Mobile security matters more as mobile device usage overtakes desktop usage. Who is held accountable for security issues depends on who is involved in the mobile ecosystem: app owners, device builders, network providers, and developers. When choosing a platform strategy, organizations must weigh native apps, mobile web apps, and hybrid approaches, as well as operating systems, developer support, application delivery (open versus closed app stores), and programming language. Mobile apps can be developed in-house, by traditional outsourcers, or by boutique mobile development firms, each with its own security trade-offs. Building secure mobile apps requires a Software Security Assurance (SSA) program that moves the organization from reactively assessing and remediating finished code, to requiring security before production, to proactively embedding security into the software development lifecycle.
Container Security: What Enterprises Need to Know (DevOps.com)
Enterprises and application teams turn to containers to improve agility and increase the scalability of their environments and portability of their applications. But with these benefits come a number of serious security challenges and considerations. While some of the changes containerization brings to security are beneficial, others are a bit thornier. To avoid serious mistakes and data breaches, enterprises must understand how containers affect security and build a strategy to secure them.
Shift Left Security - The What, Why and How (DevOps.com)
The shift left approach in DevOps moves software testing earlier in its lifecycle to prevent defects early in the software delivery process. How can developers use this approach to ensure security? Josh Thorngren, VP of Marketing at Twistlock, will explain what it means to shift left, and share five steps to ensure a successful transition to a shift left approach with DevOps.
Join this webinar to learn:
Best practices in adopting a successful shift to the left
How ‘shifting left’ promotes security
How developers are the new security guards in protecting company information
In this webinar we will explore the findings from the recent PtaaS Impact Report: 2020, which aims to unravel the benefits and challenges of deploying a SaaS-based pentesting model in a modern software development environment.
Join us as Cobalt Chief Strategy Officer Caroline Wong, Cobalt.io customer Ryan Stinson and experienced technology executive Dr. Chenxi Wang discuss how DevOps is changing the adoption of application security measures and how a PtaaS solution adapts to meet this change.
This webinar will cover:
The impact of DevOps on application security
Why SaaS-driven companies are expanding pentesting scopes and frequency
How PtaaS adapts to meet the speed of DevOps
Mobility and security are two factors that fintech startups need to prioritize in order to build user trust.
This presentation shares how to build, develop, and improve both so that your business can grow.
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. It also asks whether security in DevOps is important, who is responsible for it, and what teams can do to make security a competitive advantage.
Outpost24 webinar - A day in the life of an information security professional (Outpost24)
These slides cover the security challenges and pitfalls you may face throughout the vulnerability management cycle, including internal obstacles.
BSIMM: Bringing Science to Software Security (Cigital)
There is an old management adage that says “You can’t manage what you don’t measure.” The Building Security in Maturity Model (BSIMM) applies scientific principles to the field of software security to effectively measure security activities across industries and business units. The BSIMM enables experts like you to discover what exists in the application security universe, how those things work today, how they worked in the past and how they are likely to work in the future.
Get Your Board to Say "Yes" to a BSIMM Assessment (Cigital)
Not everyone understands why benchmarking is important or how it can help set the course for the future. If you’re having trouble convincing your executive team why this matters, take a look at our slides Get Your Board to Say “Yes” to a BSIMM Assessment for guidance on what to share and how to share it.
Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be" (WrikeTechClub)
Sooner or later every company starts thinking about both the security of its product and its internal security, and this inevitably leads to building security processes, standards, requirements and policies. This process is fairly complex and labor-intensive, and it requires a certain level of organizational maturity and coordinated work by all employees. We would like to share our experience of building a security culture at Wrike, including with the help of the product we make. We will also share our experience of solving the real security problems that we or our customers encounter.
Jack Nichelson - Information Security Metrics - Practical Security Metrics (centralohioissa)
So how exactly do you turn information security metrics into action in an organization and actually get value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of its security program.
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
The State of Open Source Vulnerabilities Management (WhiteSource)
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili... (Outpost24)
In this webinar, our expert will discuss why CISOs must embrace unified cyber risk management for greater consolidation and simplification of business risk to build trust and maximize business resilience.
How to Choose the Right Security Training for You (Cigital)
There aren't enough security experts to fill the more than 1 million open cybersecurity jobs. If you’re lucky enough to have security staff, it’s important to keep them motivated and learning, and to do that you need to know what options are open to you. We’ll take a dive into training options so you can pick what’s right for your staff and your organization.
DevOps Night - Shifting Security to the Left - SCTV Tower - 19 September 2018 (Adhitya Hartowo)
Presentation for the DevOps Night talk at SCTV Tower in Jakarta on 19 September 2018. It shares how to bring security into a DevOps environment on the development side.
Getting Executive Support for a Software Security Program (Cigital)
Software security is one of many competing priorities within your organization. How do you get the attention and budget you need? This presentation walks you through ways to build executive support.
Protecting endpoints from targeted attacks (AppSense)
On this AppSense webinar, guest speaker Chris Sherman, Forrester Research analyst, shared five principles for an effective endpoint security strategy. Anti-virus software isn't enough anymore.
Dan O'Farrell, Sr. Director of Product Marketing for Cloud Computing at Dell, shared how highly-regulated industries have embraced VDI to increase security and reduce costs.
And Bassam Khan discussed how AppSense offers privilege management with just-in-time self-elevation and application control through trusted ownership. This allows you to manage and secure your endpoints while providing a great user experience. And our latest product, AppSense Insight, offers endpoint analytics. Contact us to request a demo at iwanttoknowmore@appsense.com.
Applications support some of the most strategic business processes and access an organization’s most sensitive data. Applications, not networks, also account for 92% of reported security vulnerabilities. Yet application security continues to receive less budget and attention than network security. This means security-aware companies must find a cost-effective application security solution that lowers application-related security risk without compromising productivity. Not an easy task.
Fortunately, there is a way. In this presentation, you’ll learn one simple solution to six of the most common security hurdles.
Deploying Secure Modern Apps in Evolving Infrastructures (SBWebinars)
Software development is changing. It is now measured in days instead of months. Microservice architectures are preferred over monolithic centralized app architecture, and cloud is the preferred environment over hardware that must be owned and maintained.
In this webinar, we examine how these new software development practices have changed web application security and review a new approach to protecting assets at the web application layer.
Attendees will learn:
The changes in development models, architecture designs, and infrastructure
How these changes necessitate a new approach to web application security
How development teams can effectively stay secure at the speed of DevOps
Outpost24 webinar - Improve your organization's security with red teaming (Outpost24)
Our red teaming expert Hugo van den Toorn explains the key elements of a red team operation, what companies can expect from the assessment, and how to benefit from the ‘moment of truth’.
Quality Management, Information Security, Threat Hunting and Mitigation Plans for a Software Company or a Technology Start-up engaged in building, deploying or consulting in Software and Internet Applications.
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx (lior mazor)
Our technology, work processes, and activities all depend on whether we can trust our software to be safe and secure. Join us virtually for our upcoming "Emphasizing Value of Prioritizing AppSec" Meetup to learn how to build a cost-effective application security program, implement secure coding analysis, and manage software security risks.
Journey to the Perfect Application: Digital Transformation During a Crisis (Aggregage)
In most cases, the COVID-19 crisis has sped up the desire to engage in digital transformation for medium-to-large scale enterprises. Roadmaps are rarely implemented without challenges. During this session, MK Palmore, the Field CSO (Americas) for Palo Alto Networks and a former public-sector executive, will walk through the difficulties of crisis planning execution in the midst of an organization's digital changes. He will use a combination of industry insights through statistical observations and direct customer feedback to emphasize the importance of adopting new technologies to battle an ever changing threat landscape.
Embracing secure, scalable BYOD with Sencha and Centrify (Sumana Mehta)
Scalable enterprise mobility solutions: How to give your employees tools they need without sacrificing user experience and security.
Consumerization of IT and BYOD are here – and that’s a GOOD thing. Today's dynamic workplaces and hyper-competitive markets drive demand for more mobile productivity solutions. Nearly 70% of enterprise employees report making better decisions, being more productive and being happier if they are allowed to use mobile devices and cloud-based tools. Yet IT organizations often resist these trends because of the cost and risk associated with a multi-platform, multi-device ecosystem having access to corporate data and resources.
In this webinar, product experts from Sencha and Centrify will help your organization embrace BYOD and SaaS in a cost-effective, scalable way. Sencha Space is an advanced platform for securely deploying mobile apps and delivering a consistent, elegant, mobile user experience to end-users. Users can launch any mobile web app, or HTML5 app in a secure, managed environment. Combining Space with secure, Active Directory- or Cloud-Based Identity and Access Management (IAM) from Centrify gives IT visibility and control over mobile platforms and SaaS / in-house apps while improving user experience and reducing security risk.
At the Synopsys Security Event - Israel, Girish Janardhanudu, VP Security Consulting, Synopsys presented on software security. For more information, please visit us at www.synopsys.com/software
Appendix A Operating Scenario GPS/CDU Project for Wild B.docx (lisandrai1k)
Appendix A
Operating Scenario
GPS/CDU Project for Wild Blue Yonder Technologies
Wild Blue Yonder Technologies Inc (WBYT) is a general holding company whose line of business is tailored to high-tech holdings. Wild Blue Yonder Technologies' various subsidiary companies are maintained as one coordinated business from offices in New York City. The centralization of policy and planning direction at one location has historically produced higher revenues, profit margins, and customer satisfaction. The necessary degree of coordination is enabled by a global enterprise network that is managed from the New York location.
That network provides secure telecommunications capability with embedded firewall protection, multi-carrier cellular access options and automatic access point database updates for all connection types. It enables access to the enterprise’s applications from any location on an as-needed basis. The network also provides integrated, any distance, seamless connectivity to WBYT’s centralized information resources.
WBYT’s holdings are concentrated in advanced technology products and services. Two closely held subsidiaries deal exclusively with the Federal government. The line of business of one, which is based in Gaithersburg, Maryland, is R&D and manufacture of advanced capability components for the F-16 Fighting Falcon and F/A-18 Super Hornet. The other, based in Jacksonville, deals in R&D for target acquisition and fire control systems for Army helicopters. There is also a manufacturing facility in Detroit. That facility builds Leopard tanks for the Canadian Army under license from the German government. Other close holdings in WBYT’s empire include a commercial electronics R&D facility in Corvallis. The Corvallis facility also does contract work for the Idaho National Laboratory. In addition to the closely held corporations, there are loosely held electronics manufacturing or service holdings in Pittsburgh, Houston, Des Moines, Sioux Falls, Denver and Bozeman. These facilities serve the consumer high-tech industry.
Finally, there are a number of loosely held international corporations in India, Australia and across the Pacific Rim, all concentrated in advanced technology. All computer services for that region are provided over a public/private VPN, which is maintained for that area in Singapore. The Singapore data center is actually owned and operated by WBYT, as part of the company’s global VPN. The VPN itself is maintained out of the New York office.
According to WBYT’s charter, the primary business goal of the Company is to utilize the global marketplace to provide high quality technology components at the lowest possible price.
Wild Blue Yonder Technologies entered the market knowing that the ability to closely monitor its operation and deliver competitive business information quickly was going to be a prerequisite to its success, particularly in the integration and reuse of COTS products. In essence, its entire.
reStartEvents DC metro & Beyond 11:17 Employer Directory.pdf (Ken Fuller)
Looking for your next Cleared Career Opportunity in DC metro or Beyond?
Join us on November 17th at the reStartEvents DC metro & Beyond All-Clearances Virtual Career Fair and explore hundreds of career opportunities available throughout Northern Virginia, DC metro, Maryland and around the country....
Chat with hiring managers & recruiters from some of the nation's leading defense contractors - all from the comfort and safety of your home or office.
reStartEvents DC metro & Beyond All-Clearances Virtual Career Fair
Thursday, November 17th, 2022
2pm - 5pm est
Details & Registration: https://tinyurl.com/3hrxm223
An Active Security Clearance IS Required For This Event
Companies Interviewing:
• Leidos
• Northrop Grumman
• ACT1
• Amazon Web Services (AWS)
• Compass, Inc.
• Google
• IPSecure, Inc
• Jacobs
• LinQuest
• Maxar Technologies
• OBXtek
• Raytheon Technologies
Whether you are transitioning from the military or federal government, actively seeking employment, furloughed, your contract is coming to an end or window shopping and want to see what else is out there for you, This Is The Event For You!
Positions available include: Software Engineering, Network Engineer, Financial Analyst, RF/SATCOM Engineers, QA Automation Developer, Configuration Management, Scrum Master, Cyber Security, DevOps Engineer, Project Management, Data Analyst, Systems Administration, Information System Security Engineer, Linux, Systems Engineering, Application Engineers, Principal Engineers (RF), UI/UX Software Engineers, and much more....
This event is targeting cleared job seeking professionals looking for cleared employment opportunities throughout the DC metro area & beyond
Please feel free to share this important event with any of your Cleared colleagues and friends who would benefit from participating
Looking forward to seeing you online on November 17th
This is the latest version of the State of the DevSecOps presentation, which was given by Stefan Streichsbier, founder of guardrails.io, as the keynote for the Singapore Computer Society - DevSecOps Seminar in Singapore on the 13th January 2020.
Outpost24 Webinar - Creating a sustainable application security program to dr... (Outpost24)
In our next webinar, Simon Roe Product Manager at Outpost24 will discuss how you can create greater and more robust visibility of security within the application development lifecycle.
HP Enterprise Security Products - Intelligent Security & Risk Management Platform, a global and proactive response to the new challenges of the security market.
Pierpaolo Ali', HP Enterprise Security Products - Sales Director Italy
Best Practices for a Mature Application Security Program Webinar - February 2016 (Security Innovation)
In this webinar, you will learn about trends in application security, threat modeling and risk rating your applications, and optimizing your Software Development Lifecycle. Highlights include:
- Research from the Ponemon Institute: Where have companies improved and where do they continue to struggle when it comes to application security?
- Understanding application security threats to different platforms and how to prioritize vulnerabilities.
- Optimizing your Software Development Lifecycle by using best practices, identifying skill gaps, and building a roadmap.
On information security threats relevant to developers of information protection tools (СЗИ) (SelectedPresentations)
Alexey Igorevich Kachalin, expert, Interregional Public Organization «АЗИ» (Association for Information Protection)
IV АЗИ Forum
«Current Issues of Information Security in Russia»
Moscow, MTUCI Congress Center, 14 April 2015
On information security threats relevant to developers of information protection tools (СЗИ)
Stu r35 a
1. Session ID: STU-R35A
Session Classification: Intermediate
Jacob West, Chief Technology Officer, HP Enterprise Security Products
Who, What, Where, How: Five Big Questions in Mobile Security
2. Why is mobile security an imperative?
Who will be held accountable?
What platform strategy makes sense?
Where are mobile apps developed?
How do we build secure mobile apps?
6. Not Just for Consumers
► By 2015, mobile dev projects targeting smartphones and tablets will outnumber native PC projects by a ratio of 4:1 – Gartner 7/12
► By 2016, > 50 percent of enterprise email users will rely primarily on web or mobile – Gartner 12/11
[Chart: % of Workforce with Smartphones, 2011 to 2013; vertical axis 0 to 60%]
11. Platform Tradeoffs
► Web, native, hybrid
► Operating systems
► Developer support
► Application delivery
► Programming language
12. Web Versus Native
► Native mobile applications
  ► Persistent
  ► Hardware support
  ► Flexible
► Mobile-optimized web apps
  ► Lightweight
  ► Multi-platform
  ► Bolt onto legacy apps
► Hybrid?
  ► Native container for web content
  ► Cross-compiled native apps
80% by 2015 – Gartner 11/12
13. Application Delivery
► Open app store model (Google Marketplace)
  ► Enterprise app stores
  ► Security as a differentiator
  ► Researcher access?
► Closed app store model (Apple App Store)
  ► Controlled ecosystem
  ► Revocation capability
► Compromise: Apple's iOS Developer Enterprise Program
14. Native Programming Languages
► Objective-C
  ► Little-known pre-iOS
  ► ‘Unsafe’ language
  ► Limited tool support
► Java
  ► Widely-known
  ► No more buffer overflows
  ► Better tool support
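As an added example, not from the HP slides: the ‘unsafe language’ point above refers to the C memory model that Objective-C inherits, where a copy into a fixed-size buffer is not checked against the buffer's size. The C code below shows an unbounded strcpy() copy next to a bounded copy that cannot overrun its destination and reports truncation to the caller. The function names, the 16-byte field size and the sample inputs are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the HP slides): the buffer-overflow class that
 * Objective-C inherits from C, beside a bounded copy that rules it out.
 * Names, sizes and the sample inputs are illustrative assumptions. */

#define FIELD_LEN 16

/* Unsafe: strcpy() copies until the source NUL, ignoring the destination
 * size. Any input longer than FIELD_LEN - 1 bytes writes past 'field'
 * on the stack. Kept only as the 'before'; never call it with untrusted
 * input. */
void copy_unsafe(char *field, const char *input)
{
    strcpy(field, input);
}

/* Safe: copy at most field_len - 1 bytes and always NUL-terminate.
 * Returns 1 when the input fit, 0 when it was truncated (or the buffer
 * has no room at all), so the caller can reject the record instead of
 * silently storing a clipped value. */
int copy_bounded(char *field, size_t field_len, const char *input)
{
    size_t n;
    if (field_len == 0)
        return 0;
    n = strlen(input);
    if (n >= field_len) {
        memcpy(field, input, field_len - 1);
        field[field_len - 1] = '\0';
        return 0;
    }
    memcpy(field, input, n + 1);   /* n + 1 includes the terminating NUL */
    return 1;
}

/* Length actually stored after a bounded copy into a FIELD_LEN buffer;
 * exposes the truncation behaviour as a return value. */
size_t stored_len(const char *input)
{
    char field[FIELD_LEN];
    copy_bounded(field, sizeof field, input);
    return strlen(field);
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one of 40 bytes. */
    const char *short_name = "alice";
    const char *long_name  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char field[FIELD_LEN];

    copy_unsafe(field, short_name);        /* fits, so no overflow here */
    printf("unsafe copy of short input: %s\n", field);

    printf("bounded copy fit=%d -> %s\n",
           copy_bounded(field, sizeof field, short_name), field);
    printf("bounded copy fit=%d -> %s (%zu bytes kept)\n",
           copy_bounded(field, sizeof field, long_name), field,
           strlen(field));
    return 0;
}
```

Java's runtime bounds check turns the same oversized copy into an ArrayIndexOutOfBoundsException instead of silent memory corruption, which is the ‘no more buffer overflows’ point on the slide; in C the check has to be written explicitly, and the bounded version also has to tell the caller that data was dropped.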
17. In-House Development
Pros
► Leverage investments
► Easier integration
► Control over full SDLC
Cons
► Must train resources
► Add-ons may add risk
► Hard to outsource security
18. Traditional Outsourcers
Pros
► Well-known expectations
► Expand on experience
► Control over SDLC
Cons
► Harder to find talent
► Add-ons may add risk
► Outsourcing security (but not accountability)
19. Boutique Firms
Pros
► Specialized talent
► Accelerated delivery
► Low investment for high-quality result
Cons
► Lack of security maturity
► Difficult integration
► Little influence over SDLC
22. Software Security Assurance Journey
Explore: Reactive – Assessing and remediating code
• Security team alone responsible for security
• Small set of programs
• Addressing software security after-the-fact
• High IT value
Accelerate: In Place – Software security required before production
• Security team works with Development on security
• All critical software secure
• Solving software security during development
• High business value
Optimize: Proactive – Instilling best practices into future code
• Development takes over responsibility for security
• All enterprise software embedding security into the software development lifecycle (SDLC)
• High strategic value
23. Inspiration from the Industry: BSIMM4
► Real data from (51) real initiatives
► 95 measurements
► 13 repeat measurements
► McGraw, Migues, & West
www.bsimm.com
25. More Questions to Ask
► What do your apps do and for whom?
► What platform(s) do your apps support and how?
► Who develops your apps and where?
► Is there an existing SDL for other development?
► Do you rely on platform providers or app distributors for any security assurance?
► Are mobile apps prompting back-end changes?