Finding vulnerabilities in your software before attackers do Supported by Her Majesty’s Government and U.S. Department of Homeland Security, Science &
Finding vulnerabilities in your software before attackers do
Supported by Her Majesty’s Government and U.S. Department of Homeland Security, Science & Technology Directorate
Secure Decisions presents: Anita D’Amico, 17 September 2014

– 1.2B user names and passwords stolen via an SQL injection (SQLi) exploit; $3M to clean up and upgrade
– Heartbleed bug: > 600,000 servers, $1B to remedy
– 90% of cyber incidents are traced to software flaws
– Critical infrastructure (financial, power, health) can be disabled via software flaws
Bug bounties
– Google pays “white hat” hackers up to £12,300 ($20k) to find vulnerabilities in its Web browser, before the attackers do
– Microsoft offers as much as £92,600 ($150k)

Why is non-secure software even shipped?
– Ignorance: Most developers don’t know how to find and fix vulnerabilities
– Expense: Commercial tools (e.g. HP Fortify, IBM AppScan) that find security flaws during development often cost > $100,000 a year
– Difficulty: “Free” open source tools (FindBugs, cppcheck, Jlint, others) are hard to configure, and their results are hard to interpret; it is hard to prioritize thousands of vulnerabilities
– Incomplete coverage: On average, a single code analysis tool finds only 14% of vulnerabilities; several tools must be run on a single code base to find even half the vulnerabilities
– Inconsistent results: Each tool outputs in a different format, so results are hard to compare

Code Dx solution
1. Combines multiple tools: Imports and correlates results from multiple tools, both commercial and open source
2. Easy to compare results: Normalizes results; common severity scale
3. Prioritization: Visual analytics to rapidly triage results, remove false positives
4. Easy to use: Bundles in and automatically runs language-specific open source tools, for use with or without commercial tools
5. Affordable: Standard Edition starts at $2,500; Enterprise Edition $9,700
6. Builds awareness: Free educational version builds a new, educated consumer base and target market
Find, prioritize, and visualize software vulnerabilities – fast and affordably

Who benefits from Code Dx?
– Software developers: Find and fix problems during development
– Security analysts: Assess the security of software as it is developed
– Security auditors: Check for regulatory compliance
– Acquisition authorities: Confirm software is secure
The aggregate Application Security Testing market is projected to be $1B in 2014, with a CAGR of 20%.

Regulatory compliance is driving market growth
– Regulatory compliance is a major driver in the growing adoption of application security testing tools
– The next major version of Code Dx will show which vulnerabilities are violations of compliance standards
– Recent pricing requests are for 2,500 users, far exceeding our original estimate of typical adoption patterns by customers

Available now!

EXTRA SLIDES THAT MAY BE NEEDED TO ANSWER QUESTIONS

Code Dx competitive advantages
Standard Edition – Leverage open source for those with earthly budgets
– Overcomes the cost barrier of commercial tools: HP Fortify, IBM AppScan, Parasoft, and others are six-figure investments
– Easier to use: automatically configures and runs open source application security testing tools so you don’t have to
– Combines tool results in a way that makes sense, giving one clear picture of the data
Enterprise Edition – Extract more value from costly commercial tools
– Improves vulnerability coverage by adding the results of several open source tools to those already gathered by commercial tools and manual analysis
– Normalizes results to the same severity scales, making triage less painful
– Correlates results of multiple commercial tools; removes overlapping results
– Allows the consumer to expand beyond a single tool supplier and get unified results

Go-to-market strategy
Operational pilots in state and federal agencies
– Supported by our DHS sponsor
– Experience with operational users refines usability, scalability, and the value proposition
Government sales
– Extended pricing model to accommodate price quotes for 2,500 users
– Looking for the right US government reseller
Commercial sales
– “Try before you buy” on Standard Edition
– Affordability attracts a new consumer base
– Users of other commercial tools can buy Code Dx to add value to their current investment at a very low price

Visual analytics for triage, remediation, and communication
– Workflows tailored to each type of user
– Interactive, powerful filtering
– Visualize thousands of weaknesses in a single view
– Quickly and effectively triage large weakness lists

Single interface for correlated results from multiple tools (screenshot callouts):
– normalized severities
– tool attribution
– correlated standards mappings
– totals from all 5 tools
– overlap detection
– correlated source code mappings
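The normalization, correlation and overlap detection that the "Code Dx solution" slide and the callouts above describe, as an added Python example that is not Code Dx code: findings from several tools (cppcheck and FindBugs native severity labels, plus a hypothetical "toolx" standing in for a commercial tool) are mapped onto an assumed common 1..5 scale, merged when they point at the same file, line and CWE, and sorted for triage. The severity tables, record layout and sample findings are constructed assumptions, not any tool's real output format.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Assumed common 1..5 scale (5 = most severe), not Code Dx's real scale; each tool's
# native severity vocabulary is mapped onto it ("toolx" is a hypothetical commercial tool).
SEVERITY_MAPS: Dict[str, Dict[str, int]] = {
    "cppcheck": {"error": 4, "warning": 3, "performance": 2, "portability": 2, "style": 1, "information": 1},
    "findbugs": {"1": 4, "2": 3, "3": 2},  # FindBugs priority: 1 = high .. 3 = low
    "toolx": {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1},
}
@dataclass
class Finding:  # one raw result exactly as a tool reported it (constructed layout)
    tool: str
    file: str
    line: int
    cwe: Optional[int]  # CWE id if the tool assigns one
    native_severity: str
    message: str
@dataclass
class Correlated:  # one weakness, possibly reported by several tools
    file: str
    line: int
    cwe: Optional[int]
    severity: int = 0
    tools: List[str] = field(default_factory=list)

def normalize(f: Finding) -> int:
    """Map a native severity to the common scale; unknown labels rank lowest rather than vanish."""
    return SEVERITY_MAPS.get(f.tool, {}).get(f.native_severity.lower(), 1)

def correlate(findings: List[Finding]) -> List[Correlated]:
    """Merge findings naming the same file/line/CWE, keep the highest severity, sort for triage."""
    groups: Dict[Tuple[str, int, Optional[int]], Correlated] = {}
    for f in findings:
        g = groups.setdefault((f.file, f.line, f.cwe), Correlated(f.file, f.line, f.cwe))
        g.severity = max(g.severity, normalize(f))
        if f.tool not in g.tools:  # tool attribution without double counting
            g.tools.append(f.tool)
    return sorted(groups.values(), key=lambda g: (-g.severity, -len(g.tools), g.file, g.line))

def overlap_count(results: List[Correlated]) -> int:
    """How many weaknesses more than one tool reported (the overlap correlate() collapsed)."""
    return sum(1 for g in results if len(g.tools) > 1)

# Constructed sample input: two tools flag the same overflow, plus two single-tool findings.
SAMPLE = [
    Finding("cppcheck", "src/net.c", 42, 120, "error", "Buffer is accessed out of bounds"),
    Finding("toolx", "src/net.c", 42, 120, "high", "Stack buffer overflow"),
    Finding("findbugs", "App.java", 10, 89, "1", "SQL query built from untrusted input"),
    Finding("cppcheck", "src/util.c", 7, None, "style", "Variable 'tmp' assigned but never used"),
]
```

Correlating on file, line and CWE is deliberately strict; a real aggregator also has to tolerate tools that report slightly different lines or no CWE at all, which is where most false "duplicates" and missed overlaps come from.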