The document discusses SoftServe's security services and approach to application security testing. It provides an overview of typical security reports, how the security process often looks in reality versus how it should ideally be, and how SoftServe aims to minimize repetitive security issues through practices like automated security tests, secure coding trainings, and vulnerability scans integrated into continuous integration/delivery pipelines. The document also discusses benefits of SoftServe's internal security testing versus outsourcing to third parties, like catching problems earlier and improving a development team's security expertise.

1. Security Services and
Approach
• Nazar Tymoshyk, SoftServe

2. Typical problem on project

3. Typical Security Report
delivered by Security Testing Team

4. Typical Security Report
delivered by AUDITOR

5. How security process
looks in reality
Than start process of re-Coding, re-Building, re-Testing, re-Auditing
3rd party or internal audit
Tone of
security
defects
BACK to re-Coding, re-Building, re-Testing, re-Auditing
TIME to FIX

6. How much time you need to fix security
issues in app?

7. How it should look like
With proper Security Program number of
security defects should decrease from phase
to phase
Automated
security
Tests
CI
integrated
Manual
Security/penetration
Testing
OWASP methodology
Secure
Coding
trainings
Regular
Vulnerability
Scans

8. Minimize the costs of the Security related issues
Avoid repetitive security issues
Avoid inconsistent level of the security
Determine activities that pay back faster during current
state of the project
Primary Benefits

9. Simple ROI of Product security

10. Ok, we will bay Security Tool
and scan our code…

11. Top AST Tools 2013
Which one likes you?
Average Price near
$100K

12. Why code analysis do
not resolve all problems?
Many of the CWE vulnerability
types, are design issues, or
business logic issues.
Application security testing tools are
being sold as a solution to the problem of
insecure software.

13. 55%45%
Ability of Security Tools to identify real vulnerability
Not Covered Claimed Coverage
13
Tools – At Best 12%
 MITRE found that all application
security tool vendors’ claims put
together cover only 45% of the
known vulnerability types (695)
 They found very little overlap
between tools, so to get 45%
you need them all (assuming
their claims are true)
 Based on this new data from the
CSA at the NSA, SAST has 12%
vulnerability coverage
MITRE's study

14. Security Tooling – No
Silver Bullet
Design Flaws Security Bugs
1. Occur during the architecture phase
2. High level
3. More expensive to remediate –
requires architectural changes
4. Requires human analysis to uncover
5. Logical defects
6. Rights separation
7. Complex attack vectors
8. Defects in architecture and design
9. Real Cryptography level
1. Occur curing the code phase
2. Code level - Looking for known,
defined and predictable patterns
3. Cheaper to remediate – requires code
changes
4. Can be identified using automated
tools
Can be resolved by:
SoftServe Expert
Can be resolved by:
Security Tool (Veracode, IBM
Appscan,, HP Fortify SCA
Both security tooling and security assessments are required to
address both types of vulnerabilities

15. QA Engineer Security Analyst
In functional and performance testing,
the expected results are documented
before the test begins, and the quality
assurance team looks at how well the
expected results match the actual results
In security testing, security
analysts team is concerned
only with unexpected results
and testing for the unknown
and looking for weaknesses.
VS.

16. Manual Pen testing
Manual penetration testing adds the benefit of specialized human expertise to our
automated static and dynamic analysis — and it uses the same methodology cyber-
criminals use to exploit application weaknesses such as business logic vulnerabilities.
Manual Penetration Testing involves one or more security experts performing tests
and simulating “in the wild” attacks. The goal of such testing is to determine the
potential for an attacker to successfully access and perform a variety of malicious
activities by exploiting vulnerabilities, either previously known or unknown, in the
software.
The results of this review will help strengthen the established security controls,
standards, and procedures to prevent unauthorized access to the organizational
systems, applications, and critical resources. As a result of SoftServe tests, the
SoftServe will prepare detailed work papers documenting the tests performed, a
report of SoftServe findings including recommendations for additional security
controls as required.
SoftServe MPT is designed to compliment and extend an automated assessment

17. What we propose

18. Agile Secure Development Lifecycle
•Every-Sprint practices: Essential security
practices that should be performed in
every release.
•Bucket practices: Important security
practices that must be completed on a
regular basis but can be spread across
multiple sprints during the project
lifetime.
•One-Time practices: Foundational
security practices that must be
established once at the start of every new
Agile project.

