A transformative force in
the software eco-system
Welcome!
The live event will begin at 2PM ET.
Q&A sessions with the presenters will follow.
Please have your speakers turned on.
Do you hear the music?
Tweet with us live @SWAMPTEAM & @TENandISE
Good Security Starts with
Software Assurance
Jan. 23, 2014
Agenda:
2:00pm EST – Welcome Remarks – Barton Miller
2:10pm EST – SWAMP High Level Overview – Pat Beyer
2:25pm EST – Executive Insight – Phil Agcaoili
2:45pm EST – Q&A
3:00pm EST – Program Conclusion
You may earn 1CPE for this event. If you would
like us to submit on your behalf, please email your
certification number to Deb Jones at
djones@ten-inc.com.
Welcome!
Prof. Barton P. Miller, Chief Scientist
Nothing New Under the Sun
In November 1988, Robert Morris Jr. released the first Internet
worm, which shut down a large part of the Internet:
The enabling exploit was a buffer overflow caused by not
checking the bounds on a C character buffer.
In 1989, we introduced fuzz random testing and studied the
robustness of system utilities on a wide variety of UNIX
implementations (and could crash 25-40% of them):
The #1 source of errors was unchecked bounds on strings.
Still this year, in the CWE/SANS Top 25 Most Dangerous
Software Errors (www.mitre.org/top25):
#3 on the list is unchecked bounds on strings.
And Plenty of New Stuff, Too
Since then, we also have to worry about:
Injections (SQL, command line, code)
Numeric attacks
Exception attacks
Race attacks (TOCTOU)
File path name manipulations
Privilege escalations
Sandbox escapes
VM escapes
DNS spoofing
Web attacks (cross site scripting, cross site forgeries, session
hijacking, open redirect)
… just to mention a few.
Your First Line of Defense: Clean Code
We need to teach our programmers to write code with
security in mind.
… and …
We need to equip them with the tools to help them do
so:
Software assurance tools are our first line of defense:
source code analysis, binary analysis, dynamic analysis,
and domain specific (mobile, web)
… and …
We need to make it easy to run these tools:
The SWAMP will be a key asset.
Run the Tools Early, Run Them Often
Build in security from day one, or the backlog of warnings becomes
overwhelming for the programmer to fix:
dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’:
dthread.h:132: warning: unused variable ‘result’
dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’:
dthread.h:140: warning: unused variable ‘result’
src/irpc.C: In member function ‘void
int_iRPC::setState(int_iRPC::State)’:
src/irpc.C:118: warning: unused variable ‘old_state’
src/irpc.C:119: warning: unused variable ‘new_state’
src/irpc.C: In member function ‘bool int_iRPC::saveRPCState()’:
src/irpc.C:714: warning: unused variable ‘result’
src/irpc.C:723: warning: unused variable ‘result’
src/irpc.C:736: warning: unused variable ‘result’
src/irpc.C:1030: warning: unused variable ‘result’
src/irpc.C:1041: warning: unused variable ‘result’
src/irpc.C:1081: warning: unused variable ‘result’
dyninst/proccontrol/src/response.h:35,
dyninst/proccontrol/src/int_process.h:39,
dyninst/proccontrol/src/mailbox.C:33:
dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’:
dthread.h:132: warning: unused variable ‘result’
dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’:
dthread.h:140: warning: unused variable ‘result’
Provide the Facilities Needed to
Run Them Early and Often
The SWAMP offers:
•The automation to run tools easily: applying a tool to
a new software package takes little effort.
•The automation to run tools often: feedback on
each code update or commit.
•The resources to run many tools over each software
package on each relevant platform.
•The smarts to combine results in unified reports.
•The ability to track progress and trends over time.
Help for Both the Novice and Expert
The novice will be able to start using assurance tools
with little effort or preparation.
With management guidance that requires clean commits,
the code stays in stable condition.
The expert does familiar tasks, but with less effort and
more precision.
Running tools is easier, tracking results is easier, and
understanding their performance over time is easier.
And Now, a Message from the
Front Lines
Vision of the SWAMP
Patrick D. Beyer PhD, PMP
Project Manager
Software Assurance Marketplace
Morgridge Institute for Research
THE SWAMP
This five year, $23M project is led by the
Morgridge Institute for Research, which also
provides a state-of-the-art, secure hosting facility.
What is the SWAMP?
The Software Assurance Marketplace is:
•5 year, $23 Million Grant
•Funded by Department of Homeland Security,
Science and Technology Directorate
•Goal is to build a facility where open source
software can be tested for vulnerabilities for FREE
•Give software researchers a place where they
can do research on new testing tools
Team Profile
Building and Operating the SWAMP is a joint effort of four research institutions
– Morgridge Institute for Research (lead), Indiana University, University of
Illinois Urbana Champaign and University of Wisconsin – Madison
The Problem
Increased Use of Open Source Software in
product development
•Why use Open Source Software*
• High reliability
• Peer Reviewed
• Low Cost
• Speeds Development cycle
•Concerns
• Unverified Code
• Unknown Source
• Hidden Vulnerabilities
* Open Source Initiative – opensource.org
Solution
Test and Analyze Open Source Software
•Many analysis tools available (not one size fits all)
•May require a dedicated test environment (sandbox)
•Cost/time prohibitive for small developers to maintain
tools
•Non-standard results from different tools
Continuous Integration
vs.
Continuous Assurance
Continuous integration (CI) is the practice, in
software engineering, of merging all developer
working copies with a shared mainline several
times a day.
Continuous Assurance (CoA) takes the
software engineering practice of Continuous
Integration to a new level. CoA incorporates SwA
tools into the frequent process of building and
testing the software throughout its life cycle.
Continuous Assurance Laboratory
(COSALAB)
Housed in the Wisconsin Institutes for Discovery
•Intel Xeon Processors
•700 cores
•5 TB of RAM
•104 TB of HDD space
•Capable of 12 teraFLOPS (12 trillion floating-point
operations per second)
Initial Operating Capabilities
Once Live, the SWAMP will give users access to:
•5 Assurance tools (2 Java, 3 C/C++)
•100 Packages (Code with Known Vulnerabilities
to test tools)
•Support for 8 Operating Systems (Linux,
Windows)
The SWAMP will provide a simple result
viewer:
•Output parsed to individual weaknesses with location
•A single software package can be assessed
multiple times
• Different Tools
• Different Tool Versions
• Different Operating Systems
• Multiple results merged, filtered and sorted
into a common viewer interface
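How a continuous-assurance step of the kind described above could take two tools' raw output, merge it into one weakness list per location, and fail a commit on findings that were not present in the previous run, as an added example (this is not code from the SWAMP, Code Dx or any of the tools named on the page). It assumes gcc-style "file:line: warning: message" diagnostics and cppcheck-style "[file:line]: (severity) message" text output; the severity scale, the two commits' outputs and the file names are all constructed for the example.

```python
import re
from collections import Counter

# Diagnostic formats handled here: gcc/clang "file:line[:col]: severity: msg" and
# cppcheck's plain-text "[file:line]: (severity) msg". These are assumptions about
# the tools' text output, not a SWAMP result format.
GCC_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+):(?:\d+:)? (?P<sev>warning|error): (?P<msg>.+)$")
CPPCHECK_RE = re.compile(r"^\[(?P<file>[^\]]+?):(?P<line>\d+)\]: \((?P<sev>\w+)\) (?P<msg>.+)$")

# Common severity scale the per-tool vocabularies are mapped onto (constructed).
SEVERITY_RANK = {"style": 0, "performance": 0, "warning": 1, "error": 2}

def parse_gcc(text):
    """Return [(file, line, severity, message)] from gcc-style output; context lines are dropped."""
    out = []
    for raw in text.splitlines():
        m = GCC_RE.match(raw.strip())
        if m:
            out.append((m["file"], int(m["line"]), m["sev"], m["msg"]))
    return out

def parse_cppcheck(text):
    """Same record shape for cppcheck-style text output; unknown severities rank as style."""
    out = []
    for raw in text.splitlines():
        m = CPPCHECK_RE.match(raw.strip())
        if m:
            out.append((m["file"], int(m["line"]), m["sev"].lower(), m["msg"]))
    return out

def merge(runs):
    """Fold every tool's findings into one record per (file, line), keeping each
    tool's own message, sorted worst severity first and then by location."""
    unified = {}
    for tool, findings in runs.items():
        for file, line, sev, msg in findings:
            rec = unified.setdefault((file, line), {"file": file, "line": line, "severity": "style", "tools": {}})
            rec["tools"][tool] = (sev, msg)
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(rec["severity"], 0):
                rec["severity"] = sev
    return sorted(unified.values(),
                  key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["file"], r["line"]))

def new_findings(current_runs, baseline_runs):
    """Findings in the current assessment with no counterpart in the previous one.
    Matching is by (tool, file, message) count rather than by line number, so an
    edit that shifts code down a few lines does not re-report every old finding."""
    remaining = Counter((tool, f, m) for tool, fs in baseline_runs.items() for f, _, _, m in fs)
    new = []
    for tool, fs in current_runs.items():
        for f, line, sev, m in fs:
            if remaining[(tool, f, m)] > 0:
                remaining[(tool, f, m)] -= 1
            else:
                new.append((tool, f, line, sev, m))
    return new

def gate(new, fail_at="error"):
    """Commit gate: True (pass) unless some new finding reaches the fail_at severity."""
    return not any(SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[fail_at] for _, _, _, sev, _ in new)

# Constructed sample output for two consecutive commits (not real tool runs).
BASELINE_RUNS = {
    "gcc": parse_gcc("""\
src/irpc.C: In member function 'bool int_iRPC::saveRPCState()':
src/irpc.C:712: warning: unused variable 'result'
src/irpc.C:721: warning: unused variable 'result'
src/net.c:91: warning: format not a string literal and no format arguments
"""),
    "cppcheck": parse_cppcheck("""\
[src/net.c:91]: (warning) Format string used without arguments
"""),
}
CURRENT_RUNS = {
    "gcc": parse_gcc("""\
src/irpc.C: In member function 'bool int_iRPC::saveRPCState()':
src/irpc.C:714: warning: unused variable 'result'
src/irpc.C:723: warning: unused variable 'result'
src/net.c:91: warning: format not a string literal and no format arguments
"""),
    "cppcheck": parse_cppcheck("""\
[src/net.c:91]: (warning) Format string used without arguments
[src/net.c:120]: (error) Buffer is accessed out of bounds: buf
"""),
}

def assess():
    """Unified report for the current commit plus the gate decision against the baseline."""
    merged = merge(CURRENT_RUNS)
    new = new_findings(CURRENT_RUNS, BASELINE_RUNS)
    return merged, new, gate(new)

if __name__ == "__main__":
    merged, new, passed = assess()
    for r in merged:
        print(f"{r['severity']:8} {r['file']}:{r['line']}  tools={sorted(r['tools'])}")
    print("new:", [(t, f, l) for t, f, l, _, _ in new], "gate:", "PASS" if passed else "FAIL")
```

In the constructed data the two unused-variable warnings moved down two lines between commits and are correctly treated as old; the only new finding is the cppcheck out-of-bounds error, so the gate fails. The (tool, file, message) matching is deliberately loose: it tolerates line shifts, but a finding that is fixed and a new one with the same message introduced elsewhere in the same file will be counted as old, which is why production viewers fingerprint findings on surrounding source context rather than on the message alone.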
Results Viewer
The SWAMP will provide a Commercial Viewing
Tool: Code Dx (DHS SwA Grant Performer)
Code Dx is a software assurance visual analytics
tool that is being built by Secure Decisions to
visualize and correlate weakness data from
disparate code analysis tools, putting them into the
proper context for effective triage and mitigation.
SWAMP Core Services
• Manage Accounts, Projects and Access Control
• Manage Software Packages and SwA Tools
• Assess a Software Package
• View Assessment Results and the Dashboard
• Conduct Continuous Assurance
[Workflow diagram] Join SWAMP → Run an Assessment (Build, Assessment, Run) → View Results, drawing on the SWAMP standard tools/packages.
Future Capabilities
Software Assurance
Executive Insight
Phil Agcaoili
Jan. 23, 2014
“An ounce of prevention
beats a pound of cure.”
~Ben Franklin
Discussion Points
• The Ubiquitous Presence of Software
• The Appetite for Assured Software
• Assured Software is Smartware
• By the Numbers
• Assured Software Benefits
• The Path Forward
The Ubiquitous Presence of Software
It’s the driving force behind day-to-day life (literally)
•Right now, you are reading this rendering enabled by millions of lines of code…software
•Transportation: It runs your car’s Controller Area Network (CAN) bus and manages
control surfaces and a whole bunch of other stuff on aircraft…software
•Power: utilities, water, natural gas all delivered via...software
•Banking and finance: ATM, POS systems...yup software
•Manufacturing: Oh, that precision targeting maneuver performed by the gamma knife at
the medical center…..uh-huh, software controlled
We put a lot of faith in unassured and incompetent software. Would you let a 7 year old
drive you around on the highway? Pilot an aircraft or balance your checkbook?
The Appetite for Assured Software
The organizational appetite for assured software is driven by the
net losses realized from compromised software
•The consumer has been living with nearly 60 years of poorly developed and incompetent
software.
•Hundreds of millions of dollars are spent annually on post software compromise and
incident recovery, lost opportunities and productivity (ask me).
•Insecure software represents a pervasive kinetic threat to critical infrastructure and our
way of life…..make no mistake about it.
The prudent approach is to take a proactive one. That is, software assurance measures
must be a top integration priority in the enterprise cyber security risk management
schema.
Assured Software is Smartware
Smartware is software which contains superior quantitative and
qualitative attributes. It is:
•Secure – Free of common vulnerabilities and exposures
•Safe – Any single function does not conflict or impede upon other software functions
resulting in severe and deleterious outcomes
•Reliable – Code can perform repeatedly, as expected, over extended periods of time
without degradation
•Functional – Code is efficient and is designed to only perform a discrete (purposeful)
function and no more
•Extensible – Code is modular and has strong reuse characteristics (secure, safe, reliable
and functional)
By the Numbers
Feel my pain. Lack of a good software assurance program is a painful
experience
At one time, 127 applications were tested and:
•81 (64%) contained high vulnerabilities that facilitated exposure of sensitive data or system
take over;
•45 applications (36%) exposed Personally Identifiable Information (PII)
At another time, 50 applications were tested and:
•41 applications (82%) hosted OWASP top 10 defects
•5 applications (10%) taken offline due to high risk
•19 (38%) contained high vulnerabilities that facilitated exposure of sensitive data or system
take over
•12 applications (24%) exposed PII
Assured Software Benefits
Programs such as the SWAMP provide excellent bottom line and
programmatic benefits.
•Over time, application development gets faster and software quality increases
significantly because developers learn to code securely (Thank you John Keane)
•Program managers can clearly demonstrate cost avoidance through defect identification
and remediation during the development and test stages
•Software built under assurance standards and processes streamlines security approvals.
Subsequent applications that adhere to the same standards can readily inherit
accreditation and authorization
The Path Forward
The SWAMP is ripe for providing assurances that software is secure.
The time to implement software assurance in the development lifecycle
is now.
•Patching is passé. Frankly, I’m tired of buying toys that are already broken when I take them
out of the box
•Given the austere budget environment, showing value through ROI and cost avoidance goes
a very, very long way
•The SWAMP provides mechanisms that can render the security posture of the enterprise
measurably better
•Community. This must be a community effort. No single tool, process, person or organization
can solve this issue. While this challenge appears intractable, it is not. The whole is in fact
greater than the sum of its parts and to that end, we must continue to take on the challenge as
a community.
Things I challenge you to think about….
• Is software security important for you and your
company? If not, why?
• Where have you been successful promoting and
implementing application security?
• Where are you stuck?
• What's holding you back?
• Funding? Support? The need to deliver over security?
• How do we fix this?
Any questions?
Thank you for attending!
An on-demand version of today’s event with Q&A
session will be offered soon for viewing by you
and your colleagues. An announcement will be
emailed when the on-demand event premieres.
@SWAMPTEAM

Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Phil Agcaoili
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Phil Agcaoili
 
Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say? Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say? Phil Agcaoili
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidAECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidPhil Agcaoili
 
2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?Phil Agcaoili
 
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...Phil Agcaoili
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityPhil Agcaoili
 
Southern Risk Council - Cybersecurity Update 10-9-13
Southern Risk Council - Cybersecurity  Update 10-9-13Southern Risk Council - Cybersecurity  Update 10-9-13
Southern Risk Council - Cybersecurity Update 10-9-13Phil Agcaoili
 
CSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityCSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityPhil Agcaoili
 
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsCSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsPhil Agcaoili
 
Moneysec - Moneyball for Security
Moneysec - Moneyball for SecurityMoneysec - Moneyball for Security
Moneysec - Moneyball for SecurityPhil Agcaoili
 
IAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 FebruaryIAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 FebruaryPhil Agcaoili
 
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312Phil Agcaoili
 
2013 Democratization Of Technology How Cloud And Consumerization Change Eve...
2013 Democratization Of Technology   How Cloud And Consumerization Change Eve...2013 Democratization Of Technology   How Cloud And Consumerization Change Eve...
2013 Democratization Of Technology How Cloud And Consumerization Change Eve...Phil Agcaoili
 

More from Phil Agcaoili (20)

Cybersecurity Market 2020 - Bring the Noise
Cybersecurity Market 2020 - Bring the NoiseCybersecurity Market 2020 - Bring the Noise
Cybersecurity Market 2020 - Bring the Noise
 
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
4th Industrial Revolution (4IR) - Cyber Canaries Get Out of the Mine
 
2016 ISSA Conference Threat Intelligence Keynote philA
2016 ISSA Conference Threat Intelligence Keynote philA2016 ISSA Conference Threat Intelligence Keynote philA
2016 ISSA Conference Threat Intelligence Keynote philA
 
CSA Atlanta Q1'2016 Chapter Meeting
CSA Atlanta Q1'2016 Chapter MeetingCSA Atlanta Q1'2016 Chapter Meeting
CSA Atlanta Q1'2016 Chapter Meeting
 
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management an...
 
2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6
 
Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say? Data Breaches. Are you next? What does the data say?
Data Breaches. Are you next? What does the data say?
 
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and AfraidAECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
AECF: A Look into Cyber Crime - Doomsday Preppers for the Naked and Afraid
 
2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?2014 - KSU - So You Want to Be in Cyber Security?
2014 - KSU - So You Want to Be in Cyber Security?
 
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
CSA Atlanta and Metro Atlanta ISSA Chapter Meeting May 2014 - Key Threats to ...
 
What CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber SecurityWhat CIOs and CFOs Need to Know About Cyber Security
What CIOs and CFOs Need to Know About Cyber Security
 
Southern Risk Council - Cybersecurity Update 10-9-13
Southern Risk Council - Cybersecurity  Update 10-9-13Southern Risk Council - Cybersecurity  Update 10-9-13
Southern Risk Council - Cybersecurity Update 10-9-13
 
CSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber SecurityCSO Magazine Confab 2013 Atlanta - Cyber Security
CSO Magazine Confab 2013 Atlanta - Cyber Security
 
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA AnnouncementsCSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
CSA Atlanta Chapter Meeting Q1'2013 and RSA Conference 2013 CSA Announcements
 
Moneysec - Moneyball for Security
Moneysec - Moneyball for SecurityMoneysec - Moneyball for Security
Moneysec - Moneyball for Security
 
IAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 FebruaryIAPP Atlanta Chapter Meeting 2013 February
IAPP Atlanta Chapter Meeting 2013 February
 
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
Cloud Security Alliance (CSA) Chapter Meeting Atlanta 082312
 
2013 Democratization Of Technology How Cloud And Consumerization Change Eve...
2013 Democratization Of Technology   How Cloud And Consumerization Change Eve...2013 Democratization Of Technology   How Cloud And Consumerization Change Eve...
2013 Democratization Of Technology How Cloud And Consumerization Change Eve...
 

Recently uploaded

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Good Security Starts with Software Assurance - Software Assurance Market Place (SWAMP) - DHS Continuous Assurance

  • 1. A transformative force in the software eco-system Welcome! The live event will begin at 2PM ET. Q&A sessions with the presenters will follow. Please have your speakers turned on. Do you hear the music? Tweet with us live @SWAMPTEAM & @TENandISE
  • 2. A transformative force in the software eco-system Good Security Starts with Software Assurance Jan. 23, 2014
  • 3. Agenda Agenda: 2:00pm EST – Welcome Remarks – Barton Miller 2:10pm EST – SWAMP High Level Overview – Pat Beyer 2:25pm EST – Executive Insight – Phil Agcaoili 2:45pm EST – Q&A 3:00pm EST – Program Conclusion You may earn 1 CPE for this event. If you would like us to submit on your behalf, please email your certification number to Deb Jones at djones@ten-inc.com.
  • 4. A transformative force in the software eco-system Welcome! Prof. Barton P. Miller, Chief Scientist
  • 5. Nothing New Under the Sun In November 1988, Robert Morris Jr. released the first Internet worm, which shut down the entire Internet (literally): The enabling exploit was a buffer overflow caused by not checking the bounds on a C character buffer. In 1989, we introduced fuzz random testing and studied the robustness of system utilities on a wide variety of UNIX implementations (and could crash 25-40% of them): The #1 source of errors was unchecked bounds on strings. Still this year, in the CWE/SANS Top 25 Most Dangerous Software Errors (www.mitre.org/top25): #3 on the list is unchecked bounds on strings.
  • 6. And Plenty of New Stuff, Too Since then, we also have to worry about: Injections (SQL, command line, code) Numeric attacks Exception attacks Race attacks (TOCTOU) File path name manipulations Privilege escalations Sandbox escapes VM escapes DNS spoofing Web attacks (cross site scripting, cross site forgeries, session hijacking, open redirect) … just to mention a few.
  • 7. Your First Line of Defense: Clean Code We need to teach our programmers to write code with security in mind. … and … We need to equip them with the tools to help them do so: Software assurance tools are our first line of defense: source code analysis, binary analysis, dynamic analysis, and domain specific (mobile, web) … and … We need to make it easy to run these tools: The SWAMP will be a key asset.
  • 8. Run the Tools Early, Run Them Often Build in security from day one, or the task becomes overwhelming for the programmer to fix them all: dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’: dthread.h:132: warning: unused variable ‘result’ dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’: dthread.h:140: warning: unused variable ‘result’ src/irpc.C: In member function ‘void int_iRPC::setState(int_iRPC::State)’: src/irpc.C:118: warning: unused variable ‘old_state’ src/irpc.C:119: warning: unused variable ‘new_state’ src/irpc.C: In member function ‘bool int_iRPC::saveRPCState()’: src/irpc.C:714: warning: unused variable ‘result’ src/irpc.C:723: warning: unused variable ‘result’ src/irpc.C:736: warning: unused variable ‘result’ src/irpc.C:1030: warning: unused variable ‘result’ src/irpc.C:1041: warning: unused variable ‘result’ src/irpc.C:1081: warning: unused variable ‘result’ dyninst/proccontrol/src/response.h:35, dyninst/proccontrol/src/int_process.h:39, dyninst/proccontrol/src/mailbox.C:33: dthread.h: In constructor ‘ScopeLock::ScopeLock(Mutex&)’: dthread.h:132: warning: unused variable ‘result’ dthread.h: In constructor ‘ScopeLock::ScopeLock(CondVar&)’: dthread.h:140: warning: unused variable ‘result’
  • 9. Provide the Facilities Needed to Run Them Early and Often The SWAMP offers: •The automation to run tools easily: applying a tool to a new software package takes little effort. •The automation to run tools often: get feedback on each code update or commit. •The resources to run many tools over each software package on each relevant platform. •The smarts to combine results in unified reports. •The ability to track progress and trends over time.
  • 10. Help for Both the Novice and Expert The novice will be able to start using assurance tools with little effort or preparation. With management guidance that requires clean commits, the code stays in stable condition. The expert does familiar tasks, but with less effort and more precision. Running tools is easier, tracking results is easier, and understanding their performance over time is easier.
  • 11. And Now, a Message from the Front Lines
  • 12. A transformative force in the software eco-system Vision of the SWAMP Patrick D. Beyer PhD, PMP Project Manager Software Assurance Marketplace Morgridge Institute for Research
  • 13. THE SWAMP This five year, $23M project is led by the Morgridge Institute for Research, which also provides a state-of-the-art, secure hosting facility.
  • 14. What is the SWAMP? The Software Assurance Marketplace is: •A 5 year, $23 Million Grant •Funded by the Department of Homeland Security, Science and Technology Directorate •Goal is to build a facility where open source software can be tested for vulnerabilities for FREE •Gives software researchers a place where they can do research on new testing tools
  • 15. Team Profile Building and Operating the SWAMP is a joint effort of four research institutions – Morgridge Institute for Research (lead), Indiana University, University of Illinois Urbana Champaign and University of Wisconsin – Madison
  • 16. The Problem Increased Use of Open Source Software in product development •Why use open Source Software* • High reliability • Peer Reviewed • Low Cost • Speeds Development cycle •Concerns • Unverified Code • Unknown Source • Hidden Vulnerabilities * Open Source Initiative – opensource.org
  • 17. Solution Test and Analyze Open Source Software •Many analysis tools are available (not one size fits all) •May require a dedicated test environment (sandbox) •Cost/time prohibitive for small developers to maintain tools •Non-standard results from different tools
  • 18. Continuous Integration vs. Continuous Assurance Continuous integration (CI) is the practice, in software engineering, of merging all developer working copies with a shared mainline several times a day. Continuous Assurance (CoA) takes the software engineering practice of Continuous Integration to a new level. CoA incorporates SwA tools into the frequent process of building and testing the software throughout its life cycle.
  • 19. Continuous Assurance Laboratory (COSALAB) Housed in the Wisconsin Institutes for Discovery •Intel Xeon Processors •700 cores •5 TB of RAM •104 TB of HDD space •Capable of 12 teraFLOPS (12 trillion floating-point operations per second)
  • 20. Initial Operating Capabilities Once Live, the SWAMP will give users access to: •5 Assurance tools (2 Java, 3 C/C++) •100 Packages (Code with Known Vulnerabilities to test tools) •Support for 8 Operating Systems (Linux, Windows)
  • 21. The SWAMP will provide a simple result viewer: •Output parsed to individual weaknesses with location •A single software package can be assessed multiple times • Different Tools • Different Tool Versions • Different Operating Systems • Multiple results merged, filtered and sorted into a common viewer interface Results Viewer
  • 22. Results Viewer The SWAMP will provide a Commercial Viewing Tool: Code Dx (DHS SwA Grant Performer) Code Dx is a software assurance visual analytics tool that is being built by Secure Decisions to visualize and correlate weakness data from disparate code analysis tools, putting them into the proper context for effective triage and mitigation.
  • 23. SWAMP Core Services • Manage Accounts, Projects and Access Control • Manage Software Packages and SwA Tools • Assess a Software Package • View Assessment Results and the Dashboard • Conduct Continuous Assurance JOIN SWAMP JOIN SWAMP Build Assessment Run Build Assessment Run RUN AN ASSESSMENT RUN AN ASSESSMENT VIEW RESULTS VIEW RESULTS SWAMP Standard Tools/Packages SWAMP Standard Tools/Packages
  • 25. A transformative force in the software eco-system Software Assurance Executive Insight Phil Agcaoili Jan. 23, 2014
  • 26. “An ounce of prevention beats a pound of cure.” ~Ben Franklin
  • 27. Discussion Points • The Ubiquitous Presence of Software • The Appetite for Assured Software • Assured Software is Smartware • By the Numbers • Assured Software Benefits • The Path Forward
  • 28. The Ubiquitous Presence of Software It’s the driving force behind day-to-day life (literally) •Right now, you are reading this rendering enabled by millions of lines of code…software •Transportation: It runs your car’s Controller Area Network (CAN) bus and manages control surfaces and a whole bunch of other stuff on aircraft…software •Power: utilities, water, natural gas all delivered via...software •Banking and finance: ATM, POS systems...yup, software •Manufacturing: Oh, that precision targeting maneuver performed by the gamma knife at the medical center…..uh-huh, software controlled We put a lot of faith in unassured and incompetent software. Would you let a 7-year-old drive you around on the highway? Pilot an aircraft or balance your checkbook?
  • 29. The Appetite for Assured Software The organizational appetite for assured software is driven by the net losses realized from compromised software •The consumer has been living with nearly 60 years of poorly developed and incompetent software. •Hundreds of millions of dollars are spent annually on post software compromise and incident recovery, lost opportunities and productivity (ask me). •Insecure software represents a pervasive kinetic threat to critical infrastructure and our way of life…..make no mistake about it. The prudent approach is to take a proactive one. That is, software assurance measures must be a top integration priority in the enterprise cyber security risk management schema.
  • 30. Assured Software is Smartware Smartware is software which contains superior quantitative and qualitative attributes. It is: •Secure – Free of common vulnerabilities and exposures •Safe – No single function conflicts with or impedes other software functions in a way that results in severe and deleterious outcomes •Reliable – Code can perform repeatedly, as expected, over extended periods of time without degradation •Functional – Code is efficient and is designed to only perform a discrete (purposeful) function and no more •Extensible – Code is modular and has strong reuse characteristics (secure, safe, reliable and functional)
  • 31. By the Numbers Feel my pain. Lack of a good software assurance program is a painful experience. At one time – 127 applications were tested and: •81 (64%) contained high vulnerabilities that facilitated exposure of sensitive data or system take over; •45 applications (36%) exposed Personally Identifiable Information (PII) At another time – 50 applications were tested and: •41 applications (82%) hosted OWASP top 10 defects •5 applications (10%) taken offline due to high risk •19 (38%) contained high vulnerabilities that facilitated exposure of sensitive data or system take over •12 applications (24%) exposed PII
  • 32. Assured Software Benefits Programs such as the SWAMP provide excellent bottom line and programmatic benefits. •Over time, application development gets faster and software quality increases significantly because developers learn to code securely (Thank you John Keane) •Program managers can clearly demonstrate cost avoidance through defect identification and remediation during the development and test stages •Software built under assurance standards and processes streamlines security approvals. Subsequent applications that adhere to the same standards can readily inherit accreditation and authorization
  • 33. The Path Forward The SWAMP is ripe for providing assurances that software is secure. The time to implement software assurance in the development lifecycle is now. •Patching is passé. Frankly, I’m tired of buying toys that are already broken when I take them out of the box •Given the austere budget environment, showing value through ROI and cost avoidance goes a very, very long way •The SWAMP provides mechanisms that can render the security posture of the enterprise “measurably better” •Community. This must be a community effort. No single tool, process, person or organization can solve this issue. While this challenge appears intractable, it is not. The whole is in fact greater than the sum of its parts and to that end, we must continue to take on the challenge as a community.
  • 34. Things I challenge you to think about: • Is software security important for you and your company? If not, why? • Where have you been successful promoting and implementing application security? • Where are you stuck? • What's holding you back? • Funding? Support? The need to deliver over security? • How do we fix this?
  • 36. A transformative force in the software eco-system Thank you for attending! An on-demand version of today’s event with Q&A session will be offered soon for viewing by you and your colleagues. An announcement will be emailed when the on-demand event premieres. @SWAMPTEAM
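The workflow that slides 8, 9, 18 and 21 describe (run the tools on every commit, parse each tool's raw output into individual weaknesses with a file and line, merge the results of different tools into one sorted view, and track what changed since the last run) can be sketched in a few dozen lines. The Python below is an added example, not SWAMP code and not the presenters' code. The compiler lines are constructed in the same `file:line: warning: message` shape as the warnings on slide 8; the second tool, its `[RULE]` output format, its rule ids and the names `compiler` and `analyzer` are hypothetical.

```python
"""Added example: normalize findings from two analysis tools into one
weakness record per (file, line, category), merge and sort them into a
single report, and flag findings that are new relative to a baseline run
so a commit can be gated on them (continuous assurance)."""
import re
from dataclasses import dataclass

# Constructed sample output from a C compiler, in the same
# 'file:line: warning: message' shape as the warnings shown on slide 8.
# The 'In constructor ...' context lines carry no location and are skipped.
COMPILER_OUTPUT = """\
dthread.h: In constructor 'ScopeLock::ScopeLock(Mutex&)':
dthread.h:132: warning: unused variable 'result'
src/irpc.C: In member function 'bool int_iRPC::saveRPCState()':
src/irpc.C:714: warning: unused variable 'result'
src/irpc.C:723: warning: unused variable 'result'
src/irpc.C:118: warning: unused variable 'old_state'
"""

# Constructed sample output from a hypothetical second analyzer whose
# format is 'file:line:col: [RULE] message'. The rule ids are made up.
ANALYZER_OUTPUT = """\
src/irpc.C:118:9: [UNUSED_VAR] variable 'old_state' is assigned but never read
src/irpc.C:902:5: [BUF_OVERRUN] possible write past end of fixed-size buffer 'name'
"""

COMPILER_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+): warning: (?P<msg>.+)$")
ANALYZER_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+):\d+: \[[A-Z_]+\] (?P<msg>.+)$")


@dataclass(frozen=True)
class Weakness:
    tool: str
    file: str
    line: int
    kind: str      # tool-independent category, used as the merge key
    message: str   # the tool's own wording, kept for the viewer

    def key(self):
        return (self.file, self.line, self.kind)


def classify(message):
    """Map tool-specific wording onto a shared category so that two tools
    reporting the same defect at the same location merge into one record."""
    m = message.lower()
    if "unused variable" in m or "never read" in m:
        return "unused-variable"
    if "past end" in m or "overrun" in m or "overflow" in m:
        return "buffer-bounds"
    return "other"


def parse_output(tool, text, pattern):
    """Turn one tool's raw text into Weakness records; lines without a
    location (or in another format) are dropped rather than guessed at."""
    found = []
    for raw in text.splitlines():
        m = pattern.match(raw.strip())
        if m:
            msg = m.group("msg")
            found.append(Weakness(tool, m.group("file"), int(m.group("line")),
                                  classify(msg), msg))
    return found


def merge(findings):
    """Group records from all tools by (file, line, kind). The value is the
    list of records, so the viewer can show which tools agreed."""
    merged = {}
    for w in findings:
        merged.setdefault(w.key(), []).append(w)
    return merged


def sorted_report(merged):
    """Common viewer order: by file, then line, then category."""
    return sorted(merged.items(), key=lambda kv: kv[0])


def new_since(current, baseline):
    """Keys present in the current run but absent from the baseline run.
    A continuous-assurance gate fails the commit when this is non-empty."""
    return {k: v for k, v in current.items() if k not in baseline}


def run_pipeline():
    # Baseline: the previous run had only the compiler; the current run
    # adds the second analyzer, which finds one new weakness.
    baseline = merge(parse_output("compiler", COMPILER_OUTPUT, COMPILER_RE))
    current = merge(parse_output("compiler", COMPILER_OUTPUT, COMPILER_RE)
                    + parse_output("analyzer", ANALYZER_OUTPUT, ANALYZER_RE))
    return {"baseline": baseline, "current": current,
            "new": new_since(current, baseline)}


if __name__ == "__main__":
    result = run_pipeline()
    for (file, line, kind), records in sorted_report(result["current"]):
        tools = ",".join(sorted({r.tool for r in records}))
        flag = "NEW" if (file, line, kind) in result["new"] else "   "
        print(f"{flag} {file}:{line} {kind:16} [{tools}]")
    # Non-zero exit makes a CI job fail on newly introduced weaknesses.
    raise SystemExit(1 if result["new"] else 0)
```

Merging on a tool-independent category rather than on the tools' exact wording is what lets the `old_state` warning from the compiler and the same defect from the second analyzer collapse into one record that lists both tools; the per-commit gate then only reacts to findings that were not in the previous run, which is the "track progress over time" behaviour the slides ask for.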

Editor's Notes

  1. DHS estimates that about 300 medical devices from 40 different vendors are susceptible to hacking. Stealing WIFI. Controlling your computer using a virus. Can connect to your car using Bluetooth / cell connections. Flushing toilets in Japan.