HP Fortify Solution Introduce - bccs.com.t 銷商茶會_session_I_Fortify... · PDF filePL/SQL Python T-SQL Visual Basic VBScript ... Erroneous String Compare 9 ... elements in the

© Copyright 2011 Hewlett-Packard Development Company, L.P.

HP Taiwan Fortify Sales

Bill Lee

HP Fortify Solution Introduce


如何防範

2

源始碼掃描(治本之法)

改善程式效能

檢查程式可能發生漏洞

協助導入軟体開發生命週期(SDLC)

軟体弱點掃描(治標之法對網頁)

找出可能發生問題(利用滲透測試)

提早預防問題發生

<script>alert(“attack”)</script>

“<script>alert(“attack”)</script>

‘<script>alert(“attack”)</script>

<img src=“javascript: alert(“attack”)”/>

/><body onload=“alert(‘attack’)”/>

NO

NO

NO

NO

NO


HP Fortify 解決方案之產品列表

3

•源始碼掃描工具

– HP Fortify Static Code Analyzer(SCA)

•網站滲透測試工具

–HP WebInspect

•應用系統弱點交叉分析工具

–HP Fortify Software Security Center Server

– HP Fortify SecurityScope

•主機式網頁防火牆

–HP Fortify Real-Time Analyzer

•雲端掃描服務

–HP fortify on demand( public cloud)

–HP CloudScan (Private cloud)


4

如何應用HP產品在軟体開發階段

HP Fortify SS

Dynamic Test

SecurityScope

HP Fortify SCA

Develop

Static Code Analyzer

HP Fortify RTA

Deploy

Real-Time Analyzer

Coding Integration QA Maintenance Deploy

HP Fortify SSC Server

Reporting Correlation

Proactive alert Management

HP WI

Penetration Test

WebInspect


Fortify 源始碼掃描

5


Fortify Architecture

6

DB

LDAP

AD

SMTP

Rulepack

Bugzilla

SSC

Audit Workbench

SCA

FPR Fortify Client

submit

Fortify RTA

Update


源始碼掃描-白箱測試

ABAP

ASP.NET,

VB.NET,

C# (.NET)

C/C++

Classic ASP

COBOL

CFML

Flex/ActionScript

HTML

Java

JavaScript/AJAX

JSP

PHP

PL/SQL

Python

T-SQL

Visual Basic

VBScript

XML

SCA Frontend

XML

Java T-SQL

JSP

Normalized Representation

Results

XML

Java

T-SQL

JSP

User Input

SQL Injection

Source Code

SCA Analysis

7 Enterprise Security – HP Confidential


8

HP Fortify SCA支援 21 種程式語言安全漏洞檢測

1. ASP.Net

2. VB.Net

3. C#.Net

4. ASP

5. VBScript

6. VB6

7. Java(Android)

8. JSP

9. JavaScript

10. HTML

11. XML

12. C/C++

13. PHP

14. T-SQL (MSSQL DB)

15. PL/SQL (Oracle DB)

16. Action Script

17. Object-C (iPhone) 2012/5 支援

18. ColdFusion 5.0 – 增購

19. Python -增購

20. COBOL -增購

21. SAP-ABAP - 增購


HP Fortify SCA 可以檢測超過 500 類的安全漏洞

兼顧安全與品質 SQL Injection

Cross-site Script

Command Injection

System Information Leak

Cross-site Request Forgery

Unused Method

Poor Error Handling

Recursive loop

Memory Leak

Buffer Overflow

Unreleased Resources

Erroneous String Compare

9


10

http://www.hpenterprisesecurity.com/vulncat/

HP Fortify SCA 檢測的安全漏洞清單


11

HP Fortify SCA 檢測程式碼安全漏洞的程序

轉譯階段Translation Phase[1]

分析階段Analysis Phase[2]

稽核階段Audit Phase[3]


12

HP Fortify SCA (1) 轉譯階段Translation Phase

Translation Phase

IDE & AWB

NST: Normalized Syntax Tree

SS

C


13

HP Fortify SCA (2) 分析階段Analysis Phase

Analysis Phase

IDE & AWB SS

C


14

HP Fortify SCA (3) 稽核階段Audit Phase

Audit Phase

IDE & AWB

FPR: Fortify Project Result

SS

C

© Copyright 2011 Hewlett-Packard Development Company, L.P. 15

HP Fortify SCA 檢測問題等級的區分方法

檢測問題等級的歸類方式

是以兩個座標值做為量化區分依據

(1) Likelihood

(問題準確度的可能性)

