Application and Database Security Auditing, Vulnerability Assessment, and Compliance
AppSentry Product Overview

Integrigy Overview

Integrigy Corporation is a leader in application security for enterprise mission-critical applications. AppSentry, our application and database security assessment tool, assists companies in securing their largest and most important applications through detailed security audits and actionable recommendations. Integrigy Consulting offers comprehensive security assessment services for leading ERP and CRM applications, enabling companies to leverage our in-depth knowledge of this significant threat to business operations.

Corporate Details
- Founded December 2001
- Privately Held
- Based in Chicago, Illinois
Integrigy Background

Extensive experience with Oracle
- Founded by former Big 6 consultants with significant experience on Oracle implementations in Fortune 500 companies
- Founders recognized a major gap in all implementations: little or no security auditing done on projects
- Integrigy has found more security bugs in Oracle Applications than anyone else inside or outside of Oracle

Both an ERP/CRM company and a security company
- Products developed to support and enhance an ERP/CRM implementation
- Integrigy understands the issues and risks challenging large ERP/CRM implementations
- Integrigy bridges the gap between applications, databases, and security
Integrigy Security Alerts

Security Alert                      | Security Vulnerabilities
Critical Patch Update July 2008     | 2 issues in Oracle RDBMS authentication
Critical Patch Update April 2008    | 2 Oracle E-Business Suite vulnerabilities
Critical Patch Update July 2007     | 8 vulnerabilities: SQL injection, XSS, information disclosure, etc.
Critical Patch Update October 2005  | 11 vulnerabilities: SQL injection, XSS, information disclosure, etc.
Critical Patch Update July 2005     | Default configuration issues
Critical Patch Update April 2005    | SQL injection vulnerabilities; information disclosure
Critical Patch Update Jan 2005      | SQL injection vulnerabilities; information disclosure
Oracle Security Alert #68           | SQL injection vulnerabilities; buffer overflows; listener information leakage
Oracle Security Alert #67           | 10 SQL injection vulnerabilities
Oracle Security Alert #56           | Buffer overflow in FNDWRR.exe
Oracle Security Alert #55           | Multiple vulnerabilities in AOL/J Setup Test; obtain sensitive information (valid session)
Oracle Security Alert #53           | No authentication in FNDFS program; retrieve any file from O/S

Versions (affected versions as listed in the slide's Versions column): Oracle 11g; 11.5.8; 12.0.x; 12.0.x; 11.5.7; 11.5.10; 12.0.x; 11.5.1; 11.5.10; 11.5.1; 11.5.10; 11.0.x; 11.5.1; 11.5.10; 11.0.x; 11.5.1; 11.5.10; 11.0.x; 11.5.1; 11.5.10; 11.0.x; Oracle 8i, 9i, 10g; 11.5.1; 11.5.8; 11.0.x; 11.5.1; 11.5.8; 11.0.x; 11.5.1; 11.5.8; 10.7, 11.0.x; 11.5.1; 11.5.8
Integrigy's Products
AppSentry
AppDefend
Manual Auditing Issues

Massive applications with many layers
- Very time consuming to check everything: hundreds of items to check and analyze
- Auditor's knowledge must be extensive and broad
- Technical (security) and functional (control) auditing skills required

Audits are static and need to be performed routinely
- Difficult and expensive to conduct a 2-week audit every year

Few tools exist to automate the audit process
- Multiple tools required to automate the entire process
- Tools are usually a conglomeration of SQL scripts and shell scripts

New exploits and vulnerabilities are discovered frequently in the operating system, web server, application server, database, and application
- Difficult to keep an accurate inventory of new security issues
AppSentry Overview

Security Scanner for databases, application servers, and ERP/CRM Applications
- Validates security of network, operating system, web server, database, and application
- Modular design with distributed GUI and centralized server
- Security checks written in XML and Java
- Automatic program and security check updates
- In-depth security and controls auditing
- Advanced penetration testing
- Scanning of open network ports for well-known and application-specific vulnerabilities
- Validation of application and technology stack configuration by analyzing configuration files, logs, and file versions
- Analysis of users and roles to isolate segregation-of-duty issues
- Transaction auditing to detect possible fraud