19. Microsoft SDL

20. Integrated Security process
Build
• Build code
with special
debug
options
Deploy
• Pack build
and code
• Deploy app
to VM for
test
Test
Security
• Run code
test
• Run Test
dynamic
web
application
from VM
with security
tools
Analyze
• Collect and
format
results
• Verify results
• Filter false
positive /
negative
• Tune
scanning
engine
• Fix defects

21. High level vision
Dynamic Security testingStatic Code Analysis
CI tools
Deploying application
Security Reports
Pull source code

22. Real project view
Dynamic Security testing
CI tools
Deploying application
Security Reports
Pull source code

23. We have best tools…
IBM AppScan
license
Burp Suite
license
HP Fortify
certification
Partnership
with Veracode
Available SaaS

24. Identity & Security
…and Best Engineers
Ph.D in
Security

25. SoftServe Expertise by Vendors
Mobile Security
Data Security
Cloud Security
Enterprise Security

26. SoftServe offer
• Certified security experts to control security on
project
• SoftServe utilize different set of tools to ensure
coverage (IBM, Veracode, PortSwinger, OpenVAS)
• Regulars scans that could be integrated to CI
• Education and Case study based on defect severity
for Dev and QA stuff
• Following Secure SDLC practices
• And many more

27. Annual development
expense cost savings
Application
Development
Cost Savings
Vulnerability
Remediation Cost
Savings
Compliance & Pen
Testing Cost Savings
Application
Outsourcing Pay for
Performance
 Streamline & minimize
remediation costs for
application development by
identifying /fixing
vulnerabilities at their origin
 Lower costs associated with
compliance testing fees and
penetration testing
 Decrease 3rd party
development fees by
incenting software security
performance

28. The Benefit of SoftServe Internal
Testing vs. 3rd Party
SoftServe Internal Testing 3rd Party Scan
1. Finds issues large and small
2. Reports and resolves issues
directly to development
3. Objective
4. Credentialed
5. Industry standard toolset
1. Finds issues large and small
2. Reports issues to managers
3. Objective
4. Credentialed
5. Industry standard toolset
6. Can be scheduled any time
7. Keeps up with the 2 week
development cycle
8. Regular QA and Dev Team
trainings

29. The Benefit of SoftServe Security
Testing vs. 3rd Party
Benefit/Feature Description
Easy to start • Low initial cost
• Leverage internal resources to defray additional expense
• Maximizes assistance
• Maximizes internal resources and ongoing efforts
Provide more
actionable
information
• Focus on what really matters
• Validate your own internal processes and test procedures
Improve security
knowledge
• Security expertise within the solution
• Can assist in keeping test plans up to date
• Assist in validation of fixed items
• Stay on top of testing regression issues and new features
Increase technology
coverage
• Assurance in testing the latest technologies for the latest
vulnerabilities
• Increasing the speed and efficiency of building security into a
development lifecycle

30. Value
20-40% time for testing/re-testing decrease
Catch problems as soon as possible
Avoid repetitive security issues
Improve Security Expertise/Practices for current Team
Automation, Integration, Continuously
Proactive Security Reporting
Full coverage

31. How our security results might look like

32. False positive regression testing

33. After build succeed we pack app to
transfer it to Security testing tool
We are able to detect line of bugged code

34. How your security results may look like

35. How your security results may look like
AppScan Source

36. How your security results may looks like

37. Thank you
USA TELEPHONE
Toll-Free: 866.687.3588
Office: 239.690.3111
EMAIL
info@softserveinc.com
WEBSITE:
www.softserveinc.com
EUROPE OFFICES
United Kingdom
Germany
Netherlands
Ukraine
Bulgaria
US OFFICES
Austin, TX
Fort Myers, FL
Boston, MA
Newport Beach, CA
Salt Lake City, UT