(2) Impact

(問題對部門或企業的影響衝擊性)

高準確度區: Critical / Medium

: Impact/ Low 凡有安全凡有嫌疑跡象區漏洞或品質問題的嫌疑跡象就列出的部分必須要有資安人員再人工覆核是否有問題

Impact Critical

Low Medium

Impact

Likelihood


16

HP Fortify SCA

程式碼安全性漏洞檢測工具檢測程式碼方式介紹


17

HP Fortify SCA 檢測程式碼漏洞3種操作模式

檢測方式1 :使用IDE-Plug-In

檢測方式2 :使用AWB Commandline Builder

檢測方式3 :使用命令列( .bat )


18

檢測方式 :使用IDE Plug-In

Visual Studio 2003/2005/2008/2010

Eclipse 2.0/3.0

IBM WSAD, RAD, RSA


19

檢測方式 :使用AWB

適用程式語言 ASP、 PHP 、JavaScript 、Java 、 JSP、XML 、T-SQL 、PL/SQL


20

檢測方式 : 使用命令列( .bat or .cmd or script )

可以設定自動排程

PS:使用微軟語言開發一定需要安裝微軟對應IDE 工具

適用程式語言: 所有 HP Fortify SCA 支援的程式語言


21

Audit workbench 程式碼安全漏洞審核分析工具

(2) 歸類發現的安全弱點指出發生于那支程式

(3)指出安全弱點發生的程式碼列位置

(1)掃描的程式碼潛在的安全弱點並區分嚴重等級

(5)提供安全弱點說明解釋及修正建議

(4)多層次的追蹤分析技術


多元的分析角度


23

報表樣版元件: Report Overview

Pie 、Table、Bar


24

檢測報表說明

問題等級Critical/High/ Medium/ Low 的數目


25

檢測報表說明

程式碼安全性漏洞

類別及數量


26

安全弱點問題說明

SQL Injection

安全弱點問題

說明


iPhone APP scan result


Fortify Sample Report (Hard code password)


Fortify Sample Report(後門檢測)


30

HP Fortify SSC Server 軟體安全管理中心介紹

HPFortify_New02.pptx


Fortify Software Security Center

Correlates dynamic test results with static test results, leveraging

runtime technology to help identify the connection between the two

Identify and prioritize a baseline of existing vulnerabilities

Prevent new vulnerabilities from being introduced

Remediate existing vulnerabilities and lower the baseline

Ensure that your code is in compliance with internal and external

security mandates


Security Project Dashboard


33

Multi-View : Security Issue Counts of Per1000 Lines

The Best Vendor or Develop Team !

Easily Compared Develop Teams Security Level


Collaboration Module

34


35

Management, tracking and remediation of enterprise software risk

HP Fortify Software Security Center server

Why it matters

• Offers central repository, access and visibility for all testing results so that triaging, auditing and remediation is faster

• Enables teams across organizational silos to collaborate more effectively to resolve security issues

Features

• Specify, communicate and track security activities performed on projects

• Role-based, process-driven management of software security program

• Flexible repository and exporting platform for security status, trending and compliance

Benefits

• Provides a clear, accurate picture of software risk across the

enterprise

• Lowers cost of resolving vulnerabilities

• Identify areas of improvement for accelerated reduction of

risk and costs


Software Security Center benefit

36

可全面了解所有專案的安全性，並匯整成報表顯示

對於不同專案可製定成不同的政策來進行管理。

可與內外部的人員進行協同作業，以減少溝通上的

問題。

可與Webinspect整合進行黑白箱交叉分析，讓準確

率提高，減少誤判及即時驗證的動作。

可以檢查應用程式是否符合法規之要求。


HP Fortify SCA

案例介紹


38

正式套與測試套 : 整合架構


39

架構說明

AP Developer

Group

Scan Server

( 本次新增)

