Matin Barmare Technical Consultant Scalable Secure Applications Optimize Application Quality

Upload: collin-neal

Posted on 28-Dec-2015


Page 1: Matin Barmare Technical Consultant Scalable Secure Applications Optimize Application Quality

Matin Barmare, Technical Consultant

Scalable Secure Applications: Optimize Application Quality

Page 2: Agenda (August 11, 2008)

• Are these Necessities??

• HP Solution Approach

• HP Solutions Overview

• Q & A

Page 3: Performance – Is it really important??

Page 4: Application Security – What is that??

Page 5: So What is Hacking?

Page 6: (image only)

Page 7: Hacking … ??

Page 8: I don’t know this Security thing!!

Page 9: Now that hurts!!

Page 10: The Risks are Real!!

Headline clippings shown on the slide:

• Hackers move from hobbyists to professionals.

• Cardsystems out of business: hack went on for 2 years, 40 million records stolen, company now out of business.

• PCI deadline looming: PCI Requirement 6.6 becomes effective on June 30, 2008, and requires web sites to be scanned for vulnerabilities or protected.

• Obama web site hacked: hacker redirects Barack Obama's site to hillaryclinton.com using a cross-site scripting vulnerability.

• Web 2.0 vulnerable: MySpace site shut down by a JavaScript worm exploiting vulnerabilities in the site's AJAX code.

• Grocer Hannaford hit by computer breach: chain says intrusion may expose 4.2m cards; 1,800 fraud cases seen.

Page 11: HP’s approach to AQM

Global, enterprise-wide projects • Global teams and deployments • Complex, heterogeneous environments

Application lifecycle: Plan, Define/Design, Develop/Test, Launch, Operate

• New deployment: Full Quality Process

• Fix/Patch and Minor Release: Accelerated Quality Process

Applied across the true lifecycle of a business application:

• REQUIREMENTS MANAGEMENT: business requirements; functional requirements; security requirements; performance requirements; other non-functional requirements

• RISK-BASED TEST PLANNING: assess and analyze risk; establish testing priorities; create test plans

• TEST MANAGEMENT AND EXECUTION
− Security: identify and customize security policies; execute security scans
− Functional: create manual test cases; automate regression test cases; execute functional tests
− Performance: create performance scripts and scenarios; execute tests, diagnose and resolve problems

• DEFECT MANAGEMENT

• Enforce quality processes; support key roles

Three pillars of quality (AQM): Does it work? Is it secure? Does it perform?

Page 12: Three pillars of quality

AQM

• Does it work? (FUNCTIONALITY)
− Does the application function the way the business needs it to?

• Does it perform? (PERFORMANCE)
− Will the application perform for the entire customer set?
− Will it scale?
− Will it meet SLAs in production?

• Is it secure? (SECURITY)
− Has the application been assessed against all known threats?
− Are there open doors or windows that sophisticated hackers can penetrate?

Page 13: Support all key roles

STRATEGY / DEMAND

• Strategic demand: new applications; new services; application integrations

• Operational demand: defects; enhancements; change requests

• Enterprise Architecture and Policies: SOA; security

Many stakeholders from across IT and the business:

• REQUIREMENTS MANAGEMENT (Requirements Management): Business Analyst, Quality Assurance, Security Engineers, Performance Engineers, Developers

• RISK-BASED TEST PLANNING (Test Plan): Quality Assurance, Performance Engineers / Security Engineers

• TEST MANAGEMENT AND EXECUTION
− Developers: DevInspect
− Quality Assurance: QAInspect
− Security Engineers: Assessment Management Platform
− Quality Assurance: Functional Testing
− Testers: Business Process Testing
− Performance Engineers / Systems Architect: Diagnostics
− Performance Engineers: LoadRunner / Performance Center

• DEFECT MANAGEMENT (Defect Management): DEV / QA / PE / SE / Project Management

• OPERATIONS
− Application Support: Service Manager
− Operations: BAC, EUM & Diagnostics
− Security Engineers: WebInspect

• IT / Project Management: Dashboard; Go/No Go

Integrate with demand; connect to production.

Page 14: HP Performance Center

• LoadRunner | Performance Center: VuGen, Controller, Load Generator, Monitors, Analysis

• Center Management: Demand, Project, Resource

• Diagnostics: J2EE, .NET, SOA, SAP, Oracle

• Foundation: User/Privilege Management; Infrastructure Management; Central Repository; Global Access and Collaboration

• Dashboard

Page 15: Performance Engineering - Value

Page 16: Breadth of analysis

What do you see at the end of a load test?

• End user: transaction “look up account” took 17.58 seconds at 250 users

• System: application server CPU reached 90% at 500 users

• Network: London to datacenter network segment very slow

• Application: J2EE method “AccountLookup” took 16 seconds; 90% of end user response time

Page 17: AQM – IT initiatives

Minimize time, reduce cost and gain control of risk for all applications across the entire IT organization.

• Application project deployments & upgrades
− Enable high-quality, timely releases
− Validate application functionality
− Optimize application performance
− Assess application security

• Quality management product & process standardization
− Ensure consistent delivery of high-quality releases
− Risk-based approach to managing application change
− Connect quality with strategic & operational processes

• Center of excellence
− Pervasive quality approach for all application types and SOA services
− Centralized technology & personnel
− QA processes govern testing and quality initiatives
− QA has enterprise influence

Diagram: application quality management spans application project deployments and upgrades, quality management product and process standardization, and the center of excellence.

Page 18: Security illusions

Page 19: Applications are the target

“75% of hacks happen at the application.”

- Gartner, “Security at the Application Level”

• Network: secured by firewall

• Servers: protected by intrusion prevention

• Applications: unprotected and ignored

Page 20: HP Application Security Center

• Dashboard

• Assessment Management Platform: policy and compliance; centralized administration; vulnerability and risk management; alerts and reporting; distributed scanning

• DevInspect: Microsoft Visual Studio, Eclipse, IBM RAD

• QAInspect: HP Quality Center, HP Functional Testing

• WebInspect: production application assessment

• Foundation: intelligent engines; SecureBase; security toolkit; open APIs; SmartUpdate; reporting; hybrid analysis

Page 21: Enterprise application security assurance

HP Application Security Center: security for the application lifecycle (Plan, Design, Code, Test, Production)

• Source code validation: DevInspect

• QA & integration testing: QAInspect

• Production assessment: WebInspect

• Enterprise security assurance and reporting: Assessment Management Platform

• Continuous updates from the HP Web Security Research Group: internal app security research; external hacking research

Page 22: Secure Your Outcome with the Application Security Center

A Complete Application Lifecycle Solution

Key benefits

• Find security defects throughout the lifecycle

• Correct security defects early in the application lifecycle and monitor applications in production

• Manage your online risk

• Verify compliance with government regulations

• Less exposure to application downtime and theft of online information

Key capabilities

• Automatically finds and prioritizes security defects in a Web application

• Supports the latest AJAX and Web 2.0 Rich Internet Application technologies

• The only solution with Hybrid Analysis, combining both static and dynamic analysis for the most accurate results possible

• Built-in Security Expertise combines daily updates of vulnerability checks with our unique intelligent engine technology

• Comprehensive defect information and remediation advice about each vulnerability

• Integrates with HP Quality Center

Page 23: Q & A

Page 24: Thank you!

[email protected]