Paco Hope, Florence Mottay. 2012 Cigital. All Rights Reserved. SecAppDev.

Objectives
- Define third party software: what it is, why we use it
- Define the risks from third party software
- Identify tools and techniques for addressing the risk
- Connect tools with the right situations
- Explore one possible approach
Software Ecosystem
- (Figure: lifecycle stages Specify, Design, Build, Test, Operate, Support, with Software As a Service (SaaS) and Cloud alongside)

Also Known As: Software Supply Chain Risk
- Studied by the Software Engineering Institute (SEI) and the University of Maryland
- Who supplies code?
- Who supplies labour?
- Who operates software?
Kinds of Third Parties
1. Staff augmentation: they work on your premises, they follow your orders
2. Integrated Project Teams: they provide a team; you provide management
3. Contractual: you write contracts; they deliver
4. Service Provider: you buy what they sell

The Problem
- You can outsource activities, but you cannot outsource liability
- Risk introduced by software
  - How do we identify it?
  - How do we quantify/qualify it?
- Various activities address that risk
  - How do we conduct those activities in someone else's lifecycle?
  - How do we hold the right people accountable?
- "You acknowledge that Licensed Software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility. Sun Microsystems, Inc. disclaims any express or implied warranty of fitness for such uses."
Risks from Software
- Brand and reputation damage
- Non-compliance
- Failures in business logic
- Lost sales
- Unauthorised disclosure of data
- Unavailability
- Actual back doors or vulnerabilities

IANAL, But... (I am not a lawyer)
- Popular Open Source Licenses: Apache, Artistic License, BSD, GNU General Public License, GNU Lesser GPL
- Possible implications: releasing source code, permitting derivative works, disclosing origin of software
- http://
Thinking About the Actors
- Them
  - Do our vendors have a clue? When designing, when coding, when operating
  - Do they do their jobs well?
  - Are their products suitable for us?
- Us
  - Do we have a clue? Requirements, operations, support
  - Are we doing our part well? Integration, compliance

Tools for the Problem
- Assessing capabilities
- Deliverable-based security gates
  - Security requirements
  - Security test plan
  - Threat model
  - Code scan results w/ defect tracking
  - Security test results mapping to requirements
  - Penetration test results
- Contract-based hooks
Build Security In Maturity Model (BSIMM)
- For us: What do we do? How mature are we? Where might we put more effort?
- For vendors: vBSIMM
  - Quick / crude measure
  - 15 activities
  - Very low bar
  - Vendors still score poorly
- http://

Learning What Others Do
- (Figure: BSIMM chart comparing the BSIMM Earth average (30 firms) with the BSIMM top-ten average (10 firms) across the practices Config. Mgmt. & Vuln. Mgmt., Sw. Env., Pen. Testing, Sec. Testing, Code Review, Strategy & Metrics, Compliance & Policy, Training, Standards & Req'ts, Attack Models, Sec. Features & Design, Arch. Analysis)
- Activities everybody does (* everybody = 20 out of 30 firms): identify gates, unify regulations, know PII obligations, publish policy, awareness training, data classification, identify features, security standards, review security features, static analysis tool, QA boundary testing, external pen testers, good network security, incident response, close ops bugs loop
Alternatives to Consider
- Microsoft SDL, OpenSAMM, CLASP, etc.
- Tend to be prescriptive, not descriptive
- Don't help you measure yourself or others

Tools and Situations
- We can often apply security requirements
  - Very applicable when we specify
  - Harder to enforce in SaaS; limited by the vendor's flexibility
- Code scanning is very good evidence
  - Only works when you have code
  - Binary scanning is a poor substitute
- Security testing is always possible in UAT
- Pen testing requires cooperation, often with limited scope
Touchpoints for Third Party Development
- (Figure: touchpoints diagram)

Architecture Deliverables
- Architecture risk analysis
- Threat model
- Test strategy and test plan with security
Use the Source, Luke
- Static analysis
- Defect tracking
- Patch management
- OSS analysis
  - Identify accidental / unknown usage
  - Identify legal obligations
- Static analysis tools
  - Commercial: Fortify, Coverity, AppScan Source
  - Free: CppCheck, FindBugs
- OSS analysis tools: Black Duck, Palamida

Working with Binaries
- Reverse engineering
  - Good for mobile, embedded, client/server
  - Not always permitted
- Binary analysis
  - Veracode, etc.
  - Not always successful
- Simulation: run in a VM, sandbox, or simulator
- Observation: eavesdropping, proxying, etc.
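The two OSS-analysis goals on the slide above, finding accidental or unknown usage and finding legal obligations, are easiest to see as a cross-check between what a scanner observed in the delivered build and what the vendor declared. The Python below is an added example, not code from the slides or from Cigital or any of the tools named; the licence-to-obligation table is a simplified summary assumed for illustration (the slide's own IANAL caveat applies) and the component inventory and vendor declaration are constructed.

```python
"""OSS analysis of a delivered build: accidental/unknown usage and licence obligations.

Added example, not from the original slides. The licence-to-obligation table is a
simplified summary assumed for illustration, and the inventory below is constructed.
"""

# Assumed, simplified obligations per licence (SPDX-style identifiers), mirroring the
# slide's "possible implications": release source, permit derivatives, disclose origin.
LICENSE_OBLIGATIONS = {
    "Apache-2.0": ["retain attribution and NOTICE file", "state significant changes"],
    "BSD-3-Clause": ["retain attribution"],
    "Artistic-1.0": ["disclose origin of the software and any modifications"],
    "LGPL-2.1": ["provide source of the library and of modifications to it"],
    "GPL-2.0": ["release source code of derivative works", "permit derivative works"],
}
# Licences whose obligations reach into code that modifies or links against them.
COPYLEFT = {"GPL-2.0", "LGPL-2.1"}

# Constructed scanner output: components found in the build, licence may be unknown.
OBSERVED = [
    {"name": "textutil", "version": "3.1", "license": "Apache-2.0"},
    {"name": "jsonlite", "version": "0.9", "license": "GPL-2.0"},
    {"name": "fastlog", "version": "2.2", "license": None},
    {"name": "cryptowrap", "version": "1.4", "license": "Vendor-EULA"},
]
# Constructed vendor bill of materials: what the vendor says is in the product.
DECLARED = {"textutil", "cryptowrap"}


def analyze(observed, declared):
    """Cross-check observed components against the declared bill of materials.

    observed: list of {"name", "version", "license"} records (license may be None)
    declared: set of component names the vendor listed
    Returns a dict of findings; keys are ordered from most to least urgent.
    """
    findings = {
        "copyleft_undeclared": [],  # undeclared AND copyleft: source-release exposure
        "undeclared": [],           # accidental / unknown usage
        "unknown_license": [],      # component found, terms unknown
        "unmapped_license": [],     # terms exist but are not in the table: needs review
        "obligations": {},          # component -> obligations we can state
    }
    for comp in observed:
        name, lic = comp["name"], comp["license"]
        key = f'{name}@{comp["version"]}'
        if name not in declared:
            findings["undeclared"].append(key)
            if lic in COPYLEFT:
                findings["copyleft_undeclared"].append(key)
        if lic is None:
            findings["unknown_license"].append(key)
        elif lic not in LICENSE_OBLIGATIONS:
            findings["unmapped_license"].append(key)
        else:
            findings["obligations"][key] = list(LICENSE_OBLIGATIONS[lic])
    return findings


if __name__ == "__main__":
    for category, value in analyze(OBSERVED, DECLARED).items():
        print(f"{category}: {value}")
```

The most urgent bucket is a copyleft component the vendor never declared: it is both a visibility failure (nobody on your side knew it was there) and the one licence class that can oblige source release of the product you are buying.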
Security Testing (Not Penetration Testing!)
- Boundary cases
- Negative cases
- Inverted cases off the RBAC matrix
- Identifying undesirable behaviour
  - Not checking
  - Not functional testing
- Exploratory testing is good

Penetration Testing
- Require vendor support: access, credentials, generous time windows, etc.
- Require vendor tracking / reporting: What will they do? When will they do it?
- Focus on solutions, not problems
  - Not about finding the maximum number of bugs
  - It's about fixing bugs
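"Inverted cases off the RBAC matrix" is the item above most worth automating in UAT: take the role/operation matrix the vendor agreed to, enumerate every cell it does not grant, and check that each one is denied. The Python below is an added example, not code from the slides or from Cigital; the matrix, the operations, the unknown-role name and both authorization functions are constructed for illustration.

```python
"""Negative ("inverted") authorization tests generated from an RBAC matrix.

Added example, not from the original slides. The matrix, the operations and both
authorization functions are constructed for illustration.
"""
from itertools import product

# Constructed RBAC matrix: role -> operations that role is permitted to perform.
RBAC_MATRIX = {
    "viewer": {"read_report"},
    "analyst": {"read_report", "export_report"},
    "admin": {"read_report", "export_report", "delete_report", "manage_users"},
}
OPERATIONS = sorted({op for ops in RBAC_MATRIX.values() for op in ops})
UNKNOWN_ROLE = "not-a-role"  # constructed: a role name the matrix never mentions


def positive_cases(matrix):
    """(role, operation) pairs the matrix grants; each must be allowed."""
    return [(role, op) for role in sorted(matrix) for op in sorted(matrix[role])]


def inverted_cases(matrix, operations):
    """(role, operation) pairs the matrix does NOT grant; each must be denied.

    Functional tests usually cover the granted cells; undesirable behaviour hides
    in the empty ones, so every empty cell becomes an explicit test case.
    """
    return [(role, op) for role, op in product(sorted(matrix), operations)
            if op not in matrix[role]]


def run_cases(authorize, matrix, operations):
    """Compare an authorize(role, op) -> bool implementation against the matrix.

    Returns a list of (verdict, role, operation) failures. An empty list means the
    implementation agrees with the matrix on every cell and denies unknown roles.
    """
    failures = []
    for role, op in positive_cases(matrix):
        if not authorize(role, op):
            failures.append(("expected allow", role, op))
    for role, op in inverted_cases(matrix, operations):
        if authorize(role, op):
            failures.append(("expected deny", role, op))
    # A role the matrix never defines must be denied everywhere (default deny).
    for op in operations:
        if authorize(UNKNOWN_ROLE, op):
            failures.append(("expected deny", UNKNOWN_ROLE, op))
    return failures


def drifted_authorize(role, op):
    """Constructed hand-written rule set that has drifted away from the matrix."""
    if role == "admin":
        return True
    if op == "read_report":
        return role in ("viewer", "analyst")
    if op == "export_report":
        return role in ("viewer", "analyst")  # defect: the matrix gives viewer no export
    return False


def matrix_authorize(role, op):
    """Authorization that consults the matrix directly; unknown roles get nothing."""
    return op in RBAC_MATRIX.get(role, set())


if __name__ == "__main__":
    for name, fn in (("drifted", drifted_authorize), ("matrix", matrix_authorize)):
        print(name, run_cases(fn, RBAC_MATRIX, OPERATIONS) or "all cells agree")
```

The positive cases pass for both implementations, which is exactly why functional testing alone misses the drift; only the inverted cases expose the viewer who can export. The unknown-role probe covers the other common failure, an implementation that falls through to allow when it meets a role nobody listed.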
Deployment
- Secure configuration
- Change control process
  - Coordination with the development team
  - Upgrades to the base platform
  - Patch deployment to the application

Operations
- Logging, monitoring
- SIEM
- Incident response
- Vulnerability tracking
Procurement
- Security requirements during the RFP / tender process
- Security questions during vendor selection
- Periodic evaluation of vendor security capabilities
- Security deliverables alongside functional deliverables

Procurement (continued)
- Require source code
- Permit decompiling / reverse engineering
- Permit security testing
- Require significant documentation
- Escrow code if you must
One Possible Flow
- Figure out which lifecycle stages are out of your control
- Figure out which deliverables are feasible
- Identify mechanisms to enforce deliverables (e.g., UAT, procurement, etc.)
- Require deliverables at appropriate stages
- Add to the PMO process, if possible

1: Identify Lifecycle Stages
- Which ones are owned by vendors?
- Where do your teams plug in? PMO, project leads, procurement, requirements, integration, UAT
2: Identify Practical Deliverables
- What? What is practical, permissible, measurable?
  - Threat models, code scan reports, pen test reports, defect reports
  - Is it objective?
  - How much visibility do you get into its creation?
- When?
  - At major releases? At regular intervals? On-demand access?
  - As it is generated, or after it is reviewed by the vendor?

3: Promote Enforcement
- Lifecycle phases / promotion
  - Create security gates: Dev → QA, QA → Staging, Staging → Production
  - Require security deliverables for promotion phase-to-phase
  - Enforce security sign-off
- Be pragmatic
  - If security always says no, then security becomes a problem
  - Problems get fixed
  - Choose battles carefully
4: Institutionalise
- Put security in the PMO: make it regular, make it understood
- Automate as much as possible: checklists, worksheets, processes
- Change takes time
  - Start small
  - Minimise overhead
  - Make everything relevant
  - Ensure adoption of one small piece before introducing a new piece

Putting it Together
- Identify your vendors and sources of third party software risk
- Understand your competency and theirs
- Determine ownership of lifecycle phases
- Identify security deliverables for each phase
- Gradually work them into your process
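Steps 3 and 4 above (security gates between Dev, QA, Staging and Production that require deliverables for promotion, then automating the checklist) come together as a gate check that can run in the PMO process. The Python below is an added example, not code from the slides or from Cigital; the gate policy, the per-gate defect limits, the pen-test age limit and the sample deliverables are constructed assumptions chosen so the gates tighten towards production.

```python
"""Promotion gate: check security deliverables before a phase-to-phase promotion.

Added example, not from the original slides. The gate policy, thresholds and sample
deliverables are constructed assumptions for illustration.
"""
from datetime import date

# Assumed policy: deliverables each promotion requires; later gates require more.
GATE_POLICY = {
    ("dev", "qa"): {"threat_model", "code_scan"},
    ("qa", "staging"): {"threat_model", "code_scan", "security_test_results"},
    ("staging", "production"): {"threat_model", "code_scan", "security_test_results",
                                "pen_test", "security_signoff"},
}
# Assumed: open code-scan defects tolerated per gate, by severity (tightens to zero).
MAX_OPEN_DEFECTS = {
    ("dev", "qa"): {"critical": 0, "high": 3},
    ("qa", "staging"): {"critical": 0, "high": 1},
    ("staging", "production"): {"critical": 0, "high": 0},
}
MAX_PEN_TEST_AGE_DAYS = 180  # assumed freshness limit for a pen test report

# Constructed deliverables as a vendor might hand them over for one release.
SAMPLE_DELIVERABLES = {
    "threat_model": {"version": "1.2"},
    "code_scan": {"tool": "<scanner>", "open_defects": {"critical": 0, "high": 1, "medium": 4}},
    "security_test_results": {"requirements_covered": 12, "requirements_total": 14},
    "pen_test": {"date": "2012-01-15", "open_findings": 0},
}
TODAY = date(2012, 6, 1)  # constructed evaluation date


def evaluate_gate(source, target, deliverables, today):
    """Return the reasons a promotion fails; an empty list means the gate passes."""
    gate = (source, target)
    if gate not in GATE_POLICY:
        return [f"no gate defined for {source} -> {target}"]
    required = GATE_POLICY[gate]
    reasons = []
    # 1. Every deliverable the gate requires must be present.
    for name in sorted(required - set(deliverables)):
        reasons.append(f"missing deliverable: {name}")
    # 2. Code scan results with defect tracking: open defects over the gate's limit block it.
    scan = deliverables.get("code_scan")
    if scan is not None:
        for severity, limit in MAX_OPEN_DEFECTS[gate].items():
            n = scan["open_defects"].get(severity, 0)
            if n > limit:
                reasons.append(f"code_scan: {n} open {severity} defect(s) (limit {limit})")
    # 3. Security test results must map to every security requirement.
    tests = deliverables.get("security_test_results")
    if tests is not None and "security_test_results" in required:
        gap = tests["requirements_total"] - tests["requirements_covered"]
        if gap > 0:
            reasons.append(f"security_test_results: {gap} of "
                           f"{tests['requirements_total']} requirement(s) lack test results")
    # 4. The pen test report must be recent and have no open findings.
    pen = deliverables.get("pen_test")
    if pen is not None and "pen_test" in required:
        age = (today - date.fromisoformat(pen["date"])).days
        if age > MAX_PEN_TEST_AGE_DAYS:
            reasons.append(f"pen_test: report is {age} days old (limit {MAX_PEN_TEST_AGE_DAYS})")
        if pen["open_findings"]:
            reasons.append(f"pen_test: {pen['open_findings']} open finding(s)")
    # 5. Sign-off must name who approved it, so accountability is recorded.
    signoff = deliverables.get("security_signoff")
    if signoff is not None and not signoff.get("approved_by"):
        reasons.append("security_signoff: no approver recorded")
    return reasons


if __name__ == "__main__":
    for gate in GATE_POLICY:
        verdict = evaluate_gate(*gate, SAMPLE_DELIVERABLES, TODAY)
        print(f"{gate[0]} -> {gate[1]}: {'PASS' if not verdict else verdict}")
```

Returning a list of reasons rather than a bare pass/fail is the pragmatic part of step 3: the vendor and the project lead see exactly which deliverable or which open defect holds the promotion, so the gate drives fixes instead of simply saying no.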
"The best time to plant an oak tree was twenty years ago. The next best time is now." (Ancient Proverb)

Paco Hope, Florence Mottay
More informationPanorama Consulting Group. PERFECT Fit ERP Selection Framework
Panorama Consulting Group PERFECT Fit ERP Selection Framework 1 Goals of the meeting Meeting Goals and Agenda Help Panorama better understand the Client Address questions about Panorama s ERP selection
More informationDiscovering Computers Fundamentals, 2010 Edition. Living in a Digital World
Discovering Computers Fundamentals, 2010 Edition Living in a Digital World Objec&ves Overview Discuss the importance of project management, feasibility assessment, documenta8on, and data and informa8on
More informationFive Factors Driving Businesses to Rethink EDI on IBM i
Simplify and Accelerate e- Business Integra6on Five Factors Driving Businesses to Rethink EDI on IBM i EDI Change Drivers External Loca6ons, Partners, and Services Customers Suppliers / Service Providers
More informationSecure Development LifeCycles (SDLC)
www.pwc.com Feb 2014 Secure Development LifeCycles (SDLC) Bart De Win Bart De Win? 15+ years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific
More informationCapitalize on your carbon management solu4on investment
Capitalize on your carbon management solu4on investment Best prac4ce guide for implemen4ng carbon management so9ware Carbon Disclosure Project +44 (0) 20 7970 5660 info@cdproject.net www.cdproject.net
More informationManaging Open Source Code Best Practices
Managing Open Source Code Best Practices September 24, 2008 Agenda Welcome and Introduction Eran Strod Open Source Best Practices Hal Hearst Questions & Answers Next Steps About Black Duck Software Accelerate
More informationSession 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber
More informationBe Fast, but be Secure a New Approach to Application Security July 23, 2015
Be Fast, but be Secure a New Approach to Application Security July 23, 2015 Copyright 2015 Vivit Worldwide Copyright 2015 Vivit Worldwide Brought to you by Copyright 2015 Vivit Worldwide Hosted by Paul
More informationFixed Scope Offering (FSO) for Oracle SRM
Fixed Scope Offering (FSO) for Oracle SRM Agenda iapps Introduc.on Execu.ve Summary Business Objec.ves Solu.on Proposal Scope - Business Process Scope Applica.on Implementa.on Methodology Time Frames Team,
More informationAlexander Polyakov CTO ERPScan
Invest in security to secure investments ERP Security. Myths, Problems, Solu6ons Alexander Polyakov CTO ERPScan About ERPScan The only 360- degree SAP Security solu8on - ERPScan Security Monitoring Suite
More informationIntroduc)on to the IoT- A methodology
10/11/14 1 Introduc)on to the IoTA methodology Olivier SAVRY CEA LETI 10/11/14 2 IoTA Objec)ves Provide a reference model of architecture (ARM) based on Interoperability Scalability Security and Privacy
More informationThe system approach in human resources. Functional Analysis of the System for Human Resources Management. Introduction. Arcles
Functional Analysis of the System for Human Resources Management Assoc. Prof. Margarita Harizanova, Ph.D. Chief Assist. Prof. Nadya Mironova, Ph.D. Assist. Prof. Tatyana Shtetinska Summary: The arcle presents
More informationiscripts Top 10 challenges to consider before testing SaaS based applications
Top 10 challenges to consider before testing SaaS based applications iscripts SaaS What s in store for 2015? Forrester has revealed that there is a significant change in adopting enterprise applications
More information