內部開發人員

上傳程式碼

Fortify SCA

Windows 2003 Server

Fortify SCA

IDE Plug-In

程式碼版本控管Server

專案負責人依據專案狀況手動簽出一份專案程式碼進行定時排程程式碼安全檢測

控管程式碼修復進度

遠端桌面連線1. Scan Log 問題排除2. 設定程式碼檢測排程

委外廠商IBM

Team Leader

委外廠商

內部開發人員

Fortify SCA

IDE Plug-In有效的程式碼安全弱點修復

AP Leader

Group

Fortify SCA

IDE Plug-In

有效的程式碼安全弱點修復

有效的程式碼安全弱點修復

▓ 依據晚上1:00定時排程, 使用命令列批次檔(.bat), 進行程式碼安全檢測


Webinspect產品介紹

40


更快的掃描, 更廣泛的評估, 真實的結果

智能掃描引擎

能有效的縮短掃描的時間

提升弱點掃描的準確性

模擬駭客的動作模式

•決策樹(Decision tree)

•隨著應用系統變化的動態分析

Industry leading scanning technology you can trust


針對Web 2.0提供唯一而準確目標分析

滿足最新科技的需求

能辨識在用戶端的原始碼當中有何安

全弱點

•針對Adobe Flash進行自動化反組譯並進行靜態

分析

•在動態建立應用程式中找出安全弱

點

– 自動模擬真實使用者的行為模式,透過

JavaScript的程式碼路徑的執行和記錄一般使

用者的使用經驗

V

Testing web applications like web applications, not like web sites


花費最少的時間在掃瞄設定,把時間用在修正弱點問題

簡易使用的“指導精靈”

集中於被要求的掃描的結果，

並非只是設定

非安全專家也能透過導引,進行

成功的掃描

消除對掃描設定的困擾,並減少

相關進階設定的步驟


44

URL Rewriting/RESTful Web Services Support

What it is

• Many dynamic sites use URL rewriting, thus creating variable elements in the URL. • A RESTful web service can contain parameter names and variable values. Therefore, when WebInspect scans a page it must be able to determine which elements are variable so that its attack agents can thoroughly check for vulnerabilities. • To enable this, you can use the Custom Parameters rule creator to define rules that identify these elements. • You can also import them from common configuration files, such as a WADL definition file. In addition to the rules you define, • WebInspect will also automatically identify custom parameters and suggest them as recommendations.

Who cares • Security teams in RESTful framework environments • Stakeholders with mobile web applications (but NOT those with native mobile apps

Problem it solves:

• Inability to scan Web applications using RESTful framework principles • Inability to account for variables in rewritten URLs

Web Services and Advanced Scanning


45

Large Scale Confirmation

What it is

• Extension of single retest functionality from WebInspect 9.00 and AMP 9.10 • With this release, quickly retest all your vulnerabilities in a scan. • This enables you to determine if a vulnerability still exists without having to conduct a new scan from scratch: reducing scan time and improving accuracy..

Who cares • Security tester at the stage gate trying to determine if vulnerabilities have been fixed • Application Owners that would like confirmation that the reported vulnerabilities have been fixed.

Problem it solves:

• Long test cycles, retesting vulnerability by vulnerability

Differential Analysis and Control


46

Results Comparison

What it is

• Provides visual representation of vulnerability differences found between two scans of the same site. .

• The information is presented as an interactive dashboard and

the common vulnerability view.

Who cares

• Security tester evaluating critical site • Application security manager who must prioritize security fixes

Problem it solves:

• Addresses lack of confidence some customers have in our vulnerabilities • Chaotic vulnerability overload

Differential Analysis and Control


Start remediation of vuln’s immediately 即時的掃描檢視

即時掃描儀表板

網站樹狀結構

目前已發現的安全弱點

排除&允許的網站列表區塊

詳細的攻擊列表

即時掃描統計


分享知識和加速問題修正

專家等級安全知識

安全弱點的詳細知識

如何確認或找出問題

這個安全弱點會如何影響

如何修復這個問題

(包括了程式碼樣本和針對不同團隊的資訊)

