Continuous Delivery and Risk Management



Similar documents
Secure Code Development

JusticeConnect AVL for Windows SETUP GUIDE

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Ensuring the Security of Your Company s Data & Identities. a best practices guide

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

Cloud Security Fails & How the SDLC could (not?) have prevented them

Copyright

Web Application Firewall

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

! Resident of Kauai, Hawaii

Task Management. JobTraQ Core Features

Questionmark OnDemand

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

Synchronization with Microsoft Team Foundation Server 2010

Building Security into the Software Life Cycle

Your Location Instant NOC using Kaseya. Administrator at Remote Location Secure access to Management Console from anywhere using only a browser

Creating a Digital Signature in Adobe Acrobat Created on 1/11/2013 2:48:00 PM

ImportManager 5 Installation Manual

HP Certified Professional

Lumension Endpoint Management and Security Suite

MT4-MT4 Bridge User Guide

Reporting works by connecting reporting tools directly to the database and retrieving stored information from the database.

A Rackspace White Paper Spring 2010

Developing Microsoft SharePoint Server 2013 Advanced Solutions MOC 20489

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

CloudPassage Halo Technical Overview

CenturyLink Cloud Configuration

Blue Jeans Network Security Features

Electronic Questionnaires for Investigations Processing (e-qip)

Update Instructions

SAS Agent for Outlook Web Access

Server-Virtualisierung mit Windows Server Hyper-V und System Center MOC 20409

Merchant Portal Guide. TradeRoute Copyright All Rights Reserved.

SANS Top 20 Critical Controls for Effective Cyber Defense

CONFIGURATION AND APPLICATIONS DEPLOYMENT IN WEBSPHERE 6.1

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Course Details V1.0. Selinis Technologies Pvt Ltd. 2012, All Rights Reserved

ensuring security the way how we do it

BroadSoft BroadWorks ver. 17 SIP Configuration Guide

Training module 2 Installing VMware View

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

SECURITY DOCUMENT. BetterTranslationTechnology

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Best Overall Use of Technology. Jaspersoft

Security and Compliance Suite Rollout Guide. August 4, 2015

DIRECT DATA FLOW CHANNEL (SECURE FILE TRANSFER)/ IBM CONNECT:DIRECT GUIDE

Comodo Mobile Device Manager Software Version 1.0

How To Protect Your Data From Attack

Configuring an Client to Connect to CASS Mail Servers

Print Audit 6 Network Installation Guide

Configuration Guide - OneDesk to SalesForce Connector

VoIP Intercom and Cisco Call Manager Server Setup Guide

InHand Device Cloud Service DN 4.0 Quick Start Guide

To access your FVCC via a Smart phone or other mobile device:

Using TLS Encryption with Microsoft Outlook 2007

Cloud Based Device Management Using Enterprise Mobility Suite Production Pilot Service Definition Document

THE BLUENOSE SECURITY FRAMEWORK

How To Comply With The Pci Ds.S.A.S

Outlook Express. Make Changes in Red: Open up Outlook Express. From the Menu Bar. Tools to Accounts - Click on Mail Tab.

Faster, Cheaper, Safer: Improving Agility, TCO, and Security with Agentless Job Scheduling. A White Paper Prepared for BMC Software August 2006

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

Rational Team Concert. Scrum Project Management Tutorial

How to configure Mac OS X Server

Administration Guide BES12. Version 12.3

Automated backup. of the LumaSoft Gas database

Developing a highly dynamic web application for a large bank using rules-based technology

Active Directory Integration for Greentree

The Essential Security Checklist. for Enterprise Endpoint Backup

Securing Administrator Access to Internal Windows Servers

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

Dial-up Installation for CWOPA Users (Windows Operating System)

OneLogin Integration User Guide

Course Outline: Course 20489B: Developing Microsoft SharePoint Server 2013 Advanced Solutions