Using AppSentry
- Simple to use: task-oriented GUI
- Comprehensive descriptions and solutions for identified vulnerabilities

AppSentry Users
- IT Security
- Internal Audit
- Oracle DBAs
- Oracle Project Team
- IT
- Functional/Business Owner
AppSentry Automated Audit

Confidence
- Audits all layers from operating system to application
- Downloads updates before every scan

Breadth
- Performs both security and control audits

Productivity
- Simple to use
- Automates auditing and reporting
- Auditor can focus on more important tasks (e.g., process controls)
- Fast: audit can be accomplished in less than 1 hour
AppSentry Workflow

Quick and simple workflow
- Policies and configurations are created once by DBA, Security Officer, or Internal Audit
- Scans can be executed by DBA or Security Officer on a weekly or monthly basis

Workflow steps:
1. Create Policies (one time)
2. Create Configurations (one time)
3. Configure Session (policy and configuration)
4. Execute Scan
5. Run Reports
6. Resolve Issues
7. Repeat Scan
Third-Party Integration

Security Management Systems and SNMP Management Systems
- Result data sent to Security Management Systems (Event and Incident Consoles) or SNMP Management Systems
- Supports Syslog, SNMP Trap, or ArcSight CEF
AppSentry Policy Editor

Policies can be defined for different scenarios such as HIPAA, month-end scan, a level of security, or a checklist.

Policy items can be tailored to a specific environment, security standard, or checklist. As an example, AppSentry allows any Oracle database system privilege to be checked. Other areas include access to standard packages, roles, etc.
AppSentry Configuration Editor

Configurations are defined for different environments including Oracle Database, Oracle Application Server, and Oracle E-Business Suite.
AppSentry Scan

Running a scan is as simple as choosing a configuration and policy and clicking start.

Results are available in real time as the scan is running in an easy-to-use tree navigator.
AppSentry Results

Results from all scans can be reviewed at any time. Results can be browsed or reports run.

AppSentry Reporting

Reports are interactive and some allow drill-down into detailed information.
AppSentry Architecture

(Architecture diagram; components as labelled on the slide)
- AppSentry Client (Windows) -- AES -- AppSentry Server (Java)
- AppSentry Server components: Test Manager, Knowledge Manager, Report Generator, Update Manager, Alert Manager (future), CVE Information
- Security test engines: Security Test (Java); NASL Engine with Security Test (NASL) (future); OVAL Engine with Security Test (OVAL) (future)
- Scanner components: Port Scanner, SQL Engine, URL Grabber, File Scanner, TNS Inspector, Permission Scanner, File Identifier
- Connectivity: ODBC, JDBC, External, Internal
- Centralized Repository (local, Oracle, SQL Server, ...)
- Targets: Target DB Server, Target Application
AppSentry Deployment

Standard
- Windows PC running AppSentry Client (Windows) with a Centralized Repository (local)

Distributed
- Windows PC running AppSentry Client (Windows)
- AppSentry Server (Java)
- Target Servers

Distributed deployments require support from Integrigy Consulting.
Current AppSentry Modules

Oracle E-Business Suite | Oracle Database      | Oracle Application Server    | Microsoft SQL Server
11i (11.5.1 - 11.5.10 CU2) | 8i (8.1.7)        | 9iAS (1.0.2, 9.0.2, 9.0.3)   | 2000
R12 (12.0, 12.1)        | 9i (9.0.1, 9.2.0)    | 10g (9.0.4, 10.1)            | 2005
                        | 10g (10.1, 10.2)     | 11g (11.1)                   | 2008
                        | 11g (11.1, 11.2)     |                              |
AppSentry Modules in Development

Database / Web Server / Application               | Estimated Release Date
Oracle PeopleSoft                                 | Q4 2010
SAP                                               | Q1 2011
Oracle Collaboration Suite                        | Q1 2011
Oracle Clinical                                   | Q1 2011
Oracle Retail                                     | Q2 2011
Oracle Siebel                                     | Q2 2011
IBM DB2                                           | Q1 2011
Sybase                                            | Q1 2011
Apache and MySQL (AppSentry Open Source Edition)  | Q3 2011
Oracle WebLogic                                   | Q4 2010
Integrigy Contact Information

Copyright 2010 Integrigy Corporation. All rights reserved.