Tracking the Progress of an SDL Program: Lessons from the Gym

OWASP
OWASP
Jul. 5, 2009
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
Tracking the Progress of an SDL Program: Lessons from the Gym
1 of 29

Tracking the Progress of an SDL Program: Lessons from the Gym

Jul. 5, 2009
Download to read offline
Education
Technology
Health & Medicine

This presentation is from the 29 June 2009 OWASP Minneapolis-St. Paul (MSP) chapter meeting. Cassio Goldschmidt of Symantec talked about defining consistent metrics for tracking security vulnerabilities throughout the security development lifecycle.

OWASP
OWASP

Recommended

DNS Advanced Attacks and AnalysisDNS Advanced Attacks and Analysis
DNS Advanced Attacks and AnalysisCSCJournals244 views12 slides
The bare minimum that you should know about web application security testing ...The bare minimum that you should know about web application security testing ...
The bare minimum that you should know about web application security testing ...Ken DeSouza964 views68 slides
Static RoutingStatic Routing
Static RoutingSachii Dosti5.9K views28 slides
Route 53 Latency Based RoutingRoute 53 Latency Based Routing
Route 53 Latency Based RoutingAmazon Web Services6.8K views18 slides
Routing table and routing algorithmsRouting table and routing algorithms
Routing table and routing algorithmslavanyapathy4.9K views11 slides
Understanding the Routing Table StructureUnderstanding the Routing Table Structure
Understanding the Routing Table StructureMakram Ghazzaoui1.4K views17 slides

More Related Content

Similar to Tracking the Progress of an SDL Program: Lessons from the Gym

FUNDAMENTALS OF TESTING (Fundamental of testing what) FUNDAMENTALS OF TESTING (Fundamental of testing what)
FUNDAMENTALS OF TESTING (Fundamental of testing what) CindyYuristie53 views15 slides
Bcc exceed ste_certBcc exceed ste_cert
Bcc exceed ste_certSusan L.433 views46 slides
Fundamental of testing (what is testing)Fundamental of testing (what is testing)
Fundamental of testing (what is testing)helfa safitri23 views15 slides
Fundamentals of testing 2Fundamentals of testing 2
Fundamentals of testing 2seli purnianda42 views15 slides
AFITC 2018 - Using Process Maturity and Agile to Strengthen Cyber SecurityAFITC 2018 - Using Process Maturity and Agile to Strengthen Cyber Security
AFITC 2018 - Using Process Maturity and Agile to Strengthen Cyber SecurityDjindo Lee107 views20 slides
fundamentals of testing (Fundamental of testing what)fundamentals of testing (Fundamental of testing what)
fundamentals of testing (Fundamental of testing what)diana fitri, S.Kom16 views14 slides

Similar to Tracking the Progress of an SDL Program: Lessons from the Gym(20)

