© 2019 Synopsys, Inc.1
Building a Culture of Secure Programming
in Your Organization
Amanvir Sangha
Synopsys Software Integrity Group—2019
Introduction
Software security engineer consultant, Synopsys
• Static analysis, code review
• Training
• Penetration testing
Experience:
Software Security Engineer (FinTech)
• Bug bounty/vulnerability disclosure programs
• Building AppSec from the ground up
Software Engineer (FinTech)
• Building life insurance software
• Focus on quality and high assurance: TDD, BDD
Startup (Security)
• Building a SaaS platform for vulnerability scanning
amanvir@synopsys.com
@_amanvir
Agenda
• Why culture?
• Modern software engineering
- Challenges in modern software engineering
- Dealing with constant change
• Solutions to new challenges
• Allowing security to be an enabler
- Maintaining velocity
• Nurturing a culture of proactive security
- Automation
- Tooling
- Environment
Why focus on culture?
Culture “can account for 20-30% of the differential in corporate performance when compared with ‘culturally unremarkable’ competitors.” 1
1 https://hbr.org/2013/05/six-components-of-culture
Technologies change, but people stay the same.
Rise of polyglot environments
polyglot
/ˈpɒlɪɡlɒt/ adjective
1. knowing or using
several languages.
“If a company chooses to write its software
in a comparatively esoteric language,
they'll be able to hire better programmers, because
they'll attract only those who cared enough to learn it.”
—Paul Graham, The Python Paradox, 2004
Why polyglot?
• Polyglot developers allow companies to build software faster
• It’s a competitive advantage: if you don’t do it, you don’t survive
• But it brings new challenges:
– How do we deal with this complexity?
– How do we keep up?
Polyglot environments
In the past
• Monolithic applications
• Typically one or two stacks
• Waterfall methodology
• Infrequent deployments
• Security can “keep up”
Now
• Microservices!
• Deploying to the cloud
• Several stacks
• Agile/DevOps: daily, if not hourly, deployments and constant code changes
• How does security keep up?
Observation: teams in 2019
Operations
• DevOps: AWS, Kubernetes, Terraform, Ansible
• Everything written as code
Quality
• Automated: TDD, BDD, automated testing in CI/CD pipelines
• Everything written as code
Development
• Multiple languages, multiple platforms, multiple architectures
• Everything written as code
Security
• Tools and process oriented
• Not moving as fast
• Working in a silo
Polyglot environments = new challenges
• Environments are now much more complex
• Faster rate of change
Key questions
Does your security team understand the technologies the development teams are using?
Are they familiar with the languages used? Can they code in them?
Are they moving at the same pace as the development teams?
Security vs. developers' skill sets
Security
• Activities: architecture risk analysis, threat modeling, penetration testing, static security analysis
• Tools: Burp Suite, nmap, Metasploit
• Coding: maybe can write scripts
Developers
• Activities: test-driven development, behaviour-driven development, user experience, user interface
• Tools: code editors, compilers, browsers
• Coding: write code daily, can build production applications and deploy them
Internal security vs. developer pressures
Security: risk reduction
• Are there security bugs? Is it resilient?
• Security static analysis coverage
• Remediating code
Developers: feature velocity
• Are there functional bugs? Is it scalable?
• Code release deadlines
• Unit testing coverage
• Refactoring code
Align parallel pressures
Security: risk reduction
• Are there security bugs? Is it resilient?
• Security static analysis coverage
• Remediating code
Developers: feature velocity
• Are there functional bugs? Is it scalable?
• Code release deadlines
• Unit testing coverage
• Refactoring code
Culture bridges the two pressures:
• Communication
• Security training
• Security testing
• Pair programming, user stories
• Automation
So what does a Good Culture™ look like?
• Open communication, interacting with the development teams
– Security champions
• Security training
– CTFs, conferences
• Testing
– Continuous testing via automation, tools, CI/CD pipelines
– Manual review for the high-priority issues
• Automation
– Code analysis, pipelines, chatops
• General culture
– Pair programming, sharing knowledge, security-centric user stories, transparency
Automation increases velocity and
decreases bureaucracy, allowing
companies to move faster.
Individuals and interactions over processes and tools
• Assumption: we will do a penetration test and find issues with the application
• Reality: how do we deal with the results? Are the developers aware of how to fix these findings? How do we prevent these mistakes from happening again in the future? Are we seeing the same vulnerabilities again year over year?
“Make it easy to do the right thing”
• Automation
• Make your stack secure by default
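The two slides above (“Testing via automation in CI/CD pipelines” and “Make your stack secure by default”) describe an approach without showing what it looks like in code. The block below is an added example, not code from the deck or from Synopsys: it takes a constructed pentest finding (a search page that reflected user input unescaped and shipped without security headers), fixes the class of bug once in a shared rendering helper, and adds a pipeline check that probes every registered route so the same finding cannot reappear on a new page next year. The route names, header baseline and `Response` type are hypothetical.

```python
"""Added example: turn a recurring pentest finding into an automated check.

Constructed scenario (not from the deck): a past test found reflected XSS and
missing security headers on one page. Rather than fixing that page alone,
(1) escaping and baseline headers live in one helper every route uses, and
(2) a pipeline check probes *every* registered route, so the next page a
developer adds is covered without anyone writing a new security test.
"""
import html
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical header baseline enforced on every HTML response.
REQUIRED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

# Marker that must never survive unescaped in a response body.
PROBE = '<script>alert("probe")</script>'


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Route table (hypothetical): path -> handler taking the user-controlled query.
ROUTES: Dict[str, Callable[[str], Response]] = {}


def route(path: str):
    """Register a handler so the pipeline audit can find it automatically."""
    def register(handler: Callable[[str], Response]):
        ROUTES[path] = handler
        return handler
    return register


def page(template: str, **values: str) -> Response:
    """Secure-by-default renderer: escapes every value, sets baseline headers."""
    safe = {k: html.escape(v, quote=True) for k, v in values.items()}
    return Response(template.format(**safe), dict(REQUIRED_HEADERS))


@route("/search")
def search(q: str) -> Response:
    # The fixed page: developers only have to call page(); nothing to remember.
    return page("<h1>Results for {q}</h1>", q=q)


@route("/legacy")
def legacy(q: str) -> Response:
    # The 'before' state the finding described: raw interpolation, no headers.
    return Response(f"<h1>Results for {q}</h1>")


def audit_routes(routes: Dict[str, Callable[[str], Response]] = ROUTES) -> Dict[str, List[str]]:
    """Probe every route; return {path: [problems]} for the routes that fail."""
    failures: Dict[str, List[str]] = {}
    for path, handler in routes.items():
        resp = handler(PROBE)
        problems = []
        if PROBE in resp.body:
            problems.append("reflects unescaped input")
        missing = [h for h in REQUIRED_HEADERS if h not in resp.headers]
        if missing:
            problems.append("missing headers: " + ", ".join(missing))
        if problems:
            failures[path] = problems
    return failures


if __name__ == "__main__":
    import sys
    found = audit_routes()
    for path, problems in found.items():
        print(f"FAIL {path}: {'; '.join(problems)}")
    sys.exit(1 if found else 0)
```

Run as a pipeline step, a non-zero exit blocks the build; here only `/legacy` fails, which is exactly the regression the check exists to catch. The point for culture is that the developer who adds `/search` never has to think about escaping or headers, and the security champion's effort went into the one helper and the one audit rather than into re-finding the same bug each year.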
If you’re not speaking the language
of development,
and you’re not using tools and processes
that align with the developers’ world,
you’re not doing software security.
—Nick Murison, Head of Software Security Services, Nordics, Synopsys
Security champions
• Primarily located in areas outside the SSG (software security group), e.g. technology/development teams
• Do not directly report to the SSG but are key players in evangelizing security activities and culture
• Primary responsibilities:
– Assist in triage for the engineering team they belong to
– Involved in security decisions with their engineering team
– Developing code and writing tests relevant to security
– Involved in automation in pipelines
Communication and engagement
• Early involvement in the SDLC leads to lower costs and fewer security bugs
– But! Communication and engagement are necessary for this.
Key questions:
– Are you aware of new products being built in your organization?
– Are you aware of new features that are being implemented?
– Are you involved when user stories are written?
– Are you involved at the design stage for architecture?
• How do we communicate and engage?
– Security champions!
Find your security champions
Security ∩ Developers. Sweet spot: the developers who can do application security, e.g. pair program with teams, implement security user stories
Nurture your security champions
• Sparking curiosity in security
– If you are not involving your development teams in security, you will not be able to do this
• Stay involved with them
– Via Slack or messaging applications
– Weekly meetings
• Case study: Dropbox “Trustober”
– 30 events centred around security and training
– CTFs for developers
– Training for staff in security
https://blogs.dropbox.com/tech/2018/06/security-culture-the-dropbox-way/
Poll: “Should we do another CTF next year?” 100% yes
Nurture your culture
• Security is everyone’s responsibility; collaboration is key
– Get every team involved: Operations, Network, Quality, Business and Development
• Get involved early
• Proactive, not reactive
• Don’t work in a silo; share what you work on
• Internal evangelism via security champions
• Be empathetic when working on security issues with development teams
– This is especially true when remediating issues or disclosing vulnerabilities
Synopsys Software Security and Quality Portfolio
Strategy & Planning
• Maturity Action Plan (MAP)
• Building Security in Maturity Model (BSIMM)
Managed Services
• Dynamic Application Security Testing
• Static Application Security Testing
• Penetration Testing
• Mobile Application Security Testing
Professional Services
• Industry Solutions
• Architecture and Design
• Security Training
• DevSecOps Integration
• Cloud Security
Integrated Tools
• Seeker & Defensics (dynamic analysis)
• Coverity (static analysis)
• Black Duck (software composition analysis)
(Some of the above are available on the Polaris platform.)
Build Secure, High-Quality Software Faster
Thank You

Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
Synopsys Software Integrity Group
 
Webinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis ReportWebinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis Report
Synopsys Software Integrity Group
 
Webinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the NumbersWebinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the Numbers
Synopsys Software Integrity Group
 

More from Synopsys Software Integrity Group (20)

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in Review
 
Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What?
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilities
 
Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability Feed
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
 
Webinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingWebinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source Licensing
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
 
Webinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and AbuseWebinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and Abuse
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production Environments
 
Infographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
 
Webinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis ReportWebinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis Report
 
Webinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the NumbersWebinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the Numbers
 

Recently uploaded

14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
ShulagnaSarkar2
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
KrishnaveniMohan1
 
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
campbellclarkson
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
Yara Milbes
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
Pedro J. Molina
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
vaishalijagtap12
 
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
OnePlan Solutions
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
Paul Brebner
 
Voxxed Days Trieste 2024 - Unleashing the Power of Vector Search and Semantic...
Voxxed Days Trieste 2024 - Unleashing the Power of Vector Search and Semantic...Voxxed Days Trieste 2024 - Unleashing the Power of Vector Search and Semantic...
Voxxed Days Trieste 2024 - Unleashing the Power of Vector Search and Semantic...
Luigi Fugaro
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
The Third Creative Media
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
gapen1
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Peter Caitens
 
TMU毕业证书精仿办理
TMU毕业证书精仿办理TMU毕业证书精仿办理
TMU毕业证书精仿办理
aeeva
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
widenerjobeyrl638
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
Tier1 app
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
Patrick Weigel
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
kalichargn70th171
 

Recently uploaded (20)

14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.Penify - Let AI do the Documentation, you write the Code.
Penify - Let AI do the Documentation, you write the Code.
 
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
 
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
 
Voxxed Days Trieste 2024 - Unleashing the Power of Vector Search and Semantic...
Voxxed Days Trieste 2024 - Unleashing the Power of Vector Search and Semantic...Voxxed Days Trieste 2024 - Unleashing the Power of Vector Search and Semantic...
Voxxed Days Trieste 2024 - Unleashing the Power of Vector Search and Semantic...
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
 
TMU毕业证书精仿办理
TMU毕业证书精仿办理TMU毕业证书精仿办理
TMU毕业证书精仿办理
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
 
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
A Comprehensive Guide on Implementing Real-World Mobile Testing Strategies fo...
 
bgiolcb
bgiolcbbgiolcb
bgiolcb
 

Webinar–Building A Culture of Secure Programming in Your Organization

© 2019 Synopsys, Inc.11
Polyglot environments
Now
• Microservices!
• Deploying to the cloud
• Several stacks
• Agile/DevOps: daily, if not hourly, deployment; constant code changes
• How does security keep up?
In the past
• Monolithic applications
• Typically one or two stacks
• Waterfall methodology
• Infrequent deployments
• Security can “keep up”
© 2019 Synopsys, Inc.13
Observation: teams in 2019
Operations
• DevOps: AWS, Kubernetes, Terraform, Ansible
• Everything written as code
Quality
• Automated: TDD, BDD, automated testing in CI/CD pipelines
• Everything written as code
Development
• Multiple languages, multiple platforms, multiple architectures
• Everything written as code
Security
• Tools and process oriented
• Not moving as fast
• Working in a silo
© 2019 Synopsys, Inc.14
Polyglot environments = new challenges
• Environments are now much more complex
• Faster rate of change
Key questions
Does your security team understand the technologies the development teams are using?
Are they familiar with the languages used? Can they code in them?
Are they moving at the same pace as the development teams?
© 2019 Synopsys, Inc.15
Security vs. developers' skill sets
Security
• Security Architecture Risk Analysis, Threat Modeling, Penetration Testing, Static Security Analysis
• Burp Suite, nmap, Metasploit
• Maybe can write scripts
Developers
• Test Driven Development, Behaviour Driven Design, User Experience, User Interface
• Code Editors, Compilers, Browsers
• Write code daily, can build production applications and deploy them
© 2019 Synopsys, Inc.16
Internal security vs. developer pressures
Security
• Risk Reduction
• Are there security bugs?
• Is it resilient?
• Security Static Analysis Coverage
• Remediating Code
Developers
• Feature Velocity
• Are there functional bugs?
• Is it scalable?
• Code Release Deadlines
• Unit Testing Coverage
• Refactoring Code
© 2019 Synopsys, Inc.17 (built up over slides 17–21)
Align parallel pressures
Security
• Risk Reduction
• Are there security bugs?
• Is it resilient?
• Security Static Analysis Coverage
• Remediating Code
Developers
• Feature Velocity
• Are there functional bugs?
• Is it scalable?
• Code Release Deadlines
• Unit Testing Coverage
• Refactoring Code
Culture aligns the two pressures, one element per slide:
• Culture: Communication
• Culture: Security Training
• Culture: Security Testing
• Culture: Pair Programming, User Stories
• Culture: Automation
© 2019 Synopsys, Inc.22
So what does a Good Culture™ look like?
• Open Communication, Interacting with the development teams
– Security Champions
• Security Training
– CTFs, Conferences
• Testing
– Continuous Testing – via automation, tools, CI/CD pipelines
– Manual Review – for the high priority issues
• Automation
– Code analysis, pipelines, chatops
• General Culture
– Pair programming, sharing knowledge, security-centric user stories, transparency
© 2019 Synopsys, Inc.23
Automation increases velocity and decreases bureaucracy, allowing companies to move faster.
© 2019 Synopsys, Inc.24
Individuals and interactions over processes and tools
• Assumption: We will do a penetration test and find issues with the application
• Reality: How do we deal with the results? Are the developers aware of how to fix these findings? How do we prevent these mistakes from happening again in the future? Are we seeing the same vulnerabilities again year over year?
“Make it easy to do the right thing”
Automation
Make your stack secure by default
© 2019 Synopsys, Inc.25
“If you’re not speaking the language of development, and you’re not using tools and processes that align with the developers’ world, you’re not doing software security.”
—Nick Murison, Head of Software Security Services, Nordics, Synopsys
© 2019 Synopsys, Inc.26
Security champions
• Primarily located in areas outside the SSG (software security group), e.g. technology/development teams
• Do not directly report to the SSG but are key players in evangelizing security activities and culture
• Primary responsibilities:
– Assist in triage for the engineering team they belong to
– Involved in security decisions with their engineering team
– Developing code and writing tests relevant to security
– Involved in automation in pipelines
© 2019 Synopsys, Inc.27
Communication and engagement
• Early involvement in the SDLC leads to lower costs and fewer security bugs
– But! Communication and engagement are necessary for this.
• Key questions:
– Are you aware of new products being built in your organization?
– Are you aware of new features that are being implemented?
– Are you involved when user stories are written?
– Are you involved at the design stage for architecture?
• How do we communicate and engage?
– Security Champions!
© 2019 Synopsys, Inc.28
Find your security champions
[Venn diagram: Security and Developers, overlapping]
Sweet spot: the developers who can do application security, e.g. pair program with teams, implement security user stories
© 2019 Synopsys, Inc.31
Nurture your security champions
• Sparking curiosity in security
– If you are not involving your development teams in security, you will not be able to do this
• Stay involved with them
– Via Slack or messaging applications
– Weekly meetings
• Case Study: Dropbox “Trustober”
– 30 events centred around security and training
– CTFs for developers
– Training for staff in security
https://blogs.dropbox.com/tech/2018/06/security-culture-the-dropbox-way/
[Poll graphic: “Should we do another CTF next year?” – 100% YES]
© 2019 Synopsys, Inc.32
Nurture your culture
• Security is everyone’s responsibility; collaboration is key
– Get every team involved: Operations, Network, Quality, Business and Development
• Get involved early
• Proactive, not reactive
• Don’t work in a silo; share what you work on
• Internal evangelism via security champions
• Be empathetic when working on security issues with development teams
– This is especially true when remediating issues or disclosing vulnerabilities
© 2019 Synopsys, Inc.33
Synopsys Software Security and Quality Portfolio
Professional Services and Managed Services: Strategy & Planning, Maturity Action Plan (MAP), Building Security in Maturity Model (BSIMM), Dynamic Application Security Testing, Static Application Security Testing, Penetration Testing, Mobile Application Security Testing, Industry Solutions, Architecture and Design, Security Training, DevSecOps Integration, Cloud Security
Integrated Tools: Seeker & Defensics (Dynamic Analysis), Coverity (Static Analysis), Black Duck (Software Composition Analysis)
= Available on the Polaris platform
© 2019 Synopsys, Inc.34
Build Secure, High-Quality Software Faster