SlideShare a Scribd company logo

Engineering Secure SAS Products

CMR WORLD TECH
CMR WORLD TECH

Sas software-security-framework-107607

Science
1 of 7
Download to read offline
SAS® Software Security Framework: Engineering Secure Products   WhitePaper
Contents The SAS® Software Security Framework ......................1 Education .................................................................................2 Secure Architecture and Design.........................................2 Secure Development Standards ........................................2 Security Testing and Validation............................................3 SAS Product Security Response and Remediation..........3 The SAS® Commitment to Security ..............................4
1 Across an increasingly interconnected marketplace, the impact of software security breaches on organizations and consumers is driving more investment in security. Technology analysts report software security as a top initiative that will get increasing attention and investment. At SAS, ensuring the quality and security of our products is more than a goal. It’s a requirement that drives the way that we develop and test technology. To create the most stable and secure products possible, we develop, test and deliver tech- nology using proven methodologies for secure software development. We know that keeping data and software secure is a fundamental expectation for our customers. Organizations are establishing dialogues and building partner- ships with their vendors to focus on security requirements. They want to know how the software they purchase can meet those demands. SAS welcomes that partnership with its customers, especially since feedback from the field is critical to delivering high-quality and secure software that exceeds customer expec- tations and industry requirements. This document provides an overview of the SAS Software Security Framework. It explains the structures, processes and procedures that SAS has in place to deliver secure software for our global customer base. The SAS® Software Security Framework The SAS Software Security Framework defines the SAS software development process and provides principles for the develop- ment, delivery and support processes used to build and support SAS software. The framework includes a process for continuous learning and awareness of global security activities and standards – and incorporating them into SAS development practices. The components of the framework include: • Education – At its core, the SAS Software Security Framework is based on building a team trained to meet today’s security challenges. SAS software engineers receive education on current and emerging industry security threats, and they leverage that information to design, develop and support products that are built with security requirements in mind. • Secure architecture and design – SAS implements a security architecture that provides strong authentication, authoriza- tion, availability, data integrity and confidentiality. • Secure development standards – SAS developers work with standards and guidelines that provide the foundation for building secure software. These coding guidelines and examples help SAS developers and the services staff create and implement secure software. • Security testing and validation – The SAS Software Security Framework includes testing and validation processes that provide checks for security throughout the development process. SAS runs industry-standard security scanning software during the development cycle. These scans are designed to detect security vulnerabilities, and SAS follows up to evaluate and address identified issues before completing product development. • Product security response and remediation – SAS recognizes that some security issues or questions occur after products are released. The SAS Software Security Framework includes a method to provide clear updates about these issues. After identifying a vulnerability, SAS will deliver workarounds and fixes as appropriate – and announce those fixes publicly through the appropriate customer communications channels.
2 SECURITYASSURA NCE SECURITY PRODUCT SECURITY RESPONSE AND REMEDIATION SECURE ARCHITECTURE & DESIGN SECURE DEVELOPMENT STANDARDS SECURITY TESTING AND VALIDATION Figure 1: The SAS Software Security Framework uses broad- based education to train the development staff on security issues – and how to apply best practices throughout the SAS software development life cycle. Education Education is the foundation for our efforts to identify and resolve security issues. The SAS Software Security Framework helps everyone responsible for creating, testing and imple- menting SAS technology to share knowledge of the scope and importance of security topics. The education element of the framework takes a number of forms, including: • Development, test and support organizations receive training classes, refresher training, and peer mentoring for security topics. • SAS security teams provide guidelines and coding examples associated with development standards. • SAS internal IT teams collaborate with SAS development to provide insight into the security challenges faced by IT, and to guide choices based on proven practices and internal consistency. • SAS development and test engineers strive to implement and validate a consistent set of protections and features across SAS products. The education program allows these teams to recognize and avoid potential vulnerabilities during the software development life cycle. Additionally, the tech- nical support staff receives training on how to identify and handle security issues after software release so that issues are resolved quickly and communicated to customers. SecureArchitectureandDesign Delivering secure software begins with a product design based on standards and processes. SAS developers work with the architecture team to conduct design reviews. Checkpoints throughout the development process help SAS engineers prior- itize secure design concepts in product development tasks. Overseeing the architecture and design efforts is an internal, specialized security architecture team that consults with devel- opers during design and development phases. This design phase provides a framework for planning new features that are built on strong security architecture options. The architectural design guides developers to maintain security for processes like authentication, authorization, availability, integrity and confiden- tiality. Security features implemented by many SAS products may include role-based access control, single sign-on integra- tion, audit logging, and encryption of data in