AppScan Deployment (Application Security Services). Colin Bell, Applications Security Senior Practice Manager
1 Application Security Services: AppScan Deployment. Colin Bell, Applications Security Senior Practice Manager. Copyright 2017 HCL Products & Platforms
2 The Evolution of DevOps (timeline, oldest first): 1960s Monolithic Software Development; 1980s Prototyping (Throwaway Prototyping, Evolutionary Prototyping); RAD/JAD (Rapid Application Development, Joint Application Development); Agile Development; Extreme Prototyping / Programming; Continuous Integration / Continuous Delivery; DevOps
3 (no transcribed text) 6/19/18
4 What are DevOps all about? The collaboration of Development and IT Operations. Its goal is automation of the software delivery processes: releasing software quickly and reliably. (Diagram: Development, IT Operations, DevOps, Continuous Delivery.) Where does testing fit into this model? How do we maintain security of the applications?
5 What are DevOps all about? Testing is addressed by introducing QA into the model, with an emphasis on automating the QA process through tooling. (Diagram: Development, Quality Assurance, Acceptance Test, IT Audit & Governance, IT Operations, DevOps, Continuous Delivery.) However, security is still not part of most DevOps models (a minor mention on the wiki definition page). Security is an afterthought!
6 What are DevOps all about? Security needs to play a part for DevOps to truly work. However, it can't be a barrier to the objectives of DevOps; tooling and automation are essential. (Diagram: Development, Quality Assurance, Acceptance Test, QA Security Test, Security Build Automation, Secure Quality DevOps, Security Application Pen Test, Security Operations (ISOC), Network Pen Test, IT Audit & Governance, IT Operations, Continuous Delivery.) Are organizations capable of reaching this?
7 Which Life Cycle?
8 SDLC - The Waterfall Approach. Phases: Requirements → Design → Code & Unit Test → Integration → System Test. Security testing mapped to the phases:
- Code & Unit Test: STATIC ANALYSIS (Dev), IBM Security (SAST)
- Integration: DYNAMIC ANALYSIS (QA), IBM Security (DAST)
- System Test: PENETRATION TEST (Security): (SAST), IBM Security AppScan Standard (DAST), Manual Testing
9 SDLC - DevOps suggests an Agile Approach. Product Backlog → Sprint Backlog → Iteration (SPRINT, 2-3 weeks) → Product Shipping. Within the sprint: (SAST) filtering on high confidence, with daily review; (SAST) and (DAST) on the iteration. At product shipping: PENETRATION TEST (Security): (SAST), AppScan Standard (DAST), Manual Testing
10 SDLC - The Agile-Fall Approach. This is the reality for most. Is it any different to waterfall? Requirements → Design → Integration → System Test. (SAST) between Design and Integration; DYNAMIC ANALYSIS (QA) (DAST) at Integration; PENETRATION TEST (Security) at System Test: (SAST), AppScan Standard (DAST), Manual Testing
11 Application Security Maturity (from no program to operational excellence):
- Unaware: No Application Security Program
- Awareness Phase: Application Security Gates; Internal Pen Testing; Vulnerability Reporting; Internal Assessments
- Corrective Phase: Code based Assessments; Build integration Automation; Security Gate / Pen Testing; Application Risk Management; Some Levels of Automation
- Operational Excellence: Developer IDE Scanning; DevOps Integration; Build integration Automation; Pass/Fail Gates for CI; QA Security Testing; Security Gate / Pen Testing; Application Risk Management; Repeatable Process
12 Increase SDLC testing to increase maturity. Security maturity grows over time: Unaware (Doing Nothing) → Awareness Phase (Ad Hoc Testing) → Corrective Phase (Testing Before Deployment) → Operations Excellence Phase (Testing Throughout SDLC). Teams and tools added along the way: Development with AppScan Source; QA Team with AppScan Enterprise; Security Team with AppScan Standard and Manual Pen Test.
13 Example: Assessing application security risk with AppScan. Risk rating = Business Impact x Vulnerability; the security assessment policy is based on Business Impact.
- IT Help: internal IT help; exposure Internal; stores sensitive information: No; PCI compliance: No; business impact Low. Policy: Pre Prod Scan; Annual Prod Test. Vulnerability found: 2 Med (Session identifier not updated). Risk rating: Low.
- Product catalog: online product catalog; exposure External; stores sensitive information: No; PCI compliance: No; business impact Medium. Policy: Code Scan on Builds; Pre Prod Scan; Manual Pen test; Annual Prod Test. Vulnerability found: 2 High (SQL Injection). Risk rating: High.
- Travel Reservation: internal employee travel reservation; exposure Internal; stores sensitive information: Yes; PCI compliance: Yes; business impact High. Policy: Dev Code Scanning; Code Scan on Builds; QA Dynamic Scan; Pre Prod Scan; Manual Pen test; Bi-Annual Prod Test. Vulnerability found: 1 Med (Open redirect). Risk rating: Medium.
- Online store: online store; exposure External; stores sensitive information: Yes; PCI compliance: Yes; business impact Critical. Policy: Dev Code Scanning; Code Scan on Builds; QA Dynamic Scan; Pre Prod Scan; Manual Pen test; External Security Test; Quarterly Prod Test. Vulnerability found: 1 High (SQL Injection). Risk rating: Very High.
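The slide's "Risk rating = Business Impact x Vulnerability" rule and the per-impact assessment policy, as an added worked example (not AppScan's own scoring logic and not code from the presentation). The four matrix cells fixed by the slide's applications are reproduced; the remaining cells, and the rule that an application with no open findings rates Low, are assumptions of this example.

```python
"""Risk rating and assessment policy derived from business impact.

Added illustration of the slide's rule, not AppScan's own scoring logic.
Matrix cells the slide does not show are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SEVERITY = ["Low", "Medium", "High"]
RISK_ORDER = ["Low", "Medium", "High", "Very High"]

# Rows = business impact, columns = highest open finding severity.
# Cells fixed by the slide: Low x Medium = Low, Medium x High = High,
# High x Medium = Medium, Critical x High = Very High. The rest are assumed.
RISK_MATRIX: Dict[str, Dict[str, str]] = {
    "Low":      {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium":   {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":     {"Low": "Medium", "Medium": "Medium", "High": "High"},
    "Critical": {"Low": "Medium", "Medium": "High",   "High": "Very High"},
}

# Security assessment policy per business impact, as listed on the slide.
ASSESSMENT_POLICY: Dict[str, List[str]] = {
    "Low": ["Pre Prod Scan", "Annual Prod Test"],
    "Medium": ["Code Scan on Builds", "Pre Prod Scan", "Manual Pen test",
               "Annual Prod Test"],
    "High": ["Dev Code Scanning", "Code Scan on Builds", "QA Dynamic Scan",
             "Pre Prod Scan", "Manual Pen test", "Bi-Annual Prod Test"],
    "Critical": ["Dev Code Scanning", "Code Scan on Builds", "QA Dynamic Scan",
                 "Pre Prod Scan", "Manual Pen test", "External Security Test",
                 "Quarterly Prod Test"],
}


@dataclass
class Finding:
    severity: str   # "Low" | "Medium" | "High"
    title: str
    count: int = 1


@dataclass
class Application:
    name: str
    business_impact: str   # "Low" | "Medium" | "High" | "Critical"
    findings: List[Finding] = field(default_factory=list)


def highest_severity(findings: List[Finding]) -> str:
    """Highest severity among open findings; no findings rates as Low (assumption)."""
    if not findings:
        return "Low"
    return max((f.severity for f in findings), key=SEVERITY.index)


def risk_rating(app: Application) -> str:
    """Business Impact x Vulnerability, looked up in the matrix above."""
    return RISK_MATRIX[app.business_impact][highest_severity(app.findings)]


def assessment_policy(app: Application) -> List[str]:
    """Which tests the application must go through, driven by business impact only."""
    return ASSESSMENT_POLICY[app.business_impact]


def rank_portfolio(apps: List[Application]) -> List[Tuple[str, str]]:
    """(name, risk) pairs, highest risk first, so the security team can see
    across the portfolio which application to address first."""
    rated = [(a.name, risk_rating(a)) for a in apps]
    return sorted(rated, key=lambda nr: RISK_ORDER.index(nr[1]), reverse=True)


# The four applications from the slide (constructed sample data).
PORTFOLIO = [
    Application("IT Help", "Low", [Finding("Medium", "Session identifier not updated", 2)]),
    Application("Product catalog", "Medium", [Finding("High", "SQL Injection", 2)]),
    Application("Travel Reservation", "High", [Finding("Medium", "Open redirect")]),
    Application("Online store", "Critical", [Finding("High", "SQL Injection")]),
]

if __name__ == "__main__":
    for name, risk in rank_portfolio(PORTFOLIO):
        print(f"{name:20s} risk={risk}")
```

The policy is keyed on business impact alone, as on the slide, while the risk rating also takes the worst open finding into account; keeping the two separate is what lets a Low-impact application stay on the light policy even when a scan turns up a High finding.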
14 DAST Deployment Models
15 The Life Cycle of an Application (DAST): CODE → BUILD → QA → SECURITY → PRODUCTION, with a Development Gate, a QA Gate and a Security Gate.
- CODE: Developers run Quick Scans. Development Gate conditions: developer self scan; optional gate; self assessment.
- BUILD: Continuous Integration with DAST Automation; automated scans with the Application Only Test Policy.
- QA: Developers & QA Testers run dynamic scans and ad hoc testing (Application Only Test Policy, Input Control Test Policy). QA Gate conditions: all High & Medium risk application issues resolved; all input validation issues resolved.
- SECURITY: AppScan Standard dynamic scans with the Complete Test Policy; manual pen testing, internal & external testing; Security Champion pen testing as a deep-dive review of the application. Security Gate conditions: all High risk issues resolved; all Medium risk issues open > 30 days resolved; any Low risk issues open > 90 days resolved.
16 Dynamic Analysis Phase 1: Security Centric / Pen Testing
- Security Team, using the AppScan Standard desktop client: conduct scans of the web application(s) with the Complete Full Coverage Test Policy; produce compliance reports; triage findings and verify results; manual pen test.
- Output: PDF reports. The findings summary & compliance reports go to Managers; the detailed findings report goes to Development Teams.
17-19 Dynamic Analysis Phase 2: Enterprise Reporting (built up over three slides)
- An AppScan Standard server is added alongside the desktop client, with the AppScan Enterprise DB, Enterprise Reporting and User Administration.
- Security Team (AppScan Standard & Dynamic User): conduct scans with the Complete Full Coverage Test Policy; triage findings and verify results; ASE administration; create enterprise-level metrics, trending and compliance reports; publish AppScan Standard results; publish manual pen test findings (CSV file).
- Managers (Reporting): view enterprise-level metrics, Application Management dashboards & reports, and compliance reports.
- Development Teams: review results, manage issues, review findings.
20 Dynamic Analysis Phase 3: Advanced Scanning & Reporting. Adds Dynamic Analysis Scanners: run on-demand or scheduled scans; headless & automated scans; scan results flow into the AppScan Enterprise DB. Security Team, Managers and Development Teams roles as in Phase 2.
21 Dynamic Analysis Phase 4: Introduce QA Security Testing. Adds QA Teams (Dynamic User): configure & conduct scans (run on-demand or scheduled scans on the Dynamic Analysis Scanners), manage issues, review findings, using an Application Test Policy. Other roles as in Phase 3.
22 Dynamic Analysis Phase 5: Full Enterprise-wide testing. Adds Development Teams as Dynamic Users: run Quick Scans with a Limited / Input Control Test Policy, manage issues, review findings. QA Teams continue with the Application Test Policy; the Security Team continues with the Complete Full Coverage Test Policy, manual pen test, ASE administration and enterprise reporting; Managers view enterprise-level metrics, Application Management and compliance reports.
23 Dynamic Analysis: Enterprise DAST evolves over time (the completed Phase 5 diagram from slide 22, shown again).
24 DAST Scanning Automation / Scan and Review
- Continuous Integration: DAST Automation with the Application Only Test Policy; automation from functional testing tools (integration with QA testing tools for DAST automation). Regular scans can be conducted after every build or at strategic points such as the end of a sprint.
- Dynamic Analysis Scanners: run on-demand or scheduled scans; scan results go to the SQL Server DB behind Application Security Management reports & dashboards.
- Security Team are Champions: create policy, scan applications, approve findings; Complete Test Policy; run detailed scans; deep-dive scanning in conjunction with manual pen testing.
- Developers & QA: scan applications and review findings with the Input Only Test Policy; QA conduct scans for ad hoc testing; review results, approve results.
- Managers: view application metrics; regular management metrics.
25 DAST Process (High Level). Columns: Scan → Validate → Release → Remediate. Legend: Security, App Lead, Developer, Infra.
- Security IRMD: set goals for AVA scans; approve authorisation; govern the AVA scanning schedule; annual review and incident response.
- App Lead: application on-boarding (configure and execute scan); new application scan configuration; completed scan.
- Security: AVA scan results triage (review trend, determine security priorities, evaluate risk); reported findings (validate scan results, verify fixes, share results with HODs).
- Decision: AVA scan findings remediated? Yes: code cleared for release. No: assign remediation tasks.
- Developers: provide application details & function flows; review findings; correct code to fix vulnerabilities.
26 SAST Deployment Models
27 The Life Cycle of an Application (SAST): CODE → BUILD → QA → SECURITY → PRODUCTION.
- CI - Development Gate (Continuous Integration, IFA For Automation): IFA delta findings. Gate conditions: build process controls pass / fail; IFA delta scans (only new issues reported).
- Security Champion (IFA For Analysis): onboard the application using IFA to establish a baseline; periodic deep-dive review of the application.
- Security Gate conditions: all High risk issues resolved; all Medium risk issues open > 30 days resolved; any Low risk issues open > 90 days resolved.
28 CASE 1 Initial Distributed Model
- Security Team (For Analysis): onboard applications, conduct scans (full coverage), review assessments, approve scan results, triage scan results.
- Lead Developer Champion(s), one per development team (10 in total): administration (access); publish assessments; create shared configuration files; create shared filters (security policy); markup management (resolve lost sinks, identify lost sources, create custom rules). Assessment data is exchanged as bundles.
- Developers (For Remediation): open assessments, fix findings.
- Managers (Reporting): view application metrics and manage risk through Application Security Management reports & dashboards backed by the AppScan Source DB.
- Inputs: source code & dependencies.
Observations:
- Key objective was to get development teams scanning.
- Security team not part of the process; IBM performed this role initially.
- Management metrics and risk scoring were unclear.
- Each team used different SDLC approaches.
- Lots of legacy code in scope.
29 Should All Data be Trusted? Consider the interactions with one central database (the Central Client Policy Database):
- 3rd Party Application(s) (unknown) write untrusted data into the database. This data should NOT be trusted.
- New Business Application (.NET) sanitizes data before writing it, so its data is trusted.
- Reporting Application (JAVA), Mobile Application (Android & iOS), Number Cruncher (COBOL) and Customer Statements (JAVA) all read the database as trusted data, and Middleware returns unsanitized data to them.
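The slide's point is that a value read from the shared database is only as trustworthy as the least careful writer of that database. The added example below (not code from the presentation; the tables, rows and function names are constructed) models a Java-style reporting application in Python with sqlite3: one consumer splices the database value into its own SQL because it treats the central database as trusted, the other passes it as a parameter and encodes it for HTML. An ordinary apostrophe in a third-party-supplied name is enough to show the difference.

```python
"""Treating shared-database values as untrusted input.

Added illustration; the schema and rows are constructed sample data.
"""
import html
import sqlite3
from typing import Dict, Optional


def build_shared_db() -> sqlite3.Connection:
    """Stand-in for the central policy database. Row 2 was written by a
    third-party system that performs no sanitisation; the apostrophe is
    ordinary data, yet it already breaks a consumer that trusts the value."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE policies (policy_id INTEGER PRIMARY KEY, holder TEXT, source TEXT);
        CREATE TABLE statements (holder TEXT, amount REAL);
        INSERT INTO policies VALUES (1, 'Alice Smith', 'new_business_app');
        INSERT INTO policies VALUES (2, 'Conor O''Brien', 'third_party');
        INSERT INTO statements VALUES ('Alice Smith', 120.0);
        INSERT INTO statements VALUES ('Conor O''Brien', 85.5);
    """)
    return con


def holder_for_policy(con: sqlite3.Connection, policy_id: int) -> Optional[str]:
    row = con.execute("SELECT holder FROM policies WHERE policy_id = ?",
                      (policy_id,)).fetchone()
    return row[0] if row else None


def statement_total_trusting(con: sqlite3.Connection, policy_id: int) -> float:
    """Reporting application that treats the value read from the shared DB as
    trusted and builds its next query by string formatting. This is the
    'Trusted Data' arrow on the slide, and it is the defect."""
    holder = holder_for_policy(con, policy_id)
    sql = f"SELECT SUM(amount) FROM statements WHERE holder = '{holder}'"
    return con.execute(sql).fetchone()[0]


def statement_total_parameterised(con: sqlite3.Connection, policy_id: int) -> float:
    """Same report with the holder passed as a bound parameter: the database
    value never becomes part of the SQL text, whatever it contains."""
    holder = holder_for_policy(con, policy_id)
    return con.execute("SELECT SUM(amount) FROM statements WHERE holder = ?",
                       (holder,)).fetchone()[0]


def render_holder_html(con: sqlite3.Connection, policy_id: int) -> str:
    """Same rule for the HTML report: encode for the output context, regardless
    of which application originally wrote the value."""
    holder = holder_for_policy(con, policy_id) or ""
    return f"<td>{html.escape(holder, quote=True)}</td>"


def demo() -> Dict[str, object]:
    con = build_shared_db()
    out: Dict[str, object] = {}
    out["trusting_clean_row"] = statement_total_trusting(con, 1)
    try:
        statement_total_trusting(con, 2)
        out["trusting_third_party_row"] = "no error"
    except sqlite3.OperationalError as exc:
        # the apostrophe in the third-party value broke the query text
        out["trusting_third_party_row"] = f"OperationalError: {exc}"
    out["parameterised_third_party_row"] = statement_total_parameterised(con, 2)
    out["html_third_party_row"] = render_holder_html(con, 2)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The trusting version works on the row the sanitising .NET application wrote and fails on the third-party row; a scanner marking the database read as a taint source, as the onboarding slides later describe for lost sources, is what surfaces this class of finding.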
30 CASE 2 Automation as a priority (no Security Champions in place)
- Build Server (For Automation): integration with the build process (Jenkins, Maven, CLI); scan (auto) using a config / filter (baseline policy); findings auto-published to Application Security Management reports & dashboards (AppScan Source DB); assessment results written to a network share.
- Security Team (For Analysis): create policy / baseline; review assessments.
- Developers (For Remediation): open assessments, fix findings, conduct scans.
- Managers / PCI Auditor (Reporting): view application metrics.
- Inputs: source code & dependencies.
Observations:
- DevOps focused on automation and tooling.
- Results and findings are less important than getting the scans run on a regular basis.
- Full on-boarding of applications to be done at a later phase.
- Education of developers on secure coding also earmarked for a later phase.
31 CASE 3 Developer Scanning (thousands of developers, no Security Champions in place)
- Developers (For Development): scan applications and projects, fix findings, conduct scans. Shared scan configuration files, shared scan filters (security policy) and shared scan markup settings come from a network share; configuration, filters and updates are pushed to developer workstations (end point management).
- Security Team (For Analysis): create policy / baseline, review assessments; administration: maintain users, maintain Application Management.
- Application Security Management (AppScan Source DB): scan results, scan metrics and usage stats; scan metrics are extracted and scan statistics auto-communicated to the server.
- Inputs: source code & dependencies.
Observations:
- Priority to get security scanning to each and every developer.
- Very small security team with minimal global reach.
- Results not being reviewed by Security.
- Metrics based on who has the software installed and who has run a scan.
- Developers confused as to why this is happening.
- Findings and risk a lower priority.
32 CASE 3 DevOps CI Pipe expansion. Pipeline stages: Design & Plan → CODE → CI & BUILD → TEST → RUN.
- Developer Assisted Tooling: Senior Developers with SAST IDE scanning (For Development: scan applications and projects); Interactive Application Security Test (IAST); Runtime Application Self Protection (RASP).
- Security Assurance: SECURITY Self Service Portal; Security Audit; Security Team (For Automation): submitted application code and dependencies go through the SAST Automation Portal; Reporting.
- Security Champions (For Analysis): create scan configuration files; create scan filters; markup rules for applications.
33 CASE 4 SAST Automation and Security Testing (Security Team are Champions; each application is scanned by the Security team to ensure full coverage)
- Build Server (For Automation): integration with the build process (TFS, CLI); scan (auto) with custom rules (application policy); IFA; findings auto-published to Application Security Management reports & dashboards (AppScan Source DB); assessment results to a network share.
- Security Team (For Analysis): create policy / baseline; scan applications; markup management to ensure scan coverage; conduct scans.
- Developers (For Remediation): open assessments, fix findings, conduct scans.
- Managers (Reporting): view application metrics.
- Inputs: source code & dependencies.
Observations:
- Security Team working through applications to onboard them.
- Developers get results from the Security team and then set priorities.
- Automation used to maintain steady-state scanning.
- On-premise Auto Triage (IFA) is used to speed up the triage process.
34 The Security Life Cycle of an Application: IFA enhances continuous testing
35 Cognitive computing applied to security vulnerability analysis: machine learning with Intelligent Findings Analytics (IFA)*. Now available on premise!
- Fast AppScan SAST results: fully automated review of scan findings, trained by IBM/HCL security experts.
- Early and repeatable vulnerability analysis drives cost reduction for fixes.
- Learned results: reduce false positives; minimize unlikely attack scenarios; provide fix recommendations that resolve multiple vulnerabilities.
* NOTE: only available with the Automation License.
36 The Life Cycle of an Application (SAST): repeat of slide 27 (same stages, gates and gate conditions).
37-41 Phase 1: Application On Boarding (Security Team are Champions). Each application is scanned by the Security team and a review is conducted to ensure full coverage:
1. Identify any missing sources.
2. Resolve lost sinks to help resolve scan coverage exceptions.
3. Mark only genuine sinks.
4. Scan with a config that will automatically mark all remaining lost sinks as taint propagators, maximising the data flow.
Roles (diagram): Security Team (For Analysis): create config / filters, scan applications, rescans, markup to ensure coverage, conduct scans. Markup Management: maintain config & filters, add missing sources, resolve genuine lost sinks, ensure scan coverage. Inputs: source code & dependencies. Results feed Application Security Management reports & dashboards (AppScan Source DB).
Triage: the deeper triage of findings is conducted using Intelligent Findings Analytics (IFA), which focuses on actionable findings and is also used to provide delta reports. Assessment results on the network share: Original OZASMT, IFA Triage, IFA-Delta. This initial cycle formulates the baseline.
Review with development: the initial IFA Triage scan results are reviewed with the development team (Developers, For Remediation: open assessments, fix findings). The development team may choose to filter additional findings where data points can be trusted (issue to filter); the remainder are then assigned as defects to be corrected (fix code).
Baseline: a final scan is conducted and the results published as the baseline findings (Publish Baseline Assessment). Managers (Reporting) view application metrics.
42 Phase 2: Build Integration (Security Team are Champions). With the application on-boarded, CLI scripts can be developed to initiate the scan from the build cycle:
- A post-build script is called from the CI environment, such as Jenkins or TFS (integration with build process: Jenkins - CLI).
- The script scans the application, runs IFA and publishes the delta results (Build Server, For Automation: Scan (Auto), IFA, Publish Delta Assessment).
- Security Team (For Analysis): update config / filters; develop the CLI script to scan, run IFA and publish via the build.
- Managers (Reporting): view application metrics via Application Security Management reports & dashboards (AppScan Source DB). Inputs: source code & dependencies.
43 Phase 3: On Going Scan and Review (Security Team are Champions). Automation of the application is complete:
- Regular scans can be conducted after every build or at strategic points such as the end of a sprint (Build Server, For Automation: Scan (Auto), IFA, Publish Delta Assessment; integration with build process: Jenkins - CLI).
- Delta reports from the baseline report only newly found issues (network share assessment results: Original OZASMT, IFA Triage, IFA-Delta).
- Developers (For Remediation): open assessments, fix findings, fix code; issues to filter go to Markup Management (modify filters).
- The Security team role (For Analysis: update config / filters) is reduced to approving filter alterations.
- Managers (Reporting): view application metrics. Inputs: source code & dependencies.
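How a baseline and a later build's findings combine into a delta report of only newly found issues, with the development team's filter decisions carried forward, as an added example (this is not IFA's or AppScan Source's own algorithm, and the fingerprint rule and sample findings are constructed for the illustration).

```python
"""Baseline / delta reporting for static-analysis findings.

Added illustration of the "delta reports from the baseline report only newly
found issues" step; not IFA's or AppScan Source's own implementation.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_type: str
    source: str              # taint source API
    sink: str                # taint sink API
    file: str
    line: int
    trace: Tuple[str, ...]   # call chain from source to sink


def fingerprint(f: Finding) -> str:
    """Stable identity for a finding (assumed rule). Line numbers are left out
    so that edits above the vulnerable code do not turn a known issue into a
    'new' one; type, source, sink, file and trace identify it."""
    key = json.dumps([f.vuln_type, f.source, f.sink, f.file, list(f.trace)])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def apply_filters(findings: List[Finding], filtered: Set[str]) -> List[Finding]:
    """Drop findings the development team filtered as trusted data points. The
    decisions are kept by fingerprint, so they carry forward to later scans."""
    return [f for f in findings if fingerprint(f) not in filtered]


def delta(baseline: List[Finding], current: List[Finding],
          filtered: Set[str] = frozenset()) -> Dict[str, List[Finding]]:
    """Split the current scan into new / fixed / carried relative to the baseline."""
    base = {fingerprint(f): f for f in apply_filters(baseline, filtered)}
    cur = {fingerprint(f): f for f in apply_filters(current, filtered)}
    return {
        "new": [cur[k] for k in cur if k not in base],      # the delta report
        "fixed": [base[k] for k in base if k not in cur],
        "carried": [cur[k] for k in cur if k in base],
    }


# Constructed sample: the baseline published after on-boarding, then a later build.
BASELINE = [
    Finding("SQL Injection", "HttpServletRequest.getParameter", "Statement.executeQuery",
            "OrderDao.java", 42, ("OrderServlet.doGet", "OrderDao.find")),
    Finding("Cross-Site Scripting", "HttpServletRequest.getParameter", "PrintWriter.print",
            "Search.java", 17, ("SearchServlet.doGet",)),
    Finding("Path Traversal", "HttpServletRequest.getParameter", "FileInputStream.<init>",
            "Download.java", 88, ("DownloadServlet.doGet", "Files.open")),
]
CURRENT = [
    # same SQL injection, code moved down five lines: carried, not new
    Finding("SQL Injection", "HttpServletRequest.getParameter", "Statement.executeQuery",
            "OrderDao.java", 47, ("OrderServlet.doGet", "OrderDao.find")),
    # the XSS is no longer reported: fixed
    Finding("Path Traversal", "HttpServletRequest.getParameter", "FileInputStream.<init>",
            "Download.java", 88, ("DownloadServlet.doGet", "Files.open")),
    # newly introduced in this build
    Finding("Command Injection", "HttpServletRequest.getParameter", "Runtime.exec",
            "Admin.java", 12, ("AdminServlet.doPost",)),
]
# The development team filtered the path traversal as a trusted data point.
FILTERED = {fingerprint(BASELINE[2])}


def new_issue_types(baseline=BASELINE, current=CURRENT, filtered=FILTERED) -> List[str]:
    """Only the newly found issues, i.e. what the build's delta report shows."""
    return [f.vuln_type for f in delta(baseline, current, filtered)["new"]]


if __name__ == "__main__":
    for kind, items in delta(BASELINE, CURRENT, FILTERED).items():
        print(kind, [f.vuln_type for f in items])
```

Because the filter set is applied to both sides before diffing, a filtered baseline finding does not reappear as "fixed" once it stops being reported, which keeps the delta report limited to changes the team actually needs to act on.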
44 Phase 4: Periodic Full Review (Security Team are Champions). The Security team provides periodic reviews of the application:
- These reviews are needed to assess the rules written and the scan exclusions, and to investigate the scan coverage.
- They enhance the markup of the application (Markup Management: add missing sources, resolve genuine lost sinks, review excluded findings, mark no-trace findings) and provide a deeper level of analysis.
- Security Team (For Analysis): update config / filters, scan applications, markup to ensure coverage, conduct scans; IFA results go to the network share.
- Developers (For Remediation): open assessments, fix findings, fix code; issues to filter. Inputs: source code & dependencies.
45 Triage with IFA: Suggested Workflow (swimlanes: Security Analyst, Lead Developer / Champion, Developer)
- Security Analyst: maintain users; define scan policies; periodically review scan results; maintain scan metrics.
- Lead Developer / Champion: conduct normal scan. Any scan coverage issues? Yes: create custom rules (for sources and genuine sinks) and filter false positives (using a pre-scan filter). No: conduct auto taint propagation scan, analyze reported findings, manually run IFA in triage mode, publish IFA findings to ASE.
- Developer: conduct scan from IDE (optional). Is the finding genuine? Yes: fix finding. No: report findings.
46 Application SAST Timeline (chart: time spent for every 250K lines of code, in hours, for On Boarding Activities, Build Integration Steps, OnGoing Scan and Review, and Periodic Full Application SAST Review; values not transcribed)
47 The Security Life Cycle of an Application: ASoC Scanning and Enablement
48 Application Security on Cloud (ASoC): Dynamic Analysis, Static Analysis, Mobile Analysis, Open Source Analysis
49 ASoC Application Security Gates: multiple gates across CODE → BUILD → QA → SECURITY → PRODUCTION.
- CODE: Developers; IDE SAST scanning.
- CI - Development Gate (Continuous Integration: SAST Automation, DAST Automation, Open Source). Gate conditions: build process controls pass / fail; must pass the organization's BASELINE filter.
- QA: Developers & QA Testers; ad hoc scanning (DAST, SAST); mobile scanning. QA Gate conditions: all High & Medium risk application issues resolved; all input validation issues resolved.
- SECURITY: Security Champion; pen testing. Security Gate conditions: all High risk issues resolved; all Medium risk issues open > 30 days resolved; any Low risk issues open > 90 days resolved.
50 ASoC Scanning Automation / Scan and Review. Use a single console for managing application risk, test results, reporting and policies.
- Continuous Integration: DAST Automation (automation from functional testing tools, conducting scans of the web application(s)); SAST Automation via IRX (intermediate representation of code); IDE scans; mobile scans (interactive testing of a mobile binary).
- Security Team: create policy, scan applications, approve findings.
- Developers: scan applications, review findings.
- Managers: view application metrics.
Notes: integration with CI testing tools for DAST & SAST automation; regular scans can be conducted after every build or at strategic points such as the end of a sprint; open source analysis on all scans; mobile scanning analysis; regular management metrics.
51 Questions???
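The gate conditions on the DAST (slide 15), SAST (slide 27) and ASoC (slide 49) life-cycle slides are the same three rules with small variations, so one policy evaluator covers them. The following is an added example (not AppScan's or ASoC's own gate implementation): the issue fields, the reference date and the reading of "must pass the organization's BASELINE filter" as a predicate over open issues are assumptions of this example.

```python
"""Development, QA and Security gate evaluation.

Added illustration of the gate conditions on the life-cycle slides; not the
product's own gate logic. Issue fields and the baseline-filter model are assumed.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Callable, Dict, List, Tuple


@dataclass
class Issue:
    issue_id: str
    severity: str      # "Low" | "Medium" | "High"
    category: str      # e.g. "Application", "Input Validation"
    opened: date
    resolved: bool = False


GateResult = Tuple[bool, List[str]]   # (passed, reasons it failed)


def open_issues(issues: List[Issue]) -> List[Issue]:
    return [i for i in issues if not i.resolved]


def development_gate(build_controls_ok: bool, issues: List[Issue],
                     baseline_filter: Callable[[Issue], bool]) -> GateResult:
    """CI / Development gate: build process controls pass or fail, and the scan
    must pass the organisation's baseline filter. The filter is modelled here
    (assumption) as a predicate selecting issues never accepted at build time."""
    reasons = []
    if not build_controls_ok:
        reasons.append("build process controls failed")
    for i in open_issues(issues):
        if baseline_filter(i):
            reasons.append(f"{i.issue_id}: {i.severity} {i.category} blocked by baseline filter")
    return (not reasons, reasons)


def qa_gate(issues: List[Issue]) -> GateResult:
    """QA gate: all High & Medium risk application issues resolved,
    and all input validation issues resolved."""
    reasons = []
    for i in open_issues(issues):
        if i.category == "Input Validation":
            reasons.append(f"{i.issue_id}: open input validation issue")
        elif i.severity in ("High", "Medium"):
            reasons.append(f"{i.issue_id}: open {i.severity} application issue")
    return (not reasons, reasons)


def security_gate(issues: List[Issue], today: date) -> GateResult:
    """Security gate: all High resolved; Medium open > 30 days resolved;
    Low open > 90 days resolved."""
    limit = {"High": 0, "Medium": 30, "Low": 90}
    reasons = []
    for i in open_issues(issues):
        age = (today - i.opened).days
        if i.severity == "High" or age > limit[i.severity]:
            reasons.append(f"{i.issue_id}: {i.severity} open {age} days (limit {limit[i.severity]})")
    return (not reasons, reasons)


def no_open_high(issue: Issue) -> bool:
    """Example baseline filter: the organisation accepts no High issue at build time."""
    return issue.severity == "High"


# Constructed sample backlog and reference date.
TODAY = date(2018, 6, 19)
ISSUES = [
    Issue("APP-1", "High", "Application", date(2018, 5, 1), resolved=True),
    Issue("APP-2", "Medium", "Application", date(2018, 5, 30)),      # open 20 days
    Issue("APP-3", "Low", "Application", date(2018, 2, 1)),          # open 138 days
    Issue("APP-4", "Medium", "Input Validation", date(2018, 6, 15)), # open 4 days
]


def evaluate_all(issues: List[Issue] = ISSUES, today: date = TODAY,
                 build_controls_ok: bool = True) -> Dict[str, GateResult]:
    return {
        "development": development_gate(build_controls_ok, issues, no_open_high),
        "qa": qa_gate(issues),
        "security": security_gate(issues, today),
    }


if __name__ == "__main__":
    for gate, (passed, reasons) in evaluate_all().items():
        print(gate, "PASS" if passed else "FAIL", reasons)
```

With the sample backlog the development gate passes, the QA gate fails on the open Medium application issue and the open input validation issue, and the security gate fails only on the Low issue that has been open for 138 days; the Medium issue at 20 days is still inside its 30-day window.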
SESSION ID: CSV-R11 Rethinking Product Security: Cloud Demands a New Way Reeny Sondhi Chief of Product Security Autodesk Inc. @reenysondhi Tony Arous Head of Application Security Autodesk Inc. @tonyarous
More informationManaged Security Services - Endpoint Managed Security on Cloud
Services Description Managed Security Services - Endpoint Managed Security on Cloud The services described herein are governed by the terms and conditions of the agreement specified in the Order Document
More informationSecurity Solution. Web Application
Web Application Security Solution Netsparker is a web application security solution that can be deployed on premise, on demand or a combination of both. Unlike other web application security scanners,
More informationWITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE Protecting your business assets and sensitive data requires regular vulnerability assessment,
More informationTRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS
CONFIDENCE: SECURED WHITE PAPER IRFAHN KHIMJI, CISSP TRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE EXECUTIVE SUMMARY A vulnerability
More informationTrustwave Managed Security Testing
Trustwave Managed Security Testing SOLUTION OVERVIEW Trustwave Managed Security Testing (MST) gives you visibility and insight into vulnerabilities and security weaknesses that need to be addressed to
More informationMcAfee Product Security Practices
McAfee Product Security Practices 12 October 2017 McAfee Public Page 1 of 8 12 October 2017 Expires 12 Apr 2018 Importance of Security At McAfee (formerly Intel Security) we take product security very
More informationStrengthen and Scale security using DevSecOps
OWASP Indonesia Meetup Strengthen and Scale security using DevSecOps $ www.teachera.io!"# @secfigo % secfigo@gmail.com # whoami Author, Speaker and Community Leader. Speaker/Trainer at Blackhat, AppSec EU,
More informationA Strategic Approach to Web Application Security
A STRATEGIC APPROACH TO WEB APP SECURITY WHITE PAPER A Strategic Approach to Web Application Security Extending security across the entire software development lifecycle The problem: websites are the new
More informationINTERACTIVE APPLICATION SECURITY TESTING (IAST)
WHITEPAPER INTERACTIVE APPLICATION SECURITY TESTING (IAST) Software affects virtually every aspect of an individual s finances, safety, government, communication, businesses, and even happiness. Individuals
More informationHP Fortify Software Security Center
HP Fortify Software Security Center Proactively Eliminate Risk in Software Trust Your Software 92% of exploitable vulnerabilities are in software National Institute for Standards and Technology (NIST)
More informationMicro Focus Fortify Application Security
Micro Focus Fortify Application Security Petr Kunstat SW Consultant +420 603 400 377 petr.kunstat@microfocus.com My web/mobile app is secure. What about yours? High level IT Delivery process Business Idea
More informationQuality Assurance and IT Risk Management
Quality Assurance and IT Risk Deutsche Bank s QA and Testing Transformation Journey Michael Venditti Head of Enterprise Testing Services, Deutsche Bank IT RISK - REGULATORY GOVERNANCE Major shifts in the
More informationName Aaron Clark. Title: Security Shifts to the Application
Name Aaron Clark Title: Security Shifts to the Application You re late to the party Some found that out the hard way Night Dragon Sony LizaMoon HBGary Federal Others were told they had to go PCI Disa STIG
More informationVulnerability Management
Vulnerability Management Modern Vulnerability Management The IT landscape today is changing and because of that, vulnerability management needs to change too. IT environments today are filled with both
More informationTHE THREE WAYS OF SECURITY. Jeff Williams Co-founder and CTO Contrast Security
THE THREE WAYS OF SECURITY Jeff Williams Co-founder and CTO Contrast Security 1. TODAY S AVERAGE APPLICATION IS A SECURITY DISASTER 2. SOFTWARE IS LEAVING SECURITY IN THE DUST SOFTWARE Typical enterprise
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationAzure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region
Azure DevOps Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region What is DevOps? People. Process. Products. Build & Test Deploy DevOps is the union of people, process, and products to
More informationShift Left Testing: are you ready? Live Webinar, Sept 19
Shift Left Testing: are you ready? Live Webinar, Sept 19 Guy Arieli CTO, Experitest 01 What exactly is Shift Left? Agenda 02 03 How Shift Left affects application development & testing organizational structures
More informationQuality Engineering in DevOps world a Strategic Enabler
www.cigniti.com Unsolicited Distribution is Restricted. Copyright 2015-16, Cigniti Technologies Quality Engineering in DevOps world a Strategic Enabler » Analyst Speak» DevOps in a nutshell» DevOps vs
More informationPresentation Overview
Presentation Overview Basic Application Security (AppSec) Fundamentals Risks Associated With Vulnerable Applications Understanding the Software Attack Surface Mean Time to Fix (MTTF) Explained Application
More informationBrochure. Fortify on Demand. Fortify on Demand. Static Application Security Testing
Fortify on Demand Static Application Security Testing Brochure Fortify on Demand Brochure Fortify on Demand Static Application Security Testing Static Application Security Testing Micro Focus Fortify on
More informationGain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services
Solution Overview Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services OPTIMIZE YOUR CLOUD SERVICES TO DRIVE BETTER BUSINESS OUTCOMES Reduce Cloud Business Risks and Costs
More informationCOMPLIANCE AUTOMATION BRIDGING THE GAP BETWEEN DEVELOPMENT AND INFORMATION SECURITY
COMPLIANCE AUTOMATION BRIDGING THE GAP BETWEEN DEVELOPMENT AND INFORMATION SECURITY Published January, 2018 : BRIDGING THE GAP BETWEEN DEVELOPMENT AND INFORMATION SECURITY Speed is nothing without control.
More informationWeb Applications Part 1 The Weak Link in Information Security Your Last Line of Defense
Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense Anthony Lim MBA FCITIL CISSP CSSLP Director, Security Rational Software - Asia Pacific 1 Hong Kong 17 Nov 2009 Welcome
More informationCloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.
George Gerchow, Sumo Logic Chief Information Security Officer Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops. Agenda Sumo Security
More informationSIEMLESS THREAT DETECTION FOR AWS
SOLUTION OVERVIEW: ALERT LOGIC FOR AMAZON WEB SERVICES (AWS) SIEMLESS THREAT DETECTION FOR AWS Few things are as important to your business as maintaining the security of your sensitive data. Protecting
More informationSDLC Maturity Models
www.pwc.com SDLC Maturity Models SecAppDev 2017 Bart De Win Bart De Win? 20 years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific publications
More informationSecure DevOps: A Puma s Tail
Secure DevOps: A Puma s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20) Eric Johnson, CISSP, GSSP, GWAPT Cypress Data Defense Principal Security Consultant Static code
More informationSecurity In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.
Modular Security Services Offering - BFSI Security In A Box A new concept to Security Services Delivery. 2017 Skillmine Technology Consulting Pvt. Ltd. The information in this document is the property
More informationAutomated Testing of Tableau Dashboards
Kinesis Technical Whitepapers April 2018 Kinesis CI Automated Testing of Tableau Dashboards Abstract Companies make business critical decisions every day, based on data from their business intelligence
More informationMicro Focus Security Fortify. Application Security
Micro Focus Security Fortify Application Security Secure the new Application security in DevOps Agenda: - Fortify in brief (Offerings) - Fortify Source Code Analyzer - Fortify WebInspect - Using Fortify
More informationBrochure. Security. Fortify on Demand Dynamic Application Security Testing
Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application
More informationHow to shift from compliance to proactive security
How to shift from compliance to proactive security and make engineers your competitive advantage Răzvan Tudor, Chapter Lead, ING Tech Cloud & Cyber Security Expo, London, March 2019 Whoami Răzvan Tudor
More informationSuma Soft s IT Risk & Security Management Solutions for Global Enterprises
Suma Soft s IT Risk & Security Management Solutions for Global Enterprises Overview: For over 16 years, Suma Soft has provided IT risk management solutions for varied SMEs and MNCs and helped solve regulatory,
More information113 BSIMM Activities at a Glance
113 BSIMM Activities at a Glance (Red indicates most observed BSIMM activity in that practice) Level 1 Activities Governance Strategy & Metrics (SM) Publish process (roles, responsibilities, plan), evolve
More informationSecure Development Lifecycle
Secure Development Lifecycle Strengthening Cisco Products The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness.
More informationCONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WHITEPAPER
WHITEPAPER CONTRAST ASSESS MARKET-DEFINING APPLICATION SECURITY TESTING FOR MODERN AGILE AND DEVOPS TEAMS WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE CONTRASTSECURITY.COM CONTENTS What is Interactive
More informationIntegrate IBM Rational Application Developer and IBM Security AppScan Source Edition
Integrate IBM Rational Application Developer and IBM Security AppScan Source Edition Security testing for the Rational Application Developer application G Kiran Kumar Singh & Arnab Roy July 19, 2012 Page
More informationBUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE:
BUYER S GUIDE APPLICATION SECURITY BUYER S GUIDE: 15 Questions to Ask Yourself and Your DAST Vendor > An Introduction to the AppSec Market Page 3 Dynamic Application Security Testing Requirements Page
More informationVisual Studio Team Services
bgourley@microsoft.com Visual Studio Team Services Topics What are the current products What are Visual Studio Subscriptions Subscriber Benefits DevOps and VSTS VSTS licensing Developer Tools Deployment
More informationPCI Compliance Assessment Module with Inspector
Quick Start Guide PCI Compliance Assessment Module with Inspector Instructions to Perform a PCI Compliance Assessment Performing a PCI Compliance Assessment (with Inspector) 2 PCI Compliance Assessment
More informationMicro Focus Security Fortify Audit Assistant
White Paper Security Micro Focus Security Fortify Audit Assistant Table of Contents page Introduction... 1 Why Static Application Security Testing?............................................. 1 Confirmation
More informationIT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18
Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are
More informationThe New Era of Cognitive Security
The New Era of Cognitive Security IBM WATSON SUMMIT KANOKSAK RATCHAPAT Senior Technical Sales 1 Today s security challenges ACTORS TARGETS VECTORS REALITY Organized Crime Healthcare Ransomware Cloud, mobile,
More informationFROM VSTS TO AZURE DEVOPS
#DOH18 FROM VSTS TO AZURE DEVOPS People. Process. Products. Gaetano Paternò @tanopaterno info@gaetanopaterno.it 2 VSTS #DOH18 3 Azure DevOps Azure Boards (ex Work) Deliver value to your users faster using
More informationDevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY
DevOps Anti-Patterns Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! 31 Anti-Pattern: Throw it Over the Wall Development Operations 32 Anti-Pattern: DevOps Team Silo
More informationSIEMLESS THREAT MANAGEMENT
SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.
More informationSecuring Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software
Securing Your Web Application against security vulnerabilities Alvin Wong, Brand Manager IBM Rational Software Agenda Security Landscape Vulnerability Analysis Automated Vulnerability Analysis IBM Rational
More informationSix Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP
Six Weeks to Security Operations The AMP Story Mike Byrne Cyber Security AMP 1 Agenda Introductions The AMP Security Operations Story Lessons Learned 2 Speaker Introduction NAME: Mike Byrne TITLE: Consultant
More informationShift Left, Automation, and Other Smart Strategies for Getting Ahead in QA
Welcome! Test Early, Test Often Shift Left, Automation, and Other Smart Strategies for Getting Ahead in QA A little bit about us Jeff Van Fleet President and CEO Lighthouse Technologies 30+ years software/qa
More informationHow to Build an Appium Continuous Testing Pipeline
How to Build an Appium Continuous Testing Pipeline Step-by-Step Tutorial November, 2017 Today s speakers Guy Arieli, CTO, Experitest Ruth Zamir Marketing Director Experitest 01 Why do we need continuous
More informationDevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1
DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1 Agenda State of DevOps Value of DevOps Benefitting from DevOps DevSecOps What you can do as InfoSec 2 The State of DevOps - 2017 Automation is
More informationConverged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products
Converged security Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products Increased risk and wasted resources Gartner estimates more than $1B in
More informationDemystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow
Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases Gen Fields Senior Solution Consultant, Federal Government ServiceNow 1 Agenda The Current State of Governance, Risk, and Compliance
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationFintech District. The First Testing Cyber Security Platform. In collaboration with CISCO. Cloud or On Premise Platform
Fintech District The First Testing Cyber Security Platform In collaboration with CISCO Cloud or On Premise Platform WHAT IS SWASCAN? SWASCAN SERVICES Cloud On premise Web Application Vulnerability Scan
More informationTable of Contents Table of Contents...2 Introduction...3 Mission of IT...3 Primary Service Delivery Objectives...3 Availability of Systems...
Table of Contents Table of Contents...2 Introduction...3 Mission of IT...3 Primary Service Delivery Objectives...3 Availability of Systems...3 Improve Processes...4 Innovation...4 IT Planning & Alignment
More informationComprehensive Test Management with Parametrization Manual and Automated Test Execution Test Case Library Management & Re-use Requirements Test
Comprehensive Test Management with Parametrization Manual and Automated Test Execution Test Case Library Management & Re-use Requirements Test Coverage Analysis Reporting & Audit Trail Dashboard Defect
More informationAn Introduction to the Waratek Application Security Platform
Product Analysis January 2017 An Introduction to the Waratek Application Security Platform The Transformational Application Security Technology that Improves Protection and Operations Highly accurate.
More informationModern Database Architectures Demand Modern Data Security Measures
Forrester Opportunity Snapshot: A Custom Study Commissioned By Imperva January 2018 Modern Database Architectures Demand Modern Data Security Measures GET STARTED Introduction The fast-paced, ever-changing
More informationChallenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9
HAWK Overview Agenda Contents Slide Challenges 3 HAWK Introduction 4 Key Benefits 6 About Gavin Technologies 7 Our Security Practice 8 Security Services Approach 9 Why Gavin Technologies 10 Key Clients
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationTechnology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 04/12/2017
Technology Roadmap for Managed IT and Security Michael Kirby II, Scott Yoshimura 04/12/2017 Agenda Managed IT Roadmap Operational Risk and Compliance Cybersecurity Managed Security Services 2 Managed IT
More informationMarc Hornbeek DevOps-the-Gray Principal DevOps Consultant, Trace3 Author, DevOps Test Engineering Course The DevOps Institute
HOST EXPERT PANEL Shashi Kiran CMO Quali Marc Hornbeek DevOps-the-Gray Principal DevOps Consultant, Trace3 Author, DevOps Test Engineering Course The DevOps Institute Pascal Joly Director, Technology Partnerships
More informationNOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect
NOTHING IS WHAT IT SIEMs: COVER PAGE Simpler Way to Effective Threat Management TEMPLATE Dan Pitman Principal Security Architect Cybersecurity is harder than it should be 2 SIEM can be harder than it should
More informationSECURITY TRAINING SECURITY TRAINING
SECURITY TRAINING SECURITY TRAINING Addressing software security effectively means applying a framework of focused activities throughout the software lifecycle in addition to implementing sundry security
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationTurbo boost your digital app test automation with Jenkins
Turbo boost your digital app test automation with Jenkins Step-by-Step Tutorial May, 2018 Speakers Sheli Ashkenazi Sr. Product Manager Experitest Jonathan Aharon Sr. Sales Engineer Experitest 2 01 The
More informationSecure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO
Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO tom.stiehm@coveros.com 1 About Coveros Coveros helps organizations accelerate the delivery of business value through
More informationBuilding a Resilient Security Posture for Effective Breach Prevention
SESSION ID: GPS-F03B Building a Resilient Security Posture for Effective Breach Prevention Avinash Prasad Head Managed Security Services, Tata Communications Agenda for discussion 1. Security Posture 2.
More informationPROFESSIONAL SERVICES (Solution Brief)
(Solution Brief) The most effective way for organizations to reduce the cost of maintaining enterprise security and improve security postures is to automate and optimize information security. Vanguard
More informationDATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI
DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill
More informationPEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech
PEACH API SECURITY AUTOMATING API SECURITY TESTING Peach.tech Table of Contents Introduction... 3 Industry Trends... 3 API growth... 3 Agile and Continuous Development Frameworks... 4 Gaps in Tooling...
More informationWHITEHAT SECURITY. T.C. NIEDZIALKOWSKI Technical Evangelist. DECEMBER 2012
WHITEHAT SECURITY DECEMBER 2012 T.C. NIEDZIALKOWSKI Technical Evangelist tc@whitehatsec.com WhiteHat Security Company Overview Headquartered in Santa Clara, CA WhiteHat Sentinel SaaS end-to-end website
More informationBuilding Security Into Applications
Building Security Into Applications Cincinnati Chapter Meetings Marco Morana Chapter Lead Blue Ash, July 30 th 2008 Copyright 2008 The Foundation Permission is granted to copy, distribute and/or modify
More informationTechnology Roadmap for Managed IT and Security. Michael Kirby II, Scott Yoshimura 05/24/2017
Technology Roadmap for Managed IT and Security Michael Kirby II, Scott Yoshimura 05/24/2017 Agenda Managed IT Roadmap Operational Risk and Compliance Cybersecurity Managed Security Services 2 Managed IT
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More information