Procedure of Secure Development Tool Adoption Study
- Amelia Hodges
- 8 years ago
Introduction

This study is designed to help us better understand how developers adopt secure development tools and why some developers refuse to use them.

(Definition of secure development tools)
We define secure development tools as tools that help find or fix security vulnerabilities residing in source code during the software development life cycle. Examples of tools: ReSharper, JProfiler, JProbe, FindBugs, FxCop, Valgrind.

(Two types of participants: adopter and non-adopter)
During this interview, you will be asked several questions about your past experience with secure development tools. If you have no experience with secure development tools, our questions will instead aim to discover why you have not been exposed to them.

(In case the participant has trouble understanding me)
If you have any difficulty understanding what I am asking, feel free to ask me to repeat myself.

(Clarify the privacy issue)
During this interview, your voice will be recorded. In any data collected, and in any reports or papers that are published, you will not be identified by name. Please be careful not to discuss any sensitive information about the company you work for. If you do mention any, we will do our best to remove it from our transcripts, but it is better if you do not mention such sensitive information at all.

Further Definition of Secure Software and Secure Development Tools
(Make sure we are in the same context as the participant)

Secure Software
Enhancing the Development Life Cycle to Produce Secure Software defines secure software as follows. To be considered secure, software must exhibit three properties:
1. Dependability: Dependable software executes predictably and operates correctly under all conditions, including hostile conditions, including when the software comes under attack or runs on a malicious host.
2. Trustworthiness: Trustworthy software contains few if any vulnerabilities or weaknesses that can be intentionally exploited to subvert or sabotage the software's dependability. In addition, to be considered trustworthy, the software must contain no malicious logic that causes it to behave in a malicious manner.
3. Survivability (also referred to as Resilience): Survivable or resilient software is software that is resilient enough to (1) either resist (i.e., protect itself against) or tolerate (i.e., continue operating dependably in spite of) most known attacks plus as many novel attacks as possible, and (2) recover as quickly as possible, and with as little damage as possible, from those attacks that it can neither resist nor tolerate.
Secure Development Tools
Secure development tools are tools that help developers make more secure software by finding or fixing security vulnerabilities residing in source code during the software development life cycle. Generally, there are two different types of secure development tools on the market: static analysis tools and dynamic analysis tools. Static analysis tools (e.g. Fortify SCA, Armorize CodeSecure) are used to scan application source code for vulnerabilities. Dynamic analysis tools (e.g. HP WebInspect, IBM AppScan) are used to scan live applications such as web applications or web services.

Do you have any questions about this definition before we continue?

Background Check
Are you working as a developer in your company, as a manager, or both?
(Our participants are developers or managers. Managers are treated as opinion leaders in their company, but they will also be asked the developer questions because they usually either worked as a developer before or work as both a manager and a developer now.)

Questions just for managers
- How many people do you supervise?
- Can you tell me a little bit about your job's duties?
- Do you know how decisions are made at your company about tool purchasing? Who makes the decision? Where do you fit into the purchasing chain?
- What is the most important factor when you consider tool purchasing?
- Does your company have a budget just for tool purchasing? How about security tools?
- If budget is a big concern, why don't you consider open source security tools?
- Typically, how do you learn about a security tool? What information channel do you rely on? Why do you trust that channel?
- After purchasing the tool, what is the company's strategy to get people to actually use that tool? Did this strategy succeed? (Talk about specific cases, if any.)
- Have you ever adopted any secure development tool for your group?
  (adoption case) What is the name of the tool you adopted? Can you tell me about the situation when you adopted that tool? What were the concerns? What was the result of the adoption?
  (main reason for non-adoption) What is the main reason you haven't adopted any security tool for your group?
Questions for developers
Have you ever adopted any secure development tool?
  Yes: go to the Adopter Questions.
  No: go to the Non-adopter Questions.

Non-adopter Questions (only ask non-adopters)
- What is the main reason you think you have not used any secure development tools?
  (An open-ended question before all the specific questions. Elicit more if possible.)

(Activity 1: Role Playing before asking the awareness questions)

Awareness Questions (ask both adopters and non-adopters)

Security-sensitive domain
- What are the domains of the applications you have developed?
- Was security a big concern for the software you have developed?
  (If the developer claims security is not a concern, ask the following questions to see if we can persuade them that security is a concern, even if it is low.)
  - What kind of resources does your software access?
  - Could the confidentiality, availability, or integrity of those resources be compromised by security bugs in your software?
  - Which programming languages have you used?
  - So security is a concern, right? (make them admit it)

Secure development experience
- Which programming language are you using?