transit and at rest. SecureDevelopmentStandards The SASTechnology Office monitors current and evolving security trends and standards as input to the SAS Software Security Framework. From this, the team creates specific coding guide- linesandbestpracticeexamplestoguideSASsoftwaredevelopment. SAS development standards employ industry standards. The standards used by SAS development include the Open Web Application Security Project (OWASP) list of the top 10 critical web security flaws and the CWE/SANS Top 25. These lists provide awareness of common security vulnerabilities in software as well as the methods to avoid them during develop- ment and testing. At SAS, security extends beyond the code being developed. SAS developers work in a secure environment. In addition to infrastructure security maintained by the SAS IT organization, SAS source code is accessible only to those who have a legiti- mate need for access. Once access is granted, password policies are strictly enforced. For more information about campus and code security, see the Quality Imperative, which provides a guide to SAS’ commitment to product quality and customer satisfaction.
3 SecurityTestingandValidation SAS performs a variety of security tests, including authentication testing, authorization (access) testing and web application vulnerability testing. SAS performs vulnerability testing before delivering feature releases and maintenance releases. This testing reinforces development standards to support secure software throughout the process. In addition to scanning web applications and the web applica- tion server environment (using guidance from leading security organizations), SAS employs a suite of tests specific to SAS tech- nology. Depending on the type of software being tested, the tests can include: • Testing with users who have different security levels to make sure that each has the appropriate access levels. • Confirming data access permissions, based on row-level permissions, to confirm that data authorization is applied appropriately for each user. • Validating password and encryption security for SAS and for SAS Scalable Performance Data Server data sets. • Testing SAS/ACCESS® engines for connectivity security (such as user ID and password) during connection testing. • Testing appropriate user authorization and error handling. • Testing web applications via static-source scanning and external security assessments, along with assessments using guidance from OWASP and SANS Institute. Test teams use third-party dynamic vulnerability scanning tools to focus on classes of vulnerabilities that have been the root cause of known security issues in web-based software. These tools and test cases help developers focus on eliminating security vulnerabilities such as the OWASP Top 10 and the CWE/SANS Top 25. Issues found during a scan are entered into a defect tracking system and evaluated for appropriate response and remediation. As part of the SAS Software Security Framework, our testing processes, strategies and tools are kept up to date with current security requirements. The testing and validation process for SAS products combines both internally-developed and third- party scanning and vulnerability tools. In addition, SAS continu- ally expands the test suites for our software. SAS recognizes that organizations use a variety of testing tools to scan for vulnerabilities. When customer-driven assessments raise potential security issues, customers should contact SAS Technical Support for response and feedback. Results of vulnerability tests and scans conducted by SAS are company confidential. By policy, SAS does not share the tests or the individual results. The SAS security bulletins page provides updates about security issues, and security fixes for released products are highlighted through the standard technical support process for hot fixes. Customers can sign up for the support newsletter to receive regular updates about hot fixes and other important news from SAS. Visit the technical support hot fixes site for more information. SAS performs a variety of security tests, including authentication testing, authorization (access) testing and web application vulnerability testing.
4 SASProductSecurityResponse andRemediation SAS recognizes that some security issues emerge after products are released. As a result, the SAS Software Security Framework includes processes to assess vulnerabilities and provide clear and timely updates about their status. Customers with questions about security, including potential security vulnerabilities, should use the SAS Technical Support process to start a dialogue and get more information. Once a security question surfaces, a multidivisional team helps respond to questions and assess potential vulnerabilities. Like most technology vendors, SAS has a Product Security Incident Response Team (PSIRT) process that investigates security vulner- ability incidents and mobilizes resources to address identified incidents. Incidents are prioritized based on the potential severity of the vulnerability. SAS leverages the Common Vulnerability Scoring System (CVSS) during the vulnerability assessment. After the initial investigation, SAS provides updates to our customers through SAS Technical Support. Depending on the severity of the security situation, SAS may communicate responses via one or more channels, such as software release notes, bulletins, support forum updates or direct customer outreach emails. Some resolutions may require configuration changes or deployment of software fixes. Ultimately, the resolu- tion of a reported incident may require customers to upgrade to a more current version of SAS software. Throughout the assessment and remediation processes for reported vulnerabilities, SAS is committed to clear and consis- tent communication with affected customers. The SAS Technical Support team provides one-on-one support around the world, including support for security incidents. In addition, SAS publishes updates and summaries of known problems on the SAS security bulletins page. The SAS® Commitment to Security Maintaining software security requires diligence and commitment. The SAS Software Security Framework applies industry-standard best practices for secure development life cycles to all organiza- tions that perform SAS product engineering and maintenance processes. This helps SAS deliver and maintain products designed to meet the business needs and security require- ments of our customers.
To contact your local SAS office, please visit: sas.com/offices SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright © 2015, SAS Institute Inc. All rights reserved. 107607_S134871.0315