FUNDAMENTALS OF TESTING (Fundamental of testing what) FUNDAMENTALS OF TESTING (Fundamental of testing what)
FUNDAMENTALS OF TESTING (Fundamental of testing what)
CindyYuristie53 views
Bcc exceed ste_certBcc exceed ste_cert
Bcc exceed ste_cert
Susan L.433 views
Fundamental of testing (what is testing)Fundamental of testing (what is testing)
Fundamental of testing (what is testing)
helfa safitri23 views
Fundamentals of testing 2Fundamentals of testing 2
Fundamentals of testing 2
seli purnianda42 views
AFITC 2018 - Using Process Maturity and Agile to Strengthen Cyber SecurityAFITC 2018 - Using Process Maturity and Agile to Strengthen Cyber Security
AFITC 2018 - Using Process Maturity and Agile to Strengthen Cyber Security
Djindo Lee107 views
fundamentals of testing (Fundamental of testing what)fundamentals of testing (Fundamental of testing what)
fundamentals of testing (Fundamental of testing what)
diana fitri, S.Kom16 views
Fundamentals of testing (what is testing)Fundamentals of testing (what is testing)
Fundamentals of testing (what is testing)
Dhy Ardiansyah36 views
Why Do Computational Scientists Trust Their SoWhy Do Computational Scientists Trust Their So
Why Do Computational Scientists Trust Their So
jpipitone338 views
Vulnerability Management Nirvana - Agora - March 18 2016Vulnerability Management Nirvana - Agora - March 18 2016
Vulnerability Management Nirvana - Agora - March 18 2016
David Severski1.2K views
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Kymberlee Price611 views
Experience Sharing on School Pentest ProjectExperience Sharing on School Pentest Project
Experience Sharing on School Pentest Project
eLearning Consortium 電子學習聯盟202 views
SeverityNegligiblesmallunimportant;not likely to have.docxSeverityNegligiblesmallunimportant;not likely to have.docx
SeverityNegligiblesmallunimportant;not likely to have.docx
edgar6wallace888772 views
A SOURCE CODE PERSPECTIVE C OVERFLOW VULNERABILITIES EXPLOIT TAXONOMY BASED...A SOURCE CODE PERSPECTIVE C OVERFLOW VULNERABILITIES EXPLOIT TAXONOMY BASED...
A SOURCE CODE PERSPECTIVE C OVERFLOW VULNERABILITIES EXPLOIT TAXONOMY BASED...
Nurul Haszeli Ahmad1.1K views
Towards a Better Understanding of the Impact of Experimental Components on De...Towards a Better Understanding of the Impact of Experimental Components on De...
Towards a Better Understanding of the Impact of Experimental Components on De...
Chakkrit (Kla) Tantithamthavorn1.5K views
Team System Design Group Project Instructions Overview .docxTeam System Design Group Project Instructions Overview .docx
Team System Design Group Project Instructions Overview .docx
erlindaw4 views
International Journal of Soft Computing and Engineering (IJSInternational Journal of Soft Computing and Engineering (IJS
International Journal of Soft Computing and Engineering (IJS
hildredzr1di2 views
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
lior mazor6 views
Automatic for the PeopleAutomatic for the People
Automatic for the People
Andy Zaidman87 views
ISTQB Advanced Study Guide - 6ISTQB Advanced Study Guide - 6
ISTQB Advanced Study Guide - 6
Yogindernath Gupta1K views
Risk Driven TestingRisk Driven Testing
Risk Driven Testing
Jorge Boria1.5K views

Recently uploaded

PUSAT BAHASA UINSA.pdfPUSAT BAHASA UINSA.pdf
PUSAT BAHASA UINSA.pdfLBB. Mr. Q126 views1 slide
CSCI_1001_Intro_Class1.pptxCSCI_1001_Intro_Class1.pptx
CSCI_1001_Intro_Class1.pptxmcardonalebron213 views12 slides
GDSC Info Session KMITGDSC Info Session KMIT
GDSC Info Session KMIT20BD1A053LShujaKMIT112 views48 slides
Pre-Departure Guidelines for Studying in the UK.pdfPre-Departure Guidelines for Studying in the UK.pdf
Pre-Departure Guidelines for Studying in the UK.pdfAHZ Associates52 views9 slides
Desktop Support Engineer Roles Desktop Support Engineer Roles
Desktop Support Engineer Roles Vignesh kumar44 views4 slides
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 CẢ NĂM - GLOBAL SUCCESS - NĂM 2024 - CÓ FILE N...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 CẢ NĂM - GLOBAL SUCCESS - NĂM 2024 - CÓ FILE N...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 CẢ NĂM - GLOBAL SUCCESS - NĂM 2024 - CÓ FILE N...Nguyen Thanh Tu Collection100 views245 slides

Recently uploaded(20)

