Improve Security of App Portfolio with On-Demand Testing

DISCOVER 2015
1-3 December, London
Improve the security of your application portfolio
in a few days with on-demand testing services
London, December 2, Yves Le Floch

2Copyright © 2015 Capgemini and Sogeti. All Rights Reserved
Improve the security of your application portfolio | December 2nd, 2015
Capgemini positioning

Cybersecurity services portfolio

Capgemini Cybersecurity video

Improve the security of your applications
! The World Quality Report: Application Security Findings
! Application security: the next challenge
! Best Practice: a secure software development lifecycle
! Application Security Testing as a Service
! Platform demonstration
! Questions & Answers

The World Quality Report: Application Security Findings

The World Quality Report 2015-16
Companysize:1,000–
4,999,5,000–10,000
and10,000+
Controlledmix ofCIOs,
ITDirectors,VP
Applications/QA,Testing
ManagerandCDO/CMO
Seenextslidefor
detailedsplits
1560interviews
CATI25%(390)
CAWI75%(1170) Globalstudy
April– June2015
Allinterviews
conductedabidedby
therulesand
regulationssetbythe
MRS
How
When
Where
Who
What
Studydetails

The Top 5 most important aspects of your IT strategy

Focus areas for IT Strategy

Commonly performed security testing activities

The Top 5 most important aspects of your IT strategy

In what stage of Application Lifecycle is security testing undertaken?

Application security: the next challenge

Giant data breaches!

What is the challenge enterprises are facing?
68%
increase in mobile
application
vulnerability
disclosures
5
Infrastructure security
is rather mature,
when application security
is rather new

How to measure the issue?

The Top 10 Application security risks

The current state of security
Organizations are under increased pressure to develop new applications to support
digital transformation – whether internal or external facing
!  Applications delivered quickly, focus on ergonomics and little focus on governance
!  Many incorporate sensitiv<e data that can be breached, should any vulnerability be left
!  Do you know how many applications your organization has? How many critical applications?
Security checks left to the end of the development lifecycle (penetration testing)
!  Penetration testing is no longer enough: too little too late
!  Too expensive to perform pentests or manual code reviews at each releases
!  Much less costly to fix security issues before the application is deployed (i.e. in QA/integration)
Network and infrastructure security testing now widely covered, but lack of maturity at the
application level
!  Lack of a formal & systematic process to prevent vulnerabilities before the breach
•  Hackers know that : 80%+ of breaches happen at application level

What does a good approach look like?
! Supports your digital transformation
! Proactive instead of reactive
! Includes:
• Building security into the development process
• Comprehensive testing: automated scanning,
expert assessment and penetration testing
• Secure architecture & deployment
! Security issues are fixed before the application goes
into production
! Issues prioritised by risk and business criticality
! Cost effective
! Rapidly implemented

Best Practice: a secure software development lifecycle

Best Practice Approach: Overview
1. Discover 2. Patch 3. Security Gate 4. Shift-Left 5. Mature
1.  Identify the scope of the problem
2.  Fix the critical vulnerabilities in the high risk applications
3.  Establish a Security Gate
4.  Add security controls earlier in the Software Development Life-cycle
5.  Raise the security bar

Best Practice Approach: Discover
1. Discover
Create risk ranked inventory of on-line applications
•  Web, Facebook, mobile
•  In-house developed, out-sourced, third-party
•  Basic risk categorization
Assess sample of applications
•  Dynamic Application Security Testing
Establish the business case
•  Gain executive sponsorship
Don‘t wait for a breach!

Best Practice Approach: Patch
2. Patch
Reduce exposure to critical vulnerabilities in high risk applications
Complete assessment of high risk applications
–  Identify critical vulnerabilities
Remediate
–  Retire or replace application
–  Block with WAF/IPS
–  Work with development to fix
Commence Application Security Awareness program
These can’t wait!

Best Practice Approach: Security Gate
3. Security Gate
Define and Implement Policy
•  Application risk category specific
•  Update Internal Standards
•  Add to Vendor Contracts
Implement a Security Gate
•  Enforce policy for all new apps and major releases
•  Work through backlog by risk category
–  Advisory initially then enforce incrementally
Publicise Program
•  Publish KPI’s
•  Identify Security Champions

Best Practice Approach: Shift-Left
4. Shift-Left
Embed Static Application Security Testing in development process
•  In-house development teams
–  IDE Integration
–  Build Integration
–  Bug-tracking
•  Offer to key out-source suppliers and third-parties
Secure Development Training Program
•  Secure Development Guidelines
•  Mandatory Role-based training

Best Practice Approach: Mature
5. Mature
Raise Security Bar
•  E.g. Policy now includes addressing ‘medium’ rated vulnerabilities for high risk applications
Increase scope
•  Internal Applications
BSIMM assessment of SDLC
•  Identify and implement additional security controls
–  Threat Modelling
–  Security Architecture Review
Use metrics to drive continuous improvement
•  Add application security performance to vendor selection
Move cost of assessments to third-party vendors

Best Practice Approach: Summary
1. Discover 2. Patch 3. Security Gate 4. Shift-Left 5. Mature
1.  Identify the scope of the problem
•  Take advantage of automated discovery approach
2.  Fix the critical vulnerabilities in the high risk applications
•  Retire or block to minimize impact on development. Fix if you have to.
3.  Establish a Security Gate
•  Use cloud–based solution like Fortify on Demand for speed and scalability
4.  Add security controls earlier in the Software Development Life-cycle
•  Add SAST and role-based security training to your SDLC
5.  Raise the security bar
•  Use metrics to drive continuous improvement

