
THANK YOU
IBM Confidential