SlideShare a Scribd company logo

Agile Secure Software Development in a Large Software Development Organisation: Security Testing

Achim D. Brucker
Achim D. Brucker

Security testing is an important part of any (agile) secure software development lifecyle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers." Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP's security development lifecycle which supports the specific needs of the various software development models at SAP. In this presentation, we will briefly presents SAP's approach to an agile secure software development process in general and, in particular, present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools.

Technology
1 of 39
Download to read offline
Agile Secure Software Development in a Large Software Development Organisation Security Testing Achim D. Brucker achim.brucker@sap.com http://www.brucker.ch/ SAP SE, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany ASSD Keynote First International Workshop on Agile Secure Software Development (ASSD) Toulouse, France, August 24–28, 2015
Agile Secure Software Development in a Large Software Development Organisation Security Testing Abstract Security testing is an important part of any (agile) secure software development lifecyle. Still, security testing is often understood as an activity done by security testers in the time between “end of development” and “offering the product to customers.” Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP’s security development lifecycle which supports the specific needs of the various software development models at SAP. In this presentation, we will briefly presents SAP’s approach to an agile secure software development process in general and, in particular, present SAP’s Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. © 2015 SAP SE. All Rights Reserved. Page 2 of 28
Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 3 of 28
SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms, e.g., • In-memory database and application server (HANA) • Netweaver for ABAP and Java • More than 25 industries • 63% of the world’s transaction revenue touches an SAP system • over 68 000 employees worldwide over 25 000 software developers • Headquarters: Walldorf, Germany (close to Heidelberg) © 2015 SAP SE. All Rights Reserved. Page 4 of 28
Personal Background • I wear two hats: • (Global) Security Testing Strategist • Research Expert/Architect Working for the central software security team • Background: Security, Formal Methods, Software Engineering • Current work areas: • Static code analysis • (Dynamic) Security Testing • Mobile Security • Security Development Lifecycle • Secure Software Development Lifecycle http://www.brucker.ch/ © 2015 SAP SE. All Rights Reserved. Page 5 of 28
SAP Uses a De-centralised Secure Development Approach • Central security expert team (S2 DL owner) • Organizes security trainings • Defines product standard “Security” • Defines risk and threat assessment methods • Defines security testing strategy • Selects and provides security testing tools • Validates products • Defines and executes response process • Local security experts • Embedded into development teams • Organize local security activities • Support developers and architects • Support product owners (responsibles) • Development teams • Select technologies • Select development model • Design and execute security testing plan • . . . © 2015 SAP SE. All Rights Reserved. Page 6 of 28
Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 7 of 28
Vulnerability Distribution 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 0 500 1000 1500 2000 2500 3000 Code Execution DoS Overflow Memory Corruption Sql Injection XSS Directory Traversal Bypass something Gain Privileges CSRF © 2015 SAP SE. All Rights Reserved. Page 8 of 28
When Do We Fix Bugs © 2015 SAP SE. All Rights Reserved. Page 9 of 28
Microsoft’s SDL © 2015 SAP SE. All Rights Reserved. Page 10 of 28
Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 11 of 28
Our Start: SAST as a Baseline ABAP Java C JavaScript Others SAST tools used at SAP: Language Tool Vendor ABAP CVA (SLIN_SEC) SAP JavaScript Checkmarx CxSAST Checkmarx C/C++ Coverity Coverity Others Fortify HP • Since 2010, mandatory for all SAP products • Multiple billions lines analyzed • Constant improvement of tool configuration • Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. © 2015 SAP SE. All Rights Reserved. Page 12 of 28
