The document discusses security breaches that occur through third party systems and vendors. It describes how attackers were able to access Target's corporate network by compromising a refrigeration contractor called Fazio Mechanical through a phishing email. This allowed malware called Citadel to be installed on Fazio computers. The document also discusses the importance of implementing a secure software development lifecycle (SDLC) and using tools like Dimensions CM to integrate code reviews, continuous inspection, and maintain a centralized secure vault for source code repositories.
6.
FUG2016
Breaches by 3rd Party Systems
• The attackers backed their way into Target's corporate network by compromising a third-party vendor. The number of vendors targeted is unknown. However, it only took one. That happened to be Fazio Mechanical, a refrigeration contractor.
• A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for: Fazio Mechanical's login credentials.
• At the time of the breach, all major versions of enterprise anti-malware detected the Citadel malware. Unsubstantiated sources mentioned that Fazio used the free version of Malwarebytes Anti-Malware, which, being an on-demand scanner, offered no real-time protection. (Note: Malwarebytes Anti-Malware is highly regarded by experts when used in the correct manner.)
13.
Serena Dimensions CM - Integrated Peer Code Review
Develop with velocity - collaboratively, securely and efficiently
Key Capabilities
• Collaborative web based architecture
• Integrates with Agile stories and requests
• Linked to Continuous Inspection
• Strengthens audit trail & governance
• Configurable for Projects & Teams
Value Benefits
• Improved code quality
– Find 70-90% of all defects earlier
• Cost reduction
– Save up to 30% of re-work hours
• Developer productivity
– Up to 25% improvement in coding
Peer Reviews in Software - A Practical Guide by Karl E. Wiegers
14.
Serena Dimensions CM – Continuous Inspection Toolchain
Develop with velocity - collaboratively, securely and efficiently
Key Capabilities
• Extensible plug-in architecture
• Schedule & inspect code changes
• Report findings & vulnerabilities
• Aggregated KPI Metrics
• Supports DevOps “Shift-Left”
Value Benefits
• Display results in code review
• Real-time developer feedback
• Reduce coding risks & issues
• Monitor code health & quality
• Speed release readiness
"Given enough eyeballs, all bugs are shallow."
The Cathedral and the Bazaar —Eric Raymond
15.
• Code Hygiene
• Refers to the “cleanliness” of an application – in particular, minimizing vulnerabilities and code complexity.
• Good code hygiene requires visibility into all the components used to build the application.
• Several activities in the software development lifecycle support good code hygiene, including threat modeling and automated testing (i.e., static and dynamic analysis).
• The shortcoming of each of these activities is that they only provide a point-in-time snapshot of code hygiene, and can’t account for a changing threat space.
• You have to continuously monitor or continuously apply good hygiene.
• More than 4,000 new vulnerabilities were disclosed by the National Vulnerability Database in open-source components in 2014 alone. The fact that your open-source code bases are free from vulnerabilities today doesn’t mean you can ignore them for the next year.
• OWASP Dependency-Check (open source)
18.
No Built-in Security and Authorization
• Read/Write security on all objects
• Group role assignments
• Full audit trail of all objects
19.
Git/SVN Goes into the Dimensions CM Secure Vault
(Diagram labels: Release Control; Dev, DevOps, Ops; Dimensions CM; Deployment Automation; CM Secure Vault; ChangeMan ZMF; deployment pipelines.)
20.
Better Solution – Git Connector
(Diagram labels: Dimensions CM Vault; Dimensions CM; Deployment Pipeline; Serena Deployment Automation; Dimensions CM = Git Master Repository; Dimensions CM Pulse; Dimensions CM Git Connector.)
21.
Dimensions CM Git Connector Benefit
• The Developers don’t have to change the tools they are using
• The Business gets the control it needs
– Single source of truth
– Enterprise Security
– Robust and scalable
• With the additional value of Dimensions CM
– Continuous Inspection
– Enterprise Change Management
– Control over path to production
– Full audit trail across all components
22.
Customer Quotes
“We’re a bank not a startup, and we need to be using appropriate tools to ensure the integrity and security of change, not tools that add to a developer’s resume. We don’t want to be the next big headline!”
Richard Iandoli, SVP QA, Brown Brothers Harriman

“The visibility and insight that Dimensions CM 14 provides allows us to see if we are converging to quality or diverging from quality in real time.”
Ken Vane, IT Change & Configuration Manager, Navy Federal Credit Union