Software Security Assurance - Bruce Jenkins
IT-oLogy
Software Security Assurance - Managing risk in the face of digital transformation.
Software Security Assurance - Bruce Jenkins
1.
Software Security Assurance
Managing risk in the face of digital transformation
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
2.
IT-oLogy Trends 2015 – Columbia, SC
About me
Bruce C Jenkins, CISM, CISSP, CSSLP
Fortify Security Lead, AppSec Program Strategist, Hewlett-Packard Company
Current: Fortify product and information security; HP-internal application security program strategy; customer-facing appsec workshops and strategy
Former: Fortify Pro Services, 2007-2011; US Air Force, 1979-2007
3.
About my motivation for developing secure systems…
• 2005: US Air Force personnel system breached; 33K records exfiltrated
• 2006: VA employee’s personal external drive stolen; 26M VA records at risk
• 2007-2011: ???
• 2012: Thrift Savings Plan contractor’s system attacked; 123K SSNs stolen
• 2013: Target POS system compromised; up to 70M customers impacted
• 2014: University of Maryland, 309K records; Home Depot, e-mail addresses and credit cards
• 2015: Several… + Office of Personnel Management, 18M records
4.
Let’s talk about risk management…
5.
What is “Security”?
6.
What is “Security”?
Definitions from The American Heritage® Dictionary of the English Language, 4th Edition:
n. Freedom from risk or danger; safety.
n. Freedom from doubt, anxiety, or fear; confidence.
n. Something that gives or assures safety.
7.
Security Issue?
8.
Security Issue?
“Security is never black and white, and context matters more than technology.” – Bruce Schneier, Secrets & Lies: Digital Security in a Networked World
9.
So… Security Issue?
10.
So… Security Issue? Maybe.
As you go about the business of developing and enhancing systems in support of today’s digital transformation, it’s important to keep findings in perspective. Pay attention to the weeds—you may need to eliminate them—but don’t get lost in them.
11.
Agenda
Why Software Security is Hard
Creating a Foundation
Building Security In
Lessons Learned
12.
Why Software Security is Hard
13.
Current solutions protect the perimeter. Yet 84% of breaches occur in the application software.
14.
The number of apps is growing
IN-HOUSE DEVELOPMENT / LEGACY SOFTWARE / OPEN SOURCE / OUTSOURCED / COMMERCIAL / PRODUCTION
Increasing platforms and complexity… many delivery models
15.
Developers are NOT trained to be security experts
“I just want to be a coder; I’m really not interested in security.” – Security Consultant Candidate
16.
Attacks have a proven life cycle
Research: research potential targets
Infiltration: phishing attack and malware
Discovery: mapping breached environment
Capture: obtain data
Exfiltration: exfiltrate/destroy stolen data
Monetization: data sold on black market
17.
Attack life cycle risk mitigation
Attack stages: Research (research potential targets); Infiltration (phishing attack and malware); Discovery (mapping breached environment); Capture (obtain data); Exfiltration (exfiltrate/destroy stolen data); Monetization (data sold on black market)
Mitigations:
• Threat intelligence: security research
• Block adversary: network, software
• Detect adversary: SIEM, UBA
• Protect data: at rest, in motion
• Mitigate damage: breach response
18.
Median time to detect breach: 205 days
(Timeline figure spanning January 2013 through April 2014.)
Source: Mandiant M-Trends 2015 Threat Report
19.
Conflicting views over the priority of security
Source: Osterman Research White Paper, Jan 2015
20.
Top challenges in achieving software security goals*
Source: Gatepoint Research Pulse Report, Oct 2014; n = 300 executives
*Read as: software security assurance (SSA) program goals
21.
“It is necessary that people work together in unison toward common objectives and avoid working at cross purposes at all levels if the ultimate in efficiency and achievement is to be obtained.”
– Dave Packard, Co-founder, Hewlett-Packard
22.
Creating a Foundation
23.
Creating a Foundation: obtain stakeholder alignment with a common vision
• Establish security-related goals that are directly tied to the firm’s mission
(Diagram: Mission, Goals, Objectives, Strategy, metrics (m), KPI; Policy, Standards, Training)
24.