Combining Multiple Security Testing Methods and Tools Client Application Web Browser Server Application Runtime Container Backend Systems • Risks of only using only SAST • Wasting effort that could be used more wisely elsewhere • Shipping insecure software • Examples of SAST limitations • Not all programming languages supported • Covers not all layers of the software stack © 2015 SAP SE. All Rights Reserved. Page 13 of 28
Combining Multiple Security Testing Methods and Tools Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx (JavaScript) Fortify (Java) Coverity (C/C++) • Risks of only using only SAST • Wasting effort that could be used more wisely elsewhere • Shipping insecure software • Examples of SAST limitations • Not all programming languages supported • Covers not all layers of the software stack © 2015 SAP SE. All Rights Reserved. Page 13 of 28
Combining Multiple Security Testing Methods and Tools Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx (JavaScript) Fortify (Java) DOMinator Coverity (C/C++) HPWebInspect/IBMAppScan • Risks of only using only SAST • Wasting effort that could be used more wisely elsewhere • Shipping insecure software • Examples of SAST limitations • Not all programming languages supported • Covers not all layers of the software stack © 2015 SAP SE. All Rights Reserved. Page 13 of 28
Combining Multiple Security Testing Methods and Tools Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx Fortify (Java) DOMinator HPWebInspect/IBMAppScan • Risks of only using only SAST • Wasting effort that could be used more wisely elsewhere • Shipping insecure software • Examples of SAST limitations • Not all programming languages supported • Covers not all layers of the software stack © 2015 SAP SE. All Rights Reserved. Page 13 of 28
A Risk-based Test Plan Select from a list of predefined application types Implementation detao;s ,e.g., programming languages, frameworks Priority of SAP Security Requirements Security Test Plan RISK ASSESMENT (e.g., SECURIM, Threat Modelling, OWASP ASVS) • Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing • Selects the most efficient test tools and test cases based on the risks and the technologies used in the project • Re-adjusts priorities of test cases based on identified risks for the project • Monitors false negative findings in the results of risk assessment © 2015 SAP SE. All Rights Reserved. Page 14 of 28
SAP’ Secure Software Development Lifecycle (S2 DL) Figure: SAP SSDL © 2015 SAP SE. All Rights Reserved. Page 15 of 28
Security Validation • Acts as first customer • Is not a replacement for security testing during development • Security Validation • Check for “flaws” in the implementation of the S2 DL • Ideally, security validation finds: • No issues that can be fixed/detected earlier • Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) © 2015 SAP SE. All Rights Reserved. Page 16 of 28
Security Validation • Acts as first customer • Is not a replacement for security testing during development • Security Validation • Check for “flaws” in the implementation of the S2 DL • Ideally, security validation finds: • No issues that can be fixed/detected earlier • Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) Penetration tests in productive environments are different: • They test the actual configuration • They test the productive environment (e.g., cloud/hosting) © 2015 SAP SE. All Rights Reserved. Page 16 of 28
How to Measure Success • Analyze the vulnerabilities reported by • Security Validation • External security researchers • Vulnerability not detected by our security testing tools • Improve tool configuration • Introduce new tools • Vulnerability detected by our security testing tools • Vulnerability in older software release • Analyze reason for missing vulnerability © 2015 SAP SE. All Rights Reserved. Page 17 of 28
How to Measure Success • Analyze the vulnerabilities reported by • Security Validation • External security researchers • Vulnerability not detected by our security testing tools • Improve tool configuration • Introduce new tools • Vulnerability detected by our security testing tools • Vulnerability in older software release • Analyze reason for missing vulnerability Covered Not Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases © 2015 SAP SE. All Rights Reserved. Page 17 of 28
How to Measure Success • Analyze the vulnerabilities reported by • Security Validation • External security researchers • Vulnerability not detected by our security testing tools • Improve tool configuration • Introduce new tools • Vulnerability detected by our security testing tools • Vulnerability in older software release • Analyze reason for missing vulnerability Covered Not Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases © 2015 SAP SE. All Rights Reserved. Page 17 of 28