其他的參考資訊和最佳實踐方法


Powerful, scalable, flexible, and extensible

提供企業等級, 可客製化報表

提供您企業所需的客製化報表

•簡易使用的報表設計工具

•可透過個性化編輯提供個人化報表

多重的報表輸出選項 • 包括了 RTF, PDF, Excel, HTML, TXT

可以整合其他外部的資料來源

能透過 SmartUpdate加以更新


HP WebInspect 自動化產生報表-法規

50


檢視, 分析和管理掃描資料

掃描歷史資料管理

能輕易的針對大型資料庫加以管理掃描資料

群組,排序和整理掃描資料

提供明確的掃描細部資訊的檢視


HP SmartUpdate

確保能提供最新安全弱點和駭客攻擊手法的最新技術驗證 HP SmartUpdate

HP Web Security Research Group

安全弱點的檢測弱點修正的相關知識

駭客攻擊手法

“藉由技術的投入, 提升了正確性和效率”

安全弱點的研究產品的研究

• 業界知名的講師或作者

Blackhat, RSA, ShmooCon

HP Application

Security Center

Solutions 手動下載或外部載入

http://search.barnesandnoble.com/booksearch/imageviewer.asp?ean=9780321491930


HP WebInspect checks for Data injection and manipulation attacks

53


Webinspect Type

New platform for webinspect

54


Webinspect Type- Name user


Webinspect Type- Concurrent License


Webinspect Type- Concurrent License


Defect Management

Local & RemoteTarget Sites

HP Sensors

CIO/CISO/Auditor

WebInspect

Developers

App Security

WebInspect

Software Security Center Delivers· Vulnerability Management· Reporting & Dashboards· Repository for Static, Dynamic, & Manual Results

WebInspect Enterprise Delivers· Scalable Dynamic Test Execution· Web-based Test configuration· Web-based Test monitoring and results triage

Web Services

SSC

WI Ent

Workflows

Software Security Center

with WI Ent.

Webinspect Type- Enterprise


User Management

Two Sets of Accounts

• Software Security Center

• Role Based Permissions

• Project / Project Version Access

Control

• WebInspect Enterprise

• Scan configuration & Visualization

When Interacting with SSC

through WI Enterprise, you need

SSC credentials…


Project Onboarding

• Unified List of Projects & Project

Versions

• Project onboarding is originated

in Software Security Center

• Two Step Process; Create the

project version in SSC and then

make it available for testing in WI

Enterprise.

• Requires both SSC & WI

Enterprise Permissions & user

accounts


Task Management : Scan Request

• Enable Developers to request

scans from App Security Testers

• Customize the Input Form.

• Centralize all scan requests into a

single list for App Security Testers.

• Project must be onboarded in

order to request a scan

• Requires both SSC & WI

Enterprise Permissions & user

accounts


HP Webinspect 台灣成功案例


63

面臨的問題

原先有做黑箱的滲透測試，但發現覆蓋率不足

遊戲產品重心，由代理逐漸轉向到自製產品

自製產品上線前的自我檢核

內部尚無建置資安程式碼檢測機制

駭客利用程式弱點盜取、修改遊戲道具資料

Web 版遊戲，有安全漏洞 (injection, XSS)的風險

C++ 遊戲主程式，常因 Buffer Overflow 當機

因自製遊戲，外包比重越來越多，安全性品質管控不易

希望導入 Code Review 的自動化工具


64

HP Fortify Solution

趨勢管理

預警機制


65

HP Fortify Solution 導入概述

導入單位 : 企業資訊安全部

白箱：Tool – HP Fortify SCA

黑箱：Tool – HP WebInspect

人工覆核：both (黑白箱比對)

主要用途 : 協助確保內部開發的軟體沒有安全漏洞

軟體開發 : 目前大部分自行開發，小部分委外開發

程式語言 : .Net、Java、MS VC++、Linux C++


66

系統架構


67

使用效益

趨勢管理 : 即時掌控專案的資訊安全現況


68

導入 HP Fortify Solution 效益

自動化地程式碼安全弱點審核(Code Review) 節省大量時間

提供程式碼安全的驗證數據與報表，為內部開發團隊或委外廠

商驗收的品質把關

直接指出問題程式碼列並提供問題解釋說明及修改建議

提供程式碼安全知識與修復技能的學習平台

程式碼安全漏洞的趨勢分析圖，讓資安人員管理更簡單


Thank you !

Documents

HP Fortify Solution Introduce - bccs.com.t 銷商茶會_session_I_Fortify... · PDF filePL/SQL Python T-SQL Visual Basic VBScript ... Erroneous String Compare 9 ... elements in the