Organizational culture & standards
- Is developing secure software a big concern in your company?
- Does your company have any standards to follow in terms of secure development?

Reward & punishment system for software security
- Does your company have any reward and punishment system for software security, or more generally for software quality?

Organizational structure
- Does your company have a dedicated security team?
- Does your company have a dedicated testing team?

Perceived responsibility
- Do you think you, as a developer, are responsible for software security? Or should the testing team be responsible for software security? Or other dedicated teams?

Tool usage observability
- Can you describe the environment you usually work in? (sharing a cubicle with some peers; sitting in a private cubicle with peers nearby; a private office)

Practitioner inquisitiveness
- Are you interested in exploring new tools and techniques related to your work?
- What is your patience level for looking for new tools? (added 6/29)

Tool advertisement (awareness knowledge)
- Have you ever seen any secure development tool advertisement? Where did you see it? When? What type of advertisement did you see?

Peer influence
- Has any of your colleagues recommended a secure development tool to you before?
- Does anybody else in your company use the security tool? (Nobody uses it? The working environment and whether people around you use it do make a difference. Or is it a management issue? Why doesn't the company introduce security tools to its developers?)
- Has your manager ever required or encouraged you to use any security tools?

Education
- Have you learned about any secure development tools through university courses or company training?
- Does your company provide this kind of training? Is it mandatory or optional?

Adopter Questions (only ask adopters)

Open questions (here we ask open questions to discover other factors that are not in our initial model):
- What is the name of the tool you adopted? Could you please describe the tool to me?
- Which part of this tool do you like most? Which part do you like least?
- When did you adopt the tool? How did you learn about this tool?
- What type of application were you developing when you adopted this tool? Did this tool help?
- What made you decide to adopt this tool? What made you decide to try out this tool?
- Have you ever recommended this tool to people you know?
- How did you recommend this tool to others? How was this topic brought up between you and your friend? Did he or she see you using that tool?
- What was the result of the recommendation? Have they tried it out or adopted the tool?
- Are you still using this tool?
  Yes:
  - Have you ever tried other tools that have similar functionality? If so, what makes you continue to use this tool?
  - If I recommend XXX to you, which has more advantages than the one you are using, would you consider discontinuing the current tool?
  No:
  - How long did you use that tool? Why did you discontinue using it?
  - What kind of effort by the development team could change your mind?
- What do you think is the main reason for the security tool underuse problem? (added 6/29)

Factor-related questions (here we ask questions related to the factors in our initial model):

Desired functionality
- What functionalities does this tool have? Does the tool have all the functionalities you want?

Cost & potential gain
- How much does this tool cost? (financial cost)
- Was it hard to learn to use that tool? (learning cost) How long did it take you to get familiar with all the operations of that tool? (learning cost)
- What are the potential benefits of adopting this tool?

Status aspects
- Will using this tool help you gain status, i.e., be treated as more experienced in your company?
- Do you feel using this tool makes you an experienced or advanced developer?
- Do you feel using this tool makes you superior to other developers who do the same tasks without using it?

Incentives
- Did your company provide any incentives for adopting this tool? Or any punishment if you refuse to adopt it?

Tool advertisement (how-to & principles knowledge)
- How did you learn how to use this tool? How deeply did you learn to use it?

Peer influence (ask only when peer recommendation is mentioned by the developer)
- Did you trust the colleague who recommended this tool to you?
- Was the situation of that colleague similar to yours?
- How did the colleague recommend this tool to you? Highly recommended, or just mentioned it?

Perceived complexity
- Was the user interface of the tool complex to you?
- Was the framework of this tool hard to understand?

Perceived compatibility
- Was this tool compatible with the operating system you are using?
- Was this tool compatible with the Integrated Development Environment you are using?
- Was the operation of that tool similar to the dominating tools?
- Did this tool come with a bunch of other tools as a cluster? (technology cluster, e.g., HP Fortify products)
- Did this tool have some functionalities or strengths that other tools do not have? (Did this tool fit the niche of the customer's requirements?)

Perceived trialability
- Did this tool have a detailed tutorial? Did this tool have complete documentation?

Re-invention
- Was this tool configurable? Can you customize that tool to better suit your needs?