Recommended

Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessAchim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsPriyanka Aash
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsCprime
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIshrath Sultana
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 

Recommended

Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessAchim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsPriyanka Aash
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsCprime
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIshrath Sultana
 
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'Positive Hack Days
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLCPaul Yang
 
CompTIA CAS-002 VCE Outline
CompTIA CAS-002 VCE OutlineCompTIA CAS-002 VCE Outline
CompTIA CAS-002 VCE OutlineExamcollection
 
4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycleEnov8
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsSonatype
 
Threat Simulation and Modeling Training
Threat Simulation and Modeling TrainingThreat Simulation and Modeling Training
Threat Simulation and Modeling TrainingBryan Len
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Salesforce Security
Salesforce SecuritySalesforce Security
Salesforce SecuritySFSupport
 
Security Testing
Security TestingSecurity Testing
Security TestingPratham Software (PSI)
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Denim Group
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructureZabeel Institute
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Sonatype
 
AV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software reviewAV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software reviewJermund Ottermo
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxSource Conference
 
Prayer in public schools
Prayer in public schoolsPrayer in public schools
Prayer in public schoolsrbooker71
 
Discuss issues of difficulty and accessibility in relation to two or more of ...
Discuss issues of difficulty and accessibility in relation to two or more of ...Discuss issues of difficulty and accessibility in relation to two or more of ...
Discuss issues of difficulty and accessibility in relation to two or more of ...Emily Lees-Fitzgibbon
 
3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)
3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)
3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)Igor Lazarevi?, MSc Economics
 
Гайдн
ГайднГайдн
Гайднинна ветрова
 
M4 wqat activity_a_seals
M4 wqat activity_a_sealsM4 wqat activity_a_seals
M4 wqat activity_a_sealsAmanda D. Seals
 
COMPOSITIONS
COMPOSITIONSCOMPOSITIONS
COMPOSITIONSBryan Mejia
 
07-290bsacCitizensCommittee_00
07-290bsacCitizensCommittee_0007-290bsacCitizensCommittee_00
07-290bsacCitizensCommittee_00Jeffrey Teichert
 

More Related Content

What's hot

Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLCPaul Yang
 
CompTIA CAS-002 VCE Outline
CompTIA CAS-002 VCE OutlineCompTIA CAS-002 VCE Outline
CompTIA CAS-002 VCE OutlineExamcollection
 
4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycleEnov8
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsSonatype
 
Threat Simulation and Modeling Training
Threat Simulation and Modeling TrainingThreat Simulation and Modeling Training
Threat Simulation and Modeling TrainingBryan Len
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCSuman Sourav
 
Salesforce Security
Salesforce SecuritySalesforce Security
Salesforce SecuritySFSupport
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Denim Group
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructureZabeel Institute
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Sonatype
 
AV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software reviewAV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software reviewJermund Ottermo
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxSource Conference
 

What's hot (15)

Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC Framework
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
 
CompTIA CAS-002 VCE Outline
CompTIA CAS-002 VCE OutlineCompTIA CAS-002 VCE Outline
CompTIA CAS-002 VCE Outline
 