Creating a Foundation. Example: Hewlett-Packard Co
Corporate objectives: Profit, Customer Loyalty, Growth, Market Leadership, Commitment to Employees, Leadership Capability, Global Citizenship
(Diagram: goals cascade from Hewlett-Packard (Goal 1 … Goal n) to HP Software (Goal 1 … Goal n) and Enterprise Security (Goal 1 … Goal n), and on to Fortify and the Security Group (Security Goal 1 … Security Goal n).)
See HP’s Corporate Objectives at http://www8.hp.com/us/en/hp-information/about-hp/corporate-objectives.html
28.
Creating a Foundation. Example: Private Sector Financial
Corp Mission Statement: Goal 1, Goal 2, Goal 3 … Goal n (highlighted goal: Protect our customers’ data)
29.
Creating a Foundation. Example: Private Sector Financial
Corp Mission Statement: Goal 1, Goal 2, Goal 3 … Goal n (highlighted goal: Protect our customers’ data)
Corp Security Group: Security Goal 1, Security Goal 2, Security Goal 3 … Security Goal n
30.
Creating a Foundation. Example: Private Sector Financial
Corp Mission Statement: Goal 1, Goal 2, Goal 3 … Goal n (highlighted goal: Protect our customers’ data)
Corp Security Group: Security Goal 1, Security Goal 2, Security Goal 3 … Security Goal n (highlighted security goal: Proactively identify and mitigate risk in all Mission Critical applications)
31. Building Security In
32. Building Security In: Consider using a software security framework (SSF) as a guide
• Establish security-related goals that are directly tied to the firm’s mission
• Develop a security strategy that is designed to support achievement of the security goal(s)
Figure: Mission → Goals → Objectives → Strategy → metrics (m, m, m) → KPI; supported by Policy, Standards, Training.
33. “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”
Donald Rumsfeld, former US Secretary of Defence
34. Building Security In: Design → Construct → Test → Deploy
Security Gate: establish a security gate to understand security posture of portfolio.
Governance: Strategy and Metrics; Policy and Compliance; Education and Guidance
Construction: Security Requirements; Threat Assessment; Security Architecture
Verification: Design Review; Implementation Review; Security Testing
Operations: Environment Hardening; Issue Management; Operational Enablement
35. Building Security In: With assessment results available, the unknown is known
• Establish security-related goals that are directly tied to the firm’s mission
• Develop a security strategy that is designed to support achievement of the security goal(s)
• Based upon business priorities and portfolio risk*, design time-constrained, measurable objectives
• Only choose metrics and construct KPIs that show progress toward meeting the objectives; nothing else
* portfolio is known, classified and risk-ranked
Figure: Mission → Goals → Objectives → Strategy → metrics (m, m, m) → KPI; supported by Policy, Standards, Training.
36. Building Security In: Measure thoughtfully
• Establish security-related goals that are directly tied to the firm’s mission
• Develop a security strategy that is designed to support achievement of the security goal(s)
• Based upon business priorities and portfolio risk*, design time-constrained, measurable objectives
• Only choose metrics and construct KPIs that show progress toward meeting the objectives; nothing else
* portfolio is known, classified and risk-ranked
Figure: Mission → Goals → Objectives → Strategy → metrics (m, m, m) → KPI; supported by Policy, Standards, Training.
37. Building Security In: Lessons Learned: Awareness, Education and Training
• Complex problems with complex solutions
• All organizational levels must be made aware of the risks associated with software vulnerabilities
• No education / training == unmet expectations
38. Building Security In: Lessons Learned: Clear Communication Regarding Security
• Before assessment, establish policies and set expectations
• Ensure that policies and expectations are communicated to all stakeholders
• Consistently enforce policies and measure expectation achievement
39. Building Security In: Lessons Learned: Software Security is a Unique Skill Set
• Network Security / Information Assurance people are not software security people
• Development background is a necessity
• Even with a development background, extensive training and experience is needed
40. Building Security In: Lessons Learned: Software Security is a Unique Skill Set (continued)
• Network Security / Information Assurance people are not software security people
• Development background is a necessity
• Even with a development background, extensive training and experience is needed
• Developers should NOT be expected to be security experts
41. Summary: Managing risk in the face of digital transformation
• Work to gain and maintain executive-level support
• Develop security goals, strategy & objectives
• Train staff to comply with policy
• Use technology appropriately
• Measure, report, adjust
42. Thank you
hp.com/go/fortifyssa
Bruce C Jenkins, bcj@hpe.com