How to Measure Success • Analyze the vulnerabilities reported by • Security Validation • External security researchers • Vulnerability not detected by our security testing tools • Improve tool configuration • Introduce new tools • Vulnerability detected by our security testing tools • Vulnerability in older software release • Analyze reason for missing vulnerability Covered Not Covered Newly Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases © 2015 SAP SE. All Rights Reserved. Page 17 of 28
Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 18 of 28
Key Success Factors • A holistic security awareness program for • Developers • Managers © 2015 SAP SE. All Rights Reserved. Page 19 of 28
Key Success Factors • A holistic security awareness program for • Developers • Managers • Yes, security awareness is important © 2015 SAP SE. All Rights Reserved. Page 19 of 28
Key Success Factors • A holistic security awareness program for • Developers • Managers • Yes, security awareness is important but © 2015 SAP SE. All Rights Reserved. Page 19 of 28
Key Success Factors • A holistic security awareness program for • Developers • Managers • Yes, security awareness is important but Developer awareness is even more important! © 2015 SAP SE. All Rights Reserved. Page 19 of 28
Listen to Your Developers! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness. • Building a secure system more difficult than finding a successful attack. • Do not expect your developers to become penetration testers (or security experts)! © 2015 SAP SE. All Rights Reserved. Page 20 of 28
Security Testing for Developers Security testing tools for developers, need to • Be applicable from the start of development • Automate the security knowledge • Be deeply integrated into the dev. env., e.g., • IDE (instant feedback) • Continuous integration • Provide easy to understand fix recommendations • Declare their “sweet spots” © 2015 SAP SE. All Rights Reserved. Page 21 of 28
Collaborate! Security experts need to collaborate with development experts to • Create easy to use security APIs (ever tried to use an SSL API securely) • Create languages and frameworks that make it hard to implement insecure systems • Explain how to program securely © 2015 SAP SE. All Rights Reserved. Page 22 of 28
Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 23 of 28
Agile Development • What is agile for you? SCRUM, Continuous Delivery, DevOps, SCRUM, Cloud development, . . . • Cloud/agile development lifecycle t Deliveries © 2015 SAP SE. All Rights Reserved. Page 24 of 28
Secure Agile Development Level of TrustLevel of Trust Risk IdentificationRisk Identification Threat ModellingThreat Modelling Security Measures Security Measures Security Testing Security Testing PSC SecurityPSC Security Risk Mitigation & TestingRisk Mitigation & Testing Static TestingStatic Testing Dynamic TestingDynamic Testing Manual TestingManual Testing Security ValidationSecurity Validation Secure ProgrammingSecure Programming Security Response Security Response © 2015 SAP SE. All Rights Reserved. Page 25 of 28
Open (Research) Questions • Social aspects • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks) • Does this impact the willingness to take (security) risks and/or the risk assessment? • Process and organisational aspects • What services should be offered centrally? • How to ensure a certain level of security across all products? • How to ensure a certain level of security across the end-to-end supply chain? • Technical and fundamental aspects • How do we need to adapt development support • How do we need to adapt threat modelling or risk assessment methods • How do we need to adapt security testing techniques • The big challenge in practice: Products are often offered in the cloud (SaaS) and on premise © 2015 SAP SE. All Rights Reserved. Page 26 of 28
Thank you! http://xkcd.com/327/ Dr. Achim D. Brucker achim.brucker@sap.com http://www.brucker.ch/
Related Publications Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014. Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, gi Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. gi, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014. Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012. © 2015 SAP SE. All Rights Reserved. Page 28 of 28
© 2015 SAP SE. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2015 SAP SE. All Rights Reserved. Page 29 of 28