4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
 
Threat Simulation and Modeling Training
Threat Simulation and Modeling TrainingThreat Simulation and Modeling Training
Threat Simulation and Modeling Training
 
Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Salesforce Security
Salesforce SecuritySalesforce Security
Salesforce Security
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure Importance of Azure infrastructure?-Microsoft Azure security infrastructure
Importance of Azure infrastructure?-Microsoft Azure security infrastructure
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
 
AV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software reviewAV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software review
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
 

Viewers also liked

Prayer in public schools
Prayer in public schoolsPrayer in public schools
Prayer in public schoolsrbooker71
 
Discuss issues of difficulty and accessibility in relation to two or more of ...
Discuss issues of difficulty and accessibility in relation to two or more of ...Discuss issues of difficulty and accessibility in relation to two or more of ...
Discuss issues of difficulty and accessibility in relation to two or more of ...Emily Lees-Fitzgibbon
 
3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)
3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)
3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)Igor Lazarevi?, MSc Economics
 
M4 wqat activity_a_seals
M4 wqat activity_a_sealsM4 wqat activity_a_seals
M4 wqat activity_a_sealsAmanda D. Seals
 
07-290bsacCitizensCommittee_00
07-290bsacCitizensCommittee_0007-290bsacCitizensCommittee_00
07-290bsacCitizensCommittee_00Jeffrey Teichert
 
The mobile library/librarian
The mobile library/librarianThe mobile library/librarian
The mobile library/librarianSuzanne Reymer
 

Viewers also liked (9)

Prayer in public schools
Prayer in public schoolsPrayer in public schools
Prayer in public schools
 
Discuss issues of difficulty and accessibility in relation to two or more of ...
Discuss issues of difficulty and accessibility in relation to two or more of ...Discuss issues of difficulty and accessibility in relation to two or more of ...
Discuss issues of difficulty and accessibility in relation to two or more of ...
 
3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)
3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)
3a... Falsifikovanje lekova (deo 1 - pojam, uticaj, zastupljenost)
 
Гайдн
ГайднГайдн
Гайдн
 
M4 wqat activity_a_seals
M4 wqat activity_a_sealsM4 wqat activity_a_seals
M4 wqat activity_a_seals
 
COMPOSITIONS
COMPOSITIONSCOMPOSITIONS
COMPOSITIONS
 
07-290bsacCitizensCommittee_00
07-290bsacCitizensCommittee_0007-290bsacCitizensCommittee_00
07-290bsacCitizensCommittee_00
 
The mobile library/librarian
The mobile library/librarianThe mobile library/librarian
The mobile library/librarian
 
oyo transcript
oyo transcriptoyo transcript
oyo transcript
 

Similar to Engineering Secure SAS Products

Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Perforce
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020Brian Levine
 
How DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptxHow DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptxDev Software
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsSuman Sourav
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideAryan G
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool ImplementationCheckmarx
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile DevelopmentCheckmarx
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Why Implement DevSecOps with AWS? | The Enterprise World
Why Implement DevSecOps with AWS? | The Enterprise WorldWhy Implement DevSecOps with AWS? | The Enterprise World
Why Implement DevSecOps with AWS? | The Enterprise WorldTEWMAGAZINE
 
Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
Building an Enterprise-scale DevSecOps Infrastructure: Lessons LearnedBuilding an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
Building an Enterprise-scale DevSecOps Infrastructure: Lessons LearnedPrateek Mishra
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 
Streamlining Your Security with These Essential DevSecOps Tools
Streamlining Your Security with These Essential DevSecOps ToolsStreamlining Your Security with These Essential DevSecOps Tools
Streamlining Your Security with These Essential DevSecOps ToolsDev Software
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideLudovic Petit
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOpsOpsta
 
1412676jhhhhhhhhhhhhhhhhhhhbnvvnvnvvv2.ppt
1412676jhhhhhhhhhhhhhhhhhhhbnvvnvnvvv2.ppt1412676jhhhhhhhhhhhhhhhhhhhbnvvnvnvvv2.ppt
1412676jhhhhhhhhhhhhhhhhhhhbnvvnvnvvv2.pptMeseAK
 
DevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and DeliveryDevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and DeliveryDev Software
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.pptgealehegn
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDev Software
 

