Improving Security in the Application Development Life-cycle

Similar documents
TRAINING CURRICULUM 2017 Q2

Metrics That Matter:

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

LESSONS LEARNED IN SMART GRID CYBER SECURITY

HP Fortify Software Security Center

How NOT To Get Hacked

IBM Rational Software

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Is Your Web Application Really Secure? Ken Graf, Watchfire

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Certified Information Security Manager (CISM) Course Overview

Application. Security. on line training. Academy. by Appsec Labs

Metrics That Matter: Quantifying Software Security Risk

SECURITY TRAINING SECURITY TRAINING

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

CSWAE Certified Secure Web Application Engineer

Continuously Discover and Eliminate Security Risk in Production Apps

Security Solutions. Overview. Business Needs

Securing SharePoint TASSCC TEC 2009 Web 2.0 Conference

WORKSHARE SECURITY OVERVIEW

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Security Communications and Awareness

OWASP - SAMM. OWASP 12 March The OWASP Foundation Matt Bartoldus Gotham Digital Science

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

An ICS Whitepaper Choosing the Right Security Assessment

Cisco Self Defending Network

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Hacker Academy UK. Black Suits, White Hats!

EU General Data Protection Regulation (GDPR) Achieving compliance

locuz.com SOC Services

Suma Soft s IT Risk & Security Management Solutions for Global Enterprises

SDLC Maturity Models

State of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

Automating the Top 20 CIS Critical Security Controls

A White Paper Analysis from Orasi Software. Enterprise Security. Attacking the Problems of Application and Mobile Security

ClearPath Secure Java Overview For ClearPath Libra and Dorado Servers

.NET JAVA C ASE. Certified. Certified. Application Security Engineer.

Web Applications Security. Radovan Gibala F5 Networks

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Certified Cyber Security Specialist

Security Communications and Awareness

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

How were the Credit Card Numbers Published on the Web? February 19, 2004

A Security Practice Evaluation Framework

Product Security Program

External Supplier Control Obligations. Cyber Security

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Ingram Micro Cyber Security Portfolio

Securing Your Digital Transformation

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

MARCH Secure Software Development WHAT TO CONSIDER

Comprehensive Database Security

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Nine Steps to Smart Security for Small Businesses

Hacking by Numbers OWASP. The OWASP Foundation

Reinvent Your 2013 Security Management Strategy

OWASP Top 10 The Ten Most Critical Web Application Security Risks

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Consolidation Committee Final Report

Keys to a more secure data environment

SECURITY & PRIVACY DOCUMENTATION

EC-Council. Program Brochure. EC-Council. Page 1

INSIDE. Integrated Security: Creating the Secure Enterprise. Symantec Enterprise Security

What is Penetration Testing?

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

22 BEVIS MARKS, LONDON, EC3A 7JB

Secure Development Lifecycle

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

Secure coding practices

The Value of Automated Penetration Testing White Paper

Vulnerability Management Policy

Choosing the Right Security Assessment

Threat Control and Containment in Intelligent Networks. Philippe Roggeband - Product Manager, Security, Emerging Markets

Secure Agile How to make secure applications using Agile Methods Thomas Stiehm, CTO

Building Security Into Applications

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Cloud Essentials for Architects using OpenStack

Certified Secure Web Application Engineer

Nebraska CERT Conference

Building a Case for Mainframe Security

Global Security Consulting Services, compliancy and risk asessment services

Micro Focus Security Fortify Audit Assistant

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Continuous protection to reduce risk and maintain production availability

Development*Process*for*Secure* So2ware

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Cybersecurity in Government

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Combating Today s Cyber Threats Inside Look at McAfee s Security

NEXT GENERATION SECURITY OPERATIONS CENTER

Hello, and welcome to a searchsecurity.com. podcast: How Security is Well Suited for Agile Development.