Recommended

Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
Achim D. Brucker
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Sigma Software
 
Coverity Data Sheet
Coverity Data SheetCoverity Data Sheet
Coverity Data Sheet
Jon Lundquist
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
Klocwork
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
Suman Sourav
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 

Recommended

Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
Achim D. Brucker
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"Дмитро Терещенко, "How to secure your application with Secure SDLC"
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Sigma Software
 
Coverity Data Sheet
Coverity Data SheetCoverity Data Sheet
Coverity Data Sheet
Jon Lundquist
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
Klocwork
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
Suman Sourav
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Raphael Denipotti
 
Security Champions - Introduce them in your Organisation
Security Champions - Introduce them in your OrganisationSecurity Champions - Introduce them in your Organisation
Security Champions - Introduce them in your Organisation
Ives Laaf
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Denim Group
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
n|u - The Open Security Community
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
Maurice Dawson
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
Checkmarx
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
Paul Yang
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
Derek E. Weeks
 
Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris. Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris.
OW2
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
Pawel Krawczyk
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
Michele Chubirka
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0
Dinis Cruz
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
Denim Group
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
 
Continous Integration of (JS) projects & check-build philosophy
Continous Integration of (JS) projects & check-build philosophyContinous Integration of (JS) projects & check-build philosophy
Continous Integration of (JS) projects & check-build philosophy
François-Guillaume Ribreau
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 

More Related Content

What's hot

Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
Suman Sourav
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Denim Group
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
Denim Group
 

What's hot (20)

Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
 
Security Champions - Introduce them in your Organisation
Security Champions - Introduce them in your OrganisationSecurity Champions - Introduce them in your Organisation
Security Champions - Introduce them in your Organisation
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
Remediation Statistics: What Does Fixing Application Vulnerabilities Cost?
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Secure Software Development Life Cycle
Secure Software Development Life CycleSecure Software Development Life Cycle
Secure Software Development Life Cycle
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
ABN AMRO DevSecOps Journey
ABN AMRO DevSecOps JourneyABN AMRO DevSecOps Journey
ABN AMRO DevSecOps Journey
 
Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris. Introduction to the CII Badge Programe, OW2con'16, Paris.
Introduction to the CII Badge Programe, OW2con'16, Paris.
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Security champions v1.0
Security champions v1.0Security champions v1.0
Security champions v1.0
 
How-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability RemediationHow-To-Guide for Software Security Vulnerability Remediation
How-To-Guide for Software Security Vulnerability Remediation
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 

Viewers also liked

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testing
seleniumconf
 
New Farming Methods in the Epistemological Wasteland of Application Security
New Farming Methods in the Epistemological Wasteland of Application SecurityNew Farming Methods in the Epistemological Wasteland of Application Security
New Farming Methods in the Epistemological Wasteland of Application Security
James Wickett
 

Viewers also liked (20)

Continous Integration of (JS) projects & check-build philosophy
Continous Integration of (JS) projects & check-build philosophyContinous Integration of (JS) projects & check-build philosophy
Continous Integration of (JS) projects & check-build philosophy
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
 
Pythonista も ls を読むべきか?
Pythonista も ls を読むべきか?Pythonista も ls を読むべきか?
Pythonista も ls を読むべきか?
 
Rugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOpsRugged DevOps: Bridging Security and DevOps
Rugged DevOps: Bridging Security and DevOps
 
DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015DevOps AppSec Pipeline Velcocity NY 2015
DevOps AppSec Pipeline Velcocity NY 2015
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Automated Security Testing
Automated Security TestingAutomated Security Testing
Automated Security Testing
 
Continuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinkiContinuous Security Testing in a Devops World #OWASPHelsinki
Continuous Security Testing in a Devops World #OWASPHelsinki
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
 
Continuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-SecurityContinuous and Visible Security Testing with BDD-Security
Continuous and Visible Security Testing with BDD-Security
 
Building Risk Management into Enterprise Architecture
Building Risk Management into Enterprise ArchitectureBuilding Risk Management into Enterprise Architecture
Building Risk Management into Enterprise Architecture
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous Integration
 
Integración contínua con Jenkins
Integración contínua con JenkinsIntegración contínua con Jenkins
Integración contínua con Jenkins
 
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
New Farming Methods in the Epistemological Wasteland of Application Security
New Farming Methods in the Epistemological Wasteland of Application SecurityNew Farming Methods in the Epistemological Wasteland of Application Security
New Farming Methods in the Epistemological Wasteland of Application Security
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecCon
 

Similar to Agile Secure Software Development in a Large Software Development Organisation: Security Testing

Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
Achim D. Brucker
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
gealehegn
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
Brian Levine
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
DrBasemMohamedElomda
 

Similar to Agile Secure Software Development in a Large Software Development Organisation: Security Testing (20)

Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Industrial Challenges of Secure Software Development
Industrial Challenges of Secure Software DevelopmentIndustrial Challenges of Secure Software Development
Industrial Challenges of Secure Software Development
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
 
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
4_25655_SE731_2020_1__2_1_Lecture 1 - Course Outline and Secure SDLC.ppt
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
The QA/Testing Process
The QA/Testing ProcessThe QA/Testing Process
The QA/Testing Process
 
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle4 approaches to integrate dev secops in development cycle
4 approaches to integrate dev secops in development cycle
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendations
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Create code confidence for better application security
Create code confidence for better application securityCreate code confidence for better application security
Create code confidence for better application security
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
 
Lecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.pptLecture Course Outline and Secure SDLC.ppt
Lecture Course Outline and Secure SDLC.ppt
 

More from Achim D. Brucker

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
Achim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
Achim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
Achim D. Brucker
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
Achim D. Brucker
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
Achim D. Brucker
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
Achim D. Brucker
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
Achim D. Brucker
 

More from Achim D. Brucker (18)

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software Vendor
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...
 