Workflow suitability
- Did this tool fit into your workflow?
Activities

1. Role Play
(Does awareness of the tool drive the need for the tool, or does the need for the tool make people aware of the tool? Which one is the case?)

Awareness leads to need (online advertisement vs. interpersonal network: peers vs. opinion leader) (little concern in this case)
- One day, you are curious about how to make more secure software, so you google it. This page comes up. Will you click the ad inside the red rectangle? (show the picture)
- A page containing more detailed information comes up. Please read it for 2 minutes. Will you try this tool out?
- Suppose I am your colleague. One day, I say this to you when we meet in our company: "Hi, I am using a tool called CodeSecure. This tool is really good for finding vulnerabilities in my code; you might want to try it out." Will you try this tool out?
- Then I say this: "Remember when I was trying to find a bug last time? I asked you to help me, but we did not find anything. The code was just giving weird results. I finally found the bug by using this tool! So I think it might help you out later in similar situations." Will you try this tool out?
- Suppose I am your manager. One day, I say this to you: "Hi, I know a tool named SecureCode. It can make our code more secure. Why don't you try it out?" Will you try this tool out?

Need leads to awareness (trusted peer vs. untrusted peer)
- Suppose you are the person who posted this post on Stack Overflow. Basically, you need a tool to help you code against malicious attacks, e.g. SQL injection. Please read this post for 1 second.
- Suppose somebody answered you and posted a link to CodeSecure. Will you try this tool out?

2. Rank the factors/attributes of the secure development tool
Can you rank these factors in terms of how important they are when you make your adoption decision? You can drag them to rank them in the Google Doc. I will explain the factors one by one. Please let me know if you have any questions.

First, let's start with the 5 main factors:
- Perceived complexity: how complex is the tool?
- Perceived compatibility: how compatible is this tool with your working environment?
- Perceived trialability: how easily can you try this tool out?
- Perceived relative advantage: the advantages this tool gives you over not using any tool or using other tools.
- Re-invention: can you configure or even customize this tool to better suit your needs?
Can you tell me your opinion about these 5 main factors first?

Next, we are going to look at more detailed factors.

Make a better tool (toolsmiths)
- Desired functionality: does this tool have whatever functionalities you want?
- Cost & potential gain: what are the cost and potential gain if you adopt this tool? Is it worth adopting?
- Compatibility with OS: is this tool compatible with the operating system you are using?
- Compatibility with IDE: is this tool compatible with the integrated development environment you are using?
- Operations similar to dominating tools: are the operations of this tool similar to those of the dominating tools? This reduces the difficulty of learning it.
- Framework complexity: is the framework of this tool hard to understand?
- User interface complexity: is the UI hard to understand or hard to use?
- Tutorial: is the tutorial well written and comprehensive?
- Documentation: is the documentation complete and helpful?
- Technology cluster: does this tool come with other tools as a cluster? (show examples: HP Fortify; Microsoft Security Development Lifecycle tools) (I do want to emphasize this one)
- Ideal niche: does this tool have a special ability that fits an ideal niche?
- Configurability: can you configure this tool?
- Customizability: can you customize this tool? (usually larger changes than configuring)

Provide a better environment for adopting the tool (company & managers)
- Organizational culture & standards: is this tool compatible with the company's culture and standards? In other words, does your company care about security (non-functional requirements in general)? Does your company have any security requirements that your code has to pass?
- Status aspects: will using this tool help you gain status, i.e., be treated as more experienced in your company?
- Incentives (a factor that comes from the company & managers): does anybody provide you an incentive to adopt the tool, or punishment if you don't?

Can you think of other factors that are not mentioned here but are important to you when making an adoption decision?

3. Brainstorm desired functionalities (opinions from novice vs. experienced)
Can you brainstorm the functionalities you want to have in a secure development tool? The functionality can be as fancy as whatever you can think of.

Security Experts

1. [Guidance] Drove effort to define company-wide usable security design guidance for Microsoft engineers.
Can you tell me about your experience designing the company-wide usable security design guidance?
  1. What are the types of the guidance?
  2. Who asked you to design this guidance?
  3. What did you do to make ordinary developers follow your guidance?
  4. What was the result? Does everybody follow the guidance now? What were the challenges?
  5. Does Microsoft have policies to ensure secure coding other than guidance?