Similar to Engineering Secure SAS Products (20)

Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
How DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptxHow DevSecOps Can Help You Deliver Software Faster and Safer.pptx
How DevSecOps Can Help You Deliver Software Faster and Safer.pptx
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
OWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference GuideOWASP Secure Coding Quick Reference Guide
OWASP Secure Coding Quick Reference Guide
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
10 Steps To Secure Agile Development
10 Steps To Secure Agile Development10 Steps To Secure Agile Development
10 Steps To Secure Agile Development
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Why Implement DevSecOps with AWS? | The Enterprise World
Why Implement DevSecOps with AWS? | The Enterprise WorldWhy Implement DevSecOps with AWS? | The Enterprise World
Why Implement DevSecOps with AWS? | The Enterprise World
 
Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
Building an Enterprise-scale DevSecOps Infrastructure: Lessons LearnedBuilding an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
Building an Enterprise-scale DevSecOps Infrastructure: Lessons Learned
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Streamlining Your Security with These Essential DevSecOps Tools
Streamlining Your Security with These Essential DevSecOps ToolsStreamlining Your Security with These Essential DevSecOps Tools
Streamlining Your Security with These Essential DevSecOps Tools
 
OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
1412676jhhhhhhhhhhhhhhhhhhhbnvvnvnvvv2.ppt
1412676jhhhhhhhhhhhhhhhhhhhbnvvnvnvvv2.ppt1412676jhhhhhhhhhhhhhhhhhhhbnvvnvnvvv2.ppt
1412676jhhhhhhhhhhhhhhhhhhhbnvvnvnvvv2.ppt
 
DevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and DeliveryDevOps Security: How to Secure Your Software Development and Delivery
DevOps Security: How to Secure Your Software Development and Delivery
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLCDevSecOps: Integrating Security Into Your SDLC
DevSecOps: Integrating Security Into Your SDLC
 

More from CMR WORLD TECH

Cyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project PresentationCyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project PresentationCMR WORLD TECH
 
Cpq basics bycesaribeiro
Cpq basics bycesaribeiroCpq basics bycesaribeiro
Cpq basics bycesaribeiroCMR WORLD TECH
 
Questoes processautomation
Questoes processautomationQuestoes processautomation
Questoes processautomationCMR WORLD TECH
 
Aws migration-whitepaper-en
Aws migration-whitepaper-enAws migration-whitepaper-en
Aws migration-whitepaper-enCMR WORLD TECH
 
Delivery readness for pick season and higth volume
Delivery readness for pick season and higth volumeDelivery readness for pick season and higth volume
Delivery readness for pick season and higth volumeCMR WORLD TECH
 
Why digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagementWhy digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagementCMR WORLD TECH
 
Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure CMR WORLD TECH
 
Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance CMR WORLD TECH
 
Hyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensusHyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensusCMR WORLD TECH
 
Apexand visualforcearchitecture
Apexand visualforcearchitectureApexand visualforcearchitecture
Apexand visualforcearchitectureCMR WORLD TECH
 
Trailblazers guide-to-apps
Trailblazers guide-to-appsTrailblazers guide-to-apps
Trailblazers guide-to-appsCMR WORLD TECH
 
Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1CMR WORLD TECH
 
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_CMR WORLD TECH
 
Salesforce voice-and-tone
Salesforce voice-and-toneSalesforce voice-and-tone
Salesforce voice-and-toneCMR WORLD TECH
 

More from CMR WORLD TECH (20)

Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project PresentationCyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project Presentation
 
CPQ Básico
CPQ BásicoCPQ Básico
CPQ Básico
 
Cpq basics bycesaribeiro
Cpq basics bycesaribeiroCpq basics bycesaribeiro
Cpq basics bycesaribeiro
 
Apexbasic
ApexbasicApexbasic
Apexbasic
 
Questoes processautomation
Questoes processautomationQuestoes processautomation
Questoes processautomation
 
Process automationppt
Process automationpptProcess automationppt
Process automationppt
 
Transcript mva.cesar
Transcript mva.cesarTranscript mva.cesar
Transcript mva.cesar
 
Aws migration-whitepaper-en
Aws migration-whitepaper-enAws migration-whitepaper-en
Aws migration-whitepaper-en
 
