© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Application Security and Testing.


1 Application Security and Testing
  Test Management Summit

2 Application Security - Who Cares?
  TSE managing director Tomio Amano blamed the glitch on a software upgrade for processing data from securities companies which was introduced in October
  From The Times, December 3, 2007
    Secrets of Shell and Rolls-Royce come under attack from China's spies
    James Rossiter
    Rolls-Royce and Royal Dutch Shell have fallen victim to Chinese espionage attacks, The Times has learnt. Sustained spying assaults on Britain's largest engineering company and on the world's second-biggest oil multinational occurred earlier this year as part of a campaign to obtain confidential commercial information, sources said
  40M credit cards hacked
    Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
    June 20, 2005: 3:18 PM EDT
    By Jeanne Sahadi, CNN/Money senior writer
  10.15 – 10.25 10m 2 of 9

3 HP Confidential 11 January 2014
  Application Security is the weakness of Security

4 Web Application Vulnerabilities on the Rise
  Web is easiest entry point
    Networks are secure.
    Hackers know Web applications are not.
  Organizations under pressure
    More Web applications
    More regulatory requirements
    More customer & partner demands
    More pressure from shareholders
  Chart: Growth of Web Application Vulnerabilities
  Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database.

5 What are organizations doing about these threats?
  Leading organizations secure the lifecycle
  92% of security defects exist in the application
  Save $$ by fixing security defects before they get to production
  Chart (phases: Design, Development, Testing, Deployment; values: 1X, 6.5X, 15X, 100X)

6 Challenge of Building a Scalable Security Program

7 Tools available today to support application security quality issues
  Source code analysis
    Static review of application vulnerabilities at the code phase
    Find and fix
  Security testing tools
    Functional validation of security requirements
    Some integrated with test management solutions
    Remedial updates to cover new threats
  Post deployment security
    Penetration testing as an ongoing preventative measure
    Regular updates and re-test imperative

8 Points to consider
  Where does security fit in to the application lifecycle?
  What is your security policy? How do you consider it when approaching software quality?
  Should quality be considered only at the testing stage? What about pre and post testing?
  Internal vs external security: where are the vulnerabilities in your org? People? Applications? Data?
  Is there enough awareness of this issue within your org?
  Application vulnerabilities account for 75% of all issues

9 Open to the floor
  Security testing experiences
  What works well
    Why?
  Challenges
    How can they be overcome?
  Who is responsible?
  Does it have to become front line news before it is taken seriously?