Recently uploaded

JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
ScyllaDB
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
CzechDreamin
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 

Recently uploaded (20)

IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 

Agile Secure Software Development in a Large Software Development Organisation: Security Testing

  • 1. Agile Secure Software Development in a Large Software Development Organisation Security Testing Achim D. Brucker achim.brucker@sap.com http://www.brucker.ch/ SAP SE, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany ASSD Keynote First International Workshop on Agile Secure Software Development (ASSD) Toulouse, France, August 24–28, 2015
  • 2. Agile Secure Software Development in a Large Software Development Organisation Security Testing Abstract Security testing is an important part of any (agile) secure software development lifecyle. Still, security testing is often understood as an activity done by security testers in the time between “end of development” and “offering the product to customers.” Learning from traditional testing that the fixing of bugs is the more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy, as part of SAP’s security development lifecycle which supports the specific needs of the various software development models at SAP. In this presentation, we will briefly presents SAP’s approach to an agile secure software development process in general and, in particular, present SAP’s Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. © 2015 SAP SE. All Rights Reserved. Page 2 of 28
  • 3. Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 3 of 28
  • 4. SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms, e.g., • In-memory database and application server (HANA) • Netweaver for ABAP and Java • More than 25 industries • 63% of the world’s transaction revenue touches an SAP system • over 68 000 employees worldwide over 25 000 software developers • Headquarters: Walldorf, Germany (close to Heidelberg) © 2015 SAP SE. All Rights Reserved. Page 4 of 28
  • 5. Personal Background • I wear two hats: • (Global) Security Testing Strategist • Research Expert/Architect Working for the central software security team • Background: Security, Formal Methods, Software Engineering • Current work areas: • Static code analysis • (Dynamic) Security Testing • Mobile Security • Security Development Lifecycle • Secure Software Development Lifecycle http://www.brucker.ch/ © 2015 SAP SE. All Rights Reserved. Page 5 of 28
  • 6. SAP Uses a De-centralised Secure Development Approach • Central security expert team (S2 DL owner) • Organizes security trainings • Defines product standard “Security” • Defines risk and threat assessment methods • Defines security testing strategy • Selects and provides security testing tools • Validates products • Defines and executes response process • Local security experts • Embedded into development teams • Organize local security activities • Support developers and architects • Support product owners (responsibles) • Development teams • Select technologies • Select development model • Design and execute security testing plan • . . . © 2015 SAP SE. All Rights Reserved. Page 6 of 28
  • 7. Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 7 of 28
  • 8. Vulnerability Distribution 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 0 500 1000 1500 2000 2500 3000 Code Execution DoS Overflow Memory Corruption Sql Injection XSS Directory Traversal Bypass something Gain Privileges CSRF © 2015 SAP SE. All Rights Reserved. Page 8 of 28
  • 9. When Do We Fix Bugs © 2015 SAP SE. All Rights Reserved. Page 9 of 28
  • 10. Microsoft’s SDL © 2015 SAP SE. All Rights Reserved. Page 10 of 28
  • 11. Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 11 of 28
  • 12. Our Start: SAST as a Baseline ABAP Java C JavaScript Others SAST tools used at SAP: Language Tool Vendor ABAP CVA (SLIN_SEC) SAP JavaScript Checkmarx CxSAST Checkmarx C/C++ Coverity Coverity Others Fortify HP • Since 2010, mandatory for all SAP products • Multiple billions lines analyzed • Constant improvement of tool configuration • Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014. Lecture Notes in Informatics, 228, pages 91-101, GI, 2014. © 2015 SAP SE. All Rights Reserved. Page 12 of 28
  • 13. Combining Multiple Security Testing Methods and Tools Client Application Web Browser Server Application Runtime Container Backend Systems • Risks of only using only SAST • Wasting effort that could be used more wisely elsewhere • Shipping insecure software • Examples of SAST limitations • Not all programming languages supported • Covers not all layers of the software stack © 2015 SAP SE. All Rights Reserved. Page 13 of 28