Application Security Testing as a Service

An industrial Application Security Testing platform

Delivered by Capgemini/Sogeti, powered by Hewlett Packard Enterprise –
Combining the power of two market leaders
Capgemini - Sogeti recognized as a leader
for independent Testing Services
HP recognized as a leader by Gartner
for Application Security Testing

Combining manual/automated testing, static/dynamic testing, pentest
SAST - Static application security
testing:
Test is done on modules on the written code (not
running)
• Can be performed during of after development process, early in
the lifecycle, no server required
• Manual and automated analysis of the source, bytecode or
binary code
• Linked to code, provides useful and clear clues for remediation
• Integrate application security testing into Development / Quality
Assurance processes -> to be performed early in the process
DAST - Dynamic application security
testing:
Test is done on the running code, which is
challenged to reveal vulnerabilities
• Test the runtime application on integration or production
platform.
• Manual and automated analysis of the running application
• Can be performed only at the end of the development
process
• Results more difficult to exploit, but closer to a real attack
Code manual review
Expert analysis of the code
• Can be performed early in the lifecycle, no server required
• Linked to code, provides useful and clear clues for remediation
• Find all vulnerabilities with the right criticality analysis
• Expert intensive (expensive, difficult to scale, slow)
Penetration testing:
The ethical hacker performs a real hacking
• Very similar to what a real hacker would do
• Provides a good view of the operational risks
• Exploits vulnerabilities in order to demonstrate exploitability
• Alco covers servers and production vulnerabilities
• Late in the process
• Expert intensive (expensive, difficult to scale, slow)

Objective: an industrial Security testing capacity
Supported by best-in-classApplication security testing tools1
Maximizing the industrialapproach (reduceddelay and cost)2
Entirely managed/hosted by Sogetiin Europe forsecurity and trust reasons3
Offering on-line accessforclients (management,assessments,reports…)4
Allowing maximumadaptationto client risk and budgetpriorities5
Allowing Rightshore delivery upon clientrequestforimproved delay and cost6
Pay peruse: no investment,no license,no hardware,no expertise required7

Platform demonstration

Access to a leading tool and proven expertise

How it works
Customeruploadssoftware
or dynamic accessdata
directly on his portal
Upload
Dynamic,static and/ormobile
automatic testing
Scan
Expertreview and additional
tests to ensure minimalfalse
positives and falsenegatives
Review

The benefits
! Regularly checkedand updated by HP’s Security Researchteam who find four times the number of new critical
vulnerabilities than the rest of the market combined (Frost and Sullivan)
! Easy to purchase
Launchyour application
securityinitiative in < 1 day
! No hardware or software
investments
! No security experts to hire,
train and retain
Simple
Scale to test all sensitive
applicationsin your
organization
! From one-day turn-around on
applicationsecurity results
! Potentially support 1000sof
applicationsfor desktop,
mobile or cloud
! Dynamic and static testing
with manual review
Fast & Comprehensive
Test anyapplication
! Secure commercial, open
source and 3rd party
applications
! Test applications on demand
according to risk and budget
Flexible

Comprehensive and accurate testing

Multiple levels of testing based on application risk
Low Medium High
Basic
assessment
Standard
assessment
Premium
assessment
! Marketing Site ! Personally identifiable
information
! Business useful
! Credit card/ SSN
information
! Business critical

Contact information
Yves
Le Floch
VP, Head of CyberSecurity
Business Development
Sogeti
yves.le-floch@sogeti.com
+33 1 55 00 13 41
David
Harper
Fortify on Demand
Practice Principal, EMEA
Hewlett Packard Enterprise
david.harper@hpe.com
+44 751 528 5200

www.sogeti.com
www.capgemini.com
The information contained in this presentation is proprietary and confidential. It is for internal and intermediary use only.
Copyright © 2015 Capgemini and Sogeti. All rights reserved.
Rightshore® is a trademark belonging to Capgemini.
No part of this presentation may be modified, deleted or expanded by any process or means without prior written permission from Capgemini.
About Capgemini and Sogeti
Now with 180,000 people in over 40 countries, Capgemini is one of the world's
foremost providers of consulting, technology and outsourcing services. The Group
reported 2014 global revenues of EUR 10.573 billion. Together with its clients,
Capgemini creates and delivers business, technology and digital solutions that fit
their needs, enabling them to achieve innovation and competitiveness. A deeply
multicultural organization, Capgemini has developed its own way of working,
the Collaborative Business Experience™, and draws on Rightshore®, its worldwide
delivery model.
Sogeti is a leading provider of technology and software testing, specializing in
Application, Infrastructure and Engineering Services. Sogeti offers cutting-edge
solutions around Testing, Business Intelligence & Analytics, Mobile, Cloud and
Cyber Security. Sogeti brings together more than 20,000 professionals in 15
countries and has a strong local presence in over 100 locations in Europe, USA
and India. Sogeti is a wholly-owned subsidiary of Cap Gemini S.A., listed on the
Paris Stock Exchange.

Improve Security of App Portfolio with On-Demand Testing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Improve Security of App Portfolio with On-Demand Testing

Similar to Improve Security of App Portfolio with On-Demand Testing (20)

More from Capgemini

More from Capgemini (20)

Recently uploaded

Recently uploaded (20)

Improve Security of App Portfolio with On-Demand Testing