5. How security process
looks in reality
Than start process of re-Coding, re-Building, re-Testing, re-Auditing
3rd party or internal audit
Tone of
security
defects
BACK to re-Coding, re-Building, re-Testing, re-Auditing
TIME to FIX
6. How much time you need to fix
security issues in app?
7. How it should look like
With proper Security Program number of
security defects should decrease from phase
to phase
Automated
security
Tests
CI
integrated
Manual
Security/penetration
Testing
OWASP methodology
Secure
Coding
trainings
Regular
Vulnerability
Scans
8. Minimize the costs of the Security related issues
Avoid repetitive security issues
Avoid inconsistent level of the security
Determine activities that pay back faster during current
state of the project
Primary Benefits
10. Ok, we will bay Security
Tool and scan our
code…
11. Top AST Tools 2013
Which one likes you?
Average Price near
$100K
12. Why code analysis do
not resolve all problems?
Many of the CWE vulnerability types,
are design issues, or business logic
issues.
Application security testing tools are
being sold as a solution to the problem of
insecure software.
13. 55%45%
Ability of Security Tools to identify real vulnerability
Not Covered Claimed Coverage
13
Tools – At Best 12%
• MITRE found that all application
security tool vendors’ claims put
together cover only 45% of the
known vulnerability types (695)
• They found very little overlap
between tools, so to get 45% you
need them all (assuming their
claims are true)
• Based on this new data from the
CSA at the NSA, SAST has 12%
vulnerability coverage
MITRE's study
14. Security Tooling – No
Silver Bullet
Design Flaws Security Bugs
1. Occur during the architecture phase
2. High level
3. More expensive to remediate – requires
architectural changes
4. Requires human analysis to uncover
5. Logical defects
6. Rights separation
7. Complex attack vectors
8. Defects in architecture and design
9. Real Cryptography level
1. Occur curing the code phase
2. Code level - Looking for known, defined
and predictable patterns
3. Cheaper to remediate – requires code
changes
4. Can be identified using automated tools
Can be resolved by:
SoftServe Expert
Can be resolved by:
Security Tool (Veracode, IBM Appscan,,
HP Fortify SCA
Both security tooling and security assessments are required to
address both types of vulnerabilities
15. QA Engineer Security Analyst
In functional and performance testing,
the expected results are documented
before the test begins, and the quality
assurance team looks at how well the
expected results match the actual results
In security testing, security
analysts team is concerned
only with unexpected results
and testing for the unknown
and looking for weaknesses.
VS.
16. Manual Pen testing
Manual penetration testing adds the benefit of specialized human expertise to our
automated static and dynamic analysis — and it uses the same methodology cyber-
criminals use to exploit application weaknesses such as business logic vulnerabilities.
Manual Penetration Testing involves one or more security experts performing tests
and simulating “in the wild” attacks. The goal of such testing is to determine the
potential for an attacker to successfully access and perform a variety of malicious
activities by exploiting vulnerabilities, either previously known or unknown, in the
software.
The results of this review will help strengthen the established security controls,
standards, and procedures to prevent unauthorized access to the organizational
systems, applications, and critical resources. As a result of SoftServe tests, the
SoftServe will prepare detailed work papers documenting the tests performed, a
report of SoftServe findings including recommendations for additional security
controls as required.
SoftServe MPT is designed to compliment and extend an automated assessment
18. Agile Secure Development Lifecycly
•Every-Sprint practices: Essential security
practices that should be performed in
every release.
•Bucket practices: Important security
practices that must be completed on a
regular basis but can be spread across
multiple sprints during the project
lifetime.
•One-Time practices: Foundational
security practices that must be
established once at the start of every new
Agile project.
20. Integrated Security process
Build
• Build code
with special
debug
options
Deploy
• Pack build
and code
• Deploy app
to VM for
test
Test
Security
• Run code
test
• Run Test
dynamic
web
application
from VM
with security
tools
Analyze
• Collect and
format
results
• Verify results
• Filter false
positive /
negative
• Tune
scanning
engine
• Fix defects
21. High level vision
Dynamic Security testingStatic Code Analysis
CI tools
Deploying application
Security Reports
Pull source code
22. Real project view
Dynamic Security testing
CI tools
Deploying application
Security Reports
Pull source code
23. We have best tools…
IBM AppScan
license
Burp Suite
license
HP Fortify
certification
Partnership
with Veracode
Available SaaS
25. SoftServe Expertise by Vendors
Mobile Security
Data Security
Cloud Security
Enterprise Security
26. SoftServe offer
• Certified security experts to control security on
project
• SoftServe utilize different set of tools to ensure
coverage (IBM, Veracode, PortSwinger, OpenVAS)
• Regulars scans that could be integrated to CI
• Education and Case study based on defect severity
for Dev and QA stuff
• Following Secure SDLC practices
• And many more
27. Annual development
expense cost savings
Application
Development
Cost Savings
Vulnerability
Remediation Cost
Savings
Compliance & Pen
Testing Cost Savings
Application
Outsourcing Pay for
Performance
Streamline & minimize
remediation costs for
application development by
identifying /fixing
vulnerabilities at their origin
Lower costs associated with
compliance testing fees and
penetration testing
Decrease 3rd party
development fees by
incenting software security
performance
28. The Benefit of SoftServe
Internal Testing vs. 3rd Party
SoftServe Internal Testing 3rd Party Scan
1. Finds issues large and small
2. Reports and resolves issues
directly to development
3. Objective
4. Credentialed
5. Industry standard toolset
1. Finds issues large and small
2. Reports issues to managers
3. Objective
4. Credentialed
5. Industry standard toolset
6. Can be scheduled any time
7. Keeps up with the 2 week
development cycle
8. Regular QA and Dev Team
trainings
29. The Benefit of SoftServe
Security Testing vs. 3rd Party
Benefit/Feature Description
Easy to start • Low initial cost
• Leverage internal resources to defray additional expense
• Maximizes assistance
• Maximizes internal resources and ongoing efforts
Provide more
actionable
information
• Focus on what really matters
• Validate your own internal processes and test procedures
Improve security
knowledge
• Security expertise within the solution
• Can assist in keeping test plans up to date
• Assist in validation of fixed items
• Stay on top of testing regression issues and new features
Increase technology
coverage
• Assurance in testing the latest technologies for the latest
vulnerabilities
• Increasing the speed and efficiency of building security into a
development lifecycle
30. Value
20-40% time for testing/re-testing decrease
Catch problems as soon as possible
Avoid repetitive security issues
Improve Security Expertise/Practices for current Team
Automation, Integration, Continuously
Proactive Security Reporting
Full coverage
Note: Clearly a level 1 review can’t do any more than what the tools can do, since it’s a tool based review. Given that tools don’t yet provide a huge amount of coverage of the application security problem space, level 1 reviews are understandable limited in their scope. But they are just the first level in the model. Higher levels provide better coverage and more rigor, as defined by the standard itself.