Federal Mobile App Vetting Center for Assured Software Pilot. Nick Valletta


Slide 1 of 20: Federal Mobile App Vetting Center for Assured Software Pilot
Nick Valletta

Slide 2 of 20: MOBILE SECURITY: A REAL ISSUE

Slide 3 of 20: NOTEWORTHY ANDROID APP TRENDS
[Chart: Trends Among Top 5000 Google Play Apps; vertical axis 0% to 100%]
These trends highlight the readily apparent need to develop a mobile application security testing methodology.

Slide 4 of 20: CENTER FOR ASSURED SOFTWARE MISSION
UNCLASSIFIED//FOR OFFICIAL USE ONLY
To substantially increase the degree of confidence that software used within DoD's critical systems is free from exploitable vulnerabilities, either intentionally or unintentionally introduced, using:
- Scalable Tools
- Scalable Techniques
- Scalable Processes
Scalable => Timely => Effective

Slide 5 of 20: CAS BACKGROUND IN MOBILITY
The CAS surveyed the market, looking for the leading commercial, open source, academic, and free software tools for the analysis of mobile applications. The CAS performed an initial test of the top ten tools from this survey by analyzing open source applications and comparing the findings to Java code (10x10 Study). One of the major conclusions of the 10x10 study was that no one tool is adequate for mobile application testing. Furthermore, the dynamic nature of mobile app development and deployment necessitates a quick, cost-effective method for assessing mobile software assurance.

Slide 6 of 20: WHY A PILOT?
The CAS is working on a mobile application testing pilot with the goal of answering the following questions:
- How do we efficiently scale mobile application assessments?
- How do we trust that a given tool's finding is accurate?
- How can we create a testing infrastructure that is platform-agnostic, application-agnostic, criteria-agnostic, etc., and still have confidence that a given app is being assessed properly and accurately?
The Pilot will leverage the capabilities of the best commercial, free, academic, and open source tools in order to assess Android applications.

Slide 7 of 20: PILOT OBJECTIVE
Create and validate a scalable, efficient, and automated mobile application software assurance testing process that can be implemented across Government, through the use of:
- Multiple tools to increase coverage
- Automation to reduce manual review
- Defined processes to speed decision making
- A repository of test results with metadata

Slide 8 of 20: TESTING WALKTHROUGH
[Flow diagram, reconstructed as a sequence of steps]
1. App Store: app is submitted.
2. SHA256 Lookup.
   - SHA256 found: the stored results are reused and no new testing is run.
   - No SHA256 found: continue with testing.
3. Multiple SwA Tool Tests
4. Report Scrape
5. Combine Results with Confidence and Severity
6. Automated Analysis: Pass/Fail Recommendation
7. Analyst Review
8. Analyst Report & Recommendation
9. Management Adjudication: Go Decision or No Go Decision
10. Update Database

Slide 9 of 20: TOOL CONFIDENCE
CONCEPT: How do we trust a tool's output if we don't know if the tool is accurate?
PROCESS:
- Test x open source applications using the desired tools.
- An analyst manually reviews each finding by comparing it to the original source code.
- The ratio α, where 0 ≤ α ≤ 1, is simply defined as the total number of accurate findings divided by the total number of findings.
Example: Tool A makes Y findings for a vulnerability. The analyst reviews them and notes that X findings are correct (where X ≤ Y). Therefore, α = X/Y, which is the tool's confidence score for a given weakness.

Slide 10 of 20: TOOL CONFIDENCE ADVANTAGES
If a confidence score is high enough or low enough, the findings for those vulnerabilities can be accepted or rejected automatically. Only confidence scores in the middle range (not high, not low) will necessitate manual review of the associated findings. Through the use of tool confidence scores, only a subset of the total findings are flagged for manual review, which significantly expedites the processing of a given application. Current values estimate that less than 25% of tool findings will be flagged for review (which makes the Pilot's methodology ~75% more efficient than the traditional solution of manual verification).

Slide 11 of 20: CRITERIA SPECIFICATION
CONCEPT: With so many differing lists of weakness criteria for evaluating mobile applications, which one should I use?
PROCESS: The pilot does not advocate any specific list of criteria, but instead demonstrates a process that, theoretically, allows any list of evaluation criteria to be used to test apps. For the Pilot, we are using the CAS-defined weaknesses list*, the DISA SRG, the OWASP Mobile Top 10 list, and MITRE CWEs.
* Available on request

Slide 12 of 20: WEAKNESS RANKING
CONCEPT: Weaknesses encountered during app testing/certification should be treated differently, depending on the impact they can cause to a given system.
PROCESS: The CAS examined each criterion in each weakness specification listing to determine the weakness's severity. Weaknesses were rated as Low, Medium, High, or Fatal. Depending on a given environment, thresholds can be established for weakness severities: one fatal finding may equal a failure, but a handful of high findings may be tolerable before the app is rejected.
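The confidence-score triage from slides 9 and 10 and the severity thresholds from slide 12 are the two inputs to the "Combine Results with Confidence and Severity" step on slide 8. The following is an added Python example, not code from the CAS pilot, that carries both through end to end: analyst verdicts on past findings yield α per (tool, weakness); new findings are auto-accepted at α ≥ 0.9, auto-rejected at α ≤ 0.1, and otherwise flagged for review; accepted findings are then counted per severity against per-environment tolerances to produce the automated Pass/Fail recommendation. The 0.9/0.1 cut-offs, the tolerances, the CWE ids and the sample findings are all constructed assumptions, not values from the deck.

```python
"""Tool-confidence triage plus severity-threshold recommendation.

Added example; assumes constructed CWE ids, thresholds and sample data."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str       # SwA tool that reported the finding
    weakness: str   # criterion id from the chosen criteria list (constructed CWE ids below)
    location: str   # where in the app it was found, e.g. "file:line"


def confidence_scores(reviewed):
    """alpha = accurate findings / total findings, per (tool, weakness).

    `reviewed` holds analyst verdicts on past findings from open-source apps,
    as (tool, weakness, is_accurate) tuples."""
    accurate, total = Counter(), Counter()
    for tool, weakness, is_accurate in reviewed:
        total[(tool, weakness)] += 1
        if is_accurate:
            accurate[(tool, weakness)] += 1
    return {key: accurate[key] / total[key] for key in total}


def triage(findings, alpha, accept_at=0.9, reject_at=0.1):
    """Auto-accept high-confidence findings, auto-reject low-confidence ones,
    and flag the middle band for manual review. The cut-offs are assumed values;
    a (tool, weakness) pair with no confidence data at all also goes to review."""
    buckets = {"accepted": [], "rejected": [], "review": []}
    for f in findings:
        score = alpha.get((f.tool, f.weakness))
        if score is None or reject_at < score < accept_at:
            buckets["review"].append(f)
        elif score >= accept_at:
            buckets["accepted"].append(f)
        else:
            buckets["rejected"].append(f)
    return buckets


def review_fraction(buckets):
    """Share of findings that still need a human: the slide-10 efficiency metric."""
    total = sum(len(v) for v in buckets.values())
    return len(buckets["review"]) / total if total else 0.0


# Assumed per-environment tolerances: the maximum number of confirmed findings
# at each severity an app may carry and still pass. Low findings are not limited.
DEFAULT_TOLERANCES = {"Fatal": 0, "High": 3, "Medium": 10}


def recommend(accepted, severity_of, tolerances=DEFAULT_TOLERANCES):
    """Automated Pass/Fail recommendation from accepted findings only.

    The same weakness at the same location reported by several tools is one
    finding, so it is counted once. Returns (verdict, counts, breached)."""
    distinct = {(f.weakness, f.location) for f in accepted}
    counts = Counter(severity_of.get(weakness, "N/A") for weakness, _ in distinct)
    breached = [sev for sev, limit in tolerances.items() if counts[sev] > limit]
    return ("Fail" if breached else "Pass"), dict(counts), breached


# --- constructed sample data (not from the pilot) -----------------------------
SAMPLE_REVIEWS = (
    [("ToolA", "CWE-312", True)] * 9 + [("ToolA", "CWE-312", False)]        # alpha 0.9
    + [("ToolA", "CWE-89", True)] + [("ToolA", "CWE-89", False)] * 9         # alpha 0.1
    + [("ToolB", "CWE-312", True)] * 5 + [("ToolB", "CWE-312", False)] * 5   # alpha 0.5
    + [("ToolA", "CWE-94", True)] * 4                                        # alpha 1.0
)
SAMPLE_SEVERITY = {"CWE-312": "High", "CWE-89": "High", "CWE-276": "Medium", "CWE-94": "Fatal"}
SAMPLE_FINDINGS = [
    Finding("ToolA", "CWE-312", "MainActivity.java:42"),
    Finding("ToolB", "CWE-312", "MainActivity.java:42"),   # same issue seen by a second tool
    Finding("ToolA", "CWE-89", "Db.java:10"),
    Finding("ToolB", "CWE-276", "Files.java:7"),           # ToolB was never calibrated for this
]


def run_pipeline(findings=SAMPLE_FINDINGS, reviews=SAMPLE_REVIEWS, severity_of=SAMPLE_SEVERITY):
    """Combine confidence and severity into one recommendation, as on slide 8."""
    buckets = triage(findings, confidence_scores(reviews))
    verdict, counts, breached = recommend(buckets["accepted"], severity_of)
    return {"verdict": verdict, "counts": counts, "breached": breached,
            "review_fraction": review_fraction(buckets)}


if __name__ == "__main__":
    print(run_pipeline())
```

Two design points worth noting: a (tool, weakness) pair with no calibration data is sent to review rather than accepted, since the whole point of the confidence score is that untested tools are not trusted; and duplicate findings across tools are collapsed before the severity counts, so running more tools for coverage does not inflate an app toward the failure threshold.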

Slide 13 of 20: WEAKNESS RANKING PROCESS
Ranking scale applied to every source: Fatal / High / Medium / Low / N/A

Weakness Source                          | Ranked by
-----------------------------------------|----------
CAS Weaknesses                           | CAS
DISA Mobile App SRG                      | DISA
OWASP Top Ten                            | CAS
Mobile Specific CWEs                     | CAS
CAS Traditional Weakness Classes (CWEs)  | CAS

Slide 14 of 20: DATABASE AND HASH CREATION
CONCEPT: A database of which apps have been tested prevents duplication of effort.
PROCESS: All data from the application tests are saved to a shared database. When an app is submitted through the Pilot's processes, a SHA256 hash is created. This hash is compared to the hashes stored in the database. If there is a match, the app does not need to be evaluated; instead, the app's reports are pulled from the database.

Slide 15 of 20: SWID TAGS AND QUERIES
CONCEPT: A centralized database of testing results allows multiple agencies to share, upload, and query app results, thus reducing duplication of effort.
PROCESS: Every time an app is evaluated, upon completion of the evaluation, a software ID (SWID) tag is created. The tag:
- Contains metadata information for the app and the evaluation.
- Allows other agencies to quickly query the SWID database in order to find information about apps and prior evaluations.
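The hash lookup from slide 14 and the SWID tag creation from slide 15, as an added Python example that is not code from the CAS pilot. A submission is hashed with SHA256 and looked up in a shared results store (an in-memory SQLite table here); on a hit the stored record and its tag are returned without re-running any tool, otherwise an injected `evaluate` callable stands in for the tool pipeline, a SWID tag is built around the hash and the verdict, and both are stored. The `SoftwareIdentity`/`Payload`/`File` structure follows the ISO/IEC 19770-2 tag layout and the `SHA256:hash` attribute uses the XML-encryption SHA-256 namespace commonly used for SWID file hashes; the table schema, the `Meta` attribute names, the tag-id scheme and the sample bytes are assumptions.

```python
"""SHA256 de-duplication of app evaluations plus SWID tag creation.

Added example; the table schema, the Meta attribute names and the tag-id
scheme are assumptions, not the pilot's design."""
import hashlib
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# ISO/IEC 19770-2 SoftwareIdentity namespace and the SHA-256 namespace
# commonly used for SWID payload file hashes.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("", SWID_NS)
ET.register_namespace("SHA256", SHA256_NS)

# Constructed stand-in for an APK submission (not a real package).
SAMPLE_APK = b"PK\x03\x04 constructed sample bytes standing in for an APK"


def sha256_of(apk_bytes):
    return hashlib.sha256(apk_bytes).hexdigest()


def _q(tag):
    """Qualify a SWID element name with its namespace."""
    return f"{{{SWID_NS}}}{tag}"


def build_swid_tag(app_name, version, digest, evaluation):
    """Serialize a minimal SWID tag carrying the app identity, the file hash and
    the evaluation metadata. The Meta attribute names are assumed, not standard."""
    root = ET.Element(_q("SoftwareIdentity"), {
        "name": app_name, "version": version,
        "tagId": f"{app_name}-{version}-{digest[:16]}",   # assumed tag-id scheme
    })
    ET.SubElement(root, _q("Entity"), {"name": evaluation["agency"], "role": "tagCreator"})
    ET.SubElement(root, _q("Meta"), {
        "evaluatedAt": evaluation["evaluated_at"],
        "recommendation": evaluation["recommendation"],
        "criteria": evaluation["criteria"],
    })
    payload = ET.SubElement(root, _q("Payload"))
    ET.SubElement(payload, _q("File"),
                  {"name": evaluation["file_name"], f"{{{SHA256_NS}}}hash": digest})
    return ET.tostring(root, encoding="unicode")


def parse_swid_tag(xml_text):
    """Read back the fields another agency would query on."""
    root = ET.fromstring(xml_text)
    file_el = root.find(f"{_q('Payload')}/{_q('File')}")
    meta = root.find(_q("Meta"))
    return {"name": root.get("name"), "version": root.get("version"),
            "sha256": file_el.get(f"{{{SHA256_NS}}}hash"),
            "recommendation": meta.get("recommendation"),
            "evaluated_at": meta.get("evaluatedAt")}


class AppDatabase:
    """Shared results store keyed by the APK's SHA256 (in-memory SQLite here)."""
    COLUMNS = ("sha256", "app_name", "version", "recommendation", "swid_tag")
    _SELECT = "SELECT sha256, app_name, version, recommendation, swid_tag FROM evaluations"

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE evaluations (sha256 TEXT PRIMARY KEY, app_name TEXT, "
                          "version TEXT, recommendation TEXT, swid_tag TEXT)")

    def lookup(self, digest):
        row = self.conn.execute(self._SELECT + " WHERE sha256 = ?", (digest,)).fetchone()
        return None if row is None else dict(zip(self.COLUMNS, row))

    def store(self, record):
        self.conn.execute("INSERT INTO evaluations VALUES (?, ?, ?, ?, ?)",
                          tuple(record[c] for c in self.COLUMNS))
        self.conn.commit()

    def search(self, app_name):
        rows = self.conn.execute(self._SELECT + " WHERE app_name = ?", (app_name,)).fetchall()
        return [dict(zip(self.COLUMNS, r)) for r in rows]


def submit_app(db, app_name, version, file_name, apk_bytes, evaluate,
               agency="AGENCY-PLACEHOLDER", criteria="CAS weakness list"):
    """Hash the submission; reuse the stored record on a match, otherwise run the
    injected `evaluate` callable, build the SWID tag and store everything.
    Returns (record, reused_from_database)."""
    digest = sha256_of(apk_bytes)
    prior = db.lookup(digest)
    if prior is not None:
        return prior, True
    recommendation = evaluate(apk_bytes)      # stands in for the tool pipeline
    evaluation = {"agency": agency, "criteria": criteria, "file_name": file_name,
                  "recommendation": recommendation,
                  "evaluated_at": datetime.now(timezone.utc).isoformat(timespec="seconds")}
    record = {"sha256": digest, "app_name": app_name, "version": version,
              "recommendation": recommendation,
              "swid_tag": build_swid_tag(app_name, version, digest, evaluation)}
    db.store(record)
    return record, False
```

Keying the store on the hash of the bytes rather than on the app name and version is what makes the de-duplication safe: a rebuilt package with the same version string gets a different digest and is evaluated again, while an identical package submitted by another agency is served from the database.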

Slide 16 of 20: STATUS OF PILOT
- Process Documents are complete (pending comments and validation)
- Weakness severities complete
- Tools are in-house & operational
- Tool Report Scraping complete
- Tool Trust in progress: all tools' results being evaluated
- System coding is in progress
- Methodology Document is in progress

Slide 17 of 20: MILESTONES
- Initial Tool Trust (25 Apps): Feb 28 (DONE)
- Initial Code Development: April 15
- App Testing (75 Apps): April 31 (DONE)
- Process Testing (250 Apps): May 31
- Revise Processes: May 31
- Publish Testing Methodology: June 30
- Release Software: June 30

Slide 18 of 20: INTERESTED IN LEARNING MORE?
Contact:

Slide 19 of 20: PILOT OVERVIEW
[Process diagram, reconstructed as a list of its labelled elements]
Inputs:
- App Store: Agency Apps, Commercial Apps
- Agency Evaluation Criteria; Specific Situation Criteria
- I1 Manual Data Input
- I2, I3, I4, I5 Data Input Tool
Process steps:
- P1 SHA256 Build and Compare
- P2 App Store Data Scrape
- P3 Build Specific Test Criteria
- P4 Initiate Tool Runs (Multiple SwA Tool Tests)
- P5 Report Scraping
- P6 Build SWID Tag (SWID Tag Creation)
- P7 App Searches & Lookups
- P8 Tool Conf Data Collect & Calc
Analysis and decision flow:
- Align Results with criteria and order by risk
- Automated Analysis: Pass/Fail
- Analyst Review; Analyst Report & Recommendation
- Management Adjudication: Go Decision / No Go Decision
Reports:
- R1 Results Analysis & Report Gen (Automated Reports)
- R2 Mgmt Report Gen
- R3 Perf Reports & Metric Reporting
Data store:
- Database: App Data Repository / Metadata; App and Process Analytics


More information

Quality Assurance Plan PPM Version 2.0

Quality Assurance Plan PPM Version 2.0 Quality Assurance Plan PPM Version 2.0 U.S. Department of Housing and Urban Development PPM Version 2.0 January 2014 Quality Assurance Plan Document Control Information

More information

Seven Practical Steps to Delivering More Secure Software. January 2011

Seven Practical Steps to Delivering More Secure Software. January 2011 Seven Practical Steps to Delivering More Secure Software January 2011 Table of Contents Actions You Can Take Today 3 Delivering More Secure Code: The Seven Steps 4 Step 1: Quick Evaluation and Plan 5 Step

More information

Distributed Networking

Distributed Networking Distributed Networking Millions of people. Strong collaborations. Privacy first. Jeffrey Brown, Lesley Curtis, Richard Platt Harvard Pilgrim Health Care Institute and Harvard Medical School Duke Medical

More information

DoD Software Assurance (SwA) Overview

DoD Software Assurance (SwA) Overview DoD Software Assurance (SwA) Overview Tom Hurt Office of the Deputy Assistant Secretary of Defense for Systems Engineering NDIA Program Protection Summit / Workshop McLean, VA May 19, 2014 May 19, 2014

More information

REDUCING COSTS WITH ADVANCED REVIEW STRATEGIES - PRIORITIZATION FOR 100% REVIEW. Bill Tolson Sr. Product Marketing Manager Recommind Inc.

REDUCING COSTS WITH ADVANCED REVIEW STRATEGIES - PRIORITIZATION FOR 100% REVIEW. Bill Tolson Sr. Product Marketing Manager Recommind Inc. REDUCING COSTS WITH ADVANCED REVIEW STRATEGIES - Bill Tolson Sr. Product Marketing Manager Recommind Inc. Introduction... 3 Traditional Linear Review... 3 Advanced Review Strategies: A Typical Predictive

More information

Kaspersky Whitelisting Database Test

Kaspersky Whitelisting Database Test Kaspersky Whitelisting Database Test A test commissioned by Kaspersky Lab and performed by AV-Test GmbH Date of the report: February 14 th, 2013, last update: April 4 th, 2013 Summary During November 2012

More information

Cloud Security. A Sales Guy Talks About DoD s Cautious Journey to the Public Cloud. Sean Curry Sales Executive, Aquilent

Cloud Security. A Sales Guy Talks About DoD s Cautious Journey to the Public Cloud. Sean Curry Sales Executive, Aquilent Cloud Security A Sales Guy Talks About DoD s Cautious Journey to the Public Cloud Sean Curry Sales Executive, Aquilent The first in a series of audits DoD did not fully execute elements of the July 2012

More information

BUSINESS INTELLIGENCE. Keywords: business intelligence, architecture, concepts, dashboards, ETL, data mining

BUSINESS INTELLIGENCE. Keywords: business intelligence, architecture, concepts, dashboards, ETL, data mining BUSINESS INTELLIGENCE Bogdan Mohor Dumitrita 1 Abstract A Business Intelligence (BI)-driven approach can be very effective in implementing business transformation programs within an enterprise framework.

More information

2012 North American Vulnerability Research Product Leadership Award

2012 North American Vulnerability Research Product Leadership Award 2012 2012 North American Vulnerability Research Product Leadership Award 2012 Frost & Sullivan 1 We Accelerate Growth Product Leadership Award Vulnerability Management North America, 2012 Frost & Sullivan

More information

Pay-Per-Click/Google Adwords Services

Pay-Per-Click/Google Adwords Services Pay-Per-Click/Google Adwords Services 1. Development of PPC Campaign and Optimisation Services. SIMPLE ID agrees to create, install, manage, develop and employ custom PPC Advertising tactics according

More information

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks

Hayri Tarhan, Sr. Manager, Public Sector Security, Oracle Ron Carovano, Manager, Business Development, F5 Networks EXTENDING ACCESS WHILE ENHANCING CONTROL FOR YOUR ORGANIZATION S DATA LEVERAGE THE POWER OF F5 AND ORACLE TO DELIVER SECURE ACCESS TO APPLICATIONS AND DATABASES Hayri Tarhan, Sr. Manager, Public Sector

More information

KPMG Unlocks Hidden Value in Client Information with Smartlogic Semaphore

KPMG Unlocks Hidden Value in Client Information with Smartlogic Semaphore CASE STUDY KPMG Unlocks Hidden Value in Client Information with Smartlogic Semaphore Sponsored by: IDC David Schubmehl July 2014 IDC OPINION Dan Vesset Big data in all its forms and associated technologies,

More information

HITEKS REAL- TIME SOLUTIONS FOR REAL- LIFE PROBLEMS

HITEKS REAL- TIME SOLUTIONS FOR REAL- LIFE PROBLEMS HITEKS REAL- TIME SOLUTIONS FOR REAL- LIFE PROBLEMS Health systems invest extremely large amounts of financial and human capital collecting clinical encounter data. The process begins with the physician

More information

DITA Adoption Process: Roles, Responsibilities, and Skills

DITA Adoption Process: Roles, Responsibilities, and Skills DITA Adoption Process: Roles, Responsibilities, and Skills Contents 2 Contents DITA Adoption Process: Roles, Responsibilities, and Skills... 3 Investigation Phase... 3 Selling Phase...4 Pilot Phase...5

More information

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009 U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009 ISD-EV-MOA-0002-2009 Contents Acronyms and Other Reference

More information

Tidepool Informational Pre-submission Meeting

Tidepool Informational Pre-submission Meeting Tidepool Informational Pre-submission Meeting Prepared for FDA CDRH June 2, 2015 Tidepool attendees: Howard Look, President and CEO (phone) Brandon Arbiter, VP Product and BizDev (phone) Sheila Ramerman,

More information

Lee Barnes, CTO Utopia Solutions. Utopia Solutions

Lee Barnes, CTO Utopia Solutions. Utopia Solutions Mobile Technology Testing Are You Ready? Lee Barnes, CTO Utopia Solutions Agenda 1. Mobile Testing Challenges 2. Mobile Testing Practices 3. Mobile Test Automation 4. Summary and Q & A Mobile Testing Challenges

More information

System x x86 servers from Lenovo achieve top customer satisfaction scores. January 2015 TBR T EC H N O LO G Y B U S I N ES S R ES EAR C H, I N C.

System x x86 servers from Lenovo achieve top customer satisfaction scores. January 2015 TBR T EC H N O LO G Y B U S I N ES S R ES EAR C H, I N C. System x x86 servers from Lenovo achieve top customer satisfaction scores January 2015 TBR T EC H N O LO G Y B U S I N ES S R ES EAR C H, I N C. System x customer satisfaction scores surpass those of Dell

More information

Gilead Clinical Operations Risk Management Program

Gilead Clinical Operations Risk Management Program Gilead Clinical Operations Risk Management Program Brian J Nugent, Associate Director 1 Agenda Risk Management Risk Management Background, Benefits, Framework Risk Management Training and Culture Change

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Customer Account Data Engine 2 (CADE 2): System Requirements and Testing Processes Need Improvements September 28, 2012 Reference Number: 2012-20-122 This

More information

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense By: Daniel Harkness, Chris Strasburg, and Scott Pinkerton The Challenge The Internet is an integral part of daily

More information

Successful Projects Begin with Well-Defined Requirements

Successful Projects Begin with Well-Defined Requirements Successful Projects Begin with Well-Defined Requirements Defining requirements clearly and accurately at the outset speeds software development processes and leads to dramatic savings. Executive Summary

More information

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013

SOFTWARE ASSET MANAGEMENT Continuous Monitoring. September 16, 2013 SOFTWARE ASSET MANAGEMENT Continuous Monitoring September 16, 2013 Tim McBride National Cybersecurity Center of Excellence timothy.mcbride@nist.gov David Waltermire Information Technology Laboratory david.waltermire@nist.gov

More information

Financial Audit Scoping Tool Blueprint for Oracle GRC Applications

<Insert Picture Here> Financial Audit Scoping Tool Blueprint for Oracle GRC Applications Financial Audit Scoping Tool Blueprint for Oracle GRC Applications Implement Audit Standard 5 (AS5) scoping to streamline financial reporting compliance Agenda Financial Audit Scoping

More information

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief RSA Solution Brief RSA envision Platform Real-time Actionable Information, Streamlined Incident Handling, Effective Measures RSA Solution Brief The job of Operations, whether a large organization with

More information

OPTIMIZING THE USE OF VHA s FEE BASIS CLAIMS SYSTEM (FBCS)

OPTIMIZING THE USE OF VHA s FEE BASIS CLAIMS SYSTEM (FBCS) VA-CASE VISN 11 VA Center for Applied Systems Engineering OPTIMIZING THE USE OF VHA s FEE BASIS CLAIMS SYSTEM (FBCS) The Fee Basis Claims System (FBCS) Optimization initiative aims to improve, standardize,

More information

America Saves! Energizing Main Street Small Businesses

America Saves! Energizing Main Street Small Businesses America Saves! Energizing Main Street Small Businesses 2014 Building Technologies Office Peer Review Mark Huppert / mhuppert@savingplaces.org Ric Cochrane / rcochrane@savingplaces.org National Trust for

More information