Building Assurance Into Software Development Life- Cycle (SDLC)

Similar documents
Practical Applications of Software Security Model Chris Nagel

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

IBM Rational AppScan: Application security and risk management

Application Code Development Standards

HP Fortify application security

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

WebGoat for testing your Application Security tools

Learning objectives for today s session

Department of Education. Network Security Controls. Information Technology Audit

Security Testing and Vulnerability Management Process. e-governance

Rational AppScan & Ounce Products

HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA Enterprise Security

Worldwide Security and Vulnerability Management Forecast and 2013 Vendor Shares

Vulnerability Assessment: The Right Tools to Protect Your Critical Data

Passing PCI Compliance How to Address the Application Security Mandates

HP Application Security Center

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Breaking down silos of protection: An integrated approach to managing application security

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Continuous Network Monitoring

Starting your Software Security Assurance Program. May 21, 2015 ITARC, Stockholm, Sweden

IBM Security QRadar Vulnerability Manager

Staying a step ahead of the hackers: the importance of identifying critical Web application vulnerabilities.

Information Technology Security Review April 16, 2012

Goals. Understanding security testing

From the Bottom to the Top: The Evolution of Application Monitoring

El costo oculto de las aplicaciones Vulnerables. Faustino Sanchez. WW Security Sales Enablement. IBM Canada

Fortify Training Services. Securing Your Entire Software Portfolio FRAMEWORK*SSA

Network Management and Defense Telos offers a full range of managed services for:

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

NETWORK PENETRATION TESTING

Application Security Center overview

New IBM Security Scanning Software Protects Businesses From Hackers

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

Strategies for assessing cloud security

Seven Practical Steps to Delivering More Secure Software. January 2011

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Cisco Security Optimization Service

Defending the Database Techniques and best practices

Security for a Smarter Planet IBM Corporation All Rights Reserved.

The AppSec How-To: 10 Steps to Secure Agile Development

WEB Penetration Testing

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

Risk Management Guide for Information Technology Systems. NIST SP Overview

PCI-DSS Penetration Testing

STATE OF NEW JERSEY IT CIRCULAR

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Worldwide Security and Vulnerability Management Forecast and 2008 Vendor Shares

Risk-based solutions for managing application security

Four Top Emagined Security Services

defense through discovery

Space Ground Services in the Joint Information Environment (JIE)

Extreme Networks Security Analytics G2 Vulnerability Manager

elearning for Secure Application Development

IBM Innovate AppScan: Introducin g Security, a first. Bobby Walters Consultant, ATSC bwalters@atsc.com Application Security & Compliance

Integrated Threat & Security Management.

Penetration Testing Service. By Comsec Information Security Consulting

Be Fast, but be Secure a New Approach to Application Security July 23, 2015

Cutting Edge Practices for Secure Software Engineering

I D C A N A L Y S T C O N N E C T I O N

Application Security in the Software Development Lifecycle

How To Perform An External Security Vulnerability Assessment Of An External Computer System

Web Application Security Roadmap

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

Securing the Cloud with IBM Security Systems. IBM Security Systems IBM Corporation IBM IBM Corporation Corporation

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

Testing Solutions to Tackle Application Security Checkpoint Technologies SQGNE. Jimmie Parson Checkpoint Technologies

Security Testing of Java web applications Using Static Bytecode Analysis of Deployed Applications

Web application security: automated scanning versus manual penetration testing.

HP Fortify Software Security Center

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:

PCI DSS Top 10 Reports March 2011

Transcription:

Application Software Assurance Center of Excellence (ASACoE) Building Assurance Into Software Development Life- Cycle (SDLC) James Woody Woodworth Operations Chief, ASACoE & Sean Barnum, Principal Consultant (Cigital) 554 Wired for War

Overview SDLC Waterfall Process How to Build Assurance Throughout SDLC Gain Knowledge of Secure Coding Practices Gain Knowledge of Tools Use Tools Throughout SDLC Why Use Operational Tools Where to Go to Get Started 554 Wired for War 2

SDLC Waterfall Process 1. Requirements Specification 2. Architecture 3. Code 4. Integrate 5. Test and Debug 6. Install 7. Maintain 554 Wired for War 3

Secure Coding Practices Defensive Programming: Attack and Defense: Developing Secure Code Common attacks against software Maps attacks to a set of common code-level weaknesses Reviews code bases to find the relevant weaknesses Demonstrates how to remediate vulnerabilities 554 Wired for War 4

Tool Training Source Code Analysis Tool Training Database Analysis Tool Training Web Application Penetration Tool Training Central Management Tool Training Operational Tool Training 554 Wired for War 5

Tool Usage Centralized Project Management (Fortify Manager) Vulnerability trend analysis and reporting; view multiple projects, all mission areas Application Defense (Fortify RTA and AppSec Inc. AppRadar) Monitor, prevent and report on intrusion attempts against Web-based applications Management Developers Source Code Analysis (SCA) (Fortify SCA) Proactive security with targeted, accurate analysis tuned for low false positives PR Security Ops Team Security Testers Penetration Testing (IBM AppScan and Fortify PTA, AppSec Inc. AppDetective) Scripted, controlled external probing of the application s security features RunTime Analysis Black box integration testing and vulnerability analysis Build Server Security Leads / Auditors Code Auditing (Fortify SCA) Pre-build security auditing and analysis of application s entire code base 554 Wired for War 6

Why Use Operational Tools? Weaknesses Take Time To Fix Staffing Limitations, Release Cycles, Fundamental Design Protection of Vulnerable Applications and Data Immediately Provides Significant Risk Mitigation Knowledge of Who Is Attacking Our Applications Invaluable Forensic Data For Operations and Developers Confidentiality, Integrity, and Availability of Data Compromised Data Puts the Air Force Mission at Risk Secure Data = Warfighter Success!!! 554 Wired for War 7

Where to Go to Get Started Application Software Assurance Center of Excellence (ASACoE) The mission of the Application Software Assurance Center of Excellence (ASACoE) is to foster security into the software development life cycle (SDLC) and software acquisitions through techniques, tools, and education. ASACoE will leverage information technology through the deployment of practices and automated tools to support and improve Air Force software development processes. 554 Wired for War 8

Current Training Focus Class Size 12 20 PMO Courses Defensive Programming (1 day) Fortify SCA (1 day) AppSecInc. AppDetective (1/2 day) Fortify 360 and RTA (1/2 day) Testing Organizations Courses Security Testing (1 day) IBM Rational AppScan (1 day) SCA, AppDetective, 360, & Fortify PTA Location Gunter 1 week per month On-site Combine multiple program offices if necessary 554 Wired for War 9

Multi-perspective Application Risk Assessment Conducted with PMO personnel as mentoring Scan software using a variety of tools Static analysis using Fortify SCA Web scanning/pentesting of running software using AppScan Data security analysis using AppDetective Conduct analysis of tool results Validate and normalize/align findings Characterize findings as risk and prioritize Identify recommended mitigation approach for findings 554 Wired for War 10

POCs Program Manager Mr. Dan Bartko 754th ELSG/DOC daniel.bartko@gunter.af.mil Chief Technology Officer Major Michael Kleffman 754th ELSG/DOC michael.kleffman@gunter.af.mil Operations Chief James Woodworth 754th ELSG/DOC james.woodworth@gunter.af.mil 554 Wired for War 11

Questions 554 Wired for War 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information