Scaling a Software Security Initiative: Lessons from the BSIMM
1 Scaling a Software Security Initiative: Lessons from the BSIMM
Gary McGraw, Ph.D., Chief Technology Officer, Cigital, gem@cigital.com
September 29,
2 Cigital
- Providing software security professional services since 1992
- World's premier software security consulting firm
- 350 employees
- 13 offices including Dulles, Boston, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, Amsterdam, and London
- Recognized experts in software security
3 BSIMM-V
4 67 Firms in the BSIMM-V Community
- Real data from 67 firms
- 161 measurements, 21 over time
- McGraw, Migues, & West, bsimm.com
- Plus 24 anonymous firms
5 Monkeys Eat Bananas
- BSIMM is not about good or bad ways to eat bananas or banana best practices
- BSIMM is about observations
- BSIMM is descriptive, not prescriptive
- BSIMM describes and measures multiple prescriptive approaches
6 BSIMM by the Numbers
BSIMM describes and measures the work of 2,930 full-time software security people controlling the work of 272,358 developers.
7 12 Practices, 112 Activities
- Real activities, not theories
- Real data
- How do the 67 BSIMM firms carry out a practice?
- How do the practices scale?
8 BSIMM-V = Measuring Stick
9 Scaling Code Review
10 Remedial Code Review
- #1 Touchpoint
- Get a tool (HP/Fortify, IBM/Ounce, Coverity, Cigital SecureAssist)
- 50 of 67 firms have an automated tool
11 Code Review in the BSIMM
12 Code Review Pitfalls
- Security runs a complex tool
  - Results computed WAY too late
  - Results include too many false positives
  - Security types have no clue how to fix anything
  - Developers try to avoid being beaten by the security police
- Tool thrown over the wall to dev
  - Developers asked to just run the tool with no real training
  - The red screen of death ensues
  - Developers learn to game the results
Copyright 2013, Cigital and/or its affiliates. All rights reserved. Cigital Confidential Restricted.
13 Scaling Code Review: Path 1
- Build a centralized code review factory
  - Streamline code submission
  - Provide middleware data flow intelligence
  - Normalize results (across multiple feeds)
- Know what to look for
  - Create and enforce coding standards (carrot and stick)
  - Build custom rules that work for YOUR code
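The "normalize results across multiple feeds" and "enforce coding standards" points of Path 1 are the core of a code review factory. The Python below is an added example written for this transcription, not code from the deck or from Cigital: two hypothetical scanner feeds (their record layouts, rule ids and severity labels are constructed, not any real product's output) are mapped onto one schema, the same weakness reported at the same location by both tools is merged into a single record, and a standards gate picks out the findings that would block a submission.

```python
"""Normalise static-analysis findings from several tool feeds into one schema.

Added example for a centralised code review factory. The two feed formats,
the rule identifiers and the severity labels are constructed stand-ins, not
the output of any real product.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# One severity scale for the whole factory; every feed is mapped onto it.
SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Per-tool translation of native severity labels (hypothetical labels).
SEVERITY_MAP = {
    "tool_a": {"1": "low", "2": "low", "3": "medium", "4": "high", "5": "critical"},
    "tool_b": {"note": "low", "warning": "medium", "error": "high"},
}

# Per-tool translation of native rule ids onto the organisation's own weakness
# categories, so the coding standard is expressed per category, not per tool.
# Unmapped rules fall back to "uncategorised" and stay visible for triage.
CATEGORY_MAP = {
    "tool_a": {"A-SQLI-01": "sql-injection", "A-XSS-07": "xss"},
    "tool_b": {"B/Injection/Sql": "sql-injection", "B/Crypto/WeakHash": "weak-crypto"},
}


@dataclass(frozen=True)
class Finding:
    tool: str       # feed(s) that reported it, '+'-joined once merged
    file: str       # path relative to the repository root
    line: int
    category: str
    severity: str


def _repo_path(path: str) -> str:
    """Strip a leading './' so both feeds key on the same path form."""
    return path[2:] if path.startswith("./") else path


def normalize_tool_a(raw: Iterable[dict]) -> List[Finding]:
    """Tool A (hypothetical) emits flat records with numeric severity strings."""
    return [
        Finding("tool_a", _repo_path(r["path"]), int(r["line"]),
                CATEGORY_MAP["tool_a"].get(r["rule"], "uncategorised"),
                SEVERITY_MAP["tool_a"][r["severity"]])
        for r in raw
    ]


def normalize_tool_b(raw: dict) -> List[Finding]:
    """Tool B (hypothetical) emits nested results with textual levels."""
    return [
        Finding("tool_b", _repo_path(r["location"]["uri"]), int(r["location"]["startLine"]),
                CATEGORY_MAP["tool_b"].get(r["ruleId"], "uncategorised"),
                SEVERITY_MAP["tool_b"][r["level"]])
        for r in raw["results"]
    ]


def merge_feeds(*feeds: List[Finding]) -> List[Finding]:
    """Collapse the same weakness at the same location reported by several
    tools into one record, keeping the highest severity, ordered worst-first."""
    merged: Dict[Tuple[str, int, str], Finding] = {}
    for f in (x for feed in feeds for x in feed):
        key = (f.file, f.line, f.category)
        prev = merged.get(key)
        if prev is None:
            merged[key] = f
            continue
        tools = "+".join(sorted(set(prev.tool.split("+")) | {f.tool}))
        worst = max(prev.severity, f.severity, key=SEVERITY_ORDER.__getitem__)
        merged[key] = Finding(tools, f.file, f.line, f.category, worst)
    return sorted(merged.values(),
                  key=lambda f: (-SEVERITY_ORDER[f.severity], f.file, f.line))


def standards_violations(findings: List[Finding], blocked_categories: Iterable[str],
                         min_severity: str) -> List[Finding]:
    """The 'stick': findings that break the coding standard, either because the
    category is banned outright or the severity meets the blocking threshold."""
    blocked = set(blocked_categories)
    floor = SEVERITY_ORDER[min_severity]
    return [f for f in findings
            if f.category in blocked or SEVERITY_ORDER[f.severity] >= floor]


# Constructed sample feeds, standing in for two scanners run on one repository.
TOOL_A_RAW = [
    {"path": "./src/db/query.py", "line": "42", "rule": "A-SQLI-01", "severity": "4"},
    {"path": "./src/web/render.py", "line": "118", "rule": "A-XSS-07", "severity": "3"},
    {"path": "./src/util/hash.py", "line": "9", "rule": "A-UNKNOWN", "severity": "2"},
]
TOOL_B_RAW = {"results": [
    {"ruleId": "B/Injection/Sql", "level": "error",
     "location": {"uri": "src/db/query.py", "startLine": 42}},
    {"ruleId": "B/Crypto/WeakHash", "level": "warning",
     "location": {"uri": "src/util/hash.py", "startLine": 9}},
]}


def run_factory() -> List[Finding]:
    """Normalise both feeds and merge them into the factory's single result set."""
    return merge_feeds(normalize_tool_a(TOOL_A_RAW), normalize_tool_b(TOOL_B_RAW))


if __name__ == "__main__":
    results = run_factory()
    for f in results:
        print(f"{f.severity:<8} {f.category:<15} {f.file}:{f.line}  [{f.tool}]")
    blocking = standards_violations(results, {"sql-injection"}, "high")
    print(f"{len(blocking)} finding(s) block the submission")
```

Note what the unmapped rule does to the result set: Tool A's `A-UNKNOWN` hit on `src/util/hash.py:9` lands as "uncategorised" and is not merged with Tool B's weak-hash finding at the same line, so the same weakness appears twice. Keeping the category maps complete is what makes normalisation pay off, and it is also where the deck's "build custom rules that work for YOUR code" plugs in: in-house rules map onto the same category names as the vendor tools' rules.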
14 Scaling Code Review: Path 2 (very new)
- Put a very simple real-time training tool on developer desktops
  - Eliminate whole classes of bugs before they are compiled in
  - Focus on coding more securely in the first place
- Teaching is more powerful than punishing
  - Developers need to know what to DO, not what not to do
  - Train developers just in time, at code writing time
- READ: bit.ly/1iicapb
15 Scaling Architecture Analysis
16 Remedial Architecture Analysis
- #2 Touchpoint
- Requires real expertise
- Know your components
- 56 of 67 firms review security FEATURES
17 Architecture Analysis Pitfalls
- The Expert Bottleneck
  - Superman required for each analysis exercise
  - Lots of products and teams need analysis, but must either wait forever or skip it
- Ad Hoc Review
  - Review only as powerful as whoever bothers to show up
  - No institutional knowledge or consistency
18 Architecture Analysis in the BSIMM
19 Define a Process: Architecture Risk Analysis
- Step 0: Get an architecture diagram
- Step 1: Known attack analysis
  - Leverage STRIDE by analogy
  - Know your potential flaws
- Step 2: System-specific attack analysis
  - Anticipate emergent flaws
  - Build a threat model (trust boundaries and data sensitivity)
- Step 3: Dependency analysis
- Read: bit.ly/1b2f5zk
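The four steps above are the kind of process that can be written down once and run against every architecture diagram, which is what lets the analysis scale past the one expert in the room. The Python below is an added example for this transcription, not Cigital's ARA method or code: step 1 is STRIDE by analogy (the standard STRIDE-per-element table applied to each diagram element), step 2 walks the data flows and flags every trust-boundary crossing that lacks the control the crossing demands, and step 3 checks each component's third-party dependencies against an approved list. The diagram, the zone names, the control names (`tls`, `authn`, `input-validation`) and the component names are all constructed for the example.

```python
"""Architecture risk analysis over a data-flow diagram: STRIDE by analogy per
element, trust-boundary and data-sensitivity checks per flow, and a dependency
check against an approved component list. The diagram is constructed for this
example; zone names and control names are the example's own conventions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# STRIDE-per-element: the threat classes that can apply to each DFD element
# kind (repudiation on a store applies to stores holding logs or audit data).
STRIDE_PER_ELEMENT = {
    "external": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"},
    "store": {"Tampering", "Repudiation", "Information disclosure", "Denial of service"},
}

# Trust zones from least to most trusted; a flow between two different zones
# crosses a trust boundary.
ZONE_LEVEL = {"internet": 0, "dmz": 1, "internal": 2}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                                   # external | process | store
    zone: str
    dependencies: FrozenSet[str] = frozenset()  # third-party components it embeds


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    sensitivity: str                            # public | internal | confidential
    controls: FrozenSet[str] = frozenset()      # controls present on this flow


@dataclass(frozen=True)
class Threat:
    subject: str
    category: str
    reason: str


def known_attack_analysis(elements: List[Element]) -> Dict[str, Set[str]]:
    """Step 1: candidate threat classes per element, by analogy to its kind."""
    return {e.name: set(STRIDE_PER_ELEMENT[e.kind]) for e in elements}


def boundary_analysis(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Step 2: a flow that crosses a trust boundary must carry the controls the
    crossing demands; each missing control becomes a system-specific threat."""
    zone_of = {e.name: e.zone for e in elements}
    threats: List[Threat] = []
    for f in flows:
        src_lvl, dst_lvl = ZONE_LEVEL[zone_of[f.src]], ZONE_LEVEL[zone_of[f.dst]]
        if src_lvl == dst_lvl:
            continue                            # same zone: no boundary crossed
        subject = f"{f.src} -> {f.dst} ({f.data})"
        if dst_lvl > src_lvl:
            # Inbound to a more trusted zone: the receiver must know who sent
            # the data and must not trust its content as received.
            if "authn" not in f.controls:
                threats.append(Threat(subject, "Spoofing",
                                      "unauthenticated flow into a more trusted zone"))
            if "input-validation" not in f.controls:
                threats.append(Threat(subject, "Tampering",
                                      "input from a less trusted zone not validated"))
        if f.sensitivity == "confidential" and "tls" not in f.controls:
            # Confidential data on any boundary crossing needs a protected channel.
            for cat in ("Information disclosure", "Tampering"):
                threats.append(Threat(subject, cat,
                                      "confidential data on an unprotected channel"))
    return threats


def dependency_analysis(elements: List[Element], approved: Set[str]) -> Dict[str, Set[str]]:
    """Step 3: third-party components not on the approved list, per element."""
    unapproved = {e.name: set(e.dependencies) - approved for e in elements}
    return {name: deps for name, deps in unapproved.items() if deps}


# Constructed sample diagram: a browser, a DMZ web tier, an internal service
# and its database. Component names are placeholders.
ELEMENTS = [
    Element("browser", "external", "internet"),
    Element("web-app", "process", "dmz", frozenset({"web-framework", "legacy-xml-parser"})),
    Element("payments-svc", "process", "internal", frozenset({"rpc-lib"})),
    Element("customer-db", "store", "internal"),
]
FLOWS = [
    Flow("browser", "web-app", "account update", "confidential", frozenset({"tls"})),
    Flow("web-app", "payments-svc", "card token", "confidential",
         frozenset({"tls", "authn", "input-validation"})),
    Flow("payments-svc", "customer-db", "billing record", "confidential", frozenset({"authn"})),
    Flow("web-app", "browser", "session cookie", "confidential", frozenset()),
]
APPROVED_COMPONENTS = {"web-framework", "rpc-lib"}


if __name__ == "__main__":
    for name, cats in known_attack_analysis(ELEMENTS).items():
        print(f"{name}: {', '.join(sorted(cats))}")
    for t in boundary_analysis(ELEMENTS, FLOWS):
        print(f"{t.category:<22} {t.subject}: {t.reason}")
    print("unapproved components:", dependency_analysis(ELEMENTS, APPROVED_COMPONENTS))
```

On the sample diagram the inbound account update is flagged twice (no authentication, no validation at the boundary) and the session cookie going back out over an unprotected channel twice (disclosure and tampering), while the fully controlled web-app to payments-svc hop and the same-zone database write produce nothing. That is the point of encoding the checks: the rules for what a boundary crossing requires live in the process, so two teams running the survey on two systems get consistent results instead of "whoever bothers to show up".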
20 Scaling Architecture Analysis
- Security Architecture Survey (SAS)
  - Focus on standard components and a software component model
  - Look for your commonly encountered flaws
  - Identify common controls
  - Know your design principles
  - Consider where the SDLC breaks
- Sweep the entire portfolio
- Use a proven process like Cigital ARA for high-risk applications
- Read: bit.ly/19jmk7f
21 Scaling Penetration Testing
22 Remedial Penetration Testing
- #3 Touchpoint
- Becoming a commodity (so buy some)
- 62 of 67 BSIMM firms use external pen testers
- Black box tools available
23 Penetration Testing Pitfalls
- Hiring reformed hackers
- Pen testing != security meter (it is a badness-ometer)
24 Penetration Testing in the BSIMM
25 Scaling Penetration Testing
- Automate with customized tools and know your attacker
  - Black box Web/mobile testing tools are cheap and fast
  - Fuzzing tools aimed at APIs also help scale
  - Investigate cloud services (remote pen testing)
- Fix what you find
  - Real integration with development is important
  - Don't just throw rocks
- Periodically pen test everything you can
26 Where to Learn More
27 SearchSecurity + Justice League
- No-nonsense monthly security column by Gary McGraw
- In-depth thought leadership blog from the Cigital Principals: Gary McGraw, Sammy Migues, John Steven, Scott Matsumoto, Paco Hope, Jim DelGrosso
28 Silver Bullet + IEEE Security & Privacy
- Building Security In: Software Security Best Practices column
29 The Book
- How to DO software security
  - Best practices
  - Tools
  - Knowledge
- Cornerstone of the Addison-Wesley Software Security Series
30 Build Security In
- Read the Addison-Wesley Software Security series
- Send