PUSAT BAHASA UINSA.pdfPUSAT BAHASA UINSA.pdf
PUSAT BAHASA UINSA.pdf
LBB. Mr. Q126 views
CSCI_1001_Intro_Class1.pptxCSCI_1001_Intro_Class1.pptx
CSCI_1001_Intro_Class1.pptx
mcardonalebron213 views
GDSC Info Session KMITGDSC Info Session KMIT
GDSC Info Session KMIT
20BD1A053LShujaKMIT112 views
Pre-Departure Guidelines for Studying in the UK.pdfPre-Departure Guidelines for Studying in the UK.pdf
Pre-Departure Guidelines for Studying in the UK.pdf
AHZ Associates52 views
Desktop Support Engineer Roles Desktop Support Engineer Roles
Desktop Support Engineer Roles
Vignesh kumar44 views
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 CẢ NĂM - GLOBAL SUCCESS - NĂM 2024 - CÓ FILE N...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 CẢ NĂM - GLOBAL SUCCESS - NĂM 2024 - CÓ FILE N...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 8 CẢ NĂM - GLOBAL SUCCESS - NĂM 2024 - CÓ FILE N...
Nguyen Thanh Tu Collection100 views
Getting to the Core of Paper 2 - ESS Stream.pdfGetting to the Core of Paper 2 - ESS Stream.pdf
Getting to the Core of Paper 2 - ESS Stream.pdf
Nigel Gardner199 views
Object Oriented Programming using C++(UNIT 1)Object Oriented Programming using C++(UNIT 1)
Object Oriented Programming using C++(UNIT 1)
SURBHI SAROHA67 views
How to start a preschool.pptxHow to start a preschool.pptx
How to start a preschool.pptx
RavinderChaudhary980 views
adnan adil (physical examination of urine).pptxadnan adil (physical examination of urine).pptx
adnan adil (physical examination of urine).pptx
AdnanSami8462 views
Digital Presence - LinkedInDigital Presence - LinkedIn
Digital Presence - LinkedIn
PMICHENNAICHAPTER60 views
PYLORIC STENOSIS.pptxPYLORIC STENOSIS.pptx
PYLORIC STENOSIS.pptx
PRADEEP ABOTHU135 views
Research Proposal.pptxResearch Proposal.pptx
Research Proposal.pptx
DrIrfanulHaqAkhoon91 views
KDUBEY.pptxKDUBEY.pptx
KDUBEY.pptx
KHUSHBOODUBEY12111 views
The Student Guide To Writing Better Sentences In The English Classroom 2The Student Guide To Writing Better Sentences In The English Classroom 2
The Student Guide To Writing Better Sentences In The English Classroom 2
jpinnuck237 views
1.5 Quadratic Equations.pdf1.5 Quadratic Equations.pdf
1.5 Quadratic Equations.pdf
smiller559 views
LEARNING CAMP 1-2.pptxLEARNING CAMP 1-2.pptx
LEARNING CAMP 1-2.pptx
hosayo185 views
Virtual Tumor Board: Multidisciplinary Management of Advanced Soft Tissue Sar...Virtual Tumor Board: Multidisciplinary Management of Advanced Soft Tissue Sar...
Virtual Tumor Board: Multidisciplinary Management of Advanced Soft Tissue Sar...
i3 Health111 views
SIZE SEPARATION.pptxSIZE SEPARATION.pptx
SIZE SEPARATION.pptx
Anupkumar Sharma35 views
1.3 ICH .pdf1.3 ICH .pdf
1.3 ICH .pdf
KoriyaKrupali179 views

Tracking the Progress of an SDL Program: Lessons from the Gym

  21. Same workout metrics do not apply
  22. Quality of your intake affects overall performance
  25. Programming languages in use
  26. Supported platforms
  28. QA: Security Testing, Tools
  30. Approximately 3 hours long
  32. Metrics
  33. Class content
  34. Instructor knowledge
  38. Quantify results in a meaningful way to “C” executives
  39. Past results can be used to explain impact of new findings
  40. Can be simplified to a number from 1-10 or semaphore (green, yellow and red).
  41. Can be used for competitive analysis
  42. Harder to game CVSS

Editor's Notes

  1. Forcing muscle growth is a long process which requires high intensity weight training and high mental concentration. While the ultimate goal is often clear, one of the greatest mistakes bodybuilders consistently make is to overlook the importance of tracking their weight lifting progress.  Like a successful bodybuilding workout, a security development lifecycle program must consistently log simple to obtain, yet meaningful metrics throughout the entire process. Good metrics must lack subjectivity and clearly aid decision makers to determine areas that need improvement. In this pragmatic presentation we’ll discuss metrics used at Symantec, the world’s largest security ISV, to classify and appropriately compare security vulnerabilities found in different phases of the SDL by different teams working in different locations and in different products. We’ll also discuss how to easily provide decision makers different views of the same data and verify whether the process is indeed catching critical vulnerabilities internally and how the numbers compare with the competition.
  2. Cassio Goldschmidt is senior manager of the product security team under the Office of the CTO at Symantec Corporation. In this role he leads efforts across the company to ensure the secure development of software products. His responsibilities include managing Symantec’s internal secure software development process, training, threat modeling and penetration testing. Cassio’s background includes over 13 years of technical and managerial experience in the software industry.  During the seven years he has been with Symantec, he has helped to architect, design and develop several top selling product releases, conducted numerous security classes, and coordinated various penetration tests. Cassio is also internationally known for leading the OWASP chapter in Los Angeles.Cassio represents Symantec on the SAFECode technical committee and (ISC)2 in the development of the CSSLP certification. He holds a bachelor degree in computer science from PontificiaUniversidadeCatolica do Rio Grande Do Sul, a masters degree in software engineering from Santa Clara University, and a masters of business administration from the University of Southern California.