2. [Education] Co-developed a 4-hour course on designing usable security and privacy user experiences that I teach several times per year to Microsoft engineers.
  1. What is this course about?
  2. Does this course include how to use some specific security tools?
  3. Does anybody in the security team teach how to use specific security tools?
  4. Is this course optional or mandatory?
  5. Who is the audience? Can everybody in Microsoft attend?

3. [Consulting] Consult with engineering teams as needed on usable security issues.
  1. What do you do as a consultant?
  2. Do the engineering teams interact with you often?
  3. Do you do code reviews for new software features?
  4. What types of applications need to consult security experts?

4. [Community building] Maintain a distribution list, bring speakers to campus, and publish a newsletter.
  1. What do you do to make developers more aware of security issues?

5. [Usable security team]
  1. Where is this team? Do you sit near ordinary developers?
  2. How many people do you have in this team?
  3. Do the team members have different expertise?

6. [Company-related questions]
  1. Do developers in Microsoft use security tools? What are the tools they use?
  2. Did Microsoft adopt any security tools at the company level? How was this decision made? How was the security evaluated?
  3. Is there anybody responsible for searching for or developing security tools in Microsoft?
  4. Does Microsoft allow developers to use outside open source security tools? (Does Microsoft encourage individual-level security tool adoption?)

7. [High-level questions]
  1. Do you think asking developers to use security tools would help them build more secure software?
  2. Why are security tools underused?
  3. False positives were mentioned many times by developers. Is there any way to make security tools smart enough to only present the results the users expect?

