Matin Barmare Technical Consultant Scalable Secure Applications Optimize Application Quality

2August 11, 2008 Agenda Are these Necessities?? HP Solution Approach HP Solutions Overview Q & A

3August 11, 2008 Performance – Is it really important??

4August 11, 2008 Application Security – What is that??

So What is Hacking?

6August 11, 2008

7 Hacking … ??

8August 11, 2008 I don’t know this Security thing!!

9August 11, 2008 Now that hurts!!

10August 11, 2008 The Risks are Real!! 10August 11, 2008 Hackers Move from hobbyists to professionals. Hack went on for 2 years, 40 million records stolen, company now out of business. Cardsystems out of business PCI Requirement 6.6 becomes effective on June 30, 2008, requires web sites to be scanned for vulnerabilities or protected PCI deadline looming Hacker Redirects Barack Obama's site to hillaryclinton.com using cross-site scripting vulnerability Obama web site hacked MySpace site shut down by JavaScript worm exploiting vulnerabilities in the sites AJAX code Web 2.0 vulnerable Chain says intrusion may expose 4.2m cards; 1,800 fraud cases seen Grocer Hannaford hit by computer breach

11August 11, 2008 HP’s approach to AQM Global, enterprise-wide projects Global teams and deployments Complex, heterogeneous environments Plan Define / Design Develop / Test Launch Operate New Deploy ment Full Quality Process Fix / Pat ch Minor Release Accelerated Quality Process Assess and Analyze risk Establish testing priorities Create test plans RISK-BASED TEST PLANNING TEST MANAGEMENT AND EXECUTION Execute security scans Identify and customize security policies DEFECT MANAGEMENT Execute functional tests Create manual test cases Automate regression test cases Functional requirements Business requirements Security requirements Performance requirements REQUIREMENTS MANAGEMENT Other non- functional requirements Execute tests, diagnose and resolve problems Create performance scripts and scenarios Enforce quality processes; support key roles Applied across the true lifecycle of a business application Three pillars of quality Does it work? Is it secure? Does it perform? AQM

12August 11, 2008 Three pillars of quality 1 AQM Does it work? FUNCTIONALITY Does it perform? PERFORMANCE Is it secure? SECURITY Does it work? Does the application function the way the business needs it to? Does it perform? Will the application perform for the entire customer set? Will it scale? Will it meet SLAs in production? Is it secure? Has the application been assessed against all known threats? Are there open doors or windows that sophisticated hackers can penetrate?

13August 11, 2008 STRATEGY/ DEMAND Strategic demand New applications New services Application integrations Operational demand Defects Enhancements Change requests Enterprise Architecture and Policies SOA Security Many stakeholders from across IT and the business Business Analyst Quality Assurance Developers Requirements Management Quality Assurance Performance Engineers/ Security Engineers Test Plan RISK-BASED TEST PLANNING TEST MANAGEMENT AND EXECUTION Quality Assurance QA Inspect Developers DevInspect Security Engineers Assessment Management Platform DEFECT MANAGEMENT Quality Assurance Functional Testing Testers Business Process Testing Quality Assurance Functional Testing Performance Engineers Systems Architect Diagnostics Performance Engineers LoadRunner Performance Center DEV / QA / PE / SE / Project Management Defect Management Quality Assurance Requirements Management Business Analyst Requirements Management Security Engineers Requirements Management Performance Engineers Requirements Management REQUIREMENTS MANAGEMENT Developers Requirements Management Support all key roles Integrate with demand Security Engineers WebInspect OPERATIONS Application Support Service Manager Operations BAC EUM & Diagnostics Connect to production IT / Project Management Dashboard Go/ No Go

14August 11, 2008 HP Performance Center Foundation LoadRunner | Performance Center VuGen Controller Load Generator Monitors Analysis Center Management Demand Project Resource Diagnostics J2EE.NET SOA SAP Oracle User/Privilege Management Infrastructure Management Central Repository Global Access and Collaboration Dashboard HP Performance Center

15August 11, 2008 Performance Engineering - Value

16August 11, 2008 Breadth of analysis End user: Transaction “look up account” took seconds at 250 users System: Application server CPU reached 90% at 500 users Network: London to datacenter network segment very slow Application: J2EE method “AccountLookup” took 16 seconds; 90% of end user response time What do you see at the end of a load test?

17August 11, 2008 AQM – IT initiatives Minimize time, reduce cost and gain control of risk for all applications across the entire IT organization Application project deployments & upgrades − Enable high-quality, timely releases − Validate application functionality − Optimize application performance − Assess application security Quality management product & process standardization − Ensure consistent delivery of high-quality releases − Risk-based approach to managing application change − Connect quality with strategic & operational processes Center of excellence − Pervasive quality approach for all application types and SOA services − Centralized technology & personnel − QA processes govern testing and quality initiatives − QA has enterprise influence Application quality management Application project deployments and upgrades Quality management product and process standardization Center of excellence

18August 11, 2008 Security illusions

19August 11, 2008 Applications are the target 19August 11, 2008 “75% of hacks happen at the application.” - Gartner “Security at the Application Level” “75% of hacks happen at the application.” - Gartner “Security at the Application Level” Network: Secured by firewall Servers: Protected by intrusion prevention Applications: Unprotected and ignored 

20August 11, 2008 HP Application Security Center Foundation Dashboard HP Application Security Center Assessment Management Platform Policy and compliance Centralized administration Vulnerability and risk management Alerts and reporting Distributed scanning DevInspect Microsoft Visual Studio Eclips e IBM RAD QAInspect HP Quality Center HP Functional Testing Intelligent engines SecureBase Security toolkit Open APIs SmartUpdat e Reporting Hybrid analysis WebInspect Production Application Assessment

21August 11, 2008 Enterprise application security assurance HP Application Security Center Security for the Application lifecycle HP Web Security Research Group Internal app security research External hacking research PlanDesignCode Production Test HP Application Security Center Enterprise security assurance and reporting Source code validation QA & integration testing Production assessment QAInspect WebInspect DevInspect Assessment Management Platform Continuous Updates

22August 11, 2008 Secure Your Outcome with the Application Security Center 22August 11, 2008 A Complete Application Lifecycle Solution Key benefits Find Security defects throughout the lifecycle Correct security defects early in application lifecycle and monitor applications in production Manage your online risk Verify compliance with government regulations Less exposure to application downtime and theft of online information Key capabilities Automatically finds and prioritizes security defects in a Web application Supports the latest AJAX and Web 2.0 Rich Internet Application technologies The only solution with Hybrid Analysis combining both static and dynamic analysis for the most accurate results possible Built-in Security Expertise combines daily updates of vulnerability checks with our unique intelligent engine technology Comprehensive defect information and remediation advice about each vulnerability Integrates with HP Quality Center

Q & A

Thank you!