mission critical applications
mission critical security

Application and Database Security Auditing, Vulnerability Assessment, and Compliance

AppSentry Product Overview

Integrigy Overview
Integrigy Corporation is a leader in application security for enterprise mission critical applications. AppSentry, our application and database security assessment tool, assists companies in securing their largest and most important applications through detailed security audits and actionable recommendations. Integrigy Consulting offers comprehensive security assessment services for leading ERP and CRM applications, enabling companies to leverage our in-depth knowledge of this significant threat to business operations.

Corporate Details
Founded December 2001
Privately Held
Based in Chicago, Illinois

Integrigy Background
Extensive experience with Oracle
Founded by former Big 6 consultants with significant experience on Oracle implementations in Fortune 500 companies
Founders recognized a major gap in all implementations: little or no security auditing done on projects
Integrigy has found more security bugs in Oracle Applications than anyone else inside or outside of Oracle

Both an ERP/CRM company and a security company
Products developed to support and enhance an ERP/CRM implementation
Integrigy understands the issues and risks challenging large ERP/CRM implementations
Integrigy bridges the gap between applications, databases, and security

Integrigy Security Alerts
(table of Integrigy security alerts; its three columns are listed one after another)

Security Alert
Critical Patch Update July 2008
Critical Patch Update April 2008
Critical Patch Update July 2007
Critical Patch Update October 2005
Critical Patch Update July 2005
Critical Patch Update April 2005
Critical Patch Update Jan 2005
Oracle Security Alert #68
Oracle Security Alert #67
Oracle Security Alert #56
Oracle Security Alert #55
Oracle Security Alert #53

Versions
Oracle 11g; 11.5.8, 12.0.x; 12.0.x, 11.5.7, 11.5.10; 12.0.x, 11.5.1, 11.5.10; 11.5.1, 11.5.10, 11.0.x; 11.5.1, 11.5.10, 11.0.x; 11.5.1, 11.5.10, 11.0.x; 11.5.1, 11.5.10, 11.0.x; Oracle 8i, 9i, 10g; 11.5.1, 11.5.8, 11.0.x; 11.5.1, 11.5.8, 11.0.x; 11.5.1, 11.5.8; 10.7, 11.0.x, 11.5.1, 11.5.8

Security Vulnerabilities
2 Issues in Oracle RDBMS Authentication
2 Oracle E-Business Suite vulnerabilities
8 vulnerabilities, SQL injection, XSS, information disclosure, etc.
11 vulnerabilities, SQL injection, XSS, information disclosure, etc.
Default configuration issues
SQL injection vulnerabilities
Information disclosure
SQL injection vulnerabilities
Information disclosure
SQL injection vulnerabilities
Buffer overflows
Listener information leakage
10 SQL injection vulnerabilities
Buffer overflow in FNDWRR.exe
Multiple vulnerabilities in AOL/J Setup Test
Obtain sensitive information (valid session)
No authentication in FNDFS program
Retrieve any file from O/S

Integrigy's Products
AppSentry
Security scanner for databases, application servers, and ERP packages
Performs advanced penetration testing and in-depth security and controls auditing
Performs over 300 audits and checks on Oracle products
Runs on any Windows PC and requires no software to be installed on the target servers

AppDefend
Application firewall and intrusion prevention system for ERP packages
Blocks common attacks like SQL injection, session hijacking, and cross-site scripting
Blocks access to unimplemented Oracle Applications modules
Runs as an Apache module and scans all incoming web requests

Manual Auditing Issues
Massive applications with many layers
Very time consuming to check everything: hundreds of items to check and analyze
Auditor's knowledge must be extensive and broad
Technical (security) and functional (control) auditing skills required

Audits are static and need to be performed routinely
Difficult and expensive to conduct a 2-week audit every year

Few tools exist to automate the audit process
Multiple tools required to automate the entire process
Tools are usually a conglomeration of SQL scripts and shell scripts

New exploits and vulnerabilities are discovered frequently in the operating system, web server, application server, database, and application
Difficult to keep an accurate inventory of new security issues

AppSentry Overview
Security Scanner for databases, application servers, and ERP/CRM Applications
Validates security of network, operating system, web server, database, and application
Modular design with distributed GUI and centralized server
Security checks written in XML and Java
Automatic program and security check updates
In-depth security and controls auditing
Advanced penetration testing
Scanning of open network ports for well-known and application-specific vulnerabilities
Validation of application and technology stack configuration by analyzing configuration files, logs, and file versions
Analysis of users and roles to isolate segregation of duty issues
Transaction auditing to detect possible fraud

Using AppSentry
Simple to use, task-oriented GUI
Comprehensive descriptions and solutions for identified vulnerabilities

AppSentry Users
IT Security, Internal Audit, Oracle DBAs, Oracle Project Team, IT, Oracle Project Team, Functional/Business Owner

AppSentry Automated Audit
Confidence
Audits all layers from operating system to application
Downloads updates before every scan

Breadth
Performs both security and control audits

Productivity
Simple to use
Automates auditing and reporting
Auditor can focus on more important tasks (e.g., process controls)
Fast: an audit can be accomplished in less than 1 hour

AppSentry Workflow
Quick and simple workflow
Policies and configurations are created once by the DBA, Security Officer, or Internal Audit
Scans can be executed by the DBA or Security Officer on a weekly or monthly basis

Workflow steps:
1. Create Policies (one time)
2. Create Configurations (one time)
3. Configure Session (policy and configuration)
4. Execute Scan
5. Repeat Scan
6. Run Reports
7. Resolve Issues

Third Party Integration
Security Management Systems and SNMP Management Systems
Result data sent to Security Management Systems (Event and Incident Consoles) or SNMP Management Systems
Supports Syslog, SNMP Trap, or ArcSight CEF

AppSentry Policy Editor
Policies can be defined for different scenarios such as HIPAA, a month-end scan, a level of security, or a checklist

Policy items are general security policy settings (e.g., minimum password length) and individual audit and check settings

Detailed information is provided for each policy item including best practices and references

AppSentry Policy Editor
Policy items can be tailored to a specific environment, security standard, or checklist. As an example, AppSentry allows any Oracle database system privilege to be checked. Other areas include access to standard packages, roles, etc.

Any Oracle database system privilege can be checked and return either AUDIT, HIGH, MEDIUM, or LOW results.
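As an added example (not AppSentry's own code), the following Python sketches how a system privilege check of this kind can be expressed with AUDIT/HIGH/MEDIUM/LOW results, and how a finding with the Summary, Details, Target and Risk fields can be exported as an ArcSight CEF line for the console integration described above. The sample DBA_SYS_PRIVS rows, the policy table, the vendor/product strings and the SYS_PRIV signature ID are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample rows in the shape of DBA_SYS_PRIVS (grantee, privilege,
# admin_option); a real scan would query them from the target database.
SAMPLE_SYS_PRIVS = [
    ("SYS", "ALTER SYSTEM", "YES"),
    ("APPS", "ALTER SYSTEM", "NO"),
    ("REPORTS", "SELECT ANY TABLE", "NO"),
    ("APPS", "CREATE SESSION", "NO"),
    ("HR_RO", "CREATE ANY PROCEDURE", "YES"),
]
# Hypothetical policy: result level for each checked privilege, plus the
# grantees expected to hold it (their grants are recorded as AUDIT only).
POLICY = {
    "ALTER SYSTEM": ("HIGH", {"SYS", "SYSTEM"}),
    "CREATE ANY PROCEDURE": ("HIGH", {"SYS", "SYSTEM"}),
    "SELECT ANY TABLE": ("MEDIUM", {"SYS", "SYSTEM"}),
    "CREATE SESSION": ("LOW", set()),
}
CEF_SEVERITY = {"AUDIT": 0, "LOW": 3, "MEDIUM": 6, "HIGH": 9}

@dataclass
class Finding:
    summary: str
    details: str
    target: str
    risk: str  # AUDIT, HIGH, MEDIUM or LOW

def check_sys_privs(rows, policy, target):
    # Evaluate each system privilege grant against the policy table.
    findings = []
    for grantee, priv, admin in rows:
        if priv not in policy:
            continue
        risk, expected = policy[priv]
        if grantee in expected:
            risk = "AUDIT"  # expected holder: keep for the audit trail only
        elif admin == "YES":
            risk = "HIGH"  # WITH ADMIN OPTION lets the grantee re-grant it
        findings.append(Finding(f"{priv} granted to {grantee}",
                                f"admin_option={admin}", target, risk))
    return findings

def to_cef(f, vendor="ExampleVendor", product="ExampleScanner", version="1.0"):
    # One CEF line: header fields escape '\' and '|', extension values '\' and '='.
    hdr = lambda s: s.replace("\\", "\\\\").replace("|", "\\|")
    ext = lambda s: s.replace("\\", "\\\\").replace("=", "\\=")
    header = "|".join(hdr(x) for x in ("CEF:0", vendor, product, version,
                                       "SYS_PRIV", f.summary, str(CEF_SEVERITY[f.risk])))
    return f"{header}|dvchost={ext(f.target)} msg={ext(f.details)} cs1Label=risk cs1={f.risk}"
```

The CEF line is what a syslog forwarder would hand to the event console; the policy table is where the per-privilege level and the expected holders would be tailored to a given environment.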

AppSentry Configuration Editor
Configurations are defined for different environments including Oracle Database, Oracle Application Server, and Oracle E-Business Suite

Complex configurations can be created to handle environments like RAC

Detailed information is included for each configuration setting

AppSentry Scan
Running a scan is as simple as choosing a configuration and policy and clicking start

Detailed information is presented on the current status of the scan, including the current check running, the timing of all executed checks, and any errors encountered during the scan

AppSentry Scan
Results are available in real time as the scan is running, in an easy-to-use tree navigator

Each result includes detailed information including Summary, Details, Target (host, database, application), Description, Solution, Risk, Type, and References

AppSentry Results
Results from all scans can be reviewed at any time.

Results can be browsed or reports run

Each scan includes a score based on a custom formula defined for each customer.

AppSentry Reporting
Reports are interactive and some allow drill-down into detailed information

Reports include charts and graphs, which are interactive and allow drill-down

Reports can be viewed, printed, or exported into multiple formats including Acrobat (PDF), Word, Excel, and HTML

AppSentry Architecture
(architecture diagram; component labels as shown)
AppSentry Client (Windows) - AES - AppSentry Server (Java)
AppSentry Server (Java): Test Manager, Knowledge Manager, NASL Engine (future), (OVAL) Engine (future), Update Manager, Alert Manager (future), Report Generator, CVE Information
Security Tests: Java; NASL (future); OVAL (future)
Scanning components (External and Internal): Port Scanner, SQL Engine, URL Grabber, File Scanner, TNS Inspector, Permission Scanner, Password Cracker, File Identifier (Web, Oracle, App)
Centralized Repository (local, Oracle, SQL Server, ...) via JDBC/ODBC
Output to Security, Compliance or SNMP Console via SysLog, SNMP, XML
Targets: Target DB Server, Target App Server, Target Application
AppSentry Deployment
(deployment diagram; component labels as shown)
Standard: Windows PC running AppSentry Client (Windows) with a local Centralized Repository
Distributed: Windows PCs running AppSentry Client (Windows); Java Server running AppSentry Server (Java); Database Server holding the Centralized Repository (Oracle, SQL Server, any JDBC/ODBC); Target Servers
Distributed deployments require support from Integrigy Consulting

Current AppSentry Modules
Oracle E-Business Suite: 11i (11.5.1 - 11.5.10 CU2), R12 (12.0, 12.1)
Oracle Database: 8i (8.1.7), 9i (9.0.1, 9.2.0), 10g (10.1, 10.2), 11g (11.1, 11.2)
Oracle Application Server: 9iAS (1.0.2, 9.0.2, 9.0.3), 10g (9.0.4, 10.1), 11g (11.1)
Microsoft SQL Server: 2000, 2005, 2008

AppSentry Modules in Development
Database/Web Server/Application - Estimated Release Date
Oracle PeopleSoft - Q4 2010
SAP - Q1 2011
Oracle Collaboration Suite - Q1 2011
Oracle Clinical - Q1 2011
Oracle Retail - Q2 2011
Oracle Siebel - Q2 2011
IBM DB2 - Q1 2011
Sybase - Q1 2011
Apache and MySQL (AppSentry Open Source Edition) - Q3 2011
Oracle WebLogic - Q4 2010

Integrigy Contact Information

Integrigy Corporation
P.O. Box 81545
Chicago, Illinois 60681
888/542-4802

Web site: www.integrigy.com
Sales: sales@integrigy.com
Development: development@integrigy.com
Support: support@integrigy.com
Security Alerts: alerts@integrigy.com

Copyright 2010 Integrigy Corporation. All rights reserved.
