Security Metrics Rehab. Breaking Free from Top X Lists, Cultivating Organic Metrics, & Realizing Operational Risk Management
- Clifford Parker
- 8 years ago
Slide 1: Security Metrics Rehab. Breaking Free from Top X Lists, Cultivating Organic Metrics, & Realizing Operational Risk Management. April 11, 2014
Slide 2: About Me
- Author of P.A.S.T.A threat modeling methodology (risk centric) (Wiley Life Sciences)
- Nearly 20 years of IT/Security experience (Developer, Security Arch, Dir of RM, CISO roles)
- Founder of VerSprite, global consulting security firm based in Atlanta
- OWASP ATL Chapter/Project Leader for past 6 years
- VerSprite works across Retail, Hospitality, Financial, Gov't, Higher Ed, Healthcare, Info Svc
- Co-organizer of BSides Atlanta grassroots security conference
- B.S. from Cornell in International Finance
- Contact Info:
Slide 3: About This Talk
- Counterculture presentation on metrics, governance, and risk
- Depict pros/cons around existing metrics/frameworks in the public domain
- Introduce a seed of thought around building organic security metrics
Slide 4: Consider the Following. If you had to pick only one:
- Option A: Fully developed security controls framework w/ supporting metrics based upon leading industry lists and control frameworks
- Option B: Fully developed risk framework where inherent and residual values are quantifiable, supported, and tied to business impact scenarios
Slide 5: METRICS VS BSETRICS
Slide 6: Separating Fact from Fiction

Metrics:
- Objective focused
- Built from "What Do I Need" (e.g. goal of providing evidence of effective technology/process management)
- Data source is dependable & vast
- Metrics should have a reliable data source that augments over time
- Outliers are factored out
- Support clearly defined IT/Biz goals

BSetrics:
- Metrics that feel/look good (e.g. closed risk issues)
- Built from "What Do I Have" (e.g. the tool begins to shape the metrics discussion)
- Based upon industry standard
- "Keeping Up w/ the Joneses" metrics
- Building metrics to manage perception
- Data set is limited (e.g. time, breadth, pre-fixed)
- Outliers are not factored out
Slide 7: Bad Metrics
- Issues remediated
  - Unanswered: Tested/not tested?
  - Unanswered: Was the issue resolved, closed, or transferred?
  - Unanswered: Is this issue important?
- # High Vulnerabilities Closed
  - Deemed High by whom?
  - No context (High risk to a Low value asset)
- # of Code Imperfections against a Top X List (SAST Scan)
  - The Top X List begins to drive your risk perception devoid of anything else
  - Cultivates responses, remediation, and reports solely on top X items
- # of Pen Tests / # of WebAppScans Conducted
  - Doesn't factor in automated or poorly conducted testing
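To make the "tested/not tested" and "High risk to a Low value asset" objections concrete, here is an added example (my code, not from the slides) that scores one constructed set of findings both ways: the vanity count of closed Highs beside an exposure score weighted by a hypothetical BIA asset value, where a closure without a retest stays in residual exposure and the median is used so one stale ticket cannot distort time-to-close.

```python
# Added example: a "BSetric" beside a context-aware metric over constructed findings.
from dataclasses import dataclass
from statistics import mean, median
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    ident: str
    severity: str              # tool-assigned rating: "High", "Medium" or "Low"
    asset_value: int           # hypothetical BIA rating of the affected asset, 1 (low) to 5 (critical)
    status: str                # "closed", "open", "risk_accepted" or "transferred"
    verified: bool             # True only when a retest confirmed the fix
    days_to_close: Optional[int] = None


SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


def exposure(f: Finding) -> int:
    """Context-aware weight: tool severity scaled by the asset's business value."""
    return SEVERITY_WEIGHT[f.severity] * f.asset_value


def bsetric_high_closed(findings: Iterable[Finding]) -> int:
    """The 'BSetric': count of tool-rated Highs marked closed, no questions asked."""
    return sum(1 for f in findings if f.severity == "High" and f.status == "closed")


def verified_exposure_removed(findings: Iterable[Finding]) -> int:
    """Exposure removed by closures a retest confirmed; an unverified closure earns nothing."""
    return sum(exposure(f) for f in findings if f.status == "closed" and f.verified)


def residual_exposure(findings: Iterable[Finding]) -> int:
    """Everything still on the books: open, accepted, transferred, or closed without a retest."""
    return sum(exposure(f) for f in findings if not (f.status == "closed" and f.verified))


def time_to_close(findings: Iterable[Finding]) -> dict:
    """Mean and median days to verified closure; the median resists a single stale outlier."""
    days = [f.days_to_close for f in findings
            if f.status == "closed" and f.verified and f.days_to_close is not None]
    return {"mean": mean(days), "median": median(days)}


def scorecard(findings: Iterable[Finding]) -> dict:
    """One row of a scorecard: the vanity number next to the numbers that carry context."""
    fs = list(findings)
    ttc = time_to_close(fs)
    return {
        "bsetric_high_closed": bsetric_high_closed(fs),
        "verified_exposure_removed": verified_exposure_removed(fs),
        "residual_exposure": residual_exposure(fs),
        "mean_days_to_close": ttc["mean"],
        "median_days_to_close": ttc["median"],
    }


# Constructed sample: three closed "Highs" look great until asset value and retests are considered.
SAMPLE = [
    Finding("F1", "High", 1, "closed", True, 10),          # closed High on a throwaway asset
    Finding("F2", "High", 1, "closed", False, 5),          # "closed" but never retested
    Finding("F3", "High", 5, "open", False),               # the one that matters is still open
    Finding("F4", "Medium", 5, "closed", True, 20),        # Medium on the crown jewel, verified
    Finding("F5", "High", 4, "risk_accepted", False),      # accepted, not gone
    Finding("F6", "Low", 2, "closed", True, 400),          # stale ticket that skews the mean
    Finding("F7", "High", 2, "closed", True, 15),
    Finding("F8", "Medium", 3, "transferred", False),      # moved to another team, still exposure
]

if __name__ == "__main__":
    for name, value in scorecard(SAMPLE).items():
        print(f"{name:28} {value}")
```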
Slide 8: STATUS QUO SECURITY METRICS
Slide 9: Examples of AppSec Metrics Today

Process Metrics:
- Is an SDL process used? Are security gates enforced?
- Secure application development standards and testing criteria?
- Security status of a new application at delivery (e.g., % compliance with organizational security standards and application system requirements)
- Existence of a developer support website (FAQs, code fixes, lessons learned, etc.)?
- % of developers trained, using organizational security best practice technology, architecture and processes

Management Metrics:
- % of applications rated business-critical that have been tested
- % of applications which business partners, clients, regulators require be certified
- Average time to correct vulnerabilities (trending)
- % of flaws by lifecycle phase
- % of applications using centralized security services
- Business impact of critical security incidents
Slide 10: AppSec Metrics in Vuln Management
- Number and criticality of vulnerabilities found
- Most commonly found vulnerabilities
- Reported defect rates based on security testing (per developer/team, per application)
- Root cause of vulnerability recidivism
- % of code that is re-used from other products/projects*
- % of code that is third party (e.g., libraries)*
- Results of source code analysis**:
  - Vulnerability severity by project, by organization
  - Vulnerabilities by category by project, by organization
  - Vulnerability +/- over time by project
  - % of flaws by lifecycle phase (based on when testing occurs)

Source: * WebMethods, ** Fortify Software
Slide 11: ROOM FOR IMPROVEMENT
Slide 12: Forrester Survey: What are your top three drivers for measuring information security?
- Justification for security spending: 63%
- Regulations: 51%
- Loss of reputation: 37%
- Better stewardship: 26%
- Report progress to business: 23%
- Manage risk: 11%

Base: 40 CISOs and senior security managers. Source: Measuring Information Security Through Metrics And Reporting, Forrester Research, Inc., May 2006
Slide 13: Good Metrics
- Align w/ Maturity Model
- Align to Biz/IT Goals
- Relate to Business Processes
- Map to a Business Impact

Metrics matter most when they have direct or indirect relevance to operational/strategic goals. Directly or indirectly, the categories to be measured need to map to key indicators that matter in IT Ops, Sales, Finance. A good start is to map metric areas to key processes sustained by a BIA.
- Start simple
- Forget what everyone else is doing for now
- Perform an internal PoC with LOBs/BUs
- Grow base of coverage over time
- Mature metrics by benchmarking against industry reports/analysis
Slide 14: Opportunities for Metrics - Secure Development Life Cycle (SDL)

Software assurance activities conducted at each lifecycle phase. (Diagram residue; the phases and activities are listed below as they survived transcription, without the diagram's phase-to-activity placement.)
- Lifecycle phases: Concept, Designs Complete, Test plans Complete, Code Complete, Deploy, Post Deployment
- Activities: Secure questions during interviews, Threat analysis, External review, Security push/audit, Learn & Refine, Team member training, Security Review, Data mutation & Least Priv Tests, Review old defects, Check-ins checked, Secure coding guidelines, Use tools (on-going)

Source: Microsoft
Slide 15: Organizing Metric Types

Process Metrics: information about the processes themselves; evidence of maturity. Examples:
- Secure coding standards in use
- Avg. time to correct critical vulnerabilities

Vulnerability Metrics: metrics about application vulnerabilities themselves. Examples:
- By vulnerability type
- By occurrence within a software development life cycle phase

Management Metrics: specifically designed for senior management. Examples:
- % of applications that are currently security certified and accepted by business partners
- Trending: critical unresolved, accepted risks
Slide 16: Our Security Metric Challenge

"A major difference between a 'well developed' science such as physics and some of the less 'well-developed' sciences such as psychology or sociology is the degree to which things are measured." Source: Fred S. Roberts, ROBE79

"Give information risk management the quantitative rigor of financial information management." Source: CRA/NSF, 10 Year Agenda for Information Security Research, cited by Dr. Dan Geer
Slide 17: BREAKING FREE FROM TOP X LISTS
Slide 18: Let's Rethink Security Lists

Pros:
- Great content from various sources: OWASP Top Ten, SANS 20 Critical Security Controls, MITRE CWE Top 25, WASC TC v2, OWASP Top 10 - Mobile
- Provide a benchmark for testing measurement
- Bring a broader industry perspective
- Better suited for more mature programs where benchmarking is timely

Cons:
- They end up defining an AppSec program's baseline
- Used as the ground-floor level of metrics
- Tempt programs to look outwardly vs. inwardly
- Don't foster Good Metrics taking root
- Tools don't make quitting this trend easy (pre-defined profiles)
- Not a real basis for threat or risk analysis
Slide 19: How Do Lists Break Us Free from This Cycle?
Slide 20: METRICS & LISTS: TIMING IS EVERYTHING
Slide 21: OWASP OpenSAMM Project
- Dedicated to defining, improving, and testing the SAMM framework
- Always vendor-neutral, but lots of industry participation
- Open and community driven
- Targeting new releases every 6-12 months
- Change management process
- Evaluate an organization's existing software security practices
- Build a balanced software security assurance program in well-defined iterations
- Demonstrate concrete improvements to a security assurance program
- Define and measure security-related activities throughout an organization
Slide 22: SAMM in a nutshell
- Evaluate an organization's existing software security practices
- Build a balanced software security assurance program in well-defined iterations
- Demonstrate concrete improvements to a security assurance program
- Define and measure security-related activities throughout an organization
Slide 23: OWASP OpenSAMM (Software Assurance Maturity Model)
- Look inward
- Start with the core activities tied to SDLC practices
- Named generically, but should resonate with any developer or manager
Slide 24: Leveraging Lists at the Right Maturity Level
- Measure what you need across a framework's (OpenSAMM) areas
- Identify indicators that support business/product goals & objectives
- Apply lists for benchmarking as maturity levels rise
Slide 25: Develop Organic Security Metrics

Reasons:
- Supports contextual analysis based upon internal operations
- Top-down approach to regressing to security metrics that matter
- Will substantiate security initiatives across non-infosec areas

Baking Organic Metrics (diagram residue; layers and their items as they survived transcription):
- Organizational Objectives: Revenue Growth, Reputational Loss, Non-Compliance, Cost Reduction, Fines & Penalties
- BU/LoB Objectives and Product/Service Objectives: Product Innovation, IP Security, Insider Threats, Incident Handling/Response, Efficient Service Delivery, Continuity, Data Integrity
- Operational Processes
- Supporting Technology & Infrastructure
Slide 26: Revisiting Lists
- Build your processes first
- Design metrics mapped to activities for those processes
- Develop scorecards that report on organic security metrics that relate to operational and financial areas
- Bake in industry lists in order to reflect more advanced quantitative analysis (Level 4)
Slide 27: Creating Scorecards
- Gap analysis: capturing scores from detailed assessments versus expected performance levels
- Demonstrating improvement: capturing scores from before and after an iteration of assurance program build-out
- Ongoing measurement: capturing scores over consistent time frames for an assurance program that is already in place
Slide 28: THANK YOU!
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationExecutive Summary... 2. Introduction And Survey Methodology... 3. For Many, Application Security Is Not Yet A Mature Practice... 5
Executive Summary... 2 Introduction And Survey Methodology... 3 For Many, Application Security Is Not Yet A Mature Practice... 5 From Design To Production, Software Security Practices Need To Improve...
More informationInformation Governance Workshop. David Zanotta, Ph.D. Vice President, Global Data Management & Governance - PMO
Information Governance Workshop David Zanotta, Ph.D. Vice President, Global Data Management & Governance - PMO Recognition of Information Governance in Industry Research firms have begun to recognize the
More informationBusiness Analysis Standardization & Maturity
Business Analysis Standardization & Maturity Contact Us: 210.399.4240 info@enfocussolutions.com Copyright 2014 Enfocus Solutions Inc. Enfocus Requirements Suite is a trademark of Enfocus Solutions Inc.
More informationApplication Security Testing How to find software vulnerabilities before you ship or procure code
Application Security Testing How to find software vulnerabilities before you ship or procure code Anita D Amico, Ph.D. Hassan Radwan 1 Overview Why Care About Application Security? Quality vs Security
More informationPenetration Testing and Vulnerability Assessment
2013 CliftonLarsonAllen LLP Penetration Testing and Vulnerability Assessment CLAconnect.com Presentation overview What is Risk Assessment Governance Frameworks Types of Audits Vulnerability Assessment
More informationOPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE.
OPTIMUS SBR CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE. Optimizing Results with Business Intelligence Governance This paper investigates the importance of establishing a robust Business Intelligence (BI)
More informationThe following is intended to outline our general product direction. It is intended for informational purposes only, and may not be incorporated into
The following is intended to outline our general product direction. It is intended for informational purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
More informationA Simple Guide to Material Master Data Governance. By Keith Boardman, Strategy Principal
A Simple Guide to Material Master Data Governance By Keith Boardman, Strategy Principal DATUM is an Information Management solutions company focused on driving greater business value through data. We provide
More informationRapid Threat Modeling Techniques
SESSION ID: ASD-R01 Rapid Threat Modeling Techniques Chad Childers IT Security Ford Motor Company Agenda Threat Modeling background Lessons Learned to make threat modeling faster Techniques specifically
More information2011 Forrester Research, Inc. Reproduction Prohibited
1 2011 Forrester Research, Inc. Reproduction Prohibited Information Security Metrics Present Information that Matters to the Business Ed Ferrara, Principal Research Analyst July 12, 2011 2 2009 2011 Forrester
More informationPresented By: Leah R. Smith, PMP. Ju ly, 2 011
Presented By: Leah R. Smith, PMP Ju ly, 2 011 Business Intelligence is commonly defined as "the process of analyzing large amounts of corporate data, usually stored in large scale databases (such as a
More informationThe Seven Deadly Myths of Software Security Busting the Myths
The Seven Deadly Myths of Software Security Busting the Myths With the reality of software security vulnerabilities coming into sharp focus over the past few years, businesses are wrestling with the additional
More informationAgile and Secure Can We Be Both? Chicago OWASP. June 20 th, 2007
Agile and Secure Can We Be Both? Chicago OWASP June 20 th, 2007 The Agile Practitioner s Dilemma Agile Forces: Be more responsive to business concerns Increase the frequency of stable releases Decrease
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationInsert sponsor logo here. Dell SecureWorks. 2012 ISACA Webinar Program. 2012 ISACA. All rights reserved.
Insert sponsor logo here Bye-Bye Budget: Top spending mistakes that put your budget at risk Matt Anthony Dell SecureWorks Today s webinar: Text in questions using the Ask A Question button All audio is
More information