Installation & Configuration Guide Professional Edition

HarePoint Workflow Extensions for Office 365. Quick Start Guide

Managing Qualys Scanners

NetMotion + YubiRADIUS Quick Start Guide

Server Virtualization with Windows Server Hyper-V and System Center

How To Create A Microsoft.Com/Sql Server 2000 Instance For Act! (For A Powerpoint) For A Powerline.Com (For Microsoft) Or A Microscientific.Com Or A Windows

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

Versions Addressed: Microsoft Office Outlook 2010/2013. Document Updated: Copyright 2014 Smarsh, Inc. All right reserved

Implementation Guide for. Juniper SSL VPN SSO with OWA. with. BlackShield ID

Remote Access Platform. Architecture and Security Overview

NET UX Series with Microsoft Lync 2010 and CyberData VoIP Intercom

PIM SOFTWARE TR50. Configuring the Syslog Feature TECHNICAL REFERENCE page 1

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Jenkins World Tour 2015 Santa Clara, CA, September 2-3

MCS-HIPAA LOGING IN Version 7.0.web BGSoftinc.com Medical Billing Software Revised 09/27/2015

SJRWMD Cloud-Based Quick-Start Guide

Transcription:

Continuous Delivery and Risk Management SESSION ID: SEC-T10 Shaik Mokhinuddeen Director, Software Engineering CA Technologies Ravindra Rajaram Principal Software Engineer CA Technologies

Development Deployment Operations 2

Development - Challenges Non-compliant Secure SDLC Adopting Agile Many working releases Many assessments! Harder to keep track of issues Bigger the complexity, longer it takes for a thorough assessment Development practices Finish the sprint; lets worry about secure coding practices in the last sprint Lazy APIs 3

Development - Recommendations Strong Secure SDLC BSIMM Open standard BSIMM score card Custom implementation Policy & Procedure Assessments Code analysis Penetration testing Design analysis Vulnerability management Internal External Training and Awareness 4

Development Recommendations Well defined checkpoints and processes Contd.. Hold product owners accountable for security checkpoints Not going to happen overnight Implement levels of acceptability Split the assessments into Standard and Advanced Warn the engineering on judicious use of tools Training programs at all levels Make the product owner accountable to run part of the assessment 5

Development Recommendations Architects Contd.. Recommended blueprint Compliance requirements Audit requirements Security requirements Track 3 rd party software use Useful when a vulnerability is disclosed 6

Development Recommendations Checkpoints for Secure SDLC Contd.. 7

Deployment - Challenges Making it work becomes the top priority Always an integration : In-house/licensed Never works out-of-the-box Custom code: I didn t write that code! Is it a web service? Never mind, open that port! Security takes a back seat Security is out of the window between Load balancer and App Server Default passwords/configuration Security assessment just before deployment Delays in getting to the market 8

Deployment - Recommendations Include the Deployment team in defining the blueprint of the deployment architecture Identify and arrive at the best possible deployment scenario for Penetration testing during Secure SDLC Document secure configuration best practices for application servers, database servers etc,. Hand-over the reports from Secure SDLC assessments to be shared as necessary for compliance and auditing checks Central location with limited access for all the reports Custom report templates to share internally and externally 9

Deployment Recommendations Contd.. Tools for security assessment Common platform for assigning severity of the issues Priority channel for communication between Engineering team Secure SDLC team Deployment team Custom code should be shared to the engineering To be included as supported features 10

Operations - Challenges Highly reactive WAFs not very effective Data formats Signatures Keeping it quite! Internal leaks Downtime Not enough Bug Bounties Password re-set problems 11

Operations - Recommendations Bug bounties Response team Action plan Advisory - immediately Well defined mass password re-set policy Less response time Block logins for affected users E-mail communication with reset links (possibly with a two-factor authentication) Idiot-proof technology Fool-proof approval process Limited access to the shiny red button 12

Recap Thorough process of Secure SDLC Proper checkpoints Empower the developers Training Tools Handoff of Secure SDLC artifacts to the Ops team Data, Data & Data Use a systems management software that uses analytics to help you be proactive Password re-set Predefined policy 13

14

Thank you 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information