  • 14. Combining Multiple Security Testing Methods and Tools Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx (JavaScript) Fortify (Java) Coverity (C/C++) • Risks of only using only SAST • Wasting effort that could be used more wisely elsewhere • Shipping insecure software • Examples of SAST limitations • Not all programming languages supported • Covers not all layers of the software stack © 2015 SAP SE. All Rights Reserved. Page 13 of 28
  • 15. Combining Multiple Security Testing Methods and Tools Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx (JavaScript) Fortify (Java) DOMinator Coverity (C/C++) HPWebInspect/IBMAppScan • Risks of only using only SAST • Wasting effort that could be used more wisely elsewhere • Shipping insecure software • Examples of SAST limitations • Not all programming languages supported • Covers not all layers of the software stack © 2015 SAP SE. All Rights Reserved. Page 13 of 28
  • 16. Combining Multiple Security Testing Methods and Tools Client Application Web Browser Server Application Runtime Container Backend Systems Checkmarx Fortify (Java) DOMinator HPWebInspect/IBMAppScan • Risks of only using only SAST • Wasting effort that could be used more wisely elsewhere • Shipping insecure software • Examples of SAST limitations • Not all programming languages supported • Covers not all layers of the software stack © 2015 SAP SE. All Rights Reserved. Page 13 of 28
  • 17. A Risk-based Test Plan Select from a list of predefined application types Implementation detao;s ,e.g., programming languages, frameworks Priority of SAP Security Requirements Security Test Plan RISK ASSESMENT (e.g., SECURIM, Threat Modelling, OWASP ASVS) • Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing • Selects the most efficient test tools and test cases based on the risks and the technologies used in the project • Re-adjusts priorities of test cases based on identified risks for the project • Monitors false negative findings in the results of risk assessment © 2015 SAP SE. All Rights Reserved. Page 14 of 28
  • 18. SAP’ Secure Software Development Lifecycle (S2 DL) Figure: SAP SSDL © 2015 SAP SE. All Rights Reserved. Page 15 of 28
  • 19. Security Validation • Acts as first customer • Is not a replacement for security testing during development • Security Validation • Check for “flaws” in the implementation of the S2 DL • Ideally, security validation finds: • No issues that can be fixed/detected earlier • Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) © 2015 SAP SE. All Rights Reserved. Page 16 of 28
  • 20. Security Validation • Acts as first customer • Is not a replacement for security testing during development • Security Validation • Check for “flaws” in the implementation of the S2 DL • Ideally, security validation finds: • No issues that can be fixed/detected earlier • Only issues that cannot be detect earlier (e.g., insecure default configurations, missing security documentation) Penetration tests in productive environments are different: • They test the actual configuration • They test the productive environment (e.g., cloud/hosting) © 2015 SAP SE. All Rights Reserved. Page 16 of 28
  • 21. How to Measure Success • Analyze the vulnerabilities reported by • Security Validation • External security researchers • Vulnerability not detected by our security testing tools • Improve tool configuration • Introduce new tools • Vulnerability detected by our security testing tools • Vulnerability in older software release • Analyze reason for missing vulnerability © 2015 SAP SE. All Rights Reserved. Page 17 of 28
  • 22. How to Measure Success • Analyze the vulnerabilities reported by • Security Validation • External security researchers • Vulnerability not detected by our security testing tools • Improve tool configuration • Introduce new tools • Vulnerability detected by our security testing tools • Vulnerability in older software release • Analyze reason for missing vulnerability Covered Not Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases © 2015 SAP SE. All Rights Reserved. Page 17 of 28
  • 23. How to Measure Success • Analyze the vulnerabilities reported by • Security Validation • External security researchers • Vulnerability not detected by our security testing tools • Improve tool configuration • Introduce new tools • Vulnerability detected by our security testing tools • Vulnerability in older software release • Analyze reason for missing vulnerability Covered Not Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases © 2015 SAP SE. All Rights Reserved. Page 17 of 28