References
Goertzel, Karen, Theodore Winograd, et al. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance. For the Department of Homeland Security and the Department of Defense Data and Analysis Center for Software, October 2008.
IBM Security Strategy Intelligence, Integration and Expertise Kate Scarcella CISSP Security Tiger Team Executive M.S. Information Security IBM Security Systems IBM Security: Delivering intelligence, integration
More informationSoftware Outsourcing - Software Development. info@westtownwebservices.com
Hi I m Tony Radford from West Town Web Services. We area UK based great value, high quality software development and outsourcing solutions business. If you need software built or looked after please get
More informationQuestions that Ask Us 24/7 Public Librarians are hesitant to answer
Questions that Ask Us 24/7 Public Librarians are hesitant to answer Math Possible sites to help: Wolfram Alpha for Educators: http://www.wolframalpha.com/educators/lessonplans.html Wolfram Alpha Blog,
More informationRealistic Job Preview Family Services Specialist (FSS)
Realistic Job Preview Family Services Specialist (FSS) Carol Sideris: I m Carol Sideris, Director of the Division of Client Services, and I m delighted that you re considering a position with us. Over
More informationDiploma of Management 1 BSB51107
Diploma of Management Diploma of Management 1 BSB51107 Diploma of Management BSB51107 Employers are looking for individuals who can demonstrate skills and techniques to effectively manage staff and take
More informationSecurity Think beyond! Patrick Hildenbrand, SAP HANA Platform Extensions June 17, 2014
Security Think beyond! Patrick Hildenbrand, SAP HANA Platform Extensions June 17, 2014 Disclaimer This presentation outlines our general product direction and should not be relied on in making a purchase
More informationEngagement Guide 2015 Virtual OSEP Project Directors Conference
Engagement Guide 2015 Virtual OSEP Project Directors Conference Purpose of This Guide This guide provides helpful information so you are prepared to engage with presenters, online materials, and other
More informationSecureCom Mobile s mission is to help people keep their private communication private.
About SecureCom Mobile SecureCom Mobile s mission is to help people keep their private communication private. We believe people have a right to share ideas with each other, confident that only the intended
More informationSoftware Assurance Forum for Excellence in Code
Software Assurance Forum for Excellence in Code Security Engineering Training: Building the Foundation for Software Security Success March 2012 About SAFECode The Software Assurance Forum for Excellence
More informationEd Adams, CEO Security Innovation. Dr. Larry Ponemon Ponemon Institute. 2012 ISACA Webinar Program. 2012 ISACA. All rights reserved.
2012 Study on Application Security: AS Survey of fits Security and dd Developers Ed Adams, CEO Security Innovation Dr. Larry Ponemon Ponemon Institute 2012 ISACA Webinar Program. 2012 ISACA. All rights
More informationBringing Security Testing to Development. How to Enable Developers to Act as Security Experts
Bringing Security Testing to Development How to Enable Developers to Act as Security Experts Background: SAP SE SAP SE Business Software Vendor Over 68000 employees Worldwide development Myself Security
More informationBig Data and Cyber Security A bibliometric study Jacky Akoka, Isabelle Comyn-Wattiau, Nabil Laoufi Workshop SCBC - 2015 (ER 2015) 1 Big Data a new generation of technologies and architectures, designed
More informationSIP and VoIP 1 / 44. SIP and VoIP
What is SIP? What s a Control Channel? History of Signaling Channels Signaling and VoIP Complexity Basic SIP Architecture Simple SIP Calling Alice Calls Bob Firewalls and NATs SIP URIs Multiple Proxies
More informationTeaching the Faith Christian Education
Teaching the Faith Christian Education Course Introduction When you become a pastor, one most important responsibility you will have is teaching the Christian faith. If you lead a Bible study, teach a
More informationBI solutions with Visio Graphical visualizations with Visio, SharePoint and Visio Services
BI solutions with Visio Graphical visualizations with Visio, SharePoint and Visio Services More or less every user of Microsoft office in an organization knows Visio or gets to know it sooner or later.
More informationDealing with the unsupported Windows XP
Dealing with the unsupported Windows XP What Should You Do? A White Paper by: Windows Vulnerabilities XP has substantial and HIPAA design Compliancy vulnerabilities Make that put Upgrading an entire organization
More informationJOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City
JOOMLA SECURITY by Oliver Hummel ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City CONTACT Nicholas Butler 051-393524 089-4278112 info@irelandwebsitedesign.com Contents Introduction 3 Installation
More informationAm I An Atheist Or An Agnostic?
Am I An Atheist Or An Agnostic? A Plea For Tolerance In The Face Of New Dogmas by Bertrand Russell (1947) I speak as one who was intended by my father to be brought up as a Rationalist. He was quite as
More informationQuickBooks Online: Security & Infrastructure
QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...
More informationBlack Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More informationSure, yeah, and thank you for having me on.
Introduction: Welcome to the Enchanting Lawyer Podcast. The show that walks you step by step to improving strategies you can use today to grow your business. We show you how being kind, useful, and, of
More informationComparing the Effectiveness of Penetration Testing and Static Code Analysis
Comparing the Effectiveness of Penetration Testing and Static Code Analysis Detection of SQL Injection Vulnerabilities in Web Services PRDC 2009 Nuno Antunes, nmsa@dei.uc.pt, mvieira@dei.uc.pt University
More informationCertificate IV in Business Certificate IV in Business 1 BSB40212. opentraining.edu.au. Course Guide
Certificate IV in Business Certificate IV in Business 1 BSB40212 Certificate IV in Business BSB40212 No matter what aspect of business you re interested in, you ll often be asked to solve problems, assess
More informationTotal Recall Survey Report