Symantec Security Monitoring Services

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Web Applications Part 1 The Weak Link in Information Security Your Last Line of Defense

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Transcription:

Improving Security in the Application Development Life-cycle Migchiel de Jong Software Security Engineer mdejong@fortifysoftware.com March 9, 2006 General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com FORTIFY SOFTWARE INCORPORATED

Business Issues Staying off of the front page because of a hack Protect your customer assets and goodwill Risk with outsourced software Insecurity of third party and business partner software Protect against malicious insider activity Document and monitor a secure development lifecycle in support of regulatory compliance The total cost impact on the financial services sector from an inadequate software-testing infrastructure is estimated to be $3.3 billion, according to the National Institute of Standards & Technology. 2

Security: Layered Solutions To Mitigate Risk Hackers Worms & Viruses Traditional network/perimeter defenses Malicious Insiders Critical Software Automation Of Key Operational Processes 3

Software Apps Cut Through The Layers Outsourcing Legacy App Integration Web Facing Applications Employee Self-Service 4 Connectivity w/ Partners & Suppliers

Today Hackers (and Insiders) Use The Software There is an emerging and robust science of hacking software: SQL Injections Buffer Overflows Information Leakage Numerous Other Categories According to Gartner Group, Over 70 percent of security vulnerabilities exist at the application layer, not the network layer. It s not just operating systems or web browsers, but all types of applications particularly applications that automate key business processes. 5

Leading Organizations Starting To Address The Problem Security Design Reviews Network-based Solutions Source Code Audits Developer Training Application Penetration Tests 6

Steps to take to deliver more secure Code Evaluate and Plan Specify the Risk and Threats to the Software Review the Code Test and Verify the Code Build a Gate Measure Educate 7

A simple Check List Internal Security experts exist and have been identified Threat analysis completed for every project Education programs for security occur regularly Specific tools and resources have been acquired and allocated Post-deployment security if fully integrated in the overall process Vulnerability response maximizes benefits and prevents repeats 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 1 2 3 4 5 8

First Step Software Security as a Gate Used as final check pre-deployment Acceptance of outsourced software A first step in a comprehensive program 1 The Gate PLAN DESIGN CODE FUNCTIONAL TEST ACCEPTANCE TEST DEPLOY 9

Second Step Software Security With Specialists At Discrete Process Points Automation make specialists more productive Central repository makes comparisons possible Build awareness of security within development process 2 Software Security Specialists PLAN DESIGN CODE FUNCTIONAL TEST ACCEPTANCE TEST DEPLOY 10

Ultimate Goal Software Security Throughout Development Process Eliminate vulnerabilities when they are least costly Continual artifacts for compliance and secure quality assurance Built in protection 3 Integrated Adoption through the Software Lifecycle PLAN DESIGN CODE FUNCTIONAL TEST ACCEPTANCE TEST DEPLOY 11

Automation support Source Code Analysis Source Code Security Audits Security Testing Security Automation For QA Application Defense Run-Time Protection PLAN DESIGN CODE FUNCTIONAL TEST ACCEPTANCE TEST DEPLOY Software Security Management Software Security Metrics and Reporting 12

Source Code Analysis CODE C, C++,.Net Java, JSP, PLSQL, TSQL, XML, Cold Fusion 3 RD PARTY IDE PLUG-INS ANALYSIS ENGINE Semantic Global Data Flow Control Flow Configuration Structural MANAGER AUDITOR / DEVELOPER SECURE CODING RULES 13 Packaged Custom

Data Flow Analysis Ability to follow data flow across tiers Doing this kind a analysis is really time consuming (at least without automation) Ability to follow data flow across languages Reduces audit, development and testing skill set 14

Source code analysis demonstration Static analysis of OWASP s WEBGOAT version 3.7 Metrics 15

Thank You General contact: Jurgen Teulings, 06-30072736 jteulings@fortifysoftware.com FORTIFY SOFTWARE INCORPORATED

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback