View full webinar here:
http://event.on24.com/wcc/r/1286410/98904A9D0E24337184C64B1D21AE6385
Join our security experts to learn how you can harness the power of cognitive computing in your application security program. At IBM, we refer to our capabilities as Intelligent Finding Analytics (IFA), a series of companion technologies that can be utilized over several execution phases to improve the effectiveness of your Static Application Security Testing (SAST) activities.
During our on-demand webinar, you will learn how IFA helps organizations conduct application security testing with speed and accuracy by:
Identifying the most critical application vulnerabilities
Reducing false positives by more than 99%
Analyzing vulnerabilities to advance learnings and prevent future security vulnerabilities
Most importantly, we will showcase real-life results and use cases of IBM clients who have successfully leveraged IFA to reduce their static analysis findings.
Register for this session now, and then share the invitation with your colleagues via e-mail and social media. It promises to be a lively event!
How to Leverage Cognitive Technology to Think Like a Security Expert
1. David Marshak, Senior Product Manager, IBM Security
Kris Duer, Lead Security Analytics Researcher, IBM Security
October 27, 2016
2. IBM Security
Application security challenges

Three pressures drive the problem:
• Pace: rapid growth in applications, releases and technology
• Compliance: external regulations and internal policy requirements
• Resources: small security teams, lots of applications

The questions security and development teams are asking:
• Which applications pose the biggest business risk?
• How do we test apps for security in rapid DevOps / Agile shops without slowing down the process / business?
• How do we reduce costs and catch security problems earlier in the lifecycle?
• Where is my business risk?
• How do I set internal policy requirements for application security?
• Is my private / sensitive data exposed by apps?
• How do I check for and demonstrate application compliance?
• How do we prioritize the work for the resources I have?
• What do we test and how do we test it?
• How do we staff and improve skills and awareness?
3.
Cost of Security Defects

Data breaches (source: Ponemon Institute):
• Cost of a data breach: $7.2M
• 80 days to detect
• More than four months (123 days) to resolve

Cost to fix a defect, by the phase in which it is found (source: National Institute of Standards and Technology):
• Found during development: $80 / defect
• Found during build: $240 / defect
• Found during QA/test: $960 / defect
• Found in production: $7,600 / defect
80% of development costs are spent identifying and correcting defects!
4.
Simplifying Application Security Testing
Easy to Use | Easy to Understand | Secure
← Integrates into your Continuous Engineering Processes →
5.
Quickly Plug Into Your Application Lifecycle
• Automated
  - No waiting on manual steps
  - Integrates with developer IDEs (Eclipse, IntelliJ, Visual Studio)
  - Scan daily, weekly
• Plugins simplify your setup
  - e.g. UrbanCode and Maven
• Extend your environment with a robust REST API
• Streamlined incorporation into existing DevOps / continuous integration frameworks
Automation drives early detection and reduces cost to fix!
6.
Intelligent Finding Analytics: The problem
Vulnerability analysis today: scan something → get results → triage results (look for needles in the haystack)
7.
Intelligent Finding Analytics: The solution
Vulnerability analysis with IFA: scan something → Intelligent Finding Analytics (cognitive learning, a "security expert in a box") → get triaged results!
8.
Applying Cognitive Computing to security vulnerability analysis
Machine learning with Intelligent Finding Analytics (patents pending)
• Built on Watson Machine Learning
• Trained by IBM Security experts
• Fully automated review of scan findings
What IFA does with the raw scan results:
• Reduce false positives
• Minimize "unlikely attack scenarios"
• Provide fix recommendations that resolve multiple vulnerabilities
[Diagram: scan results → Intelligent Finding Analytics → learned results]
9.
Intelligent Finding Analytics Results
• Meets or exceeds human experts
• Returns results in seconds, rather than in hours or days
• 90-95% average reduction in false positives
• Integrates right back into the development workflow
• Fix an average of 8-10 issues in a single place within the code
10.
Intelligent Finding Analytics Results: Example Real-World Applications

Application     Scan findings   Vulnerabilities   Fix recommendations
Application 1          55,132            14,050                    60
Application 2          12,480             1,057                    35
Application 3         247,350             1,271                   103
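The deck claims that IFA collapses thousands of findings into a few dozen fix recommendations, each closing 8-10 issues at one place in the code, but it does not say how. The example below is added here to make that idea concrete; it is not IBM's code and the approach is an assumption, not a description of IFA's patented method. It treats each SAST finding as a taint trace (an ordered list of "file:function" locations from the untrusted source to the sink) and runs a greedy set cover: at each step it picks the location shared by the most still-open traces as the place to add validation, breaking ties toward the location nearest the sink, where a parameterized API or output encoder is usually the right fix. The findings are constructed sample data.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample findings (not real scan output). Each value is the taint
# trace for one finding, ordered from source to sink, as "file:function".
SAMPLE_FINDINGS: Dict[str, List[str]] = {
    "F1": ["Login.java:getParam", "Login.java:handle", "Dao.java:findUser", "Dao.java:execQuery"],
    "F2": ["Search.java:getParam", "Search.java:handle", "Dao.java:findUser", "Dao.java:execQuery"],
    "F3": ["Search.java:getParam", "Search.java:handle", "Dao.java:listItems", "Dao.java:execQuery"],
    "F4": ["Login.java:getParam", "Login.java:handle", "View.java:render", "View.java:write"],
    "F5": ["Profile.java:getHeader", "Profile.java:handle", "View.java:render", "View.java:write"],
    "F6": ["Admin.java:getParam", "Admin.java:handle", "Admin.java:runCmd"],
}


def recommend_fix_points(findings: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Return [(location, [finding ids closed by a fix at that location]), ...].

    Greedy set cover (an assumed approach, not IFA's): repeatedly choose the
    trace location that appears in the most still-open findings. Ties go to
    the location closest to the sink, then to the location name, so the
    result is deterministic.
    """
    open_ids = set(findings)
    recommendations: List[Tuple[str, List[str]]] = []
    while open_ids:
        covered: Dict[str, List[str]] = defaultdict(list)  # location -> open finding ids
        sink_dist: Dict[str, int] = defaultdict(int)       # location -> summed hops to sink
        for fid in sorted(open_ids):
            trace = findings[fid]
            last = len(trace) - 1
            seen = set()
            for idx, loc in enumerate(trace):
                if loc in seen:  # a location repeated in one trace counts once
                    continue
                seen.add(loc)
                covered[loc].append(fid)
                sink_dist[loc] += last - idx
        best = max(covered, key=lambda loc: (len(covered[loc]), -sink_dist[loc], loc))
        recommendations.append((best, covered[best]))
        open_ids -= set(covered[best])
    return recommendations


def summarize(findings: Dict[str, List[str]]) -> Tuple[int, int]:
    """(number of findings, number of fix recommendations) for a results table."""
    return len(findings), len(recommend_fix_points(findings))


if __name__ == "__main__":
    for loc, ids in recommend_fix_points(SAMPLE_FINDINGS):
        print(f"fix at {loc}: closes {', '.join(ids)}")
    print("findings, recommendations:", summarize(SAMPLE_FINDINGS))
```

On the sample data the three SQL-style findings F1-F3 all pass through Dao.java:execQuery, so one parameterized query there closes all of them; the two output findings F4 and F5 share View.java:write, and F6 gets its own recommendation. A real tool would also have to ensure the chosen location is one where the data is still in a form that can be validated, and that a sink-side fix does not silently mask a source that should have been rejected earlier; the greedy cover only finds the shared point, it does not judge the fix.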
13.
Overview: Application Security on Cloud Feature Summary
• Application Security Management
  - Build an inventory of application assets; classify and rank applications by business impact; organize scans by application; obtain a security rating for each application; prioritize vulnerabilities and manage their resolution
  - View a dashboard to understand application security posture and monitor progress
• Dynamic Analyzer
  - Dynamic web application security analysis
  - Based on AppScan's Dynamic Application Security Testing engine
  - Scan pre-production or production web apps hosted on public and private networks
• Mobile Analyzer
  - Interactive mobile application security analysis
  - Supports Android and iOS
• Static Analyzer
  - Static security testing for applications written in Java, .NET, Node.js, PHP, Ruby, JavaScript…
  - Simple and accurate capability, based on the AppScan Source engine, with IBM's cognitive Intelligent Finding Analytics
• Consulting Services
  - IBM Application Security experts:
    • Help ensure the Client's success with ASoC, from DevOps integration through to interpreting scan results
    • Perform application scanning and manual application penetration testing for our Clients
14.
IBM Application Security on Cloud Consulting Services
• Fast Start: expert assistance in understanding and optimizing Application Security on Cloud testing and risk management features.
• Assessment Review: expert assistance in reviewing test reports, including understanding and prioritizing vulnerabilities in the application.
• Scan for Me: "concierge" scan service where an expert will configure and run the scan, validate results, prioritize remediation, and conduct a walk-through with the customer.
• Application Penetration Test: human-executed, controlled tests to identify vulnerabilities.
• Advisor on Demand: deep interaction with experts on specific application security activities such as remediation assistance and program management.
[Diagram: Application Risk Management & Testing on the ASoC SaaS platform]
15.
Learn More About IBM Application Security on Cloud & IFA:
Blog: IFA- Your Cognitive Computing Application Security Expert
Interactive White Paper: Effectively Manage AppSec Risk in the Cloud
Complimentary Trial Plan: IBM Application Security on Cloud
We encourage you to “like” & share these links with your professional colleagues: