Rolling Out an Effective Application Security Training Program


TRAINING & AWARENESS ORIENTATION FOR SECURE AND RESILIENT SOFTWARE DEVELOPMENT
187 Ballardvale Street, Wilmington, MA

Table of Contents

Overview
The Three Pillars of Secure Software Development
Context is Key
Principles for Software Security Education
Getting People's Attention
Putting the Pieces into Place
Strategies for Rolling out Training
You are not alone!
Summary
References

OVERVIEW

Today's development teams are encouraged to create software applications quickly and at acceptable cost. However, the traditional education that prepares them for new technologies, development languages, and infrastructures does not arm them with the defensive skills they need to meet the demands of organizations that require secure applications. While it would be ideal if those involved in specifying, developing, and testing applications arrived already prepared to meet security mandates, it often falls upon employers to fill the knowledge gaps in teams that are able to create quality software but not necessarily secure, resilient software.

THE THREE PILLARS OF SECURE SOFTWARE DEVELOPMENT

Software security can only be achieved once three elements are in place and operating effectively: Standards, Education, and Assessment, as shown in the figure to the left. All three feed into one another to create an ecosystem of repeatable, secure software development. Education is the middle pillar of a secure SDLC for a very good reason: Education Provides Context.

Standards are needed to document security requirements on development projects, define the process for how you develop secure software, and define the technical details for secure design and implementation during development.

Education provides the knowledge necessary so that your team can successfully comply with the security requirements and standards in the development process. Education may include computer-based training, instructor-led training, or a hybrid combination of both. Education ensures standards are being implemented correctly.

Assessments are how you measure your applications and process to provide feedback to the team. SDLC analysis, penetration testing, code review, design review, and automated scanning are all examples of assessments. Not only will you get feedback you can use for immediate vulnerability remediation, you can also use root cause analysis to create a cycle of continuous improvement in your Standards and Education pillars.

CONTEXT IS KEY

Without proper context, mandates for secure applications won't be communicated effectively to those who need to know. It's of little use to run around shouting that applications are vulnerable to Cross-Site Scripting, SQL Injection, Buffer Overruns, and so forth if the people you're screaming at have little clue as to what they're hearing and lack the knowledge to do something about it. To this end, while prevention is always better than cure, programmers typically learn that their applications are insecure long after they've released them to production, and to the malicious users with the means to exploit them.

While Secure Software Development is only one of the topics within an overall Information Security Training Program, varied levels of awareness and training are needed to reach the various stakeholders within the SDLC. An effective program uses a layering approach that builds on foundational concepts that are relevant and timely for each role in each phase.

PRINCIPLES FOR SOFTWARE SECURITY EDUCATION

The following are basic principles for consideration when setting up and maintaining an Education Program:

Executive Management sets the mandate. When aligned with management mandates for secure application development that are widely communicated, you're given the appropriate license to drive a program from inception forward to continuous improvement. Software security programs that start out as a grassroots initiative typically fail to catch fire across the organization. You'll need this executive support for establishing a program, acquiring an adequate budget and staff, and keeping the program going in the face of setbacks or delays.

Awareness and Training must be rooted in company goals, policies, and standards for software security. Establishing, then using, documented organizational goals, policies, and controls for secure development as the basis for a training program creates a strong connection to developer actions that lead to compliance and Defense in Depth brought to life.

Learning media must be flexible and tailored to the specific roles within your SDLC. Not everyone can attend an in-person instructor-led course, so alternatives should be provided, such as Computer-Based Training, recorded live presentations, and so forth. Some of the alternatives at your disposal include:

  o Instructor-Led Training (ILT): Typically hands-on and lab-based; ideal for very technical or specialized and customized topics. ILT courses are often leveraged for the advanced development team members, or to generate more buy-in through a sense of team building.
  o Computer-Based Training (CBT): One of the fastest ways to get basic and foundational skills to many people quickly; it also provides an ability to assess and track knowledge.
  o Virtual Instructor-Led Training (VILT): Allows for some level of customization, can be conducted remotely, and is perfect for "refresher" training on courses/topics already taught.
  o Persistent Reference Materials (Learning at the Time of Need): Tools here are often built into, or readily available from, the development environment a developer is already working in. These tools offer knowledge at your fingertips with just-in-time reference material for solving specific issues with specific languages and computing environments.

Learning should happen as close as possible to the point where it's needed. A long course that covers a laundry list of problems and solutions won't be useful when a specific issue crops up and the learner can't readily access whatever was mentioned related to the issue. Here is where Persistent Reference tools go a long way.

Learning and practicing go hand-in-hand. The more people personally experience the "how to" of learning new skills, the better the questions they ask, and the quicker the knowledge becomes a regular practice.

Use examples from your own environment. The best examples of security problems come from your own applications. When people see issues with code and systems they're already working on or familiar with, the consequences of exploiting vulnerabilities hit close to home and become more real and less theoretical. Furthermore, demonstrating where these examples stray from internal standards for secure software helps people make the connection between what they should be doing vs. what they've been doing.

Add Learning Milestones into your training and education program. People are less motivated to learn and retain discrete topics and information if learning is treated as a check-box activity. People want milestones in their training efforts that show progress and help them gain recognition. As you prepare a learning curriculum for various team roles, build in a way to recognize people as they successfully advance through the courses, and make sure everyone knows about it.

Make your program company-culture relevant. Find an icon or well-known symbol in your organization that resonates with employees; then incorporate it in your program or build your program around it.

BOLO (Be On the Look Out). Be on the lookout for people who participate in your awareness and training program who seem more enthusiastic or engaged than others. These people are candidates for becoming Internal Application Security Champions. People love thought leaders, especially when they're local, and you can harness their enthusiasm and interest to help advance your program.

Keeping track of program maturity keeps people striving for improvements. There are a number of approaches to measuring the maturity of your software security program: the Application Security Maturity Model (ASM) [i], the Building Security In Maturity Model (BSIMM) [ii], the Software Assurance Maturity Model (OpenSAMM) [iii], and others. It makes no difference which model you use provided you use it consistently. Some organizations have discovered ways of using these models to compare internal software development organizations, and use them as a yardstick for some friendly competition and goal setting.

GETTING PEOPLE'S ATTENTION

Let's face it, application security is often the proverbial elephant in the room: a relatively new, complex, and less understood discipline of Information Security. This makes it more difficult to bring it to the level of visibility it requires. Additionally, apathy is rampant, as many prior attempts at software security awareness either failed or caused people's eyes to glaze over, making it even more challenging to address an issue that ultimately only people can resolve.

Peter Sandman, a well-known professional who operates a Risk Communication practice, has identified a strategy for communication that's most appropriate for software security awareness as well as other issues where apathy reigns but the hazards are serious (e.g. radon poisoning, employee safety, etc.). The strategy, called Precaution Advocacy, is geared to motivating people by overcoming boredom with the topic [iv]. Precaution Advocacy is used in high-hazard, low-outrage situations in Sandman's Outrage Management Model. The advocacy approach arouses some healthy outrage and channels this attention into mobilizing people to take precautions or demand precautions.

Precaution Advocacy suggests four ways of getting people to listen, then learn:

1. Learning without involvement. The average television viewer pays little attention to the commercials, but nevertheless knows dozens of advertising jingles by heart. Repetition is the key here. Posters, closed-circuit TV segments, mouse pads, elevator wraps, etc. are all useful examples.

2. Make your campaign interesting and entertaining. If you can arouse people's interest or entertain them, you'll get their attention and eventually you won't need so much repetition. Successful awareness efforts impart interesting or entertaining messages often and liberally.

3. Need to know. A primary motivator to learning is curiosity; it's easier to deliver information to people who are actively seeking it. Sandman advises creators of awareness programs to focus less on delivering the information and more on motivating their audience to want to receive it. The more people understand that insecure software is a software engineering, human-based problem (not a network security problem), the more they'll want to learn how best to prevent these problems. Making software security a personal issue for those who can effect improvements, then giving them the tools and skills to leverage, will make them more valuable team members and lead to more secure software applications.

4. Ammunition. Psychologist Leon Festinger's Theory of Cognitive Dissonance argues that a great deal of learning is motivated by the search for ammunition to reduce the discomfort that people feel when they have done something or decided something they're not confident is wise [v]. If others already believe that software security is a hazardous community-wide issue, with no cognitive dissonance, they won't need to pay so much attention to the arguments for doing it.

Overcoming cognitive dissonance is a vital step early in your awareness program, so that people can experience your information as supportive of their new behavior rather than as hostile to their old behavior. The intent is not to frighten people or lead them to believe the sky is falling, but to motivate people into changing their behavior in positive ways that improve software security and contribute to the organization's goals. As your program progresses, metrics can show how improvements in one area lead to benefits in other areas: simpler and less frequent bug fixing, reduced time costs from reusable components shared within the development community, a higher percentage of time spent on feature development, etc.

PUTTING THE PIECES INTO PLACE

Beginning with an awareness campaign that's culturally sensitive, interesting, entertaining, memorable, and engaging gives you the head start you need to effect positive changes. Awareness needs to reach everyone who touches software development in your organization, from requirements analysts to post-production support personnel to Information Risk and Security teams. As you run your campaign, be sure to keep the material fresh and in step with what's going on inside your organization. Provide employees with the information they need to engage in the follow-on steps of training and education, and make those steps easy to complete.

People will naturally fall into specific roles, and each role has specific needs for specific information. For example:

- Architects and Leads
  o Secure code starts with secure requirements and design; an insecure design can compromise even well-written code
  o Security is required through all phases of the process
  o Consider threat modeling and code review processes

- Developers
  o Match training to level of awareness, technologies, and platforms used
  o Writing secure code doesn't take any longer than writing insecure code; you just need to know which one to write
  o Most vulnerabilities are the result of the same coding error being made repeatedly. Learn to do it right the first time and you can save yourself and your testers a lot of work

- Testers
  o Reinforce that they are the last line of defense to verify the security of the end product
  o Testers can vary in capability from developer level to data input; try to get them motivated to learn more about coding so they can provide more helpful vulnerability feedback to developers

- Information Security Personnel
  o They know security; they don't necessarily know about application development
  o Focus on language normalization: many confuse standards and best practices with actual implementation know-how

- Management
  o Project and program management, line management, and upper management
  o Need to understand the risks so they release the budgets to address them
  o The best way to demonstrate risk is to show actual vulnerabilities in your applications and the potential business impact should they be exploited

Training programs should be tailored for each role and built around existing skill levels and the platforms/technologies being used. Bundles of courses can be assembled to address baseline and advanced education. For example:

CSO Perspective: Prof. Dr. Sachar Paulus

Security is a people business because technology is ultimately built, configured, used, and operated by humans who can either be the strongest or weakest link. The plethora of technology platforms and user roles that create and depend on those platforms mandates education that is tailored to each environment. This is particularly germane in secure software development, an area that relies heavily on human participation and where automated tools are limited in their ability to create secure software, especially during the earlier development phases where vulnerabilities are the most costly to fix.

While I was serving as CSO of SAP, our AppSec training program was successful because it was tied into SAP's overall security goals and had the support of executive management. Each member of our software development teams had to possess and maintain the skills needed to implement their security activities properly:

  o Architects needed to be able to create a secure architecture that served as a blueprint for the developers
  o Developers needed to understand how to apply security best practices to avoid vulnerabilities in the first place, and how to fix those that slip through
  o Testers needed to understand vulnerability classes and attack techniques as part of their normal testing program so they could provide input and feedback on security problems as they are found

Ensuring that your teams have the specialized skills to do their job correctly is a required step toward maturity as an organization. This is why, with some esteemed colleagues, I founded the non-profit ISSECO (International Secure Software Engineering Council), which seeks to standardize the education and skills certification for secure software development.
STRATEGIES FOR ROLLING OUT TRAINING

Following are a few suggested approaches for rolling out your training program:

- All stakeholders get trained on application security awareness
  o Broadly deploy training level by level
- Core training plus security specialists
  o Specialists by functional groups or projects
- Base training plus candidates for Software Security Champions or Evangelists
  o Less training for all, but a few go-to people embedded in groups or projects
  o Multi-level support for developers with base training
- Start slow
  o Roll out to a test group or organization
  o Mix and match models and test
- Consider risk-ranking your applications and rolling out more in-depth training for high-risk applications

Selecting one of these, or a hybrid of strategies, will depend on several factors that are specific to your organization: geographical diversity of your teams, separation or concentration of the groups who are responsible for mission-critical applications, existing infrastructures for educating employees, number of people available to conduct training, etc.

YOU ARE NOT ALONE!

While it would be daunting to build and operate a secure development program from scratch, the good news is that you don't have to, and there's a wealth of resources at your disposal. Every organization is unique and needs its own customized approach to assure effectiveness and success. Companies like Security Innovation can work with you to adapt our learning materials and expertise to your environment in the way you need them to work.

Checklist for Establishing a Software Security Awareness and Education Program

Requirements for Program Success:
- Executive Management establishes the mandate for software security and budgets the time, expense, and delegation of authority to improve software security
- Goals, policies, standards, and controls are in place for software security throughout the SDLC
- Learning media is geared to your audience based on their availability, geographic dispersion, access to materials (intranet-based vs. Internet-based), language considerations, and sensitivity to the time zones where personnel are located
- Reference tools are readily available to developers and are usable for just-in-time access for solving specific software security issues
- Examples of high-quality and secure source code are available to show developers what needs to be accomplished and why
- Code examples come from familiar internal sources
- Courses are stratified by well-defined roles in the SDLC and cover topics specific to the development languages and computing platforms you are using
- Progress through courses and completion of course bundles include reward and recognition steps that further motivate learners
- A metrics program has been established to show trends over time and help to identify components that are working as planned vs. those that need intervention or changes
- Program maturity is measurable and is used consistently

SUMMARY

Secure Software Development can be a difficult problem to get your hands around and solve. Awareness and Education are vital for success and require a many-hats approach that includes psychology, creativity, engaging materials, formal structures for learners to navigate, and a solid rooting in how people learn and apply new skills in their jobs. With sufficient time, budget, and executive support in place, you're on the way to building the best program possible. Once in place, you'll marvel at how the success feeds upon itself and starts showing up as measured improvements you're proud to see!

HOW SECURITY INNOVATION CAN HELP

Security Innovation's solutions are built upon 15 years of application security experience and research. Organizations rely on our training, standards, and assessment solutions to ensure their software applications are secure and in compliance.

- TeamProfessor eLearning: the industry's largest library of application security courses (65+), covering each phase of software development, all application types (cloud, web, embedded, mobile, database), popular technologies (Java, C/C++, .NET, PHP, C#, and JRE), and industry standards/guidelines (OWASP, PCI-DSS, Microsoft SDL, etc.)
- TeamMentor Security Process Framework: an extensive collection of SDLC best practices that align development activities with corporate security policies and compliance requirements. It is a persistent knowledge asset that includes dedicated, prescriptive guidance views for PCI-DSS, OWASP, mobile, and security engineering, and is an excellent complement to any training initiative.
- SDLC Compliance gap analysis and optimization: helps map application security practices to compliance and governance requirements. This service includes a complete analysis of people, processes, and technology and delivers an actionable roadmap that includes recommendations for filling the gaps with the proper use of the right tools, training, and customized policies.
- Managed Application Security Testing (MAST): for organizations that have hundreds or thousands of applications to secure. MAST provides a multi-tiered testing solution that calibrates the depth of testing and vulnerability analysis to the level of application criticality.
- Application assessment services: threat modeling, code reviews, and application penetration testing on a single application or across an entire portfolio of software applications.
- High-performance encryption software: to ensure secure, efficient communications.

LEARN MORE

Please visit Security at

EVALUATE OUR TRAINING PRODUCTS

Please contact us at x1 or getsecure@securityinnovation.com, or fill out the online form.

REFERENCES

i.
ii.
iii.
iv. Sandman, Peter. Motivating Attention: Why People Learn about Risk or Anything Else. Retrieved from Nov 23,
v. McLeod, S. A. (2008). Cognitive Dissonance Theory. Simply Psychology. Retrieved from Nov 24, 20


More information

Cybersecurity: A View from the Boardroom

Cybersecurity: A View from the Boardroom An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief

More information

Creating a Training Program and Learning Culture in Your Organization

Creating a Training Program and Learning Culture in Your Organization Creating a Training Program and Learning Culture in Your Organization Common Roadblocks: 1. No manager support/accountability Use it or lose it We often forget this building block for all training and

More information

IBM Rational AppScan: Application security and risk management

IBM Rational AppScan: Application security and risk management IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM

More information

Training Programs for Enterprise-Wide Change

Training Programs for Enterprise-Wide Change Training Programs for Enterprise-Wide Change Top Five Requirements for Programs that Deliver Prepared by VisionCor, Inc. 1 Contents Summary... 3 Before We Get Started... 3 Program Principles... 4 Business

More information

The AppSec How-To: Achieving Security in DevOps

The AppSec How-To: Achieving Security in DevOps The AppSec How-To: Achieving Security in DevOps How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be

More information

Effective Software Security Management

Effective Software Security Management Effective Software Security Management choosing the right drivers for applying application security Author: Dharmesh M Mehta dharmeshmm@mastek.com / dharmeshmm@owasp.org Table of Contents Abstract... 1

More information

LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright 2015. Security Compass. 1

LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3. Copyright 2015. Security Compass. 1 LEARNING CURRICULUM SECURITY COMPASS TRAINING 2015 Q3 Copyright 2015. Security Compass. 1 CONTENTS WHY SECURITY COMPASS...3 RECOMMENDED LEARNING PATHs...4 TECHNICAL LEARNING PATHS...4 BUSINESS / SUPPORT

More information

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper

Integrating Application Security into the Mobile Software Development Lifecycle. WhiteHat Security Paper Integrating Application Security into the Mobile Software Development Lifecycle WhiteHat Security Paper Keeping pace with the growth of mobile According to the November 2015 edition of the Ericsson Mobility

More information

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global

More information

HOW TO USE THE DGI DATA GOVERNANCE FRAMEWORK TO CONFIGURE YOUR PROGRAM

HOW TO USE THE DGI DATA GOVERNANCE FRAMEWORK TO CONFIGURE YOUR PROGRAM HOW TO USE THE DGI DATA GOVERNANCE FRAMEWORK TO CONFIGURE YOUR PROGRAM Prepared by Gwen Thomas of the Data Governance Institute Contents Why Data Governance?... 3 Why the DGI Data Governance Framework

More information

Achieving Business Analysis Excellence

Achieving Business Analysis Excellence RG Perspective Achieving Business Analysis Excellence Turning Business Analysts into Key Contributors by Building a Center of Excellence 11 Canal Center Plaza Alexandria, VA 22314 HQ 703-548-7006 Fax 703-684-5189

More information

The New Value of Change Management: Success at Microsoft

The New Value of Change Management: Success at Microsoft The New Value of Change Management: Success at Microsoft by Molly Cooper, Microsoft IT Page 1 of 8 Summary Microsoft recently completed a significant IT transformation effort by replacing the existing

More information

How to Secure Your SharePoint Deployment

How to Secure Your SharePoint Deployment WHITE PAPER How to Secure Your SharePoint Deployment Some of the sites in your enterprise probably contain content that should not be available to all users [some] information should be accessible only

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

When companies purchase an integrated learning

When companies purchase an integrated learning Feature 2. Project team members are required to perform their regular responsibilities in addition to committing their time to the implementation. Organizations can overcome these challenges if they find

More information

At Your Service: Your Roadmap to Support from SAS

At Your Service: Your Roadmap to Support from SAS Introduction At Your Service: Your Roadmap to Support from SAS Kathy Council, Vice President, SAS Publications Division I ve had the good fortune to do a fair bit of travel; from small seaside resort towns,

More information

112 BSIMM Activities at a Glance

112 BSIMM Activities at a Glance 112 BSIMM Activities at a Glance (Red indicates most observed BSIMM activity in that practice) 6 Level 1 Activities Governance Strategy & Metrics (SM) Publish process (roles, responsibilities, plan), evolve

More information

Rethinking Your Finance Functions

Rethinking Your Finance Functions Rethinking Your Finance Functions Budgeting, Planning & Technology BDO Canada Daniel Caringi ( dcaringi@bdo.ca ) September 25th, 2014 A journey of a thousand miles must begin with a single step. - Lao

More information

Testing in a Mobile World

Testing in a Mobile World White Paper Testing in a Mobile World April 2014 Share this White Paper Contents Introduction 3 1. Testing in agile projects 4 2. Testing tools 6 3. Testing practices 10 4. Testing as a service 14 Conclusion

More information

SAP Security Recommendations December 2011. Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.

SAP Security Recommendations December 2011. Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1. SAP Security Recommendations December 2011 Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.0 Secure Software Development at SAP Table of Contents 4

More information

15 Principles of Project Management Success

15 Principles of Project Management Success 15 Principles of Project Management Success Project management knowledge, tools and processes are not enough to make your project succeed. You need to get away from your desk and get your hands dirty.

More information

AN APPLICATION-CENTRIC APPROACH TO DATA CENTER MIGRATION

AN APPLICATION-CENTRIC APPROACH TO DATA CENTER MIGRATION AN APPLICATION-CENTRIC APPROACH TO DATA CENTER MIGRATION Five key success factors Whether the decision to relocate or consolidate a data center is driven by cost pressure or the need for greater IT efficiency,

More information

Social Media and Content Marketing.

Social Media and Content Marketing. Social Media and Content Marketing. A Guide for B2B Marketing Managers. On the Internet, marketing trends come and go faster than ever. Do you remember frames, flash intros, and even visitor counters?

More information

How to Build an All-Star App & Desktop Virtualization Team. Giving the right skills to the right people

How to Build an All-Star App & Desktop Virtualization Team. Giving the right skills to the right people How to Build an All-Star App & Desktop Virtualization Team Giving the right skills to the right people It s all about the team. You re mobilizing your organization by going from physical desktops to virtual

More information

How to Justify Your Security Assessment Budget

How to Justify Your Security Assessment Budget 2BWhite Paper How to Justify Your Security Assessment Budget Building a Business Case For Penetration Testing WHITE PAPER Introduction Penetration testing has been established as a standard security practice

More information

Aligning Application Security and Compliance

Aligning Application Security and Compliance Aligning Application Security and Compliance A Security Innovation Whitepaper 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 2 Table of Contents Application Security: The Next Frontier of

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

Microsoft Dynamics CRM Training Guide

Microsoft Dynamics CRM Training Guide Microsoft Dynamics CRM Training Guide A Curriculum Guide for CRM Enthusiasts Based on The CRM Field Guide Prepared By Jerry Weinstock, Microsoft Dynamics CRM MVP Co-author The CRM Field Guide Contents

More information

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY

More information

A Strategic Approach to Web Application Security

A Strategic Approach to Web Application Security WhiteHat Security White Paper A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle Jerry Hoff WhiteHat Security The problem: websites are

More information

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007

Agile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007 Agile and Secure Can We Be Both? Chicago OWASP June 20 th, 2007 The Agile Practitioner s Dilemma Agile Forces: Be more responsive to business concerns Increase the frequency of stable releases Decrease

More information

Secure Development LifeCycles (SDLC)

Secure Development LifeCycles (SDLC) www.pwc.com Feb 2014 Secure Development LifeCycles (SDLC) Bart De Win Bart De Win? 15+ years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific

More information

AN APPLICATION-CENTRIC APPROACH TO DATA CENTER MIGRATION

AN APPLICATION-CENTRIC APPROACH TO DATA CENTER MIGRATION AN APPLICATION-CENTRIC APPROACH TO DATA CENTER MIGRATION Five key success factors IT organizations today are under constant business pressure to transform their infrastructure to reduce costs, increase

More information

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited

Excellence Doesn t Need a Certificate. Be an. Believe in You. 2014 AMIGOSEC Consulting Private Limited Excellence Doesn t Need a Certificate Be an 2014 AMIGOSEC Consulting Private Limited Believe in You Introduction In this age of emerging technologies where IT plays a crucial role in enabling and running

More information

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

Security-as-a-Service (Sec-aaS) Framework. Service Introduction Security-as-a-Service (Sec-aaS) Framework Service Introduction Need of Information Security Program In current high-tech environment, we are getting more dependent on information systems. This dependency

More information

Secure Code Development

Secure Code Development ISACA South Florida 7th Annual WOW! Event Copyright Elevate Consult LLC. All Rights Reserved 1 Agenda i. Background ii. iii. iv. Building a Business Case for Secure Coding Top-Down Approach to Develop

More information

Matt Bartoldus matt@gdssecurity.com

Matt Bartoldus matt@gdssecurity.com Matt Bartoldus matt@gdssecurity.com Security in the SDLC: It Doesn t Have To Be Painful 2010 Gotham Digital Science, Ltd Introduction o Me o Who Are You? Assessment (Penetration Tester; Security Auditors)

More information

Application Security in the Software Development Life Cycle (SDLC) White Paper

Application Security in the Software Development Life Cycle (SDLC) White Paper Application Security in the Software Development Life Cycle (SDLC) White Paper Table of Contents Executive Summary... 3 The Rush to Get Applications to Web, Cloud and Mobile... 3 Issues in Software Development...

More information

W204 - LMS Consolidation, Underlying Design More Important Than Platform

W204 - LMS Consolidation, Underlying Design More Important Than Platform W204 - LMS Consolidation, Underlying Design More Important Than Platform Assess the scalability of your organization s LMS platform Evaluate an LMS based upon the size and character of different learner

More information

SOCIAL MEDIA BRANDING SUMMIT 2015

SOCIAL MEDIA BRANDING SUMMIT 2015 SOCIAL MEDIA BRANDING SUMMIT 2015 28 th 29 th May Palazzo Hotel, Fourways Johannesburg, South Africa Social media strategy and activation It s all about keeping control of the branding message through

More information

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems. 1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood

More information

THE 7 STEPS TO A SUCCESSFUL CRM IMPLEMENTATION DEPLOYING CRM IN THE NEW ERA OF CONNECTED CUSTOMERS

THE 7 STEPS TO A SUCCESSFUL CRM IMPLEMENTATION DEPLOYING CRM IN THE NEW ERA OF CONNECTED CUSTOMERS THE NEW ERA OF ABOUT THE AUTHOR Paul Rogers is the Head of Customer Experience and CRM within HCL s Applications Division. Based in London, Paul is responsible for leading HCL s CRM consulting and technology

More information

2013-2015 INFORMATION

2013-2015 INFORMATION 2013-2015 INFORMATION TECHNOLOGY DEPARTMENT STRATEGICTRATEGIC PLANLAN www.nd.gov/itd OUR MISSIONISSION To provide leadership and knowledge to assist our customers in achieving their mission through the

More information

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information

More information

Agile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/

Agile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/ Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Dan Cornell, OWASP San Antonio Leader Principal, Denim Group Ltd. dan@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation

More information

Taking Your PMO to the Next Level:

Taking Your PMO to the Next Level: Taking Your PMO to the Next Level: Four Steps to Value Improvement An ESI International White Paper +44 (0)20 7017 7100 www.esi-emea.com Contents Abstract...3 Introduction...4 Key Functions of the PMO...5

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Procuring Penetration Testing Services

Procuring Penetration Testing Services Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

The Benefits of Deployment Automation

The Benefits of Deployment Automation WHITEPAPER Octopus Deploy The Benefits of Deployment Automation Reducing the risk of production deployments Contents Executive Summary... 2 Deployment and Agile software development... 3 Aim to deploy

More information

How to Succeed. Marketing Automation. A Change Management Lesson Plan. with

How to Succeed. Marketing Automation. A Change Management Lesson Plan. with How to Succeed with Marketing Automation A Change Management Lesson Plan 1 Introduction Implementing a marketing automation solution is just the beginning to achieving marketing greatness. You need to

