Federal Mobile App Vetting Center for Assured Software Pilot. Nick Valletta
Slide 1 of 20: Federal Mobile App Vetting, Center for Assured Software Pilot (Nick Valletta)

Slide 2 of 20: MOBILE SECURITY: A REAL ISSUE

Slide 3 of 20: NOTEWORTHY ANDROID APP TRENDS
[Chart: Trends Among Top 5000 Google Play Apps; percentage axis from 0% to 100%, bar values not recoverable from the transcription]
These trends highlight the readily apparent need to develop a mobile application security testing methodology.

Slide 4 of 20: CENTER FOR ASSURED SOFTWARE MISSION (marked UNCLASSIFIED//FOR OFFICIAL USE ONLY)
To substantially increase the degree of confidence that software used within DoD's critical systems is free from exploitable vulnerabilities, either intentionally or unintentionally introduced, using:
- Scalable Tools
- Scalable Techniques
- Scalable Processes
Scalable => Timely => Effective

Slide 5 of 20: CAS BACKGROUND IN MOBILITY
The CAS surveyed the market, looking for the leading commercial, open source, academic, and free software tools for the analysis of mobile applications. The CAS performed an initial test of the top ten tools from this survey by analyzing open source applications and comparing the findings to the Java code (the 10x10 Study). One of the major conclusions of the 10x10 Study was that no single tool is adequate for mobile application testing. Furthermore, the dynamic nature of mobile app development and deployment necessitates a quick, cost-effective method for assessing mobile software assurance.

Slide 6 of 20: WHY A PILOT?
The CAS is working on a mobile application testing pilot with the goal of answering the following questions:
- How do we efficiently scale mobile application assessments?
- How do we trust that a given tool's finding is accurate?
- How can we create a testing infrastructure that is platform-agnostic, application-agnostic, criteria-agnostic, etc., and still have confidence that a given app is being assessed properly and accurately?
The Pilot will leverage the capabilities of the best commercial, free, academic, and open source tools in order to assess Android applications.

Slide 7 of 20: PILOT OBJECTIVE
Create and validate a scalable, efficient, and automated mobile application software assurance testing process that can be implemented across Government, through the use of:
- Multiple tools to increase coverage
- Automation to reduce manual review
- Defined processes to speed decision making
- A repository of test results with metadata

Slide 8 of 20: TESTING WALKTHROUGH (flowchart)
1. App obtained from the App Store.
2. SHA256 Lookup: if the SHA256 is found, the stored results are reused; if no SHA256 is found, the app proceeds to testing.
3. Multiple SwA Tool Tests
4. Report Scrape
5. Combine Results with Confidence and Severity
6. Automated Analysis: Pass/Fail Recommendation
7. Analyst Review, producing the Analyst Report & Recommendation
8. Management Adjudication: Go Decision or No Go Decision
9. Update Database

Slide 9 of 20: TOOL CONFIDENCE
CONCEPT: How do we trust a tool's output if we don't know whether the tool is accurate?
PROCESS:
- Test x open source applications using the desired tools.
- An analyst manually reviews each finding by comparing it to the original source code.
- The ratio α, where 0 ≤ α ≤ 1, is simply defined as the total number of accurate findings divided by the total number of findings.
Example: Tool A makes Y findings for a vulnerability. The analyst reviews them and notes that X findings are correct (where X ≤ Y). Therefore α = X/Y, which is the tool's confidence score for that weakness.

Slide 10 of 20: TOOL CONFIDENCE ADVANTAGES
If a confidence score is high enough or low enough, the findings for those vulnerabilities can be accepted or rejected automatically. Only confidence scores in the middle range (not high, not low) will necessitate manual review of the associated findings. Through the use of tool confidence scores, only a subset of the total findings is flagged for manual review, which significantly expedites the processing of a given application. Current values estimate that less than 25% of tool findings will be flagged for review (which makes the Pilot's methodology ~75% more efficient than the traditional solution of manual verification).
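The confidence score and the accept/reject/review routing from slides 9 and 10, as an added worked example that is not code from the CAS pilot. The calibration set (findings an analyst has already checked against source), the findings on a newly submitted app, and the two thresholds (0.9 to auto-accept, 0.1 to auto-reject) are constructed assumptions; the CWE identifiers are real CWE entries used only as labels.

```python
"""Tool confidence scores (alpha = X / Y) and automatic triage of findings.

Added example, not code from the CAS pilot. The calibration data, the new-app
findings and the accept / reject thresholds are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

ToolWeakness = Tuple[str, str]

# Constructed calibration data: one row per finding the analyst compared to the
# original source code: (tool, weakness, finding_id, analyst_confirmed).
REVIEWED_FINDINGS: List[Tuple[str, str, int, bool]] = (
    [("ToolA", "CWE-312", i, i < 9) for i in range(10)]   # 9 of 10 correct -> alpha 0.9
    + [("ToolA", "CWE-89", i, i < 1) for i in range(10)]  # 1 of 10 correct -> alpha 0.1
    + [("ToolB", "CWE-312", i, i < 5) for i in range(10)]  # 5 of 10 correct -> alpha 0.5
)

# Constructed findings reported by the tools on a newly submitted app:
# (tool, weakness, finding_id).
NEW_APP_FINDINGS: List[Tuple[str, str, str]] = [
    ("ToolA", "CWE-312", "f1"),
    ("ToolA", "CWE-312", "f2"),
    ("ToolA", "CWE-89", "f3"),
    ("ToolB", "CWE-312", "f4"),
    ("ToolB", "CWE-200", "f5"),  # no calibration data for this tool/weakness pair
]


def confidence_scores(reviewed) -> Dict[ToolWeakness, float]:
    """Return alpha = X / Y per (tool, weakness): accurate findings over total findings."""
    counts: Dict[ToolWeakness, List[int]] = defaultdict(lambda: [0, 0])  # [X, Y]
    for tool, weakness, _finding_id, confirmed in reviewed:
        tally = counts[(tool, weakness)]
        tally[1] += 1
        if confirmed:
            tally[0] += 1
    return {key: x / y for key, (x, y) in counts.items()}


def triage(findings, alpha, accept_at: float = 0.9, reject_at: float = 0.1):
    """Route each finding by its tool's confidence score for that weakness.

    accept_at and reject_at are assumed thresholds. A (tool, weakness) pair
    with no calibration data has no alpha and therefore always goes to review.
    """
    routed = {"accept": [], "reject": [], "review": []}
    for finding in findings:
        tool, weakness, _finding_id = finding
        score = alpha.get((tool, weakness))
        if score is None:
            routed["review"].append(finding)
        elif score >= accept_at:
            routed["accept"].append(finding)
        elif score <= reject_at:
            routed["reject"].append(finding)
        else:
            routed["review"].append(finding)
    return routed


def review_fraction(routed) -> float:
    """Share of findings that still need an analyst (the deck estimates under 25%)."""
    total = sum(len(bucket) for bucket in routed.values())
    return len(routed["review"]) / total if total else 0.0


if __name__ == "__main__":
    alpha = confidence_scores(REVIEWED_FINDINGS)
    routed = triage(NEW_APP_FINDINGS, alpha)
    for (tool, weakness), score in sorted(alpha.items()):
        print(f"{tool:6s} {weakness:8s} alpha={score:.2f}")
    for bucket, items in routed.items():
        print(bucket, [finding[2] for finding in items])
    print(f"fraction flagged for review: {review_fraction(routed):.0%}")
```

Scores are kept per (tool, weakness) rather than per tool, since the slide defines α "for a given weakness": a tool that is reliable on cleartext-storage findings may be noisy on injection findings. A pair that was never calibrated gets no score and falls through to manual review, which keeps the automation from silently accepting findings it has no evidence for.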
Slide 11 of 20: CRITERIA SPECIFICATION
CONCEPT: With so many differing lists of weakness criteria for evaluating mobile applications, which one should I use?
PROCESS: The pilot does not advocate any specific list of criteria, but instead demonstrates a process that, theoretically, allows any list of evaluation criteria to be used to test apps. For the Pilot, we are using the CAS-defined weaknesses list*, the DISA SRG, the OWASP Mobile Top 10 list, and MITRE CWEs.
* Available on request

Slide 12 of 20: WEAKNESS RANKING
CONCEPT: Weaknesses encountered during app testing/certification should be treated differently, depending on the impact they can cause to a given system.
PROCESS: The CAS examined each criterion in each weakness specification listing to determine the weakness's severity. Weaknesses were rated as Low, Medium, High, or Fatal. Depending on a given environment, thresholds can be established for weakness severities: one fatal finding may equal a failure, but a handful of high findings may be tolerable before the app is rejected.
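The per-environment severity thresholds from slide 12, applied to the accepted findings of an app to produce the automated Go / No Go recommendation, as an added example that is not the pilot's own code. The severity ratings table and the two environment profiles are constructed assumptions; "CAS-W01" is a hypothetical placeholder for an entry in the CAS weaknesses list, and the CWE ids are real entries whose ratings here are assumed.

```python
"""Severity thresholds per environment and the automated Go / No Go decision.

Added example, not the CAS pilot's code. The ratings table and the environment
thresholds are constructed assumptions; the Low / Medium / High / Fatal levels
come from the deck.
"""
from collections import Counter
from typing import Dict, Iterable, Optional

SEVERITY_LEVELS = ("Low", "Medium", "High", "Fatal")

# Constructed severity ratings per criterion. "CAS-W01" is a hypothetical
# placeholder id; the CWE ids are real CWE entries but the ratings are assumed.
RATINGS: Dict[str, str] = {
    "CAS-W01": "Fatal",
    "CWE-89": "High",
    "CWE-312": "High",
    "CWE-532": "Medium",
    "CWE-200": "Low",
}

# Constructed environment profiles: the maximum number of findings at a severity
# the environment tolerates before the app is rejected. None means unlimited.
STRICT_ENV: Dict[str, Optional[int]] = {"Fatal": 0, "High": 2, "Medium": 10, "Low": None}
LENIENT_ENV: Dict[str, Optional[int]] = {"Fatal": 0, "High": 5, "Medium": None, "Low": None}


def count_by_severity(weakness_ids: Iterable[str], ratings: Dict[str, str]) -> Counter:
    """Map each accepted finding to its severity; an unrated criterion is a configuration error."""
    counts: Counter = Counter()
    for weakness_id in weakness_ids:
        if weakness_id not in ratings:
            raise KeyError(f"no severity rating for {weakness_id}")
        counts[ratings[weakness_id]] += 1
    return counts


def adjudicate(weakness_ids, ratings, thresholds) -> Dict:
    """Recommend Go when no severity count exceeds its threshold, No Go otherwise."""
    counts = count_by_severity(weakness_ids, ratings)
    breaches = [
        level for level in SEVERITY_LEVELS
        if thresholds.get(level) is not None and counts[level] > thresholds[level]
    ]
    return {
        "decision": "No Go" if breaches else "Go",
        "counts": {level: counts[level] for level in SEVERITY_LEVELS},
        "breaches": breaches,
    }


if __name__ == "__main__":
    # Constructed accepted findings for one app: three High, one Low.
    sample = ["CWE-312", "CWE-312", "CWE-89", "CWE-200"]
    print("strict :", adjudicate(sample, RATINGS, STRICT_ENV))
    print("lenient:", adjudicate(sample, RATINGS, LENIENT_ENV))
```

The same findings yield No Go under the strict profile (three High findings against a limit of two) and Go under the lenient one, which is the point of the slide: the severity ratings are fixed by the CAS review, while the tolerance for each severity is a property of the deploying environment. An unrated criterion raises rather than defaulting to Low, so a gap in the ratings table cannot quietly turn into a Go.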
Slide 13 of 20: WEAKNESS RANKING PROCESS
Weakness Source                      | Ranking by
CAS Weaknesses                       | CAS
DISA Mobile APP SRG                  | DISA
OWASP Top Ten                        | CAS
Mobile Specific CWEs                 | CAS
Traditional Weakness Classes (CWEs)  | CAS
(The slide's High / Medium / Low / Fatal / N/A columns hold marks that did not survive the transcription.)

Slide 14 of 20: DATABASE AND HASH CREATION
CONCEPT: A database of which apps have been tested prevents duplication of effort.
PROCESS: All data from the application tests are saved to a shared database. When an app is submitted through the Pilot's processes, a SHA256 hash is created. This hash is compared to the hashes stored in the database. If there is a match, the app does not need to be evaluated; instead, the app's reports are pulled from the database.
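The hash-before-evaluate step from slide 14 (and the SHA256 Lookup branch of the slide 8 walkthrough), as an added example that is not the pilot's own code. The SQLite schema, the sample APK bytes and the stand-in evaluation function are constructed assumptions; the point is that the hash of the submitted binary is the lookup key, so an identical resubmission is served from the database while a rebuilt app with even one changed byte is tested again.

```python
"""SHA256 lookup before evaluation: skip apps whose results are already on record.

Added example, not the CAS pilot's code. The SQLite schema, the sample APK
bytes and the stand-in evaluation function are constructed assumptions.
"""
import hashlib
import json
import sqlite3
from typing import Callable, Dict

# Constructed stand-in for an APK. Real APKs are ZIP archives, which begin with "PK".
SAMPLE_APK = b"PK\x03\x04constructed-sample-apk-bytes"


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the submitted binary; this is the key in the shared results table."""
    return hashlib.sha256(data).hexdigest()


def open_results_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create the shared results table (assumed schema) and return the connection."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS app_results ("
        "sha256 TEXT PRIMARY KEY, package TEXT NOT NULL, report TEXT NOT NULL)"
    )
    return conn


def vet_app(conn: sqlite3.Connection, apk_bytes: bytes, package: str,
            evaluate: Callable[[bytes], Dict]) -> Dict:
    """Return the stored report when the hash is known; otherwise evaluate and store."""
    digest = sha256_hex(apk_bytes)
    row = conn.execute(
        "SELECT report FROM app_results WHERE sha256 = ?", (digest,)
    ).fetchone()
    if row is not None:
        return {"sha256": digest, "cached": True, "report": json.loads(row[0])}
    report = evaluate(apk_bytes)
    with conn:  # commits the new record
        conn.execute(
            "INSERT INTO app_results (sha256, package, report) VALUES (?, ?, ?)",
            (digest, package, json.dumps(report)),
        )
    return {"sha256": digest, "cached": False, "report": report}


def demo_evaluate(apk_bytes: bytes) -> Dict:
    """Stand-in for the multi-tool test run; returns a constructed report."""
    return {"size": len(apk_bytes), "findings": 2, "recommendation": "Pass"}


if __name__ == "__main__":
    db = open_results_db()
    print(vet_app(db, SAMPLE_APK, "com.example.demo", demo_evaluate))            # evaluated
    print(vet_app(db, SAMPLE_APK, "com.example.demo", demo_evaluate))            # cached
    print(vet_app(db, SAMPLE_APK + b"\x00", "com.example.demo", demo_evaluate))  # new hash
```

Keying on the hash of the binary rather than on the package name or version string matters: two agencies submitting the same build get one evaluation, but a repackaged build that claims the same version is still tested, because its bytes, and so its SHA256, differ.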
Slide 15 of 20: SWID TAGS AND QUERIES
CONCEPT: A centralized database of testing results allows multiple agencies to share, upload, and query app results, thus reducing duplication of effort.
PROCESS: Every time an app is evaluated, upon completion of the evaluation, a software ID (SWID) tag is created. The tag:
- contains metadata for the app and the evaluation;
- allows other agencies to quickly query the SWID database in order to find information about apps and prior evaluations.

Slide 16 of 20: STATUS OF PILOT
- Process Documents are complete (pending comments and validation)
- Weakness severities complete
- Tools are in-house & operational
- Tool Report Scraping complete
- Tool Trust in progress: all tools' results being evaluated
- System coding is in progress
- Methodology Document is in progress

Slide 17 of 20: MILESTONES
- Initial Tool Trust (25 Apps): Feb 28 (DONE)
- Initial Code Development: April 15
- App Testing (75 Apps): April 31 (DONE)
- Process Testing (250 Apps): May 31
- Revise Processes: May 31
- Publish Testing Methodology: June 30
- Release Software: June 30

Slide 18 of 20: INTERESTED IN LEARNING MORE?
Contact:

Slide 19 of 20: PILOT OVERVIEW (architecture diagram)
Process steps:
- P1 SHA256 Build and Compare
- P2 App Store Data Scrape
- P3 Build Specific Test Criteria
- P4 Initiate Tool Runs
- P5 Report Scraping
- P6 Build SWID Tag (SWID Tag Creation)
- P7 App Searches & Lookups
- P8 Tool Conf Data Collect & Calc
Data inputs:
- I1 Manual Data Input
- I2, I3, I4, I5 Data Input Tool
Reporting:
- R1 Results Analysis & Report Gen (Automated Reports)
- R2 Mgmt Report Gen
- R3 Perf Reports & Metric Reporting
Other elements on the diagram: App Store (Agency Apps, Commercial Apps); Database: App Data Repository/Metadata; Agency Evaluation Criteria and Specific Situation Criteria; Multiple SwA Tool Tests; Align Results with criteria and order by risk; Automated Analysis: Pass/Fail; Analyst Review; Analyst Report & Recommendation; Management Adjudication: Go Decision / No Go Decision; App and Process Analytics.
More informationGetting Started with Web Application Security
Written by Gregory Leonard February 2016 Sponsored by Veracode 2016 SANS Institute Since as far back as 2005, 1 web applications have been attackers predominant target for the rich data that can be pulled
More informationFeature. A Higher Level of Governance Monitoring IT Internal Controls. Controls tend to degrade over time and between audits.
Feature A Higher Level of Governance Monitoring IT Internal Controls Mike Garber, CGEIT, CIA, CITP, CPA, has many years experience as both director for IT governance and as IT audit director for Motorola
More informationARF, ARCAT, and Summary Results. Lt Col Joseph L. Wolfkiel
ARF, ARCAT, and Summary Results Lt Col Joseph L. Wolfkiel Enterprise-Level Assessment and Reporting The Concept Assessment Results Format (ARF) Assessment Summary Results (ASR) The Assessment Results Consumer
More informationThe Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform
The Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform Technical Discussion David Churchill CEO DraftPoint Inc. The information contained in this document represents the current
More informationBuilding In-Database Predictive Scoring Model: Check Fraud Detection Case Study
Building In-Database Predictive Scoring Model: Check Fraud Detection Case Study Jay Zhou, Ph.D. Business Data Miners, LLC 978-726-3182 jzhou@businessdataminers.com Web Site: www.businessdataminers.com
More informationTechnology Enablement
SOLUTION OVERVIEW 1 ABOUT TECHMILEAGE Founded in 2008 / Tempe, Arizona Over 100 engagements Full range of business & technology services Software Development, Big Data, Cloud/AWS, BI, Advanced Analytics
More informationCompany X SEO Review. April 2014
Company X SEO Review April 2014 Introduction The following SEO marketing review provides a top-line overview of your current position online, as it relates to natural search rankings, and highlights areas
More informationLocalizing Your Mobile App is Good for Business
Global Insight Localizing Your Mobile App is Good for Business Simply put, the more people who can find and use your mobile application in their native language, the larger your potential market. But launching
More information