Delivery readness for pick season and higth volume
Delivery readness for pick season and higth volumeDelivery readness for pick season and higth volume
Delivery readness for pick season and higth volume
 
Why digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagementWhy digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagement
 
Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure
 
Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance
 
Hyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensusHyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensus
 
Master lob-e-book
Master lob-e-bookMaster lob-e-book
Master lob-e-book
 
Apexand visualforcearchitecture
Apexand visualforcearchitectureApexand visualforcearchitecture
Apexand visualforcearchitecture
 
Trailblazers guide-to-apps
Trailblazers guide-to-appsTrailblazers guide-to-apps
Trailblazers guide-to-apps
 
Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1
 
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
 
Salesforce voice-and-tone
Salesforce voice-and-toneSalesforce voice-and-tone
Salesforce voice-and-tone
 

Recently uploaded

PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...Sérgio Sacani
 
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡anilsa9823
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Sérgio Sacani
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxkessiyaTpeter
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Lokesh Kothari
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksSérgio Sacani
 
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisRaman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisDiwakar Mishra
 
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...Sérgio Sacani
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfnehabiju2046
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxanandsmhk
 
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |aasikanpl
 
Analytical Profile of Coleus Forskohlii | Forskolin .pdf
Analytical Profile of Coleus Forskohlii | Forskolin .pdfAnalytical Profile of Coleus Forskohlii | Forskolin .pdf
Analytical Profile of Coleus Forskohlii | Forskolin .pdfSwapnil Therkar
 
Isotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on IoIsotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on IoSérgio Sacani
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeGrafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeSatoshi NAKAHIRA
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRDelhi Call girls
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
G9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.pptG9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.pptMAESTRELLAMesa2
 
Boyles law module in the grade 10 science
Boyles law module in the grade 10 scienceBoyles law module in the grade 10 science
Boyles law module in the grade 10 sciencefloriejanemacaya1
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...jana861314
 
GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxAleenaTreesaSaji
 

Recently uploaded (20)

PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
 
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
 
Formation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disksFormation of low mass protostars and their circumstellar disks
Formation of low mass protostars and their circumstellar disks
 
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral AnalysisRaman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
Raman spectroscopy.pptx M Pharm, M Sc, Advanced Spectral Analysis
 
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
All-domain Anomaly Resolution Office U.S. Department of Defense (U) Case: “Eg...
 
A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdf
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
 
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
 
Analytical Profile of Coleus Forskohlii | Forskolin .pdf
Analytical Profile of Coleus Forskohlii | Forskolin .pdfAnalytical Profile of Coleus Forskohlii | Forskolin .pdf
Analytical Profile of Coleus Forskohlii | Forskolin .pdf
 
Isotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on IoIsotopic evidence of long-lived volcanism on Io
Isotopic evidence of long-lived volcanism on Io
 
Grafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real timeGrafana in space: Monitoring Japan's SLIM moon lander in real time
Grafana in space: Monitoring Japan's SLIM moon lander in real time
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
G9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.pptG9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.ppt
 
Boyles law module in the grade 10 science
Boyles law module in the grade 10 scienceBoyles law module in the grade 10 science
Boyles law module in the grade 10 science
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
 
GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptx
 

Engineering Secure SAS Products

  • 1. SAS® Software Security Framework: Engineering Secure Products   WhitePaper
  • 2. Contents The SAS® Software Security Framework ......................1 Education .................................................................................2 Secure Architecture and Design.........................................2 Secure Development Standards ........................................2 Security Testing and Validation............................................3 SAS Product Security Response and Remediation..........3 The SAS® Commitment to Security ..............................4
  • 3. 1 Across an increasingly interconnected marketplace, the impact of software security breaches on organizations and consumers is driving more investment in security. Technology analysts report software security as a top initiative that will get increasing attention and investment. At SAS, ensuring the quality and security of our products is more than a goal. It’s a requirement that drives the way that we develop and test technology. To create the most stable and secure products possible, we develop, test and deliver tech- nology using proven methodologies for secure software development. We know that keeping data and software secure is a fundamental expectation for our customers. Organizations are establishing dialogues and building partner- ships with their vendors to focus on security requirements. They want to know how the software they purchase can meet those demands. SAS welcomes that partnership with its customers, especially since feedback from the field is critical to delivering high-quality and secure software that exceeds customer expec- tations and industry requirements. This document provides an overview of the SAS Software Security Framework. It explains the structures, processes and procedures that SAS has in place to deliver secure software for our global customer base. The SAS® Software Security Framework The SAS Software Security Framework defines the SAS software development process and provides principles for the develop- ment, delivery and support processes used to build and support SAS software. The framework includes a process for continuous learning and awareness of global security activities and standards – and incorporating them into SAS development practices. The components of the framework include: • Education – At its core, the SAS Software Security Framework is based on building a team trained to meet today’s security challenges. SAS software engineers receive education on current and emerging industry security threats, and they leverage that information to design, develop and support products that are built with security requirements in mind. • Secure architecture and design – SAS implements a security architecture that provides strong authentication, authoriza- tion, availability, data integrity and confidentiality. • Secure development standards – SAS developers work with standards and guidelines that provide the foundation for building secure software. These coding guidelines and examples help SAS developers and the services staff create and implement secure software. • Security testing and validation – The SAS Software Security Framework includes testing and validation processes that provide checks for security throughout the development process. SAS runs industry-standard security scanning software during the development cycle. These scans are designed to detect security vulnerabilities, and SAS follows up to evaluate and address identified issues before completing product development. • Product security response and remediation – SAS recognizes that some security issues or questions occur after products are released. The SAS Software Security Framework includes a method to provide clear updates about these issues. After identifying a vulnerability, SAS will deliver workarounds and fixes as appropriate – and announce those fixes publicly through the appropriate customer communications channels.
  • 4. 2 SECURITYASSURA NCE SECURITY PRODUCT SECURITY RESPONSE AND REMEDIATION SECURE ARCHITECTURE & DESIGN SECURE DEVELOPMENT STANDARDS SECURITY TESTING AND VALIDATION Figure 1: The SAS Software Security Framework uses broad- based education to train the development staff on security issues – and how to apply best practices throughout the SAS software development life cycle. Education Education is the foundation for our efforts to identify and resolve security issues. The SAS Software Security Framework helps everyone responsible for creating, testing and imple- menting SAS technology to share knowledge of the scope and importance of security topics. The education element of the framework takes a number of forms, including: • Development, test and support organizations receive training classes, refresher training, and peer mentoring for security topics. • SAS security teams provide guidelines and coding examples associated with development standards. • SAS internal IT teams collaborate with SAS development to provide insight into the security challenges faced by IT, and to guide choices based on proven practices and internal consistency. • SAS development and test engineers strive to implement and validate a consistent set of protections and features across SAS products. The education program allows these teams to recognize and avoid potential vulnerabilities during the software development life cycle. Additionally, the tech- nical support staff receives training on how to identify and handle security issues after software release so that issues are resolved quickly and communicated to customers. SecureArchitectureandDesign Delivering secure software begins with a product design based on standards and processes. SAS developers work with the architecture team to conduct design reviews. Checkpoints throughout the development process help SAS engineers prior- itize secure design concepts in product development tasks. Overseeing the architecture and design efforts is an internal, specialized security architecture team that consults with devel- opers during design and development phases. This design phase provides a framework for planning new features that are built on strong security architecture options. The architectural design guides developers to maintain security for processes like authentication, authorization, availability, integrity and confiden- tiality. Security features implemented by many SAS products may include role-based access control, single sign-on integra- tion, audit logging, and encryption of data in transit and at rest. SecureDevelopmentStandards