More information

IronBee Open Source Web Application Firewall

IronBee Open Source Web Application Firewall IronBee Open Source Web Application Firewall Building a universal web application firewall engine www.ironbee.com Introduction Qualys is announcing the development of IronBee, a new open source project

More information

Survey on Application Security Programs and Practices

Survey on Application Security Programs and Practices Survey on Application Security Programs and Practices A SANS Analyst Survey Written by Jim Bird and Frank Kim Advisor: Barbara Filkins February 2014 Sponsored by Hewlett-Packard, Qualys and Veracode 2014

More information

Application Code Development Standards

Application Code Development Standards Application Code Development Standards Overview This document is intended to provide guidance to campus system owners and software developers regarding secure software engineering practices. These standards

More information

Becoming Agile: a getting started guide for Agile project management in Marketing, Customer Service, HR and other business teams.

Becoming Agile: a getting started guide for Agile project management in Marketing, Customer Service, HR and other business teams. Becoming Agile: a getting started guide for Agile project management in Marketing, Customer Service, HR and other business teams. Agile for Business www.agilefluent.com Summary The success of Agile project

More information

Accelerate Application Development through DevOps Automation

Accelerate Application Development through DevOps Automation www.wipro.com Accelerate Application Development through DevOps Automation Giridhara Madakashira, Solutions Head Solutions Strategy Architecture Group (SSAG) Sriraman K R, Product Architect Solutions Strategy

More information

How To Integrate Security Into Your Application Development

How To Integrate Security Into Your Application Development Six Best Practices of IT Security 187 Ballardvale Street, Wilmington, MA 01887 +1.978.694.1008 2 Table of Contents 1. Make a Self-Assessment...3 2. Believe the Application Security Hype...3 3. Ask Tough

More information

How To Choose the Right Vendor Information you need to select the IT Security Testing vendor that is right for you.

How To Choose the Right Vendor Information you need to select the IT Security Testing vendor that is right for you. Information you need to select the IT Security Testing vendor that is right for you. Netragard, Inc Main: 617-934- 0269 Email: sales@netragard.com Website: http://www.netragard.com Blog: http://pentest.netragard.com

More information

The IT Infrastructure Library (ITIL)

The IT Infrastructure Library (ITIL) IT service management is often equated with the Information Technology Infrastructure Library (ITIL), even though there are a variety of standards and frameworks contributing to the overall ITSM discipline.

More information

WHITE PAPER. 7 Keys to. successful. Organizational Change Management. Why Your CRM Program Needs Change Management and Tips for Getting Started

WHITE PAPER. 7 Keys to. successful. Organizational Change Management. Why Your CRM Program Needs Change Management and Tips for Getting Started 7 Keys to successful Organizational Change Management Why Your CRM Program Needs Change Management and Tips for Getting Started CONTENTS 2 Executive Summary 3 7 Keys to a Comprehensive Change Management

More information

Five best practices for deploying a successful service-oriented architecture

Five best practices for deploying a successful service-oriented architecture IBM Global Services April 2008 Five best practices for deploying a successful service-oriented architecture Leveraging lessons learned from the IBM Academy of Technology Executive Summary Today s innovative

More information

HP Application Security Center

HP Application Security Center HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and

More information

Editor Stacy Simpson, SAFECode. Contributors

Editor Stacy Simpson, SAFECode. Contributors Security Engineering Training A Framework for Corporate Training Programs on the Principles of Secure Software Development April 20, 2009 Editor Stacy Simpson, SAFECode Contributors Eric Baize, EMC Corporation

More information

Successful Strategies for QA- Based Security Testing

Successful Strategies for QA- Based Security Testing Successful Strategies for QA- Based Security Testing Rafal Los Enterprise & Cloud Security Strategist HP Software 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject

More information

Big Data Integration: A Buyer's Guide

Big Data Integration: A Buyer's Guide SEPTEMBER 2013 Buyer s Guide to Big Data Integration Sponsored by Contents Introduction 1 Challenges of Big Data Integration: New and Old 1 What You Need for Big Data Integration 3 Preferred Technology

More information