Create code confidence for better application security
June 11, 2015
SC Congress Toronto 2015
Jeff Hildreth, Automotive Account Manager
Rogue Wave Software
Presenter
How many people are ready for a sales pitch?
Agenda
• We’re all saying the same thing
• Wrangling order from chaos
• A holistic approach to cybersecurity
• Take action!
• Conclusions: Managing your Supply Chain
• Q&A
We’re all saying the same thing
© 2015 Rogue Wave Software, Inc. All Rights Reserved.
• Network intrusions
• Information theft
• Outside reprogramming of systems
• Code vulnerabilities
“We all clearly created these presentations in a vacuum because we’re all using the same material.”
IQPC Automotive Cyber Security Summit, two months ago
• Develop a specific strategy that fits into what we’re already doing
• Be different
• You have the tools already
Wrangling order from chaos
Look at the data you’re already faced with:
• 1000s of bugs
• Run time simulation testing
• Customer defects
• Safety requirements
• Avg. number of security risks: 22.4
How do you handle this information overload?
Security overload
• Media: news, blogs, social media, conferences
• Standards and legislation: security standards (OWASP, CWE, CERT, etc.), Senator Markey report
• Research: NVD, White Hat, Black Hat
• Requirements: OEMs, internal
More and more software running inside your car
Developers don’t know security (80% failed security knowledge survey)
Where do organizations fail?
Organizations have failed to prevent attacks:
• Lack of time
• Lack of focus/priority
• Lack of tools/proper tools
Survey: 1700 developers, 80% of them incorrectly answered key questions surrounding the protection of sensitive data
Most breaches result from input trust issues:
• SQL injection
• Unvalidated input
• Cross-site scripting
Heartbleed: buffer overrun
BMW patch: HTTP vs. HTTPS
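The three input-trust classes the slide names (SQL injection, unvalidated input, cross-site scripting) side by side in one small script. This is an added example, not material from the presentation or from Rogue Wave: it assumes a constructed in-memory sqlite3 table of vehicle owners, an invented seven-character VIN format for the allow-list check, and the standard library only. Each unsafe function is paired with the hardened form a reviewer would ask for: bound parameters instead of string building, validation at the trust boundary, and output encoding.

```python
import html
import re
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table; stands in for a real owner lookup service."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE owners (vin TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO owners VALUES (?, ?)",
        [("VIN0001", "A. Example"), ("VIN0002", "B. Example")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, vin: str) -> List[Tuple[str, str]]:
    """Trusts the input: the statement is built by concatenation, so the input
    can change the query's structure rather than only its compared value."""
    sql = "SELECT vin, name FROM owners WHERE vin = '" + vin + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, vin: str) -> List[Tuple[str, str]]:
    """Hardened form: the value is bound as a parameter, so the database engine
    only ever compares it against the column and never parses it as SQL."""
    return conn.execute("SELECT vin, name FROM owners WHERE vin = ?", (vin,)).fetchall()


# Assumed VIN shape for this sample; a real validator would use the real format.
VIN_PATTERN = re.compile(r"[A-Z0-9]{7}")


def validate_vin(vin: str) -> bool:
    """Allow-list validation at the trust boundary: reject anything that is not
    a plausible VIN before it reaches any other code."""
    return VIN_PATTERN.fullmatch(vin) is not None


def lookup_validated(conn: sqlite3.Connection, vin: str) -> List[Tuple[str, str]]:
    if not validate_vin(vin):
        raise ValueError("rejected input that is not a VIN")
    return lookup_safe(conn, vin)


def render_name_unsafe(name: str) -> str:
    """Reflects untrusted text into HTML unchanged (the cross-site scripting case)."""
    return "<p>Hello " + name + "</p>"


def render_name_safe(name: str) -> str:
    """Output encoding: markup characters become entities, so the browser shows
    the text instead of interpreting it."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def demo() -> Dict[str, object]:
    """Run both forms of each check against constructed inputs and return the
    observable difference, so the contrast can be asserted on rather than read."""
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed sample: a value no VIN field should accept
    return {
        "unsafe_rows": len(lookup_unsafe(conn, crafted)),   # structure changed: every row
        "safe_rows": len(lookup_safe(conn, crafted)),       # compared as a value: no row
        "validated_rejects": not validate_vin(crafted),
        "validated_ok": lookup_validated(conn, "VIN0001"),
        "escaped": render_name_safe("<b>x</b>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The validation step and the parameterised query are complementary, not alternatives: validation keeps junk out of the system at the edge, while binding parameters makes the query correct even for inputs the validator was never written to anticipate.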
What are the risks?
Risks include:
• Network intrusion
• Information theft
• Outside reprogramming of systems
• Code vulnerabilities
What can you do?
• All of the supply chain needs to be secure, not just your code but the code of the packages included in your software
• Follow a well-known security standard applicable to your domain
• Need to “bake in” security
• Educate the development team, provide security based training, guidance and checklists
• Automate!
• Perform Threat Assessment
Do you agree that security testing adds 25% of time to your release schedule?
Agile Development – Integrated Security
(Diagram of the sprint cycle with these labels: Sprint 1, Sprint 2 … Sprint n; Integrate and Test; Review; Accept; Change; Adjust and Track; Feedback; Next Iteration; Release; Yes!/No!; Release to Market)
Characteristics
• Multiple testing points
• Rapid feedback required
• “Outside” testing does not meet agile needs
Typical bottlenecks
(Diagram of the delivery pipeline: Idea proposed; Understand Needs & Invent Solutions; Develop, Commit & Build; Functional Testing; Load, Performance, Security, … Testing; UAT/Exploratory Testing; Release Decision; Deploy Solution; Customer Value)
• Too Much WIP
• Inability to quickly try out ideas
• Lack of access to dev & test environments
• Lack of effective build/integration automation
• Manual testing
• Design complexity
• Lack of effective API-driven test automation
• Lack of effective release candidate quality information
• Manual environment management and deployment
• Lack of effective customer insight
Ever-present bottlenecks: hand-offs and wait time
Enablers
(Same delivery pipeline diagram: Idea proposed; Understand Needs & Invent Solutions; Develop, Commit & Build; Functional Testing; Load, Performance, Security, … Testing; UAT/Exploratory Testing; Release Decision; Deploy Solution; Customer Value)
• Smaller batches/payload (Agile)
• Infrastructure As Code, Environments On Demand, Cloned/Templated Environments
• Continuous Integration
• Continuous Testing
• Loose architectural coupling
• Sufficient test data to make decisions
• Infrastructure as Code
• Release Automation
• Application analytics, CX data
• Everywhere: Cross-functional teams, simplified roles
A holistic approach to cybersecurity
Information overload: develop an adaptive threat model
(Diagram: Threat Model; Internal Threat Metric; External Data; Action)
Threat model
Scanning to discover open
Threat modelling identifies, quantifies, and addresses security risks by:
1. Understanding the application & environment
2. Identifying & prioritizing threats
3. Determining mitigation actions
(Diagram of the process: Identify Assets; System Overview; Decompose Application; Identify Threats; Prioritize Threats)
Standards
• Common Weakness
Enumeration (MITRE)
• Open Web Application
Security Project (OWASP)
• CERT (Carnegie Mellon
University)
National Governing Bodies
CVE database
National Vulnerability
Database
OEM RFP requirements
Research
White Hat/Black Hat
University studies
Media
Development
Team
Would you agree that
customer requirements
have the biggest
influence on your
decisions on security
requirements?
Internal metrics
• Testing: Automated unit tests; Hardware in the Loop (HIL) testing
• Security Team: Penetration tests; Open source scanning
• Software Tools: Static Code Analysis (SCA); Compiler warnings
• Requirements
Development Team
Developing a Threat Metric
Build Score
• Automated and functional testing can give you a pass/fail metric on every run of the test suite
• A metric can be generated from penetration testing based on the number of exploitable paths in your code base
• Software quality tools can give you a count of critical static analysis and compiler warnings
• A metric can be developed based on the presence of snippets of open source code previously undetected or open source with new known vulnerabilities
• All of these metrics can be generated on every build of your software
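How the per-build signals listed above can be folded into one threat metric and tracked build over build, as an added example (not code from the presentation or from Rogue Wave). The weights, the risk budget of 40, the "no open exploitable path" hard rule and the three sample builds are all assumptions chosen to make the gate's behaviour visible; a real programme would calibrate them against its own history. The functional suite's pass/fail is treated as a hard rule rather than a weighted term, because a build whose tests fail says nothing reliable about its other numbers.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BuildSignals:
    """One build's raw results from the producers named on the slide."""
    build_id: str
    tests_passed: bool         # automated/functional suite: pass or fail
    exploitable_paths: int     # exploitable paths reported by penetration testing
    critical_sca: int          # critical static-analysis findings
    compiler_warnings: int     # compiler warnings from the build log
    unknown_oss_snippets: int  # copied-in OSS snippets not previously inventoried
    oss_new_vulns: int         # inventoried OSS with newly published vulnerabilities


# Assumed weights (risk points per finding) and per-build ceiling; lower is better.
WEIGHTS = {
    "exploitable_paths": 10,
    "critical_sca": 5,
    "compiler_warnings": 1,
    "unknown_oss_snippets": 3,
    "oss_new_vulns": 8,
}
RISK_BUDGET = 40


def build_score(s: BuildSignals) -> int:
    """Weighted sum of the counted findings. The functional pass/fail is a
    hard rule applied in gate(), not a weighted term."""
    return sum(weight * getattr(s, name) for name, weight in WEIGHTS.items())


def gate(current: BuildSignals,
         previous: Optional[BuildSignals] = None) -> Tuple[bool, List[str]]:
    """Decide whether a build may proceed and list every reason it may not."""
    reasons: List[str] = []
    if not current.tests_passed:
        reasons.append("functional test suite failed")
    if current.exploitable_paths > 0:
        reasons.append(f"{current.exploitable_paths} exploitable path(s) still open")
    score = build_score(current)
    if score > RISK_BUDGET:
        reasons.append(f"score {score} exceeds budget {RISK_BUDGET}")
    # Ratchet: a build within budget still fails if it is worse than the last one.
    if previous is not None and score > build_score(previous):
        reasons.append(f"score regressed from {build_score(previous)} to {score}")
    return (not reasons, reasons)


# Constructed sample: three consecutive builds of one component.
SAMPLE_BUILDS = [
    BuildSignals("build-41", True, 1, 4, 12, 2, 0),
    BuildSignals("build-42", True, 0, 2, 9, 0, 1),
    BuildSignals("build-43", True, 0, 3, 10, 1, 1),
]


def trend_report(builds: List[BuildSignals]) -> List[str]:
    """One line per build: score, verdict and reasons, each compared with its predecessor."""
    lines = []
    previous = None
    for b in builds:
        ok, reasons = gate(b, previous)
        verdict = "PASS" if ok else "FAIL: " + "; ".join(reasons)
        lines.append(f"{b.build_id} score={build_score(b)} {verdict}")
        previous = b
    return lines


if __name__ == "__main__":
    print("\n".join(trend_report(SAMPLE_BUILDS)))
```

In the sample, build-41 fails on the hard rule and on budget, build-42 passes, and build-43 fails only because it regressed against build-42 even though it is within budget; that last case is the reason to keep the previous build's score alongside the threshold.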
Continuous metric updates
External: Standards; Governing bodies; OEM RFP requirements; Research; Media
Internal: Testing; Pen tests; OSS scanning; Software tools; Requirements
Development Team
Example: ECU
(Diagram of vehicle ECUs with these labels: Front; ADAS; Gateway; Infotainment; Rear; distribution amplifier; Camera; Radar; X by wire; Telematics; Power train)
API Enabled Metrics Producers
Static code analysis
Traditionally used to find simple, annoying bugs
Modern, state-of-the-art SCA:
• Sophisticated inter-procedural control and data-flow analysis
• Model-based simulation of runtime expectation
• Provides an automated view of all possible execution paths
• Find complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows
• Check compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO26262
Static Code Analysis
How to keep your metric up to date
• Standards: Rely on your static code analysis vendor to provide updates to the latest security standards
• Research: Rely on your vendor to develop custom rules based on research shared by security analysts
• OEM Requirements: prove that standards have been enforced
Take action
Check code faster
• Issues identified at your desktop
  – Correct code before check-in
  – All areas impacted by a given defect are highlighted
  – After system build, the impact of other developers’ code is also delivered to the desktop for corrective action
• Create custom checkers to meet specific needs
• Debugger-like call-stack highlights the cause of the issues
• Context-sensitive help provides industry best-practices and explanations
(Diagram with these labels: Build; Analysis / Test; 50% of defects introduced here)
Open source scanning
How to keep your metric up to date
• Deploy a governance and provisioning platform to white list/black list open source packages
• Be informed when new vulnerabilities are published through the National Vulnerability Database
• Know what is in your source code by scanning for source code snippets that have been copied and pasted
Measuring open source risks
• Know your inventory with OSS scanning
  – Automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations
  – Look for scanning tools that:
    • are SaaS – easier to set up and maintain
    • Protect your IP by not requiring source code upload
• Maintain OSS support
  – Get notified of latest patches, risks, bugs
• Establish an OSS policy to minimize risk
  – Use only trusted packages
  – Notify and update security fixes
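The open source policy just described (allow/deny list, inventory from scanning including copied-in snippets, notification when a newly published advisory touches something in the inventory) reduced to a small evaluation routine, as an added example that is not part of the presentation and not Rogue Wave's scanner. The inventory, the allow and deny lists, and the advisory feed are all constructed sample data; the advisory records are shaped loosely like NVD entries and their CVE ids are placeholders, not real identifiers. Versions are assumed to be purely numeric dotted strings so they can be compared component-wise.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    origin: str  # "declared": listed in a manifest; "snippet": found by copy-paste scan


# Constructed scan result (not real scanner output).
INVENTORY = [
    Package("libfoo", "1.2.3", "declared"),
    Package("oldcrypto", "0.9.8", "declared"),
    Package("tinyjson", "2.0.0", "snippet"),
    Package("netutil", "3.1.0", "declared"),
]

# Assumed governance policy: the deny list wins if a name appears on both.
ALLOWED: Set[str] = {"libfoo", "netutil"}
DENIED: Set[str] = {"oldcrypto"}

# Constructed advisory feed in an NVD-like shape; the CVE ids are placeholders.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "netutil", "fixed_in": "3.1.2", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "package": "libfoo", "fixed_in": "1.2.0", "severity": "MEDIUM"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare numerically per component, so 3.10.0 sorts after 3.9.9 (string
    comparison would get this wrong)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(pkg: Package, adv: dict) -> bool:
    """Affected when the advisory names the package and the inventoried version predates the fix."""
    return (pkg.name == adv["package"]
            and parse_version(pkg.version) < parse_version(adv["fixed_in"]))


def evaluate(inventory: List[Package], advisories: List[dict],
             allowed: Set[str], denied: Set[str]) -> Dict[str, List[str]]:
    """Apply the policy to one scan and bucket every finding by kind."""
    findings: Dict[str, List[str]] = {"denied": [], "unapproved": [], "snippet": [], "vulnerable": []}
    for p in inventory:
        label = f"{p.name} {p.version}"
        if p.name in denied:
            findings["denied"].append(label)
        elif p.name not in allowed:
            findings["unapproved"].append(label)
        if p.origin == "snippet":
            # Copied-in code has no manifest entry, so it only shows up via scanning.
            findings["snippet"].append(label)
        for adv in advisories:
            if is_affected(p, adv):
                findings["vulnerable"].append(
                    f"{label}: {adv['id']} ({adv['severity']}), fixed in {adv['fixed_in']}")
    return findings


def new_advisories(seen_ids: Set[str], advisories: List[dict],
                   inventory: List[Package]) -> List[str]:
    """Ids not seen on a previous run that affect something in the inventory:
    the notification the 'be informed when new vulnerabilities are published' bullet asks for."""
    return [adv["id"] for adv in advisories
            if adv["id"] not in seen_ids and any(is_affected(p, adv) for p in inventory)]


if __name__ == "__main__":
    for kind, items in evaluate(INVENTORY, ADVISORIES, ALLOWED, DENIED).items():
        print(kind, items)
    print("new:", new_advisories(set(), ADVISORIES, INVENTORY))
```

Note that an advisory for an inventoried package is not automatically a finding: libfoo is named in the feed but the inventoried version already carries the fix, so only the version comparison decides. Persisting the set of ids already reported is what turns the feed into a "new since last build" notification rather than a repeated alarm.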
Scan results example
Conclusions
• The application security world is fluid: create concrete, actionable strategies (Threat Metric, analysis & scanning)
• Delivery cycles are short: update regularly with a well-defined process (Agile, CI)
Q&A
See us in action: www.roguewave.com
Jeff Hildreth | jeff.hildreth@roguewave.com
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less timeHow to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
 
PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?PCI and Vulnerability Assessments - What’s Missing?
PCI and Vulnerability Assessments - What’s Missing?
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 

More from Rogue Wave Software

The Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data PerspectiveThe Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data PerspectiveRogue Wave Software
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureRogue Wave Software
 
Disrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformationDisrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformationRogue Wave Software
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security –  What’s in...Leveraging open banking specifications for rigorous API security –  What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...Rogue Wave Software
 
Adding layers of security to an API in real-time
Adding layers of security to an API in real-timeAdding layers of security to an API in real-time
Adding layers of security to an API in real-timeRogue Wave Software
 
Getting the most from your API management platform: A case study
Getting the most from your API management platform: A case studyGetting the most from your API management platform: A case study
Getting the most from your API management platform: A case studyRogue Wave Software
 
Advanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applicationsAdvanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applicationsRogue Wave Software
 
The forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for youThe forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for youRogue Wave Software
 
Are open source and embedded software development on a collision course?
Are open source and embedded software development on a  collision course?Are open source and embedded software development on a  collision course?
Are open source and embedded software development on a collision course?Rogue Wave Software
 
Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices Rogue Wave Software
 
5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure successRogue Wave Software
 
PSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliancePSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and complianceRogue Wave Software
 
Java 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the futureJava 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the futureRogue Wave Software
 
How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)Rogue Wave Software
 
Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)Rogue Wave Software
 
How to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to LinuxHow to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to LinuxRogue Wave Software
 
Approaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC appsApproaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC appsRogue Wave Software
 
Enterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOSEnterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOSRogue Wave Software
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migrationRogue Wave Software
 
How to keep developers happy and lawyers calm
How to keep developers happy and lawyers calmHow to keep developers happy and lawyers calm
How to keep developers happy and lawyers calmRogue Wave Software
 

More from Rogue Wave Software (20)

The Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data PerspectiveThe Global Influence of Open Banking, API Security, and an Open Data Perspective
The Global Influence of Open Banking, API Security, and an Open Data Perspective
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failureNo liftoff, touchdown, or heartbeat shall miss because of a software failure
No liftoff, touchdown, or heartbeat shall miss because of a software failure
 
Disrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformationDisrupt or be disrupted – Using secure APIs to drive digital transformation
Disrupt or be disrupted – Using secure APIs to drive digital transformation
 
Leveraging open banking specifications for rigorous API security – What’s in...
Leveraging open banking specifications for rigorous API security –  What’s in...Leveraging open banking specifications for rigorous API security –  What’s in...
Leveraging open banking specifications for rigorous API security – What’s in...
 
Adding layers of security to an API in real-time
Adding layers of security to an API in real-timeAdding layers of security to an API in real-time
Adding layers of security to an API in real-time
 
Getting the most from your API management platform: A case study
Getting the most from your API management platform: A case studyGetting the most from your API management platform: A case study
Getting the most from your API management platform: A case study
 
Advanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applicationsAdvanced technologies and techniques for debugging HPC applications
Advanced technologies and techniques for debugging HPC applications
 
The forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for youThe forgotten route: Making Apache Camel work for you
The forgotten route: Making Apache Camel work for you
 
Are open source and embedded software development on a collision course?
Are open source and embedded software development on a  collision course?Are open source and embedded software development on a  collision course?
Are open source and embedded software development on a collision course?
 
Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices Three big mistakes with APIs and microservices
Three big mistakes with APIs and microservices
 
5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success5 strategies for enterprise cloud infrastructure success
5 strategies for enterprise cloud infrastructure success
 
PSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliancePSD2 & Open Banking: How to go from standards to implementation and compliance
PSD2 & Open Banking: How to go from standards to implementation and compliance
 
Java 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the futureJava 10 and beyond: Keeping up with the language and planning for the future
Java 10 and beyond: Keeping up with the language and planning for the future
 
How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)How to keep developers happy and lawyers calm (Presented at ESC Boston)
How to keep developers happy and lawyers calm (Presented at ESC Boston)
 
Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)Open source applied - Real world use cases (Presented at Open Source 101)
Open source applied - Real world use cases (Presented at Open Source 101)
 
How to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to LinuxHow to migrate SourcePro apps from Solaris to Linux
How to migrate SourcePro apps from Solaris to Linux
 
Approaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC appsApproaches to debugging mixed-language HPC apps
Approaches to debugging mixed-language HPC apps
 
Enterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOSEnterprise Linux: Justify your migration from Red Hat to CentOS
Enterprise Linux: Justify your migration from Red Hat to CentOS
 
Walk through an enterprise Linux migration
Walk through an enterprise Linux migrationWalk through an enterprise Linux migration
Walk through an enterprise Linux migration
 
How to keep developers happy and lawyers calm
How to keep developers happy and lawyers calmHow to keep developers happy and lawyers calm
How to keep developers happy and lawyers calm
 

Recently uploaded

英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 

Recently uploaded (20)

英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 

Create code confidence for better application security

  • 1. Create code confidence for better application security June 11, 2015 SC Congress Toronto 2015
  • 2. Jeff Hildreth, Automotive Account Manager Rogue Wave Software Presenter
  • 3. How many people are ready for a sales pitch?
  • 4. Agenda • We’re all saying the same thing • Wrangling order from chaos • A holistic approach to cybersecurity • Take action! • Conclusions: Managing your Supply Chain • Q&A
  • 5. We’re all saying the same thing
  • 6. Network intrusions 6© 2015 Rogue Wave Software, Inc. All Rights Reserved.
  • 7. Information theft 7© 2015 Rogue Wave Software, Inc. All Rights Reserved.
  • 8. Outside reprogramming of systems 8© 2015 Rogue Wave Software, Inc. All Rights Reserved.
  • 9. Code vulnerabilities 9© 2015 Rogue Wave Software, Inc. All Rights Reserved.
  • 10. © 2014 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 10 “We all clearly created these presentations in a vacuum because we’re all using the same material.” IQPC Automotive Cyber Security Summit, two months ago Develop a specific strategy that fits into what we’re already doing Be different You have the tools already
  • 11. © 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 11 Wrangling order from chaos Look at the data you’re already faced with: 1000s of bugs How do you handle this information overload? Run time simulation testing Customer defects Avg. number of security risks: 22.4 Safety requirements
  • 12. © 2014 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 12 Security overload News Blogs, social media conferences Security standards OWASP, CWE, CERT, etc. Senator Markey report NVD, White Hat, Black Hat OEMs, internal Media More and more software running inside your car Standards and legislation Research Requirements Developers don’t know security (80% failed security knowledge survey)
  • 13. Where do organizations fail? Organizations have failed to prevent attacks Lack of time Lack of focus/ priority Lack of tools/proper tools Survey: 1700 developers, 80% of them incorrectly answered key questions surrounding the protection of sensitive data SQL injection Unvalidated input Cross-site scripting Most breaches result from input trust issues Heartbleed: buffer overrun BMW patch: HTTP vs. HTTPS © 2015 Rogue Wave Software, Inc. All Rights Reserved. 9
  • 14. What are the risks? • Risks include Network intrusion Information theft Outside reprogramming of systems Code vulnerabilities 14© 2015 Rogue Wave Software, Inc. All Rights Reserved.
  • 15. All of the supply chain needs to be secure, not just your code but the code of the packages included in your software Follow a well-known security standard applicable to your domain What can you do? Need to “bake in” security Educate the development team, provide security based training, guidance and checklists Automate! 15 Perform Threat Assessment © 2015 Rogue Wave Software, Inc. All Rights Reserved.
  • 16. Do you agree that security testing adds 25% of time to your release schedule?
  • 17. Accept Sprint 1 Sprint 2 Sprint n Release Change Adjust and Track Feedback Review Next Iteration No! Yes! Release to Market Integrate and Test Integrate and Test Integrate and Test Agile Development – Integrated Security Characteristics • Multiple testing points • Rapid feedback required • “Outside” testing does not meet agile needs
  • 18. Idea proposed Understand Needs & Invent Solutions Develop, Commit & Build Functional Testing Deploy Solution Customer Value Load, Performance, Security, … Testing UAT/ Exploratory Testing Release Decision • Too Much WIP • Inability to quickly try out ideas Lack of access to dev & test environments • Lack of effective build/integration automation • Manual testing • Design complexity Lack of effective API-driven test automation Lack of effective release candidate quality information Manual environment management and deployment Lack of effective customer insight Ever-present bottlenecks: hand-offs and wait time Typical bottlenecks
  • 19. Smaller batches/ payload (Agile) Infrastructure As Code, Environments On Demand, Cloned/ Templated Environments • Continuous Integration • Continuous Testing • Loose architectural coupling Continuous Testing Sufficient test data to make decisions • Infrastructure as Code • Release Automation Application analytics, CX data Everywhere: Cross-functional teams, simplified roles Idea proposed Understand Needs & Invent Solutions Develop, Commit & Build Functional Testing Deploy Solution Customer Value Load, Performance, Security, … Testing UAT/ Exploratory Testing Release Decision Enablers
  • 20. A holistic approach to cybersecurity © 2014 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 20 Threat Model Internal Threat Metric External Data Action Information overload Develop an adaptive threat model
  • 21. © 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 21 Threat model  Scanning to discover open Threat modelling identifies, quantifies, and addresses security risks by: 1. Understanding the application & environment 2. Identifying & prioritizing threats 3. Determining mitigation actions Identify Assets System Overview Decompose Application Identify Threats Prioritize Threats
  • 22. External data sources © 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 22 Standards • Common Weakness Enumeration (MITRE) • Open Web Application Security Project (OWASP) • CERT (Carnegie Mellon University) National Governing Bodies CVE database National Vulnerability Database OEM RFP requirements Research White Hat/Black Hat University studies Media Development Team
  • 23. Would you agree that customer requirements have the biggest influence on your decisions on security requirements?
  • 24. Internal metrics © 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 24 Testing Automated unit tests Hardware in the Loop (HIL) testing Security Team Penetration tests Open source scanning Software Tools Static Code Analysis (SCA) Compiler warnings Requirements Development Team
  • 25. Developing a Threat Metric © 2014 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 25 Build Score • Automated and functional testing can give you a pass fail metric on every run of the test suite • A metric can be generated from penetration testing based on the number of exploitable paths in your code base • Software quality tools can give you a count of critical static analysis and compiler warnings • A metric can be developed based on the presence of snippets of open source code previously undetected or open source with new known vulnerabilities • All of these metrics can be generated on every build of your software
  • 26. Smaller batches/ payload (Agile) Infrastructure As Code, Environments On Demand, Cloned/ Templated Environments • Continuous Integration • Continuous Testing • Loose architectural coupling Continuous Testing Sufficient test data to make decisions • Infrastructure as Code • Release Automation Application analytics, CX data Everywhere: Cross-functional teams, simplified roles Idea proposed Understand Needs & Invent Solutions Develop, Commit & Build Functional Testing Deploy Solution Customer Value Load, Performance, Security, … Testing UAT/ Exploratory Testing Release Decision Enablers
  • 27. Standards Governing bodies OEM RFP requirements Research Media Continuous metric updates © 2015 ROGUE WAVE SOFTWARE, INC. ALL RIGHTS RESERVED 27 Testing Pen tests OSS scanning Software tools Requirements Development Team
  • 28. Accept Sprint 1 Sprint 2 Sprint n Release Change Adjust and Track Feedback Review Next Iteration No! Yes! Release to Market Integrate and Test Integrate and Test Integrate and Test Agile Development – Integrated Security Characteristics • Multiple testing points • Rapid feedback required • “Outside” testing does not meet agile needs
• 29. Example: ECU
  Diagram of vehicle ECUs: Front; ADAS; Gateway; Infotainment; Rear distribution amplifier; Camera; Radar; X by wire; Telematics; Power train; Camera; Radar
• 31. Static code analysis
  Traditionally used to find simple, annoying bugs.
  Modern, state-of-the-art SCA:
  – Sophisticated inter-procedural control- and data-flow analysis
  – Model-based simulation of runtime expectation
  – Provides an automated view of all possible execution paths
  – Finds complex bugs and runtime errors, such as memory leaks, concurrency violations, buffer overflows
  – Checks compliance with internationally recognized standards: MISRA, CWE, OWASP, ISO 26262
• 32. Static Code Analysis: How to keep your metric up to date
  • Standards: rely on your static code analysis vendor to provide updates to the latest security standards
  • Research: rely on your vendor to develop custom rules based on research shared by security analysts
  • OEM Requirements: prove that standards have been enforced
• 33. Take action: Check code faster
  • Issues identified at your desktop
    – Correct code before check-in
    – All areas impacted by a given defect are highlighted
    – After system build, the impact of other developers’ code is also delivered to the desktop for corrective action
  • Create custom checkers to meet specific needs
  • Debugger-like call stack highlights the cause of the issues
  • Context-sensitive help provides industry best practices and explanations
  Diagram (Build, Analysis / Test) annotated “50% of defects introduced here”
• 34. Open source scanning: How to keep your metric up to date
  • Deploy a governance and provisioning platform to whitelist/blacklist open source packages
  • Be informed when new vulnerabilities are published through the National Vulnerability Database
  • Know what is in your source code by scanning for source code snippets that have been copied and pasted
• 35. Measuring open source risks
  • Know your inventory with OSS scanning
    – Automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations
    – Look for scanning tools that:
      • are SaaS (easier to set up and maintain)
      • protect your IP by not requiring source code upload
  • Maintain OSS support
    – Get notified of latest patches, risks, bugs
  • Establish an OSS policy to minimize risk
    – Use only trusted packages
    – Notify and update security fixes
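As an added example covering slides 34 and 35 (not Rogue Wave code), the two checks an OSS scan feeds into the metric: matching a scanned inventory against newly published advisories, and finding copied-and-pasted snippets by fingerprinting normalized line windows. Package names, versions, dates and the CVE-XXXX ids are constructed placeholders.

```python
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Component:
    name: str       # package located by the OSS scan
    version: str

@dataclass(frozen=True)
class Advisory:
    cve_id: str     # placeholder ids below, not real CVEs
    product: str
    fixed_in: str   # first version that carries the fix
    published: str  # ISO date the advisory was published

def _ver(v):
    return tuple(int(x) for x in v.split("."))

def vulnerable_components(inventory, feed):
    """Inventory entries whose version predates the fix in a published advisory."""
    return [(c, a) for c in inventory for a in feed
            if a.product == c.name and _ver(c.version) < _ver(a.fixed_in)]

def new_since(hits, last_scan):
    """Hits published after the previous scan: the ones that need a notification."""
    return [(c, a) for c, a in hits if a.published > last_scan]

def snippet_fingerprints(source, window=4):
    """Hash every run of `window` consecutive non-blank lines after collapsing
    whitespace, so a pasted fragment still matches after re-indentation."""
    lines = [" ".join(l.split()) for l in source.splitlines() if l.strip()]
    return {hashlib.sha256("\n".join(lines[i:i + window]).encode()).hexdigest()
            for i in range(len(lines) - window + 1)}

def copied_snippets(project_source, oss_corpus, window=4):
    """Names of corpus files sharing at least one fingerprint with the project."""
    project = snippet_fingerprints(project_source, window)
    return sorted(name for name, text in oss_corpus.items()
                  if project & snippet_fingerprints(text, window))

# Constructed sample data: package names, versions and dates are made up.
INVENTORY = [Component("libfoo", "1.2.0"), Component("libbar", "3.0.1"),
             Component("libfoo", "2.1.0")]
FEED = [Advisory("CVE-XXXX-0001", "libfoo", "1.2.5", "2015-05-20"),
        Advisory("CVE-XXXX-0002", "libbar", "3.0.2", "2015-06-09"),
        Advisory("CVE-XXXX-0003", "libbaz", "0.9", "2015-06-01")]

if __name__ == "__main__":
    hits = vulnerable_components(INVENTORY, FEED)
    for comp, adv in hits:
        print(f"{comp.name} {comp.version}: {adv.cve_id} (fixed in {adv.fixed_in})")
    print("new since last scan:", [a.cve_id for _, a in new_since(hits, "2015-06-01")])
```

The plain "older than fixed_in" comparison is a simplification: real NVD records describe affected versions as CPE ranges, and a fix may be backported to an older branch, so production tooling should consume the feed's own range data rather than a single version.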
• 36. Scan results example (screenshot)
• 37. Conclusions
  – The application security world is fluid: create concrete, actionable strategies (Threat Metric, analysis & scanning)
  – Delivery cycles are short: update regularly with a well-defined process (Agile, CI)
  • 38. Q&A
  • 39. See us in action: www.roguewave.com Jeff Hildreth | jeff.hildreth@roguewave.com