The SASTechnology Office monitors current and evolving security trends and standards as input to the SAS Software Security Framework. From this, the team creates specific coding guide- linesandbestpracticeexamplestoguideSASsoftwaredevelopment. SAS development standards employ industry standards. The standards used by SAS development include the Open Web Application Security Project (OWASP) list of the top 10 critical web security flaws and the CWE/SANS Top 25. These lists provide awareness of common security vulnerabilities in software as well as the methods to avoid them during develop- ment and testing. At SAS, security extends beyond the code being developed. SAS developers work in a secure environment. In addition to infrastructure security maintained by the SAS IT organization, SAS source code is accessible only to those who have a legiti- mate need for access. Once access is granted, password policies are strictly enforced. For more information about campus and code security, see the Quality Imperative, which provides a guide to SAS’ commitment to product quality and customer satisfaction.
  • 5. 3 SecurityTestingandValidation SAS performs a variety of security tests, including authentication testing, authorization (access) testing and web application vulnerability testing. SAS performs vulnerability testing before delivering feature releases and maintenance releases. This testing reinforces development standards to support secure software throughout the process. In addition to scanning web applications and the web applica- tion server environment (using guidance from leading security organizations), SAS employs a suite of tests specific to SAS tech- nology. Depending on the type of software being tested, the tests can include: • Testing with users who have different security levels to make sure that each has the appropriate access levels. • Confirming data access permissions, based on row-level permissions, to confirm that data authorization is applied appropriately for each user. • Validating password and encryption security for SAS and for SAS Scalable Performance Data Server data sets. • Testing SAS/ACCESS® engines for connectivity security (such as user ID and password) during connection testing. • Testing appropriate user authorization and error handling. • Testing web applications via static-source scanning and external security assessments, along with assessments using guidance from OWASP and SANS Institute. Test teams use third-party dynamic vulnerability scanning tools to focus on classes of vulnerabilities that have been the root cause of known security issues in web-based software. These tools and test cases help developers focus on eliminating security vulnerabilities such as the OWASP Top 10 and the CWE/SANS Top 25. Issues found during a scan are entered into a defect tracking system and evaluated for appropriate response and remediation. As part of the SAS Software Security Framework, our testing processes, strategies and tools are kept up to date with current security requirements. The testing and validation process for SAS products combines both internally-developed and third- party scanning and vulnerability tools. In addition, SAS continu- ally expands the test suites for our software. SAS recognizes that organizations use a variety of testing tools to scan for vulnerabilities. When customer-driven assessments raise potential security issues, customers should contact SAS Technical Support for response and feedback. Results of vulnerability tests and scans conducted by SAS are company confidential. By policy, SAS does not share the tests or the individual results. The SAS security bulletins page provides updates about security issues, and security fixes for released products are highlighted through the standard technical support process for hot fixes. Customers can sign up for the support newsletter to receive regular updates about hot fixes and other important news from SAS. Visit the technical support hot fixes site for more information. SAS performs a variety of security tests, including authentication testing, authorization (access) testing and web application vulnerability testing.
  • 6. 4 SASProductSecurityResponse andRemediation SAS recognizes that some security issues emerge after products are released. As a result, the SAS Software Security Framework includes processes to assess vulnerabilities and provide clear and timely updates about their status. Customers with questions about security, including potential security vulnerabilities, should use the SAS Technical Support process to start a dialogue and get more information. Once a security question surfaces, a multidivisional team helps respond to questions and assess potential vulnerabilities. Like most technology vendors, SAS has a Product Security Incident Response Team (PSIRT) process that investigates security vulner- ability incidents and mobilizes resources to address identified incidents. Incidents are prioritized based on the potential severity of the vulnerability. SAS leverages the Common Vulnerability Scoring System (CVSS) during the vulnerability assessment. After the initial investigation, SAS provides updates to our customers through SAS Technical Support. Depending on the severity of the security situation, SAS may communicate responses via one or more channels, such as software release notes, bulletins, support forum updates or direct customer outreach emails. Some resolutions may require configuration changes or deployment of software fixes. Ultimately, the resolu- tion of a reported incident may require customers to upgrade to a more current version of SAS software. Throughout the assessment and remediation processes for reported vulnerabilities, SAS is committed to clear and consis- tent communication with affected customers. The SAS Technical Support team provides one-on-one support around the world, including support for security incidents. In addition, SAS publishes updates and summaries of known problems on the SAS security bulletins page. The SAS® Commitment to Security Maintaining software security requires diligence and commitment. The SAS Software Security Framework applies industry-standard best practices for secure development life cycles to all organiza- tions that perform SAS product engineering and maintenance processes. This helps SAS deliver and maintain products designed to meet the business needs and security require- ments of our customers.
  • 7. To contact your local SAS office, please visit: sas.com/offices SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright © 2015, SAS Institute Inc. All rights reserved. 107607_S134871.0315