Total Recall Survey Report Enrico Bertini, Denis Lalanne University of Fribourg Abstract The overall objective of the TotalRecall project is to support humans memory in the professional life, and more
More informationTHE NEXT AD BIDDING GUIDE AN EASY GUIDE TO HELP YOU OPTIMISE YOUR BIDDING STRATEGY
THE NEXT AD BIDDING GUIDE AN EASY GUIDE TO HELP YOU OPTIMISE YOUR BIDDING STRATEGY Bidding strategy 3 steps for setting up your bidding strategy 1 Define your business goal 2 Choose your bidding strategy
More informationHow to Evaluate a CRM System
How to Evaluate a CRM System Implementing an effective Customer Relationships Management (CRM) software system is becoming increasingly necessary for companies struggling to weather the recession to build
More informationThree Ways to Secure Virtual Applications
WHITE PAPER Detect, Scan, Prioritize, and Remediate Vulnerabilities Table of Contents Subtitle 1 Headline 3 Headline 3 Sub-Headline 3 ConcIusion 3 About BeyondTrust 4 2 2013. BeyondTrust Software, Inc.
More informationHP WebInspect Tutorial
HP WebInspect Tutorial Introduction: With the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the
More informationUnderstanding IBM Tivoli Monitoring 6.1 Agents In A Microsoft Clustered Environment 06/01/2006
Page 1 of 17 Introduction Understanding IBM Tivoli Monitoring 6.1 Agents In A Microsoft Clustered Environment 06/01/2006 The purpose of this document is to describe the IBM Tivoli Monitoring 6.1 agents
More informationFirewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08
Firewall Cracking and Security By: Lukasz Majowicz Dr. Stefan Robila 12/15/08 What is a firewall? Firewalls are programs that were designed to protect computers from unwanted attacks and intrusions. Wikipedia
More informationStep-by-Step Guest Blogging for Lawyers
Step-by-Step Guest Blogging for Lawyers By James Druman In this short guide, you will learn how to harness one of the most powerful content marketing strategies on the Internet guest blogging. What is
More informationIBM Rational AppScan: Application security and risk management
IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM
More informationTOOL EVALUATION REPORT: FORTIFY
TOOL EVALUATION REPORT: FORTIFY Derek D Souza, Yoon Phil Kim, Tim Kral, Tejas Ranade, Somesh Sasalatti ABOUT THE TOOL Background The tool that we have evaluated is the Fortify Source Code Analyzer (Fortify
More informationSoftware Supply Chains: Another Bug Bites the Dust.
SESSION ID: STR-T08 Software Supply Chains: Another Bug Bites the Dust. Todd Inskeep 1 Global Security Assessments VP Samsung Business Services @Todd_Inskeep Series of Recent, Large, Long-term Security
More informationDevelopment Processes (Lecture outline)
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationBrainstorm a bit with friends and colleagues and add in these ideas. You'll have thousands of keywords in a very short period of time.
MKKH Marketing & Consulting www.mkkhmarketing.com 1-888-324-3878 Adwords Survival Tips Advertising on Google's Adwords can best be described as operating in a hostile environment. Even though the search
More informationCSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office
CSUSB, Information Security & Emerging Technologies Office Last Revised: 03/17/2015 Draft REVISION CONTROL Document Title: Author: File Reference: CSUSB Web Application Security Standard Javier Torner
More informationopentraining.edu.au Course Guide Diploma of Business 1 BSB50207
Diploma of Business Diploma of Business 1 BSB50207 Diploma of Business BSB50207 Our Diploma of Business will equip you with skills to lead and support a wide range of enterprise functions. You'll become
More informationHow To Make A Presentation In Powerpoint
Yes, it s bad on purpose. Sheesh. Feel free to print this out and share it. The file isn t copy-protected, so you are able to share the digital version, but if you buy this from Amazon by clicking here,
More informationCertificate IV in Marketing Certificate IV in Marketing 1 BSB41307. opentraining.edu.au. Course Guide
Certificate IV in Marketing Certificate IV in Marketing 1 BSB41307 Certificate IV in Marketing BSB41307 The best brands are the ones that cut-through because they offer something relevant. It s about creating
More informationIntegrigy Corporate Overview
mission critical applications mission critical security Application and Database Security Auditing, Vulnerability Assessment, and Compliance Integrigy Corporate Overview Integrigy Overview Integrigy Corporation
More informationThreat Modeling. Frank Piessens (Frank.Piessens@cs.kuleuven.be ) KATHOLIEKE UNIVERSITEIT LEUVEN
Threat Modeling Frank Piessens (Frank.Piessens@cs.kuleuven.be ) Secappdev 2007 1 Overview Introduction Key Concepts Threats, Vulnerabilities, Countermeasures Example Microsoft s Threat Modeling Process
More informationMicrosoft Baseline Security Analyzer (MBSA)
Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer (MBSA) is a software tool released by Microsoft to determine security state by assessing missing security updates and lesssecure
More informationA Review on Zero Day Attack Safety Using Different Scenarios
Available online www.ejaet.com European Journal of Advances in Engineering and Technology, 2015, 2(1): 30-34 Review Article ISSN: 2394-658X A Review on Zero Day Attack Safety Using Different Scenarios
More informationU.S. Small Business Administration Ron Johnson Interview with Paula Murphy. Ron Johnson: In Part III of our series, Where Will Your
U.S. Small Business Administration Ron Johnson Interview with Paula Murphy Ron Johnson: In Part III of our series, Where Will Your Next Customers Come From? we ll explore preparing for global markets.
More informationTrend Micro. Advanced Security Built for the Cloud
datasheet Trend Micro deep security as a service Advanced Security Built for the Cloud Organizations are embracing the economic and operational benefits of cloud computing, turning to leading cloud providers
More informationOpen Software and Trust Better Than Free? April 28, 2015 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time
Open Software and Trust Better Than Free? April 28, 2015 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time 1 T Sponsored by: #ISSAWebConf 2 Welcome Conference Moderator Phillip Griffin CISM,
More information