Hello, and welcome to a searchsecurity.com podcast: How Security is Well Suited for Agile Development.


Transcription:

[ MUSIC ]

LEROY: Hello, and welcome to a searchsecurity.com podcast: How Security is Well Suited for Agile Development. My name is Kyle Leroy, and I'll be moderating this podcast. I'd like to start by introducing our expert. Joining us today is Patrick Vandenberg, Manager, IBM Rational Security and Compliance. Welcome, Patrick, and thanks for joining us today.

VANDENBERG: Happy to be here.

LEROY: This podcast is being brought to you by IBM. For more information on IBM, please visit their Web site at www.ibm.com. All right, so let's jump right in to our discussion. How do you fit in to IT security?

VANDENBERG: So, our group, Rational Security Compliance, is actually part of a larger brand in IBM called IBM Security. And that brand has five pillars, and we sit in the application and process security. So really we focus on the vulnerabilities that are present in applications and help organizations address those so that they can improve the overall security in IT. So, for example, if we want to look at Web applications -- which is a pretty popular concern today -- there are a number of ways in which organizations need to protect Web applications, from network protection to the application. And we would focus on the part that looks at the vulnerabilities within the application. And the reason why the multiple pillars exist in IBM Security is that a defense-in-depth approach is very much required. So we need to look at the many different ways that malicious attacks can look at compromising assets in an organization. So we do need to pay attention to the application layer, the network layer, identity and access management, even physical security, as well as data and information. So all of these elements combine to a full service approach to IT security.

LEROY: All right, so what should the development team... sorry, I'm going to ask that one again. So, why should the development team care about security?

VANDENBERG: Yes, that's an interesting point. As we all know, development is mandated to deliver quality functionality on time, on budget. And some other group in the organization, typically in IT operations, is responsible for security. And while the awareness is certainly increasing and the investment is starting in this area, it's predominantly owned by IT security, and there is even some new investment around having a security practitioner focus on application security, where you have somebody who's aware of the vulnerabilities within the code. And while it's great that somebody in IT security is starting to look at vulnerabilities in the application itself, the real challenge here is that all this code, the software, is actually coming from the development organization, and for several different reasons the opportunity to address application security does reside with development. So for instance, there are vulnerabilities that are readily identified by a security practitioner, and so much so that it creates a bottleneck for the security practitioner. Well, to have that issue remediated, we have to go back to the development organization and fix that code so that the vulnerability doesn't exist in the first place. And this is why application security is necessary. It's very different from having real-time operational protection of network assets, as an example. With application security, we're talking about issues that are within the code itself, and because of that nature, we rely on the development community to be able to help improve the security posture of these applications.

LEROY: All right. Could you elaborate? What are the first steps an organization should take?