  • 24. How to Measure Success • Analyze the vulnerabilities reported by • Security Validation • External security researchers • Vulnerability not detected by our security testing tools • Improve tool configuration • Introduce new tools • Vulnerability detected by our security testing tools • Vulnerability in older software release • Analyze reason for missing vulnerability Covered Not Covered Newly Covered Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases © 2015 SAP SE. All Rights Reserved. Page 17 of 28
  • 25. Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 18 of 28
  • 26. Key Success Factors • A holistic security awareness program for • Developers • Managers © 2015 SAP SE. All Rights Reserved. Page 19 of 28
  • 27. Key Success Factors • A holistic security awareness program for • Developers • Managers • Yes, security awareness is important © 2015 SAP SE. All Rights Reserved. Page 19 of 28
  • 28. Key Success Factors • A holistic security awareness program for • Developers • Managers • Yes, security awareness is important but © 2015 SAP SE. All Rights Reserved. Page 19 of 28
  • 29. Key Success Factors • A holistic security awareness program for • Developers • Managers • Yes, security awareness is important but Developer awareness is even more important! © 2015 SAP SE. All Rights Reserved. Page 19 of 28
  • 30. Listen to Your Developers! We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness. • Building a secure system more difficult than finding a successful attack. • Do not expect your developers to become penetration testers (or security experts)! © 2015 SAP SE. All Rights Reserved. Page 20 of 28
  • 31. Security Testing for Developers Security testing tools for developers, need to • Be applicable from the start of development • Automate the security knowledge • Be deeply integrated into the dev. env., e.g., • IDE (instant feedback) • Continuous integration • Provide easy to understand fix recommendations • Declare their “sweet spots” © 2015 SAP SE. All Rights Reserved. Page 21 of 28
  • 32. Collaborate! Security experts need to collaborate with development experts to • Create easy to use security APIs (ever tried to use an SSL API securely) • Create languages and frameworks that make it hard to implement insecure systems • Explain how to program securely © 2015 SAP SE. All Rights Reserved. Page 22 of 28
  • 33. Agenda 1 Background 2 Motivation 3 Risk-based Security Testing as Part of SAP’s S2 DL 4 Lesson’s Learned 5 How Does This Resonate With Agile Development? © 2015 SAP SE. All Rights Reserved. Page 23 of 28
  • 34. Agile Development • What is agile for you? SCRUM, Continuous Delivery, DevOps, SCRUM, Cloud development, . . . • Cloud/agile development lifecycle t Deliveries © 2015 SAP SE. All Rights Reserved. Page 24 of 28
  • 35. Secure Agile Development Level of TrustLevel of Trust Risk IdentificationRisk Identification Threat ModellingThreat Modelling Security Measures Security Measures Security Testing Security Testing PSC SecurityPSC Security Risk Mitigation & TestingRisk Mitigation & Testing Static TestingStatic Testing Dynamic TestingDynamic Testing Manual TestingManual Testing Security ValidationSecurity Validation Secure ProgrammingSecure Programming Security Response Security Response © 2015 SAP SE. All Rights Reserved. Page 25 of 28
  • 36. Open (Research) Questions • Social aspects • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks) • Does this impact the willingness to take (security) risks and/or the risk assessment? • Process and organisational aspects • What services should be offered centrally? • How to ensure a certain level of security across all products? • How to ensure a certain level of security across the end-to-end supply chain? • Technical and fundamental aspects • How do we need to adapt development support • How do we need to adapt threat modelling or risk assessment methods • How do we need to adapt security testing techniques • The big challenge in practice: Products are often offered in the cloud (SaaS) and on premise © 2015 SAP SE. All Rights Reserved. Page 26 of 28
  • 37. Thank you! http://xkcd.com/327/ Dr. Achim D. Brucker achim.brucker@sap.com http://www.brucker.ch/
  • 38. Related Publications Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014. Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, gi Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. gi, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014. Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012. © 2015 SAP SE. All Rights Reserved. Page 28 of 28
  • 39. © 2015 SAP SE. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2015 SAP SE. All Rights Reserved. Page 29 of 28