This document discusses integrating application security testing into the software development life cycle (SDLC) using automated cloud security services. It notes that while development teams understand the importance of security, they often do not practice secure development lifecycles due to lack of education, increased complexity, and security being seen as someone else's job. The document proposes that automated cloud security services could help solve this problem by testing applications continuously throughout the development process. It demonstrates how such a service could work through an interactive demo.
2. Source: 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute LLC
• $1,599,996: average post data breach cost in the U.S.
• $3,324,959: average lost business costs in the U.S.
3. Agenda
• What is Secure Development Life Cycle?
• Why don’t development teams practice SDLC?
• Can Automated Cloud Security Services be the answer?
• Demo
6. Developers vs. Security
[Pipeline banner shown on this and the following slides: Coding, Build, QA, Security, Production]
DEVELOPERS
• Lack education
• Increased complexity
• “Not my job”
SECURITY
• SDLC bottleneck
• Testing just before release
• Too many apps to test
7. Most issues are found by security auditors prior to going live.
[Chart: security testing within the SDLC; y-axis "% of issues found", x-axis SDLC stages Requirements, Definition, Coding, Build, QA, Security, Production]
8. Reduce Cost by Finding Vulnerabilities Early
• Find during Development: $80/defect
• Find during Build: $240/defect
• Find during QA/Test: $960/defect
• Find in Production: $7,600/defect
80% of development costs are spent identifying and correcting defects!*
* Source: National Institute of Standards and Technology
9. Desired profile
[Chart: security testing within the SDLC; y-axis "% of issues found", showing the desired distribution of findings across SDLC stages]
24. What if I don’t have UrbanCode Deploy?
Automated Cloud Security Services to the Rescue
https://hub.jazz.net/project/erezro/Application Security Testing/overview
25. Try it now!
Get your 30-day AppScan Mobile Analyzer free trial: https://AppScan.ibmcloud.com
For more information visit our product pages on ibm.com:
• IBM Security AppScan Mobile Analyzer
• IBM Security AppScan Dynamic Analyzer
• Video: Using AppScan Mobile Analyzer
• Video: Identify & Remediate Application Security Vulnerabilities Effectively
27. Notices and Disclaimers (cont.)
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products in connection with this
publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to
interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any
IBM patents, copyrights, trademarks or other intellectual property right.
• IBM, the IBM logo, ibm.com, Bluemix, Blueworks Live, CICS, Clearcase, DOORS®, Enterprise Document
Management System™, Global Business Services ®, Global Technology Services ®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™,
PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®,
pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, SoDA, SPSS, StoredIQ, Tivoli®, Trusteer®,
urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of
International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
28. Thank You
Your Feedback is Important!
Access the InterConnect 2015 Conference Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.
29. Appendix A: How to rescan the same application?
In order to rescan the same application (and enjoy the current 30-day free rescan period) you need to supply the scan id of the original scan. You can extract the original scan id from the output of the UrbanCode plugin or the Ant target that you ran. Then supply this scan id in the UrbanCode plugin properties or as an attribute for the Ant target.
30. Appendix B: Bluemix services login credentials
In order to use the UrbanCode plugin or the Ant targets for Bluemix services you need to supply the binding id and password as the login credentials. You receive the binding id and password after creating an application in Bluemix and binding a service to that application.
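The two appendix steps together, as an added example that is not part of the slides or of IBM's plugin or Ant tasks: a small CI wrapper that pulls the scan id out of the previous run's output (Appendix A) and takes the binding id and password from the environment rather than from build.xml (Appendix B). The output format, the environment variable names and the `appscan.*` Ant property names are all assumptions made for this example.

```python
"""Added example: prepare an AppScan rescan via an Ant target.
Property names, log format and env var names are hypothetical."""
import re
from typing import Optional

# Assumed shape of the line the original scan printed (constructed).
SCAN_ID_PATTERN = re.compile(r"\bscan id[:=]\s*([A-Za-z0-9-]+)", re.IGNORECASE)


def extract_scan_id(previous_output: str) -> Optional[str]:
    """Scan id from a previous run's output, or None on the first scan."""
    match = SCAN_ID_PATTERN.search(previous_output)
    return match.group(1) if match else None


def bluemix_credentials(env: dict) -> tuple:
    """Binding id and password from the Bluemix service binding (Appendix B).
    Read from the environment so they are never committed to build.xml.
    The variable names are assumptions."""
    try:
        return env["APPSCAN_BINDING_ID"], env["APPSCAN_BINDING_PASSWORD"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential {missing}") from None


def ant_command(env: dict, previous_output: str = "", target: str = "appscan") -> list:
    """Ant command line; the appscan.* property names are hypothetical."""
    binding_id, password = bluemix_credentials(env)
    cmd = ["ant", target,
           f"-Dappscan.binding.id={binding_id}",
           f"-Dappscan.binding.password={password}"]
    scan_id = extract_scan_id(previous_output)
    if scan_id:  # rescan: reuse the id so the free rescan period applies
        cmd.append(f"-Dappscan.scan.id={scan_id}")
    return cmd


def redacted(cmd: list) -> str:
    """Printable form for the build log with the password masked."""
    return " ".join(re.sub(r"(password=).*", r"\1***", arg) for arg in cmd)


if __name__ == "__main__":
    # Constructed sample of what the original scan wrote to the build log.
    PREVIOUS = "Scan submitted. Scan ID: 9f3c2a1b-demo\nStatus: completed\n"
    sample_env = {"APPSCAN_BINDING_ID": "binding-demo",
                  "APPSCAN_BINDING_PASSWORD": "s3cret"}
    print(redacted(ant_command(sample_env, PREVIOUS)))
```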