VANDENBERG: Yes, so this is an interesting discussion and it can be quite a lengthy one. And from what we've seen over time in a few thousand customers is that there is a progression. And we sometimes refer to this as the customer maturity model. So, naturally, with an issue that is not as prevalent in the market, or hasn't been historically, there is a commensurately smaller investment by organizations and a smaller number of skilled resources to address application security. So what can typically happen is that an organization's first step is to outsource the security testing effort, called penetration testing, or even bring this in house to, as I mentioned, a security practitioner who's going to do the security audit. But what we've seen here, especially for organizations that have a continuous stream of applications that are in development and that they look to deploy, is that there is a bottleneck for, typically, that one or two people that are responsible for identifying vulnerabilities. What ends up happening is these resources are tasked with protecting the organizational assets. And if they see too much risk in these organizations, they're going to have to say, look, I cannot allow this application to be deployed. It's going to create risk for the organization. And as a result, we get a bottleneck which results in delays, opportunity cost for that project not getting deployed on time, and also we do know that those issues at some point need to get remediated by a development organization. So, they're going to be touching all the hands in the application lifecycle and that process over again. So there are increasing costs for doing this. Now, there is a great opportunity for organizations engaging a development organization, and what can happen here is, if we can have security addressed earlier in the development process, then we can alleviate that bottleneck, and we can also remove that effect of having multiple stakeholders touch these issues multiple times -- which is very costly. So, the earlier we can have security addressed, the more cost effective this is. We don't have the bottleneck at the security audit stage, and we don't have that lost opportunity cost of delayed projects. Now, you might say, why do we need the security practitioners in the first place? Well, there's a tremendous experience with these people who are able, if we can relieve the bottleneck for them, then we can leverage them as an acceptance test to make sure that the security posture of these applications is acceptable to be deployed. And we can use their expertise to find maybe the tougher to find security issues in a deployed state. But at the same time, what we can do by engaging the development organization at the code or build or test stage is we have many more resources to scale to find the volumes of easy to find and fix issues. And we're not suggesting here that you'd be looking at deploying security practitioner tools to these people. That's not something that is practical. That's not something that's going to be successful. What we do condone, though, is helping the education and awareness and adopting some practices to bring in some capabilities that support the existing use cases and environments that are in use. So, solutions that integrate with developer IDEs, with the build system, that fully integrate into the test scripts so that as you're writing a script for functional, performance and services testing, an automated security scan happens as well. And then you fold these vulnerabilities into the remediation effort that developers are already engaged in. This is a way to engage security -- the practice of security -- into the existing process, have a governance model that's going to manage these issues and track them through, and support collaboration between development, QA and security.

LEROY: So, Patrick, how is security relevant and feasible in an agile model?

VANDENBERG: Yes, that's a great question, because a lot of people will feel on first discussions that security requires a lot of heavy lifting. And while adopting existing practices is not an easy... there are a lot of dynamics in play, you've got cultural change, you've got some training and awareness that will need to happen... What is actually interesting, and not typically seen up front, is that security is very conducive to an agile environment. So as I mentioned earlier, if you're going to have somebody late in the process who's going to stop these projects because it's posing risk for the organization, and they don't have a choice but to do that, because that is their job... then you're really running counter to an agile environment. In embedding security early into the process, what you're doing is you're allowing lightweight, quick checks for security, just like in the same stream as the rest of the activity, that is going to avoid this heavy lifting slowdown that can happen by doing a full security test late in the process. So, it really allows vulnerability testing and remediation to go hand in hand with agile. Right? Let's piece this down, let's have a quick process so that there's a lightweight effort and it's not going to be disruptive, and allow us to get a quick response or a quick delivery on our project out the door.

LEROY: All right, and finally, what are some key techniques and practices which need to be adopted to support security in an agile environment?

VANDENBERG: So, I think I touched on a few of these already with some of the other questions, and really what this requires is the support of the different communities to embrace this model in the software lifecycle management process. So if you have considerations of collaboration and governance, of embedding security into the existing use cases and tooling that are in place, and there is software and solutions available to do this from IBM and the necessary services, then you can go hand in hand with your transformation through an agile process. So, for example, integrating into the IDE, or integrating into the build stage, as an example, to do that test. And security becomes a regular process. And your security practitioners or your auditors can operate as an admin in the background that can set up standardized scan templates, so that really all that detail can be extracted from your development community. So we're not derailing all that brainpower and time. They can do the triage of these vulnerabilities to support the developers so that we're stripping out as much noise as possible, so that the security bugs or defects that the developers are receiving and intermediate on are easy to find, easy to fix and are validated as being real issues. In this way, the investment on the part of the developers, which, as I said, has been chugged down to being lightweight on a quick turn in the normal process, becomes more of a lightweight effort, a very non-disruptive or non-intrusive approach to leveraging the opportunity to scale with all the resources we have in our development community, versus waiting for one or two people to slow the entire process down and do an exhaustive test late in the cycle.

LEROY: All right, great. Thanks, Patrick. This has been an interesting and informative discussion. Thank you for your time today, and thanks to our listeners for taking time out of their day. I'd like to thank IBM for bringing us this searchsecurity.com podcast. I thank you all so much for joining us.

[ MUSIC ]

[END OF SEGMENT]