© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Software Security Assurance
Managing risk in the face of digital transformation
IT-oLogy Trends 2015 – Columbia, SC
About me
Bruce C Jenkins
CISM, CISSP, CSSLP
Fortify Security Lead
AppSec Program Strategist
Hewlett-Packard Company
Current
• Fortify product and information security
• HP-internal application security program strategy
• Customer-facing appsec workshops and strategy
Former
• Fortify Pro Services, 2007-2011
• US Air Force, 1979-2007
About my motivation for developing secure systems…
• 2005: US Air Force personnel system breached; 33K records exfiltrated
• 2006: VA employee’s personal external drive stolen; 26M VA records at risk
• 2007-2011: ???
• 2012: Thrift Savings Plan contractor’s system attacked; 123K SSNs stolen
• 2013: Target POS system compromised; up to 70M customers impacted
• 2014: University of Maryland, 309K records; Home Depot, e-mail, credit cards
• 2015: Several… + Office of Personnel Management, 18M records
Let’s talk about risk management…
What is “Security”?
Definitions
from The American Heritage® Dictionary of the English Language, 4th Edition
n. Freedom from risk or danger; safety.
n. Freedom from doubt, anxiety, or fear; confidence.
n. Something that gives or assures safety
Security Issue?
“Security is never black and white, and context matters more than technology”
– Bruce Schneier, Secrets & Lies: Digital Security in a Networked World
So… Security Issue?
As you go about the business of developing and enhancing systems in support of today’s digital transformation, it’s important to keep findings in perspective. Pay attention to the weeds—you may need to eliminate them—but don’t get lost in them.
Maybe
Agenda
Why Software Security is Hard
Creating a Foundation
Building Security In
Lessons Learned
Why Software Security is Hard
Current solutions protect the perimeter
Yet, 84% of breaches occur in the application software
The number of apps is growing
In-house development, legacy software, open source, outsourced, commercial
Production
Increasing platforms and complexity … many delivery models
Developers are NOT trained to be security experts
“I just want to be a coder; I’m really not interested in security.”
– Security Consultant Candidate
Attacks have a proven life cycle
Research: research potential targets
Infiltration: phishing attack and malware
Discovery: mapping breached environment
Capture: obtain data
Exfiltration: exfiltrate/destroy stolen data
Monetization: data sold on black market
Attack life cycle risk mitigation
Mitigations mapped to the life cycle stages above:
Threat intelligence
• Security research
Block adversary
• Network
• Software
Detect adversary
• SIEM
• UBA
Protect data
• At rest
• In motion
Mitigate damage
• Breach response
Median time to detect breach: 205 days
Source: Mandiant M-Trends 2015 Threat Report
Conflicting views over the priority of security
Source: Osterman Research White Paper, Jan 2015
Top challenges in achieving software security goals*
Source: Gatepoint Research Pulse Report, Oct 2014; n = 300 executives
*Read as: software security assurance (SSA) program goals
“It is necessary that people work together in unison toward common objectives and avoid working at cross purposes at all levels if the ultimate in efficiency and achievement is to be obtained.”
– Dave Packard, Co-founder, Hewlett-Packard
Creating a Foundation
Obtain stakeholder alignment with a common vision
Creating a Foundation
• Establish security-related goals that are directly tied to the firm’s mission
Mission
Goals
Objectives
Strategy
m m m KPI
Policy
Standards
Training
Example: Hewlett-Packard Co
Creating a Foundation
Profit
Customer Loyalty
Growth
Market Leadership
Commitment to Employees
Leadership Capability
Global Citizenship
Hewlett-Packard: Goal 1 … Goal n
HP Software: Goal 1 … Goal n
Ent. Security: Goal 1 … Goal n
Fortify Security Group: Security Goal 1 … Security Goal n
See HP’s Corporate Objectives at http://www8.hp.com/us/en/hp-information/about-hp/corporate-objectives.html
Example: Private Sector Financial
Creating a Foundation
Corp Mission Statement
Goal 1
Goal 2
Goal 3
Protect our customers’ data
Goal n
Corp Security Group
Security Goal 1
Security Goal 2
Security Goal 3
Security Goal n
Proactively identify and mitigate risk in all Mission Critical applications
Building Security In
Consider using a software security framework (SSF) as a guide
Building Security In
• Establish security-related goals that are directly tied to the firm’s mission
• Develop a security strategy that is designed to support achievement of the security goal(s)
“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”
– Donald Rumsfeld, Former US Secretary of Defense
Building Security In
Establish a security gate to understand security posture of portfolio
Design → Construct → Test → Deploy
Security Gate
Governance
• Strategy and Metrics
• Policy and Compliance
• Education and Guidance
Construction
• Security Requirements
• Threat Assessment
• Security Architecture
Verification
• Design Review
• Implementation Review
• Security Testing
Operations
• Environment Hardening
• Issue Management
• Operational Enablement
With assessment results available, the unknown is known
Building Security In
• Establish security-related goals that are directly tied to the firm’s mission
• Develop a security strategy that is designed to support achievement of the security goal(s)
• Based upon business priorities and portfolio risk*, design time-constrained, measurable objectives
• Only choose metrics and construct KPIs that show progress toward meeting the objectives; nothing else
*portfolio is known, classified and risk-ranked
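As an added illustration (example code, not code from the deck, HP or Fortify) of what "known, classified and risk-ranked" looks like alongside a security gate and an objective-driven KPI: the application inventory, the classification and severity weights, the gate rule and the objective in the block are all constructed assumptions. An app that has never been assessed is ranked as the top risk because its posture is unknown, and the KPI reports only progress toward the stated objective, nothing else.

```python
"""Risk-ranked application portfolio, a security gate and an objective-driven KPI.

Added illustration of the deck's "portfolio is known, classified and risk-ranked"
footnote and its security-gate slide. This is example code, not HP or Fortify
code; the inventory, weights, gate rule and objective are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed weights: business classification scales an app's exposure,
# severity scales each open finding.
CLASS_WEIGHT = {"mission-critical": 3, "business-important": 2, "other": 1}
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass
class App:
    name: str
    classification: str
    assessed: bool  # has the app been through a security assessment?
    open_findings: Dict[str, int] = field(default_factory=dict)  # severity -> open count


@dataclass
class Objective:
    """Time-constrained, measurable objective (constructed): a share of apps in
    one classification through the gate by the due date."""
    classification: str
    target_pct: float
    due: date


def risk_score(app: App) -> Optional[int]:
    """Weighted exposure of one app; None when it has never been assessed,
    because an unassessed app is an unknown, not a zero."""
    if not app.assessed:
        return None
    exposure = sum(SEVERITY_WEIGHT[sev] * n for sev, n in app.open_findings.items())
    return CLASS_WEIGHT[app.classification] * exposure


def risk_rank(portfolio: List[App]) -> List[App]:
    """Rank the portfolio: unassessed apps first (unknown posture is treated as
    the top risk), then assessed apps by descending score."""
    return sorted(portfolio, key=lambda a: (a.assessed, -(risk_score(a) or 0)))


def passes_gate(app: App) -> bool:
    """Gate rule (assumed): the app was assessed, has no open critical finding
    and, if mission-critical, no open high finding either."""
    if not app.assessed:
        return False
    findings = app.open_findings
    if findings.get("critical", 0) > 0:
        return False
    if app.classification == "mission-critical" and findings.get("high", 0) > 0:
        return False
    return True


def kpi(portfolio: List[App], objective: Objective) -> Dict[str, object]:
    """The one metric that tracks the objective: share of in-scope apps past
    the gate, plus how many in-scope apps are still unknown (never assessed)."""
    in_scope = [a for a in portfolio if a.classification == objective.classification]
    passed = [a for a in in_scope if passes_gate(a)]
    pct = 100.0 * len(passed) / len(in_scope) if in_scope else 0.0
    return {
        "in_scope": len(in_scope),
        "passed": len(passed),
        "pct": round(pct, 1),
        "unknown": sum(1 for a in in_scope if not a.assessed),
        "on_track": pct >= objective.target_pct,
        "due": objective.due.isoformat(),
    }


# Constructed inventory: names, classifications and finding counts are made up.
PORTFOLIO = [
    App("payments", "mission-critical", True, {"high": 1, "medium": 4}),
    App("customer-portal", "mission-critical", True, {"medium": 2, "low": 5}),
    App("ledger", "mission-critical", False),  # never assessed: an unknown
    App("hr-intranet", "business-important", True, {"critical": 1}),
    App("cafeteria-menu", "other", True, {"low": 3}),
]
OBJECTIVE = Objective("mission-critical", target_pct=90.0, due=date(2015, 12, 31))


def report(portfolio: List[App], objective: Objective) -> List[str]:
    """Human-readable lines: the risk-ranked list with gate results, then the KPI."""
    lines = []
    for app in risk_rank(portfolio):
        score = risk_score(app)
        score_txt = "unknown" if score is None else str(score)
        gate = "pass" if passes_gate(app) else "FAIL"
        lines.append(f"{app.name:16} {app.classification:19} score={score_txt:>8} gate={gate}")
    k = kpi(portfolio, objective)
    lines.append(f"KPI: {k['passed']}/{k['in_scope']} {objective.classification} apps past the gate "
                 f"({k['pct']}%), {k['unknown']} unknown; target {objective.target_pct}% "
                 f"by {k['due']}; on track: {k['on_track']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(PORTFOLIO, OBJECTIVE)))
```

Running it prints the ranked list with the never-assessed app at the top and a KPI that counts that app against the objective: until every in-scope app has been through the gate, the number the objective needs is an unknown rather than a zero, which is the point of the slide.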
Measure thoughtfully
Building Security In
• Only choose metrics and construct KPIs that show progress toward meeting the objectives; nothing else
Building Security In: Lessons Learned
Awareness, Education and Training
• Complex problems with complex solutions
• All organizational levels must be made aware of the risks associated with software vulnerabilities
• No education / training == unmet expectations
Building Security In: Lessons Learned
Clear Communication Regarding Security
• Before assessment, establish policies and set expectations
• Ensure that policies and expectations are communicated to all stakeholders
• Consistently enforce policies and measure expectation achievement
Building Security In: Lessons Learned
Software Security is a Unique Skill Set
• Network Security / Information Assurance people are not software security people
• Development background is a necessity
• Even with a development background, extensive training and experience is needed
• Developers should NOT be expected to be security experts
Summary
Managing risk in the face of digital transformation
• Work to gain and maintain executive-level support
• Develop security goals, strategy & objectives
• Train staff to comply with policy
• Use technology appropriately
• Measure, report, adjust
Thank you
hp.com/go/fortifyssa
Bruce C Jenkins
bcj@hpe.com
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

Software Security Assurance - Bruce Jenkins

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
IT-oLogy Trends 2015 – Columbia, SC

• 1. Software Security Assurance: Managing risk in the face of digital transformation

• 2. About me
  Bruce C Jenkins, CISM, CISSP, CSSLP
  Fortify Security Lead, AppSec Program Strategist, Hewlett-Packard Company
  Current
  • Fortify product and information security
  • HP-internal application security program strategy
  • Customer-facing appsec workshops and strategy
  Former
  • Fortify Pro Services, 2007-2011
  • US Air Force, 1979-2007

• 3. About my motivation for developing secure systems…
  • 2005: US Air Force personnel system breached; 33K records exfiltrated
  • 2006: VA employee’s personal external drive stolen; 26M VA records at risk
  • 2007-2011: ???
  • 2012: Thrift Savings Plan contractor’s system attacked; 123K SSNs stolen
  • 2013: Target POS system compromised; up to 70M customers impacted
  • 2014: University of Maryland, 309K records; Home Depot, e-mail, credit cards
  • 2015: Several… + Office of Personnel Management, 18M records

• 4. Let’s talk about risk management…

• 5. What is “Security”?

• 6. What is “Security”?
  Definitions from The American Heritage® Dictionary of the English Language, 4th Edition
  n. Freedom from risk or danger; safety.
  n. Freedom from doubt, anxiety, or fear; confidence.
  n. Something that gives or assures safety.

• 7. Security Issue?

• 8. Security Issue?
  “Security is never black and white, and context matters more than technology.”
  – Bruce Schneier, Secrets & Lies: Digital Security in a Networked World

• 9. So… Security Issue?

• 10. So… Security Issue? Maybe.
  As you go about the business of developing and enhancing systems in support of today’s digital transformation, it’s important to keep findings in perspective. Pay attention to the weeds (you may need to eliminate them) but don’t get lost in them.

• 11. Agenda
  • Why Software Security is Hard
  • Creating a Foundation
  • Building Security In
  • Lessons Learned

• 12. Why Software Security is Hard

• 13. Current solutions protect the perimeter. Yet 84% of breaches occur in the application software.

• 14. The number of apps is growing
  In-house development, legacy software, open source, outsourced, commercial production
  Increasing platforms and complexity… many delivery models

• 15. Developers are NOT trained to be security experts
  “I just want to be a coder; I’m really not interested in security.” – Security Consultant Candidate

• 16. Attacks have a proven life cycle
  • Research: research potential targets
  • Infiltration: phishing attack and malware
  • Discovery: mapping breached environment
  • Capture: obtain data
  • Exfiltration: exfiltrate/destroy stolen data
  • Monetization: data sold on black market

• 17. Attack life cycle risk mitigation
  The same six phases (Research, Infiltration, Discovery, Capture, Exfiltration, Monetization), with a mitigation layered against each:
  • Threat intelligence: security research
  • Block adversary: network, software
  • Detect adversary: SIEM, UBA
  • Protect data: at rest, in motion
  • Mitigate damage: breach response

• 18. Median time to detect breach: 205 days
  (Timeline graphic spanning January 2013 to April 2014.) Source: Mandiant M-Trends 2015 Threat Report

• 19. Conflicting views over the priority of security
  Source: Osterman Research White Paper, Jan 2015

• 20. Top challenges in achieving software security goals*
  Source: Gatepoint Research Pulse Report, Oct 2014; n = 300 executives
  *Read as: software security assurance (SSA) program goals

• 21. “It is necessary that people work together in unison toward common objectives and avoid working at cross purposes at all levels if the ultimate in efficiency and achievement is to be obtained.”
  – Dave Packard, Co-founder, Hewlett-Packard

• 22. Creating a Foundation

• 23. Creating a Foundation: Obtain stakeholder alignment with a common vision
  • Establish security-related goals that are directly tied to the firm’s mission
  (Diagram: Mission → Goals → Objectives → Strategy, with metrics (m) and KPIs, supported by Policy, Standards and Training.)

• 24-27. Creating a Foundation. Example: Hewlett-Packard Co (progressive builds of one diagram)
  HP corporate objectives: Profit, Customer Loyalty, Growth, Market Leadership, Commitment to Employees, Leadership Capability, Global Citizenship
  Goal cascade: Hewlett-Packard (Goal 1 … Goal n) → HP Software (Goal 1 … Goal n) → Enterprise Security (Goal 1 … Goal n) → Fortify Security Group (Security Goal 1 … Security Goal n)
  See HP’s Corporate Objectives at http://www8.hp.com/us/en/hp-information/about-hp/corporate-objectives.html

• 28-30. Creating a Foundation. Example: Private Sector Financial (progressive builds of one diagram)
  Corp Mission Statement → Goal 1, Goal 2, Goal 3 (“Protect our customers’ data”), … Goal n
  Corp Security Group → Security Goal 1, Security Goal 2, Security Goal 3, … Security Goal n
  Security goal derived from Goal 3: “Proactively identify and mitigate risk in all Mission Critical applications”

• 31. Building Security In

• 32. Building Security In: Consider using a software security framework (SSF) as a guide
  • Establish security-related goals that are directly tied to the firm’s mission
  • Develop a security strategy that is designed to support achievement of the security goal(s)
  (Diagram: Mission → Goals → Objectives → Strategy, with metrics (m) and KPIs, supported by Policy, Standards and Training.)

• 33. “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know.”
  – Donald Rumsfeld, Former US Secretary of Defense

• 34. Building Security In: Establish a security gate to understand security posture of portfolio
  Lifecycle: Design → Construct → Test → Deploy, with a Security Gate before Deploy
  Framework practices:
  • Governance: Strategy and Metrics; Policy and Compliance; Education and Guidance
  • Construction: Security Requirements; Threat Assessment; Security Architecture
  • Verification: Design Review; Implementation Review; Security Testing
  • Operations: Environment Hardening; Issue Management; Operational Enablement

• 35. Building Security In: With assessment results available, the unknown is known
  • Establish security-related goals that are directly tied to the firm’s mission
  • Develop a security strategy that is designed to support achievement of the security goal(s)
  • Based upon business priorities and portfolio risk*, design time-constrained, measurable objectives
  • Only choose metrics and construct KPIs that show progress toward meeting the objectives; nothing else
  *portfolio is known, classified and risk-ranked

• 36. Building Security In: Measure thoughtfully
  (Same four bullets and footnote as slide 35.)
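As an added example (not from the talk, and not HP or Fortify code), the following Python models slides 30 to 36 end to end: a classified, risk-ranked portfolio, a security gate with per-classification thresholds, and one KPI that reports only progress toward the objective "all mission-critical applications assessed and passing the gate". Application names, dates, severity weights and gate thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed weights: how much an open finding and a classification count
# toward the portfolio risk ranking (assumptions, not from the talk).
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
CRITICALITY_WEIGHT = {"mission-critical": 100, "business": 10, "low": 1}
UNASSESSED_PENALTY = 50  # an unassessed app is an "unknown unknown"

# Constructed gate policy: maximum age of the last assessment and the number
# of open findings tolerated per severity, by classification.
GATE_POLICY = {
    "mission-critical": {"max_age_days": 90,  "max_open": {"critical": 0, "high": 0}},
    "business":         {"max_age_days": 180, "max_open": {"critical": 0, "high": 5}},
    "low":              {"max_age_days": 365, "max_open": {"critical": 0}},
}


@dataclass
class App:
    name: str
    criticality: str              # "mission-critical", "business" or "low"
    assessed_on: Optional[date]   # None means never assessed
    open_findings: dict           # severity -> count of open findings


def risk_score(app: App) -> int:
    """Classification weight times (1 + weighted open findings + unknown-risk penalty)."""
    findings = sum(SEVERITY_WEIGHT[s] * n for s, n in app.open_findings.items())
    unknown = UNASSESSED_PENALTY if app.assessed_on is None else 0
    return CRITICALITY_WEIGHT[app.criticality] * (1 + findings + unknown)


def risk_rank(apps: list) -> list:
    """Portfolio ordered from highest to lowest risk (slide 35: known, classified, risk-ranked)."""
    return sorted(apps, key=risk_score, reverse=True)


def gate_result(app: App, today: date) -> tuple:
    """Evaluate the security gate; returns (passed, list of reasons it failed)."""
    policy = GATE_POLICY[app.criticality]
    reasons = []
    if app.assessed_on is None:
        reasons.append("never assessed")
    elif (today - app.assessed_on).days > policy["max_age_days"]:
        reasons.append(f"assessment older than {policy['max_age_days']} days")
    for severity, limit in policy["max_open"].items():
        count = app.open_findings.get(severity, 0)
        if count > limit:
            reasons.append(f"{count} open {severity} finding(s) exceeds limit {limit}")
    return (not reasons, reasons)


def kpi_gate_pass_rate(apps: list, today: date, criticality: str = "mission-critical") -> float:
    """Fraction of apps of the given classification passing the gate; the only KPI the objective needs."""
    scope = [a for a in apps if a.criticality == criticality]
    passed = [a for a in scope if gate_result(a, today)[0]]
    return len(passed) / len(scope) if scope else 0.0


# Constructed sample portfolio, evaluated as of a constructed reporting date.
TODAY = date(2015, 10, 1)
PORTFOLIO = [
    App("payments-api",    "mission-critical", date(2015, 8, 1),  {"high": 1}),
    App("customer-portal", "mission-critical", date(2015, 9, 15), {}),
    App("hr-legacy",       "mission-critical", None,              {}),
    App("intranet-wiki",   "business",         date(2015, 3, 1),  {"high": 2}),
    App("marketing-site",  "low",              date(2015, 1, 10), {"medium": 4}),
]

if __name__ == "__main__":
    for app in risk_rank(PORTFOLIO):
        passed, reasons = gate_result(app, TODAY)
        print(f"{app.name:16} risk={risk_score(app):5} gate={'PASS' if passed else 'FAIL'} {'; '.join(reasons)}")
    print(f"KPI: {kpi_gate_pass_rate(PORTFOLIO, TODAY):.0%} of mission-critical apps pass the gate")
```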
• 37. Building Security In: Lessons Learned. Awareness, Education and Training
  • Complex problems with complex solutions
  • All organizational levels must be made aware of the risks associated with software vulnerabilities
  • No education / training == unmet expectations

• 38. Building Security In: Lessons Learned. Clear Communication Regarding Security
  • Before assessment, establish policies and set expectations
  • Ensure that policies and expectations are communicated to all stakeholders
  • Consistently enforce policies and measure expectation achievement

• 39-40. Building Security In: Lessons Learned. Software Security is a Unique Skill Set (slide 40 adds the last bullet)
  • Network Security / Information Assurance people are not software security people
  • Development background is a necessity
  • Even with a development background, extensive training and experience is needed
  • Developers should NOT be expected to be security experts

• 41. Summary: Managing risk in the face of digital transformation
  • Work to gain and maintain executive-level support
  • Develop security goals, strategy and objectives
  • Train staff to comply with policy
  • Use technology appropriately
  • Measure, report, adjust

• 42. Thank you
  hp.com/go/fortifyssa
  Bruce C Jenkins, bcj@hpe.com