Shifting the conversation from active interception to proactive neutralization
Presenter: Rod Cope, CTO, Rogue Wave Software
© 2015 Rogue Wave Software, Inc. All Rights Reserved.
“With all software, there will be more security holes, you need to plan for it, have tooling, prepare for some notification process so you can quickly learn when there is an issue, whether it’s open source or from somewhere else, that you know there’s an issue, and then have a mitigation plan in place so you know what is affected.”
-Rod Cope, CTO
Why the shift?
• Fixing a bug after deployment costs 150x as much as fixing it during the requirements or design phase.
• 76% of organizations using open source don’t have meaningful controls over what components go into their applications.
• 55% of organizations don’t have a security awareness program in place.
• 78% of development teams use time-consuming manual testing processes to ensure code security.
• 72% of developers believe they are responsible for security and safety testing of their code.
• 70% of development organizations don’t have clear policies, procedures, and tools for using open source code.
What are the risks?
Risks include:
• OSS security issues
• Unknown OSS
• Outside reprogramming of systems
• Code vulnerabilities
Common attacks
Organizations have failed to prevent attacks because of lack of time, lack of focus, and lack of tools (or of the proper tools).
Survey: of 1,700 developers, 80% incorrectly answered key questions surrounding the protection of sensitive data.
Most breaches result from input trust issues:
• SQL injection
• Unvalidated input
• Cross-site scripting
Two recent examples:
• Heartbleed: a buffer overrun (CVE-2014-0160) in OpenSSL’s TLS heartbeat handler, which trusted the payload length claimed inside the request and copied that many bytes into the reply, handing back up to 64 KB of process memory per request.
• BMW patch: HTTP vs. HTTPS; the 2015 ConnectedDrive fix enabled HTTPS for the car’s communication with BMW’s servers, which had been sent over plain HTTP.
Root causes of vulnerabilities
• Supply chain: software suppliers can introduce risks (security, functional, compliance) before they reach you.
• Minimal testing: different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize.
• Lack of prioritization
• Lack of developer education
Over 90% of companies use OSS components in commercial software (1), and 46 million vulnerable open source components are downloaded each year.
1. Gartner
Multi-source software (diagram): open source, legacy code, COTS, contractor deliverables and ISV code are all integrated and tested into your product, and the cost to fix defects climbs from $ to $$$$ the later in that pipeline a defect is found.
Traditional development: Security as a service
• Separation of duties for testing and auditing
• Separate testing tools, with results fed to development
• Development, compliance, and security are independent functions
Traditional secure development lifecycle activities:
• Requirements: establish security requirements; create quality gates; risk assessments
• Design: establish design requirements; analyze attack surface; threat modeling
• Build: use approved tools; deprecate unsafe functions
• Test: static analysis; dynamic analysis; fuzz testing; attack surface review; open source review
• Deploy: incident response plan; final security review; release archive
Consequences of security as a service
• Increased remediation costs
• Delayed releases
• Security and development become adversarial
Cost of remediation by the lifecycle phase in which a defect is fixed, relative to fixing it during requirements (source: Barry Boehm, “Equity Keynote Address”, March 19, 2007):
• Requirements: 1x
• Design: 5x
• Build: 10x
• Test: 20x to 50x
• Deploy: 150x
Build-only analysis in the dev process (two charts): defect introduction across the lifecycle, annotated “50% of defects introduced here”, set against the cost of defects, with analysis and test confined to the build stage.
Solutions
Shift your plan of attack:
• Agile, continuous integration, continuous delivery
• Understanding processes
• Educating teams
• Implementing tools
• Enforcing compliance
• Measuring success
• Adopting new standards
• Systems integrators vs. systems builders
• Multiple development teams
Prevent software failure due to defects
Your team worries about:
• Problems with array indexes
• Errors in error handlers
• Untrapped exceptions
• Memory leaks
• Unchecked stacks and buffers
• Misplaced pointers
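As an added example (not code from this deck or from Klocwork), here is the “errors in error handlers” and “memory leaks” combination in the form an inter-procedural leak checker is built to catch: a small parser for a constructed length-prefixed record whose early-return error paths abandon an allocation, beside the single-exit version. A counting allocator wrapper makes the leak visible without running a leak checker. The record format, the `track_malloc`/`track_free` wrappers and the sample inputs are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Counting allocator (example scaffolding): lets the program report how many
 * allocations are still live after a parse instead of relying on an external tool. */
static int live_allocs = 0;
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void  track_free(void *p)   { if (p) { live_allocs--; free(p); } }

/* Constructed wire format: one length byte followed by that many data bytes. */
typedef struct { unsigned char *data; size_t len; } record_t;

void record_free(record_t *r) {
    if (!r) return;
    track_free(r->data);
    track_free(r);
}

/* Defective version. Two error-handler mistakes: (1) every early return after
 * the first allocation leaks `r`; (2) with in_len == 0 the expression
 * in_len - 1 wraps to SIZE_MAX, so the length check passes even though in[0]
 * was already read past the end of a zero-length input. */
record_t *parse_leaky(const unsigned char *in, size_t in_len) {
    record_t *r = track_malloc(sizeof *r);
    if (!r) return NULL;
    size_t len = in[0];
    if (len > in_len - 1) return NULL;          /* error handler leaks r */
    r->data = track_malloc(len ? len : 1);
    if (!r->data) return NULL;                  /* same mistake */
    memcpy(r->data, in + 1, len);
    r->len = len;
    return r;
}

/* Fixed version: the empty-input case is rejected before in[0] is touched,
 * and every failure funnels through one cleanup label so nothing allocated
 * on the way in can be abandoned by a later error path. */
record_t *parse_fixed(const unsigned char *in, size_t in_len) {
    if (in_len == 0) return NULL;
    record_t *r = track_malloc(sizeof *r);
    if (!r) return NULL;
    r->data = NULL;                             /* so record_free is safe on every path */
    size_t len = in[0];
    if (len > in_len - 1) goto fail;
    r->data = track_malloc(len ? len : 1);
    if (!r->data) goto fail;
    memcpy(r->data, in + 1, len);
    r->len = len;
    return r;
fail:
    record_free(r);
    return NULL;
}

/* Feeds a parser a constructed malformed record (length byte 200, only
 * three data bytes present) and returns how many allocations it left live. */
int live_after_bad_input(record_t *(*parser)(const unsigned char *, size_t)) {
    static const unsigned char bad[] = { 200, 'a', 'b', 'c' };
    live_allocs = 0;
    record_free(parser(bad, sizeof bad));       /* both parsers return NULL here */
    return live_allocs;
}

/* Feeds a parser a well-formed record and returns the parsed length, or -2 if
 * freeing the result still left an allocation live. */
int parsed_len_good_input(record_t *(*parser)(const unsigned char *, size_t)) {
    static const unsigned char good[] = { 3, 'x', 'y', 'z', 'Q' };   /* trailing byte is ignored */
    live_allocs = 0;
    record_t *r = parser(good, sizeof good);
    int len = r ? (int)r->len : -1;
    record_free(r);
    return live_allocs == 0 ? len : -2;
}

int main(void) {
    printf("allocations leaked on bad input: leaky=%d fixed=%d\n",
           live_after_bad_input(parse_leaky), live_after_bad_input(parse_fixed));
    printf("parsed length on good input:     leaky=%d fixed=%d\n",
           parsed_len_good_input(parse_leaky), parsed_len_good_input(parse_fixed));
    return 0;
}
```

The single-exit `goto fail` shape is what makes the fixed version easy for a path-sensitive checker to prove clean: every path from the allocation either returns the object or reaches the one place it is released.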
Analysis and testing: check code faster
Source: https://uwaterloo.ca/counselling-services/curve-forgetting (the forgetting curve: the longer the gap between writing code and seeing the defect, the more of the context needed to fix it the developer has lost)
1. Real-time feedback: issues are identified at your desktop.
2. Correct code before check-in.
3. All areas impacted by a given defect are highlighted.
4. After the system build, the impact of other developers’ code is also delivered to the desktop for corrective action.
Static code analysis
Traditionally used to find simple, annoying bugs. Modern, state-of-the-art SCA:
• Sophisticated inter-procedural control- and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Finds complex bugs and runtime errors: memory leaks, concurrency violations, buffer overflows
• Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262
Klocwork static analysis engine
• Hundreds of checkers for C, C++, C# and Java
• Support for numerous standards
• Customizable: turn checkers on or off; change the severity of identified defects; add custom checkers
Coding standards & maintainability: MISRA, DISA, CWE, CERT, etc.; dead code; unreachable code; calculated values that are never used; unused function parameters; …
Reliability: memory and resource leaks; concurrency violations; infinite loops; dereferencing NULL pointers; usage of uninitialized data; resource management; memory allocation errors; …
Security: buffer overflow; un-validated user input; SQL injection; path injection; file injection; cross-site scripting; information leakage; vulnerable coding practices; …
Klocwork finds Heartbleed
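The following is an added illustration written for this page, not OpenSSL’s code and not Klocwork’s output: a stripped-down model of the TLS heartbeat handler in which the Heartbleed buffer overrun from the “Common attacks” slide lived, with the unchecked length beside the bounds check the upstream fix added. The message layout, the simulated memory arena and the “secret” string are constructed for the example; the arena is sized so the vulnerable handler’s over-read stays inside one buffer and the program remains safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat message (after the TLS record header):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes)
 * The constants follow the heartbeat extension; the layout is a model, not OpenSSL's structs. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  (1 + 2 + 65535 + HB_PADDING)

/* Constructed "process memory": the received record sits at offset 0 and
 * whatever lies after it is what an over-read hands to the peer. */
#define ARENA_SIZE (3 + 65535 + 1024)
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "session-key=0xDEADBEEF";   /* constructed sample data */

static uint16_t read_u16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Builds the reply: type, echoed length, `payload_len` bytes copied from the request, padding. */
static size_t build_response(const unsigned char *req, uint16_t payload_len, unsigned char *out) {
    unsigned char *q = out;
    *q++ = HB_RESPONSE;
    *q++ = (unsigned char)(payload_len >> 8);
    *q++ = (unsigned char)(payload_len & 0xff);
    memcpy(q, req + 3, payload_len);     /* copies payload_len bytes, however many were actually sent */
    q += payload_len;
    memset(q, 0, HB_PADDING);
    q += HB_PADDING;
    return (size_t)(q - out);
}

/* Vulnerable model: the length field inside the message is trusted and the
 * number of bytes actually received (rec_len) is never consulted. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;                       /* the bug: received length ignored */
    if (rec[0] != HB_REQUEST) return 0;
    return build_response(rec, read_u16(rec + 1), out);
}

/* Hardened model: the claimed length must fit inside the record that was
 * received (the two checks the upstream fix added); otherwise the message is
 * silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    return build_response(rec, payload_len, out);
}

/* Lays out the constructed attack in the arena: a request claiming 65535
 * payload bytes of which none were sent (only header + padding, 19 bytes,
 * arrived), with SECRET sitting in memory right after the record.
 * Returns the number of bytes actually received. */
static size_t stage_attack_record(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0xff;                     /* payload_length = 0xFFFF */
    arena[2] = 0xff;
    size_t received = 1 + 2 + HB_PADDING;
    memcpy(arena + received, SECRET, sizeof SECRET);
    return received;
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Runs one handler over the attack record; returns 1 if bytes that were never
 * part of the request (SECRET) came back in the response, 0 otherwise. */
int leaks_secret(size_t (*handler)(const unsigned char *, size_t, unsigned char *)) {
    static unsigned char resp[HB_MAX_RESP];
    size_t received = stage_attack_record();
    size_t n = handler(arena, received, resp);
    if (n < 3) return 0;                 /* rejected: nothing echoed */
    return contains(resp + 3, n - 3, SECRET);
}

/* Confirms the fix still serves a well-formed request: a 4-byte payload must
 * come back as a 1 + 2 + 4 + 16 = 23-byte response. */
size_t fixed_handler_roundtrip(void) {
    unsigned char req[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    static unsigned char resp[HB_MAX_RESP];
    return heartbeat_fixed(req, sizeof req, resp);
}

int main(void) {
    printf("vulnerable handler leaks adjacent memory: %s\n", leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks adjacent memory:      %s\n", leaks_secret(heartbeat_fixed) ? "yes" : "no");
    printf("fixed handler reply to a valid 4-byte request: %zu bytes\n", fixed_handler_roundtrip());
    return 0;
}
```

The point a data-flow checker has to establish is that `payload_len` is attacker-controlled and flows unvalidated into the `memcpy` length; comparing it against `rec_len` before the copy is the whole fix.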
Use open source software safely
“So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.”
-Steve Marquess, OpenSSL Software Foundation, on the Heartbleed bug
• 80% of developers need not prove the security of the OSS they’re using
• Only 7% of organizations have an OSS policy around security
If you’re using open source, security verification is up to you, for your application code and for its 3rd party components alike. Do you know all the open source you are using?
• Test your code
• Look for flaws early
• Make security a priority
Reducing open source risk
Know your inventory with OSS scanning:
• An automated, repeatable way to locate OSS packages (and packages within packages!) and their licensing obligations
• Look for scanning tools that are SaaS and protect your IP by not requiring source code upload
Maintain with OSS support:
• Use only trusted packages
• Get notified of security fixes and apply the updates
Establish an OSS policy to minimize risk:
• Get notified of the latest patches, risks, and bugs
Open source management: OpenLogic
• Commercial-grade technical support for hundreds of open source packages
• Web-based platform for open source governance
• Open source scanning solutions
• Library of certified open source software with proactive security notifications
Security vulnerability example (image)
Scan results example (image)
Conclusions
• Tooling: code analysis and OSS scanning
• Notification processes: OSS security notifications, latest patches
• Mitigation plan
• Shift from security as a service to security at the developer, correcting vulnerabilities as early as possible
See us in action: www.roguewave.com
Rod Cope | rod.cope@roguewave.com
Getting the most from your API management platform: A case studyGetting the most from your API management platform: A case study
Getting the most from your API management platform: A case study
 
Advanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applicationsAdvanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applications
 
The forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for youThe forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for you
 
Are open source and embedded software development on a collision course?
Are open source and embedded software development on a  collision course?Are open source and embedded software development on a  collision course?
Are open source and embedded software development on a collision course?
 
Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices
 
5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success
 
PSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliancePSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliance
 
Java 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the futureJava 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the future
 
How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)
 
Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)
 
How to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to LinuxHow to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to Linux
 
Approaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC appsApproaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC apps
 
Enterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOSEnterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOS
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migration
 
How to keep developers happy and lawyers calm
How to keep developers happy and lawyers calmHow to keep developers happy and lawyers calm
How to keep developers happy and lawyers calm
 

Recently uploaded

%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...kalichargn70th171
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 

Recently uploaded (20)

%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 

Shifting the conversation from active interception to proactive neutralization

  • 1. Shifting the conversation from active interception to proactive neutralization Rod Cope, CTO
  • 2. Presenters © 2015 Rogue Wave Software, Inc. All Rights Reserved. Rod Cope, CTO Rogue Wave Software 2
  • 3. “With all software, there will be more security holes, you need to plan for it, have tooling, prepare for some notification process so you can quickly learn when there is an issue, whether it’s open source or from somewhere else, that you know there’s an issue, and then have a mitigation plan in place so you know what is affected.” -Rod Cope, CTO
  • 4. Why the shift? Fixing a bug late can cost 150X as much as fixing it during the requirements or design phase. 76% of organizations using open source don’t have meaningful controls over what components go into their applications. 55% of organizations don’t have a security awareness program in place. 78% of development teams use time-consuming manual testing processes to ensure code security. 72% of developers believe they are responsible for security and safety testing of their code. 70% of development organizations don’t have clear policies, procedures, and tools for using open source code.
  • 5. What are the risks? Risks include: OSS security issues; unknown OSS; outside reprogramming of systems; code vulnerabilities.
  • 6. Unknown OSS & security issues
  • 7. Outside reprogramming of systems
  • 8. Code vulnerabilities
  • 9. Common attacks. Organizations have failed to prevent attacks because of lack of time, lack of focus, and lack of tools (or of the proper tools). Survey: of 1700 developers, 80% incorrectly answered key questions surrounding the protection of sensitive data. Most breaches result from input trust issues: SQL injection, unvalidated input, cross-site scripting. Examples: Heartbleed (buffer overrun); the BMW patch (HTTP vs. HTTPS).
  • 10. Root causes of vulnerabilities. Supply chain: software suppliers can introduce risks (security, functional, compliance) before they reach you. Minimal testing: different platforms, processes, tools, standards, etc. require more effort to assess, test, and standardize. Lack of prioritization: over 90% of companies use OSS components in commercial software (1), and 46 million vulnerable open source components are downloaded each year. Lack of developer education. (1) Gartner
  • 11. Multi-source software: open source, legacy code, COTS, contractors, and ISV code are all integrated into your product and then tested; the cost to fix defects ranges from $ to $$$$ depending on when they are found.
  • 12. Traditional development: security as a service. Development, compliance, and security are independent functions: separation of duties for testing and auditing; separate testing tools, with results fed back to development. Traditional Secure Development Lifecycle activities: Req’s: establish security requirements, create quality gates, risk assessments. Design: establish design requirements, analyze attack surface, threat modeling. Build: use approved tools, deprecate unsafe functions. Test: static analysis, dynamic analysis, fuzz testing, attack surface review, open source review. Deploy: incident response plan, final security review, release archive.
  • 13. Consequences of security as a service: increased remediation costs, delayed releases, and security and development become adversarial. Cost of remediation by phase (source: Barry Boehm, “Equity Keynote Address”, March 19, 2007): Req’s 1x, Design 5x, Build 10x, Test 20x to 50x, Deploy 150x (phase activities as listed on slide 12).
  • 14. Build-only analysis in the dev process: analysis and test happen only at build time (chart: cost of defects over the development process).
  • 15. Defect introduction: 50% of defects are introduced before the build, while analysis and test only happen at build time (chart: cost of defects).
  • 17. Shift your plan of attack: agile, continuous integration, continuous delivery; understanding processes; educating teams; implementing tools; enforcing compliance; measuring success; adopting new standards; systems integrators vs. systems builders; multiple development teams.
  • 18. Prevent software failure due to defects. Your team worries about: problems with array indexes, errors in error handlers, untrapped exceptions, memory leaks, unchecked stacks and buffers, misplaced pointers.
  • 19. Analysis and testing: check code faster. (1) Issues are identified at your desktop with real-time feedback. (2) Correct code before check-in. (3) All areas impacted by a given defect are highlighted. (4) After the system build, the impact of other developers’ code is also delivered to the desktop for corrective action. Source: https://uwaterloo.ca/counselling-services/curve-forgetting
  • 20. Static code analysis. Traditionally used to find simple, annoying bugs. Modern, state-of-the-art SCA: sophisticated inter-procedural control- and data-flow analysis; model-based simulation of runtime expectation; provides an automated view of all possible execution paths. Finds complex bugs and runtime errors: memory leaks, concurrency violations, buffer overflows. Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262.
  • 21. Klocwork static analysis engine: hundreds of checkers for C, C++, C# and Java; support for numerous standards (MISRA, DISA, CWE, CERT, etc.); customizable: turn checkers on or off, change the severity of identified defects, add custom checkers. Coding standards & maintainability: dead code, unreachable code, calculated values that are never used, unused function parameters, … Reliability: memory and resource leaks, concurrency violations, infinite loops, dereferencing NULL pointers, usage of uninitialized data, resource management, memory allocation errors, … Security: buffer overflow, un-validated user input, SQL injection, path injection, file injection, cross-site scripting, information leakage, vulnerable coding practices, …
  • 22. Klocwork finds Heartbleed
  • 23. Use open source software safely. “So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.” -Steve Marquess, OpenSSL Software Foundation, on the Heartbleed bug. 80% of developers need not prove the security of the OSS they’re using. Only 7% of organizations have an OSS policy around security.
  • 24. Application code and 3rd party components: if you’re using open source, security verification is up to you. Do you know all the open source you are using? Test your code. Look for flaws early. Make security a priority.
  • 25. Reducing open source risk. Establish an OSS policy to minimize risk: use only trusted packages; notify and update security fixes. Know your inventory with OSS scanning: an automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations; look for scanning tools that are SaaS and protect your IP by not requiring source code upload. Maintain with OSS support: get notified of the latest patches, risks, and bugs.
  • 26. Open source management: OpenLogic. Commercial-grade technical support for hundreds of open source packages; web-based platform for open source governance; open source scanning solutions; library of certified open source software with proactive security notifications.
  • 27. Security vulnerability example
  • 28. Scan results example
  • 29. Conclusions: tooling (code analysis and OSS scanning); notification processes (OSS security notifications, latest patches); a mitigation plan. Shift from security as a service to security at the developer, correcting vulnerabilities as early as possible.
  • 30. See us in action: www.roguewave.com. Rod Cope | rod.cope@roguewave.com
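As an added illustration of the “Heartbleed: buffer overrun” item on slide 9 and the “unchecked stacks and buffers” item on slide 18 (example code written for this page, not from the deck and not OpenSSL’s code; the record layout, function names and the bystander data are constructed), the handler below trusts a length field carried inside the message, while its hardened twin checks that field against the bytes actually received before copying, which is the class of missing bounds check a static analyser is meant to flag:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page (not from the deck, not OpenSSL's code).
 * Toy heartbeat-style record, layout assumed for the demo:
 *   byte 0     : message type
 *   bytes 1..2 : payload length, big-endian
 *   bytes 3..  : payload
 * The sender's claimed length is untrusted input. */

#define REPLY_MAX 64
#define ARENA_LEN 64

/* The defect ("Heartbleed: buffer overrun"): the claimed length is trusted
 * and the real record length is ignored, so the copy runs past the payload
 * into whatever memory follows it. Returns the number of bytes echoed. */
size_t heartbeat_reply_unchecked(const uint8_t *rec, size_t rec_len,
                                 uint8_t *reply, size_t reply_cap)
{
    (void)rec_len;                                   /* the bug: never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > reply_cap) claimed = reply_cap;    /* demo-only guard for the destination */
    memcpy(reply, rec + 3, claimed);
    return claimed;
}

/* The fix: check the claimed length against the bytes that actually arrived
 * and against the reply buffer, and reject the record (return 0) otherwise. */
size_t heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                               uint8_t *reply, size_t reply_cap)
{
    if (rec_len < 3) return 0;                       /* header incomplete */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - 3) return 0;             /* claims more than was received */
    if (claimed > reply_cap) return 0;               /* would not fit the reply */
    memcpy(reply, rec + 3, claimed);
    return claimed;
}

/* Constructed memory layout: a record whose real payload is "ping" (4 bytes),
 * followed by unrelated data that a correct handler must never echo. */
static uint8_t arena[ARENA_LEN];

/* Builds the arena with the given claimed length; returns the record's true
 * on-the-wire length (3 header bytes + 4 payload bytes). */
size_t build_demo_arena(uint8_t claimed)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;
    arena[1] = 0;
    arena[2] = claimed;
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + 7, "SECRET-KEY-MATERIAL", 19);   /* constructed bystander data */
    return 7;
}

/* 1 if the echoed bytes contain the bystander marker, i.e. the leak happened. */
int reply_leaks_secret(const uint8_t *reply, size_t n)
{
    static const char marker[] = "SECRET";
    size_t m = sizeof marker - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(reply + i, marker, m) == 0) return 1;
    return 0;
}

/* Runs the vulnerable handler on the demo arena; returns 1 if data leaked,
 * 0 if not, -1 if the claimed length would leave the demo arena (refused so
 * the demo itself never reads out of bounds). */
int demo_unchecked_leaks(uint8_t claimed)
{
    uint8_t reply[REPLY_MAX];
    if (claimed > ARENA_LEN - 3) return -1;
    size_t rec_len = build_demo_arena(claimed);
    size_t n = heartbeat_reply_unchecked(arena, rec_len, reply, sizeof reply);
    return reply_leaks_secret(reply, n);
}

/* Runs the fixed handler on the same arena; returns bytes echoed (0 = rejected). */
size_t demo_checked_bytes(uint8_t claimed)
{
    uint8_t reply[REPLY_MAX];
    size_t rec_len = build_demo_arena(claimed);
    return heartbeat_reply_checked(arena, rec_len, reply, sizeof reply);
}

int main(void)
{
    printf("claimed 32, unchecked: leak=%d\n", demo_unchecked_leaks(32));
    printf("claimed 32, checked:   echoed=%zu (0 = rejected)\n", demo_checked_bytes(32));
    printf("claimed 4,  checked:   echoed=%zu\n", demo_checked_bytes(4));
    return 0;
}
```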

Editor's Notes

  1. There are several risks involved in securing embedded systems, some of those risks revolve around network intrusion, information theft, outside reprogramming of systems, and code vulnerabilities.
  2. So when we examine security as it often happens during development, the functions are separate. In a traditional development environment, security, compliance, and development are separate, autonomous groups. The argument for this is the principle of Separation of Duties – in this case making sure that independence exists between development and security. Development builds a release, tests it for functionality, then passes it to security for testing. Security tools have traditionally been used only by security personnel, typically later in the development lifecycle. Tools include static analysis of source code, dynamic analysis of running applications, and scanning for vulnerable open source components. At each phase of the Secure Development Lifecycle, there are a number of best practices. Security requirements, threat modeling, and several other activities help organizations avoid problems later in the secure software development lifecycle.
  3. The problem with this, in particular as it applies to an Agile environment, is that the testing happens late in the development process, independent of the development team. For example, traditional static testing requires a compilable application, complete with all dependencies, usually only possible after significant development effort. Dynamic analysis, or pen testing, requires a finished application in a test environment, complete with data. By definition this will be very late in the development process. There have been many studies on the costs associated with delaying security testing, but the numbers remain fairly consistent. The later in the process a bug is identified, the more costly it is to remediate; up to 150X as much as fixing the bug during the requirements or design phase. It’s easy to understand why. Not only is it likely that more code refactoring will be required once an application is “fully baked”, but organizational costs come into play, including triage, prioritization, research, recoding, and retesting to ensure the fix didn’t introduce other problems. In short, costs are higher and releases are delayed. We recently had Jeffrey Hammond of Forrester present at an event, and he said, “It takes 18 months to deploy a new release of a project/product/app where a single line of code is changed.” Finally, we’ve seen this model result in conflicts between security and development teams. The development teams often feel that security has little involvement during the build process, only to parachute in late in the process, run code through their magic boxes, and produce a long list of bugs – with lots of false positives – just when the product is getting to its release date.
  4. Everyone has seen this chart at some point I’m sure. It maps where software defects are found and the cost to fix them along the software development process. The later you find them the more it costs to fix them. With the Build-only approach to source code analysis, issues are being found before release but later in the cycle than most desirable.
  5. Now we will discuss some solutions that we offer to ensure your developers are delivering secure, defect-free software in their embedded systems
  6. Memory leak – a failure in a program to release discarded memory, which can build up over time causing impaired performance or failure. Untrapped exceptions – a failure at a higher level to catch errors generated at a lower level, causing unexpected behavior or crashes. Unchecked stacks and buffers – unchecked areas where data is stored. Misplaced pointers – does your pointer actually work/make sense? Problems with array indexes – did your team put the array indexing in the appropriate place? Errors in error handlers – error handling refers to the anticipation, detection, and resolution of programming, application, and communications errors; sometimes there are errors within these areas too. These types of bugs occur all the time and are sometimes easy to fix, sometimes not. The trick is detecting where these flaws are, especially in code that’s split over multiple files or among many developers.
  7. Graph: Continuous improvement fits well with the Agile methodology, which is built around brief, repeatable processes. Helping Agile teams avoid, rather than fix security issues should be a high priority. Rather than forcing developers to look up remediation advice on the web, or from internal coding standards, push that information directly to the IDE where it can be easily used. Studies show that people learn through repetition. The graph represents what is known as the “forgetting curve”. The black line in the graph shows memory retention from a single class. In terms of security training, this means that holding a secure coding training event can be helpful, but if the information is not reinforced quickly and consistently, over 90% of the knowledge from that class can vanish with the first week! If brief reminders are provided, as shown by the yellow line in the graph, knowledge retention improves dramatically, until it ultimately becomes part of a student’s long term memory. Pushing security testing and remediation guidance to the IDE also provides developers with near real-time feedback, improving their ability to recognize risky coding structures and self-correct.
  8. We support hundreds of checkers which can be selected on an individual basis to fit the customer’s needs. We support numerous coding standards.
  9. Julia to present this slide as we transition into open source software—OpenLogic
  10. Support - Ensure your release dates with OpenLogic technical support, providing the same level of confidence for open source code as technical support for commercial products. Supporting hundreds of open source software packages for issues encountered in both development and production environments, OpenLogic technical support has you covered. Scanning - Knowing what, where, and how open source software is used within your organization is key to reducing risk and minimizing liability. Understanding the technical issues, licensing models, and security flaws before using open source code is critical to making good choices. Delivering applications on time, including open source that you're confident of, is achievable. Our scanning tool is a software-as-a-service (SaaS) governance platform for comprehensive governance and provisioning of open source software. Our tool scans source code as well as binaries to identify open source code and licenses – even when the open source code has been copied or modified. Services – Application Audit - Our Application Audit service analyzes internally-developed software for open source packages and identifies the bill of materials (BOM) and bill of licenses for open source components. After comprehensive code scanning, we aggregate the results to create comprehensive reports that help you make informed decisions about distribution. Application Certification – Provides certification that an application has been scanned for open source software and licenses, and that all open source license obligations have been met. With this certification, you avoid customer objections and potential litigation. License Obligation Analysis - Our License Obligation Analysis service uncovers the license information you need to understand open source license obligations and to reduce potential risks. We identify the licenses, obligations, and requirements associated with open source packages your organization uses. With this service, we provide comprehensive reports that give legal and compliance staff the information they need to make informed decisions about open source deployments and distribution. M&A Open Source Audit - Buyers, venture capitalists, legal and compliance teams, and other interested parties use M&A Open Source Audits to ensure that products are correctly licensed and free of intellectual property conflicts. Sellers can use the M&A Open Source Audit service to ensure mergers and acquisitions move forward smoothly and without asset devaluation. Cloud Services - We offer pre-configured stacks on the AWS Marketplace, Certified CentOS images, and, as always, trusted OSS support. Professional Services - We also offer best-practice advice and hands-on assistance. Consulting packages are available with varying levels of hands-on guidance and technical depth to address different needs and levels of complexity. http://www.openlogic.com/products-services
  11. What attacks will these software components be exposed to? Will they be accessible over some type of network? Is remote access possible? Is the weakness easy to comprehend by the average attacker? How do we gauge the “security health” of code coming in? How do we achieve compliance? It is a lengthy process, with unclear expectations and lots of resources involved. Let’s not forget the regular bugs. Can automated testing be more effective?
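To make concrete what “know your inventory with OSS scanning” (slide 25) and the scanning notes above amount to once the scan results exist, here is an added example, not OpenLogic’s scanner or any Rogue Wave code: a constructed scan result, including a package bundled inside another package, is matched against a constructed advisory feed by version comparison. The inventory, the struct and function names, the `vendor-sdk` package and the libxml2 advisory are all invented for the demo; only the OpenSSL 1.0.1g Heartbleed fix version is real.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example for this page; not from the deck and not OpenLogic's code.
 * Inventory entries are what a scanner reports, including copies of a
 * package that ship inside another package ("packages within packages"). */
struct component {
    const char *name;
    const char *version;
    const char *bundled_in;   /* NULL for a top-level dependency */
};

/* One advisory: the component affected and the first version carrying the fix. */
struct advisory {
    const char *name;
    const char *fixed_in;
};

/* Compare dotted versions numerically: negative if a < b, 0 if equal,
 * positive if a > b. Missing trailing parts count as 0 ("1.0" == "1.0.0");
 * a single letter suffix ("1.0.1f" vs "1.0.1g") is compared as a character.
 * Assumption: no other suffix styles (rc, beta, ...) appear. */
int version_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        char *ea, *eb;
        long na = strtol(a, &ea, 10);
        long nb = strtol(b, &eb, 10);
        if (na != nb) return na < nb ? -1 : 1;
        a = ea;
        b = eb;
        if (*a == '.' || *b == '.') {        /* skip the dotted separator */
            if (*a == '.') a++;
            if (*b == '.') b++;
            continue;
        }
        if (*a != *b)                        /* letter suffix, or one side ended */
            return (unsigned char)*a < (unsigned char)*b ? -1 : 1;
        if (*a) { a++; b++; }                /* identical suffix character: move on */
    }
    return 0;
}

/* Reports every inventory entry that an advisory covers. Writes up to max_out
 * lines of the form "name version (bundled in X): fixed in V" into out[] and
 * returns the total number of affected entries. */
int find_affected(const struct component *inv, int n_inv,
                  const struct advisory *adv, int n_adv,
                  char out[][96], int max_out)
{
    int hits = 0;
    for (int i = 0; i < n_inv; i++) {
        for (int j = 0; j < n_adv; j++) {
            if (strcmp(inv[i].name, adv[j].name) != 0) continue;
            if (version_cmp(inv[i].version, adv[j].fixed_in) >= 0) continue; /* already fixed */
            if (hits < max_out)
                snprintf(out[hits], 96, "%s %s%s%s%s: fixed in %s",
                         inv[i].name, inv[i].version,
                         inv[i].bundled_in ? " (bundled in " : "",
                         inv[i].bundled_in ? inv[i].bundled_in : "",
                         inv[i].bundled_in ? ")" : "",
                         adv[j].fixed_in);
            hits++;
        }
    }
    return hits;
}

/* Constructed scan result: the top-level OpenSSL is patched, but an older
 * copy is hidden inside a vendor package that the scanner unpacked. */
static const struct component demo_inventory[] = {
    { "openssl", "1.0.1g", NULL },
    { "openssl", "1.0.1e", "vendor-sdk" },
    { "zlib",    "1.2.8",  "vendor-sdk" },
    { "libxml2", "2.9.1",  NULL },
};

/* Constructed advisory feed. OpenSSL 1.0.1g is the real Heartbleed fix
 * release; the libxml2 entry is a placeholder invented for the demo. */
static const struct advisory demo_advisories[] = {
    { "openssl", "1.0.1g" },
    { "libxml2", "2.9.2" },
};

#define COUNT(x) ((int)(sizeof (x) / sizeof (x)[0]))

/* Runs the match over the demo data, prints each finding, returns the count. */
int demo_affected_count(void)
{
    char lines[8][96];
    int n = find_affected(demo_inventory, COUNT(demo_inventory),
                          demo_advisories, COUNT(demo_advisories), lines, 8);
    for (int i = 0; i < n; i++) printf("%s\n", lines[i]);
    return n;
}

int main(void)
{
    printf("%d affected component(s)\n", demo_affected_count());
    return 0;
}
```

The bundled OpenSSL copy is the case slide 25 warns about: a manifest that lists only top-level dependencies would report this product as fully patched.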