Stories From the Front Lines: Deploying an Enterprise Code Scanning Program
1 Stories From the Front Lines: Deploying an Enterprise Code Scanning Program
Adam Bixby, Manager, Gotham Digital Science
10/28/2010
2 Introduction
- Adam Bixby, CISSP, MS
  - Manager at Gotham Digital Science
  - Penetration tester; static analysis/code auditing
  - abixby {at} gdssecurity.com
- Currently running an enterprise code scanning program at a large financial services organization
  - Over 200 applications integrated with the code scanner in less than a year
3 Outline
- Why am I here?
- Lessons Learned
- Tips for a successful scanning program
- Code Scanning Integration Strategy
- Code Scanning Strategies - Pros and Cons
- Questions
4 Why am I here?
- Many companies invest in code scanning solutions only to fail
- Common reasons for failure:
  - Misguided perception of what a scanner can do
  - Don't know how to use it properly
  - Don't plan a pilot program
  - Buy it without any training ("I'll figure it out")
  - Don't tune the product for their enterprise/application environment
  - Fail to get support from upper management
5 What is not going to be discussed
- Comparisons of the different static analysis tools/solutions
  - Fortify SCA
  - Rational AppScan Source Edition (Ounce)
  - Veracode
  - Checkmarx
  - Coverity
  - Klocwork
- This talk is about the process
6 Lessons Learned
7 Lessons Learned
- Need IT/upper management support
  - Probably the most important takeaway from this presentation
  - Without upper-level support or a mandate, code scanning programs are doomed to fail
    - Development teams will not be as cooperative
    - Remediation of issues needs to be mandated, or issues will sit there scan after scan without being addressed
  - All integrations I've been involved in needed buy-off in order to succeed
8 Lessons Learned
- Common excuses from upper management
  - Too expensive
  - We are already performing penetration tests
  - Application teams already have busy release schedules
    - Business units want functionality
    - Security scanning will only slow them down
9 Lessons Learned
- Common excuses from development teams
  - We don't have time
  - Busy release schedule
  - We can't fix all 1000 Cross-Site Scripting issues by our next major release
  - This code has been deployed with these issues for 10 years, why do we have to fix it now? The application makes us money, why change it?
10 Lessons Learned
- Common assumptions made by the team performing the code scanner rollout
  - All development teams are run the same
  - Development teams will be on board (everyone wants to eliminate security issues, right?)
  - Our 5-year-old spare server will be able to run a static analysis scan without any problems
    - Code scanners are very resource intensive and hog A LOT of memory
  - "Here's a zip file with our code, this should scan properly"
    - Always missing libraries/dependencies
11 Tips for a Successful Scanning Program
12 Tips for a successful scanning program
- Get management support ASAP
  - Cannot stress this point enough
  - Will make the difference between success and failure
  - Who needs convincing? CIO, CISO, application owners, IT management
  - How do we go about convincing management?
13 Tips for a successful scanning program
- Arm yourself with solid facts about code scanning solutions
  - Help find and fix vulnerabilities
  - Cost effective because detection and remediation come earlier in the Software Development Lifecycle (SDLC)
    - Fixes can be incorporated into the regular bug remediation schedule instead of being performed out of band, as is often the case when issues are found during pen tests
    - If the issue goes away in the next code security scan, the issue has been fixed; it is not always necessary to allocate additional retesting time in the release schedule (a finding that disappears because a file dropped out of the build is not a fix, so check the scanned file count as well)
15 Actual cost-benefit analysis at a large financial services firm, based on real SDLC defect cost data
- Finding and fixing software security issues earlier in the SDLC makes economic sense
- "The cost of removing a software defect grows exponentially for each downstream phase of the development lifecycle in which it remains undiscovered"
- Study by Gary McGraw (Cigital) and Jim Routh, CISO for KPMG US
16 Want more evidence?
- Cost to repair a security vulnerability in an application increases later in the development cycle (Forrester, 2009)
17 Tips for a successful scanning program
- Arm yourself with solid facts about code scanning solutions, cont.
  - Gets secure code to market faster
  - Makes your applications and your company more secure from outside and inside threats
    - This is why we are all here and why we have jobs: to keep the bad guys out
  - Secures company data/secrets
  - 75% of security breaches occur at the application level (Gartner, 2005)
18 Tips for a successful scanning program
- Arm yourself with solid facts about code scanning solutions, cont.
  - Exploited security vulnerabilities in critical externally-facing applications can result in significant financial and reputational losses
  - Regulators, compliance, audit, customers, partners, and security policies are demanding security solutions
    - Audit will often inquire whether source code scanning for security is part of the development lifecycle
    - From an audit report I was privy to: "no requirements or guidance for regular security vulnerability assessments of source code and secure code development"
19 Tips for a successful scanning program
- Arm yourself with solid facts about code scanning solutions, cont.
  - Vulnerabilities in code can be difficult for developers to identify without proper tools and training
  - Penetration testing
    - Will not find all issues
    - More expensive to rely solely on pen tests; issues found in production are more expensive to fix
    - Should still be performed, since source code scanning will not find all issues either (runtime bugs, server configuration bugs, business logic bugs, etc.)
20 Tips for a successful scanning program
- Arm yourself with solid facts about code scanning solutions, cont.
  - "Our application team does not have time to set up and run a code scanning tool. Their schedule is full already."
    - Investing some minimal time up front will save time in the future
    - Scans can be totally automated
    - Scan setup is usually not that complicated
    - Run in the application's build environment
    - The process can be rolled into the SDLC seamlessly
21 Tips for a successful scanning program
- Arm yourself with solid facts about code scanning solutions, cont.
  - Easy to enforce the company's existing coding practices and security policies without deviating from the existing development lifecycle
    - Finding security bugs can be done during the normal build process
    - Most code scanners allow the creation of custom rules: create a rule to look for existing coding practices that need enforcing
    - Fixing security bugs can be rolled into the normal bug remediation effort without having to stop the presses
    - Testing and verification can occur during testing and rescans
22 Tips for a successful scanning program
- Learn how the tool works
  - Sounds obvious; however, many security teams fail to get a code scanner integrated because they are just not proficient enough with it
    - Don't know how the scanner works and get frustrated
    - Can't troubleshoot scan failures
    - Don't know how to weed through the multitude of issues produced to identify the most critical ones that need addressing
23 Tips for a successful scanning program
- Educate application owners
  - Armed with knowledge of the code scanner as well as facts about why you need one in your enterprise, inform app owners of what you are proposing
    - Should get their buy-in as well
    - Easy integration into the development phase of the SDLC
    - Will find vulnerabilities during builds and help with remediation
    - Facts stated previously
  - Demo actual exploits of common vulnerabilities to show how dangerous they can be
    - XSS and SQLi demos are easy and effective
24 Tips for a successful scanning program
- Run a pilot program first
  - Will help gauge how successful a full rollout across all applications will be
    - Will determine whether major roadblocks exist that would prevent a full rollout
  - Buy a few licenses up front and purchase more in the future if needed
25 Tips for a successful scanning program
- Run a pilot program first, cont.
  - Identify a small number of highly visible, externally-facing applications within your organization and target them
    - Get app owner or PM buy-in
    - If these apps are successful, it will give you good ammunition for convincing management to do a full rollout
  - Try to find applications in varying languages
    - You want to test the code scanner's ability against all of the types of applications run within your organization
      a) C++, C
      b) Java
      c) C#, ASP.NET
      d) PHP
26 Tips for a successful scanning program
- Develop a step-by-step guide for application teams to use when walking through code scanner integrations
  - This helps make the integration process seamless and painless
  - If you can do most of the work up front for a developer, they will be much more receptive
27 Code Scanning Integration Strategy
- Developed a web site on the company intranet portal
  - Identifies all steps needed, from requesting code scanning integration to issue remediation help
  - Steps we have broken the integration process into:
    1. Introduction to the Enterprise Code Scanning program (includes a description of the scanner)
    2. Request for code scanner integration within the application, sent to us
    3. Instructions on how to install the code scanner on the build server/desktop
    4. Sign up application developer(s) to attend training; identify a member of each development team who is responsible for all code scanning issues (the team's security guru)
28 Code Scanning Integration Strategy
- Steps we have broken the integration process into, cont.:
    5. Automate your code scans (into the existing build server)
    6. Scan code
    7. Analyze scan results (validate issues)
    8. Remediate issues
    9. Submit feedback
    10. Post-integration steps explained
29 Code Scanning Integration Strategy
- More on automating the code scans
  - Types of code scanning integrations:
    - Continuous integration build server
    - Build server using autosys/cron job
    - Desktop scheduler on a Windows machine
  - What happens to the scan results when scans are completed
    - Automatically uploaded to a reporting management portal used for storing the results, generating reports and keeping track of key metrics
      - Fortify 360 Server
      - Rational AppScan Reporting Console
30 Code Scanning Integration Strategy
- When utilizing build server automation, develop scan templates (batch files or shell scripts) for the developers ahead of time
  - Allow them to download the templates from the company portal
  - Makes for much faster integration
  - Only a few details in the scan script need to be replaced for scans to run successfully
  - Minimizes the potential for scan failure
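A POSIX shell scan template of the kind slide 30 describes, written for a Fortify SCA + Fortify 360 Server setup. This is an added example, not the talk's own script. The three REPLACE_ME variables are the only details a developer changes; the portal URL, token path and results directory are placeholder assumptions, and the sourceanalyzer/fortifyclient invocations follow the command-line usage of that product generation, so check the flag names against your installed version. DRY_RUN=1 prints the commands instead of running them, so a team can validate a filled-in template on a box without a scanner installed.

```shell
#!/bin/sh
# scan_template.sh - build-server scan wrapper (added example, not the talk's script).
# Assumptions, not from the talk: the REPLACE_ME values are what a developer fills in
# after downloading the template; PORTAL_URL and TOKEN_FILE are placeholders; the
# sourceanalyzer/fortifyclient flags follow Fortify SCA / Fortify 360 usage of that era.
set -u

APP_NAME="${APP_NAME:-REPLACE_ME}"        # project name as registered in the portal
APP_VERSION="${APP_VERSION:-REPLACE_ME}"  # version/branch being scanned
BUILD_CMD="${BUILD_CMD:-REPLACE_ME}"      # the team's normal build, e.g. "mvn -q package"

PORTAL_URL="${PORTAL_URL:-https://f360.example.internal/f360}"   # assumption
TOKEN_FILE="${TOKEN_FILE:-/etc/codescan/upload.token}"           # assumption
SCAN_HEAP="${SCAN_HEAP:-4G}"              # scanners hog memory; size this for the build box
RESULTS_DIR="${RESULTS_DIR:-./scan-results}"
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print the commands instead of running them

# Refuse to run until every placeholder has been replaced: most "scan failures"
# on a new integration are just a half-edited template.
check_config() {
    _missing=""
    for _v in APP_NAME APP_VERSION BUILD_CMD; do
        eval "_val=\${$_v}"
        case "$_val" in
            ""|REPLACE_ME) _missing="$_missing $_v" ;;
        esac
    done
    if [ -n "$_missing" ]; then
        echo "scan_template: fill in:$_missing" >&2
        return 1
    fi
    return 0
}

# Echo or execute, so the same script can be validated without a scanner installed.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The build id ties the translate and scan phases of one run together.
build_id() {
    printf '%s-%s' "$APP_NAME" "$APP_VERSION" | sed 's/[^A-Za-z0-9._-]/_/g'
}

run_scan() {
    check_config || return 1
    _bid=$(build_id)
    _fpr="$RESULTS_DIR/$_bid.fpr"

    # Results carry code snippets: keep them as restricted as the source itself (slide 40).
    umask 077
    [ "$DRY_RUN" = "1" ] || mkdir -p "$RESULTS_DIR"
    if [ "$DRY_RUN" = "1" ]; then _token='<token-from-file>'; else _token=$(cat "$TOKEN_FILE"); fi

    # 1. drop any stale translation left over for this build id
    run sourceanalyzer -b "$_bid" -clean
    # 2. translate by wrapping the team's own build command, so dependencies resolve
    #    exactly as they do in a real build (no zip-file scans with missing libraries)
    run sourceanalyzer -b "$_bid" -Xmx"$SCAN_HEAP" $BUILD_CMD
    # 3. analyze the translated code and write the results file
    run sourceanalyzer -b "$_bid" -Xmx"$SCAN_HEAP" -scan -f "$_fpr"
    # 4. ship the results to the reporting portal so metrics are tracked centrally
    run fortifyclient -url "$PORTAL_URL" -authtoken "$_token" \
        uploadFPR -file "$_fpr" -project "$APP_NAME" -version "$APP_VERSION"
}

# Invoked by the build server, or from cron for a weekly scan (slide 37), e.g.
#   0 2 * * 0  APP_NAME=acme-billing APP_VERSION=2.3 BUILD_CMD="mvn -q package" /opt/codescan/scan_template.sh run
if [ "${1:-}" = "run" ]; then run_scan; fi
```

The template does the work the talk asks the security team to do up front: the developer edits three lines, the scan runs inside the existing build so every dependency is present, and the results go to the portal without anyone remembering to upload them. Wrapping the scanner in a `run` function also gives you a way to catch a half-edited template before it fails on the build server.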
31 Tips for a successful scanning program
- Identify a member of your company's security team to be the code scanner guru
  - Needs a strong technical understanding of security concepts
  - Needs to be able to review the code scanner results and distinguish true positives from false positives
    - Identify the potential risk to the organization if an issue is exploited
  - Ability to provide technical guidance to application teams
    - Help them understand and remediate security issues
  - Ability to present results to application teams and provide remediation support
    - Help prioritize issue remediation and provide recommendations
32 Tips for a successful scanning program
- Develop a single scanning strategy and DO NOT allow deviation
  - Identify how your organization would like to run its code scans and have all development teams use this method
  - Do not allow one team to run their scans through build integration and another team to run ad hoc scans using their IDE code scanner plug-in
  - Lack of continuity will make troubleshooting scan failures harder
  - Will produce inconsistent results
33 Code Scanning Strategies - Pros and Cons
- Developer runs code scans from their IDE using the integrated plug-in
  - Typically, the developer pulls the latest code from the version control repository into the IDE and runs the scan
  - Pros
    - Easy to run
  - Cons
    - Usually different from what is in production
    - Scanners are resource intensive and will hog the machine for long periods of time during the work day
    - Developer needs to remember to run the scans, and they can only be run while the developer is using their workstation
    - Cannot automate
34 Code Scanning Strategies - Pros and Cons
- Company security team runs scans for application teams from a dedicated machine
  - Pros
    - Can build a powerful box with a lot of disk space, memory and CPU power
  - Cons
    - Need to pull the latest code drop from the version control repository: which version do you scan?
    - Libraries/dependencies are not included in these code drops, and the proper libraries are needed every time you run the scan; can be very cumbersome
    - Too much overhead to keep all scans accurate and running
35 Code Scanning Strategies - Pros and Cons
- Run code scans on the application's existing build server and automate
  - Recommended approach
  - Pros
    - Source is the most up to date and closest to what is in production
    - Code on the build server should be compilable and therefore should generate the most accurate scans
    - All libraries/dependencies should be present
36 Code Scanning Strategies - Pros and Cons
- Run code scans on the application's existing build server and automate
  - Pros, cont.
    - Least time consuming of all the approaches mentioned
      - Build server integrations are set up once
      - Scans can be automated to run weekly/monthly and automatically uploaded to your scan repository
    - Most cost effective
      - Build servers tend to be beefier machines with high specs
      - No need to acquire additional machines to run the scans
  - Cons
    - None identified to date (the build server does become a host for translated source and scan results, so the classification point on slide 40 applies to it)
37 Tips for a successful scanning program
- Ensure scans are performed on a periodic basis
  - Helps determine whether remediation is occurring
  - Does not have to be done during nightly builds
  - Ensures new issues are not being added to the code
  - Tracks progress of remediation over time (good for management-level reports)
  - Ensure scans are actually being performed
    - Developers will run the scan once and forget about it
    - Set up the Windows desktop scheduler, autosys, or use a continuous integration server
    - Send weekly reminders to the developer in charge of scanning if not using build server integration
38 Tips for a successful scanning program
- Integrate security issues found by your code scanner into a bug tracking system
  - Bugzilla, JIRA, etc.
  - Code scan issues become treated like any other bug found (hopefully given a higher priority)
  - Can be resolved and closed during the normal bug remediation process
  - Good place to track details of the fix, which can be shared across the team/company
  - Make sure you analyze issues before checking them into the bug tracking system; otherwise false positives will make their way in
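The rescan comparison of slide 37 and the analyze-before-filing rule of slide 38, as one added example (not the talk's process or any vendor's tooling). Two constructed CSV exports of consecutive scans, keyed by the scanner's stable instance id, are diffed into NEW / FIXED / OPEN, and only findings an analyst has marked as real, and that are not already in the tracker, are turned into ticket lines. The column layout (instance_id,category,severity,file,line,analysis) is an assumption; map it to whatever your scanner's export actually produces.

```shell
#!/bin/sh
# triage.sh - gate scanner findings before they reach the bug tracker.
# Added example, not the talk's process or any vendor's tooling. The CSV layout
# (instance_id,category,severity,file,line,analysis) is a constructed assumption;
# adapt the column mapping to your scanner's export.
set -u

# Constructed sample exports for two consecutive scans of the same application.
PREV_SCAN='instance_id,category,severity,file,line,analysis
A1F3,SQL Injection,Critical,src/OrderDao.java,88,Exploitable
B77C,Cross-Site Scripting,High,web/search.jsp,21,Not an Issue
C902,Path Manipulation,High,src/Export.java,140,Exploitable
D0E1,Cross-Site Scripting,High,web/profile.jsp,57,'

CUR_SCAN='instance_id,category,severity,file,line,analysis
A1F3,SQL Injection,Critical,src/OrderDao.java,88,Exploitable
B77C,Cross-Site Scripting,High,web/search.jsp,21,Not an Issue
D0E1,Cross-Site Scripting,High,web/profile.jsp,57,Exploitable
E4B8,Hardcoded Password,Critical,src/Config.java,12,'

# Instance ids already pushed to the tracker (constructed), so rescans do not refile them.
FILED_IDS='A1F3'

# Compare two exports by instance id. The scanner's stable id survives rescans,
# so the same finding is not counted twice; the periodic rescan is what produces
# this NEW / FIXED / OPEN picture for the remediation-over-time report.
diff_scans() {    # $1 = previous export, $2 = current export
    _p=$(mktemp) && _c=$(mktemp) || return 1
    printf '%s\n' "$1" > "$_p"
    printf '%s\n' "$2" > "$_c"
    awk -F, '
        FNR == 1 { next }                          # skip each file header
        NR == FNR { prev[$1] = $2; next }          # first file: previous scan
        { cur[$1] = 1
          state = ($1 in prev) ? "OPEN" : "NEW"
          print state, $1, $2 }
        END { for (id in prev) if (!(id in cur)) print "FIXED", id, prev[id] }
    ' "$_p" "$_c" | sort
    rm -f "$_p" "$_c"
}

# Turn current findings into ticket lines, but only those an analyst has
# confirmed and that are not already filed. Unreviewed findings are held back:
# filing them blind is how false positives end up in the tracker.
tickets_from() {  # $1 = current export, $2 = newline-separated filed ids
    _c=$(mktemp) && _f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$_c"
    printf '%s\n' "$2" > "$_f"
    awk -F, '
        NR == FNR { if ($0 != "") filed[$0] = 1; next }          # first file: filed ids
        FNR == 1 { next }                                        # skip export header
        $1 in filed { next }                                     # already in the tracker
        $6 == "Not an Issue" || $6 == "False Positive" { next }  # analyst rejected it
        $6 == "" { print "HOLD " $1 " " $2 " (not yet analyzed)"; next }
        { printf "FILE [%s] %s in %s:%s (scan id %s)\n", $3, $2, $4, $5, $1 }
    ' "$_f" "$_c"
    rm -f "$_c" "$_f"
}

if [ "${1:-}" = "demo" ]; then
    diff_scans "$PREV_SCAN" "$CUR_SCAN"
    tickets_from "$CUR_SCAN" "$FILED_IDS"
fi
```

Run with `sh triage.sh demo` to see both reports on the sample data. The FIXED line for C902 is the remediation evidence the talk wants for management reports, the NEW line for E4B8 is the "new issues being added" signal, and the HOLD line shows the same finding being kept out of the tracker until the security guru has looked at it.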
39 Tips for a successful scanning program
- Pay for technical support
  - Will help iron out kinks/snafus that might arise
  - Do not rely solely on the manual; it is not written to give the user any more information than necessary to run against a simple application
  - May need custom rules written for unsupported libraries, policy enforcement, etc.
  - Management usually wants custom reports, which are not the easiest to develop if you don't know what you are doing
  - Hiring a knowledgeable consultant to help with the integration goes a long way as well
40 Tips for a successful scanning program
- Sensitivity/classification of the source code that is scanned needs to be identified
  - Treat the machine that code is scanned on as having the same classification level as the source code
    - Scanners leave translated versions of the source code on the scanning machine; these files need to be treated with the same classification as the source code
  - Make sure the results file is given the same classification as well
    - If the code is SECRET, the scan results need to be designated SECRET as well: they contain code snippets, etc.
41 Tips for a successful scanning program
- Send application teams feedback surveys
  - Feedback from the development teams can only help make the code scanning program more successful
42 QUESTIONS?
Adam Bixby
abixby {at} gdssecurity.com
More informationSeven Practical Steps to Delivering More Secure Software. January 2011
Seven Practical Steps to Delivering More Secure Software January 2011 Table of Contents Actions You Can Take Today 3 Delivering More Secure Code: The Seven Steps 4 Step 1: Quick Evaluation and Plan 5 Step
More informationNetwork Configuration Management
Network Configuration Management Contents Abstract Best Practices for Configuration Management What is Configuration Management? FCAPS Configuration Management Operational Issues IT Infrastructure Library
More informationData Masking with Delphix. Services Catalog
Data Masking with Delphix Services Catalog TABLE OF CONTENTS WHY TDM?... 3 TDM APPROACH... 4 Delphix for TDM... 4 ENABLEMENT PHASES... 6 TDM Process Review... 6 TDM Process Implementation... 6 TDM Continuous
More informationThe Quality Assurance Centre of Excellence
The Quality Assurance Centre of Excellence A X I S T E C H N I C A L G R O U P A N A H E I M H E A D Q U A R T E R S, 300 S. H A R B O R, B L V D. S U I T E 904, A N A H E I M, CA 92805 PHONE :( 714) 491-2636
More informationThe Importance of Continuous Integration for Quality Assurance Teams
The Importance of Continuous Integration for Quality Assurance Teams Without proper implementation, a continuous integration system will go from a competitive advantage for a software quality assurance
More informationNexus Professional Whitepaper. Repository Management: Stages of Adoption
Sonatype Nexus Professional Whitepaper Repository Management: Stages of Adoption Adopting Repository Management Best Practices SONATYPE www.sonatype.com sales@sonatype.com +1 301-684-8080 12501 Prosperity
More informationEssential Visual Studio Team System
Essential Visual Studio Team System Introduction This course helps software development teams successfully deliver complex software solutions with Microsoft Visual Studio Team System (VSTS). Discover how
More information5 Partner Benefits and Requirements... 8 5.1 Benefits... 8 5.2 Requirements... 8
Table of Contents Table of Contents... 2 1 Overview & Presentation... 4 2 Partner Communications... 5 2.1 Partner channels... 5 2.2 Kiuwan Representatives... 5 3 About Kiuwan... 6 4 Partner Types... 7
More informationNow Is the Time for Security at the Application Level
Research Publication Date: 1 December 2005 ID Number: G00127407 Now Is the Time for Security at the Application Level Theresa Lanowitz Applications must be available, useful, reliable, scalable and, now
More informationUP L04 Introduction to 3 rd Party Patching Using the 4A Model Hands-On Lab
UP L04 Introduction to 3 rd Party Patching Using the 4A Model Hands-On Lab Description The objective of this course is to introduce students to the various concepts of 3rd party patching. Students will
More informationBladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture
BladeLogic Software-as-a- Service (SaaS) Solution Help reduce operating cost, improve security compliance, strengthen cybersecurity posture February 20, 2014 Contents The Configuration Security Compliance
More informationMeister Going Beyond Maven
Meister Going Beyond Maven A technical whitepaper comparing OpenMake Meister and Apache Maven OpenMake Software 312.440.9545 800.359.8049 Winners of the 2009 Jolt Award Introduction There are many similarities
More informationEffective Release Management for HPOM Monitoring
Whitepaper Effective Release Management for HPOM Monitoring Implementing high-quality ITIL-compliant release management processes for HPOM-based monitoring Content Overview... 3 Release Management... 4
More informationCentralized Disaster Recovery using RDS
Centralized Disaster Recovery using RDS RDS is a cross-platform, scheduled replication application. Using RDS s replication and scheduling capabilities, a Centralized Disaster Recovery model may be used
More informationBest Practices - Remediation of Application Vulnerabilities
DROISYS APPLICATION SECURITY REMEDIATION Best Practices - Remediation of Application Vulnerabilities by Sanjiv Goyal CEO, Droisys February 2012 Proprietary Notice All rights reserved. Copyright 2012 Droisys
More informationFive Steps to Achieve Risk-Based Application Security Management Make application security a strategically managed discipline
IBM Security Thought Leadership White Paper Five Steps to Achieve Risk-Based Application Security Management Make application security a strategically managed discipline July 2015 2 Five Steps to Achieve
More informationCONTINUOUS INTEGRATION
CONTINUOUS INTEGRATION REALISING ROI IN SOFTWARE DEVELOPMENT PROJECTS In the following pages we will discuss the policies and systems that together make up the process called Continuous Integration. This
More informationHow to Justify Your Security Assessment Budget
2BWhite Paper How to Justify Your Security Assessment Budget Building a Business Case For Penetration Testing WHITE PAPER Introduction Penetration testing has been established as a standard security practice
More informationSecure Development LifeCycles (SDLC)
www.pwc.com Feb 2014 Secure Development LifeCycles (SDLC) Bart De Win Bart De Win? 15+ years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific
More informationSoftware Supply Chains: Another Bug Bites the Dust.
SESSION ID: STR-T08 Software Supply Chains: Another Bug Bites the Dust. Todd Inskeep 1 Global Security Assessments VP Samsung Business Services @Todd_Inskeep Series of Recent, Large, Long-term Security
More informationIntegrating Automated Tools Into a Secure Software Development Process
Integrating Automated Tools Into a Secure Software Development Process Kenneth R. van Wyk KRvW Associates, LLC Ken@KRvW.com Copyright 2007, KRvW Associates, LLC This paper is intended to augment and accompany
More informationWhy Alerts Suck and Monitoring Solutions need to become Smarter
An AppDynamics Business White Paper HOW MUCH REVENUE DOES IT GENERATE? Why Alerts Suck and Monitoring Solutions need to become Smarter I have yet to meet anyone in Dev or Ops who likes alerts. I ve also
More informationPerforming a Web Application Security Assessment
IBM Software Group Performing a Web Application Security Assessment 2007 IBM Corporation Coordinate the Time of the Audit Set up a time window with the application owner Inform your security team Inform
More informationThe Web AppSec How-to: The Defenders Toolbox
The Web AppSec How-to: The Defenders Toolbox Web application security has made headline news in the past few years. Incidents such as the targeting of specific sites as a channel to distribute malware
More informationStreamlining Patch Testing and Deployment
Streamlining Patch Testing and Deployment Using VMware GSX Server with LANDesk Management Suite to improve patch deployment speed and reliability Executive Summary As corporate IT departments work to keep
More informationKey Benefits of Microsoft Visual Studio Team System
of Microsoft Visual Studio Team System White Paper November 2007 For the latest information, please see www.microsoft.com/vstudio The information contained in this document represents the current view
More informationInteractive Application Security Testing (IAST)
WHITEPAPER Interactive Application Security Testing (IAST) The World s Fastest Application Security Software Software affects virtually every aspect of an individual s finances, safety, government, communication,
More informationVistara Lifecycle Management
Vistara Lifecycle Management Solution Brief Unify IT Operations Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid
More informationFortify Training Services. Securing Your Entire Software Portfolio FRAMEWORK*SSA
Fortify Training Services Securing Your Entire Software Portfolio FRAMEWORK*SSA Fortify s holistic approach to application security truly safeguards our enterprise against today s ever-changing security
More informationNEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015
NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps
More informationManaged Service Solutions Catalogue. MANAGED SERVICES SOLUTIONS CATALOGUE MS Offering Overview June 2014
Managed Service Solutions Catalogue MANAGED SERVICES SOLUTIONS CATALOGUE MS Offering Overview June 2014 1 MANAGED SERVICES SOLUTIONS CATALOGUE Managed Services Solutions Catalogue Managed Service Solutions
More informationPATCH MANAGEMENT POLICY IT-P-016
IT-P-016 Date: 28 th March, 2016 Stamford International University ( STIU ) Patch Management Policy Rationale Stamford International University ( STIU ) is responsible for ensuring the confidentiality,
More informationWeb Application security testing: who tests the test?
Web Application security testing: who tests the test? Ainārs Galvāns Application Penetration Tester www.exigenservices.lv About myself Functional testing Leading test group Reporting to client Performance
More informationIBM Rational AppScan Source Edition
IBM Software November 2011 IBM Rational AppScan Source Edition Secure applications and build secure software with static application security testing Highlights Identify vulnerabilities in your source
More informationWeb application security Executive brief Managing a growing threat: an executive s guide to Web application security.
Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction
More informationCenzic Product Guide. Cloud, Mobile and Web Application Security
Cloud, Mobile and Web Application Security Table of Contents Cenzic Enterprise...3 Cenzic Desktop...3 Cenzic Managed Cloud...3 Cenzic Cloud...3 Cenzic Hybrid...3 Cenzic Mobile...4 Technology...4 Continuous
More informationExtreme Networks Security Analytics G2 Vulnerability Manager
DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering
More information