Using the Cloud and SaaS to Secure the SDLC

About Me
Andy Earle, HP/Fortify – Security Solutions Architect / Presales Engineer
– Sell and deliver solutions to commercial and US Federal customers
Past
– PM for a high-assurance computer system at BAE
– Mobile and App Security, multiple jobs
– Software Engineer, multiple jobs

Agenda
Terms and Background
Application Security (AppSec) Deployment Models
– SaaS / Cloud (On Demand)
– On-Premise
AppSec Industry Evolution
– Relevant Trends
– Case for “Hybrid” Implementation
Hybrid On-Premise / Cloud Delivery of the S-SDLC

Terms and Background
Terms
– SaaS: Software as a Service
– SDLC: Software Development Lifecycle
– SSA: Software Security Assurance
Background
– Focus is static analysis, but many of the concepts apply to dynamic analysis as well
– SaaS and (public) cloud are treated as interchangeable for this session
– Caveat: offerings vary widely among vendors; many of the statements here are necessarily generalities

APPSEC DEPLOYMENT MODELS

What is SaaS?
Software as a Service (SaaS) … or Security as a Service, in the AppSec world.
SaaS is a delivery model where software, data and services are hosted in the cloud and delivered on demand.
Application Security SaaS offerings include
– Static, dynamic, and manual analyses
– Expert review and prioritization of results
– Various delivery options (web interface, reports, artifacts that integrate with onsite infrastructure)

AppSec via SaaS
Analysis SaaS process, on demand. Actors: the development organization and its stakeholders, the SaaS web portal, and an AppSec SME who reviews and triages.
1) Deliver code or bytes to the SaaS portal
2) Analysis as a Service
3) Expert review
4) Results made available to the development organization and stakeholders

What is an SDLC?
Software Development Lifecycle (SDLC) … or Secure Development Lifecycle … or Secure Software Development Lifecycle (S-SDLC).
An S-SDLC incorporates security across all phases of the development lifecycle, so security is built into applications from the start.
Result: Software Security Assurance (SSA).

Sample Secure SDLC (On-Premise Deployment)
Roles: Developers, Auditor / Security, PM / Tech Lead. Systems: Code Repository, Build Machine (possibly Continuous Integration), Bug Tracking, IDE plug-in, vulnerability scan.
1) Developers check in code to the code repository
2) The build machine checks out, builds and runs the vulnerability scan
3) The auditor reviews the scan results
4) Findings are submitted to the bug tracker
5) The developer fixes the bug / security finding, working from the IDE plug-in
6) Repeat as necessary

Building Security into an SDLC
Build Security In: activities and tasks
– Developer and staff training
– Vulnerability analysis technologies
– Technology integrations and automation
– AppSec processes, procedures and metrics
– Governance and enforcement of the above
… Basically, process reengineering
… This is SSA

SSA Challenges
Challenges to implementing an SSA program
– Tools are “wanted by security, but need to be used by development”
– Developers are not security trained; security doesn’t understand source code
– Seamless integration of security requires a big upfront commitment
– Expertise is scarce (and expensive, in time or dollars)
– And more…

SaaS vs. On-Premise

Dimension            SaaS                                                      On Premise
Deployment           Easy: no deployment, no hardware, no training             Involved: requires local installation and supporting hardware
Expertise required   Little: scans executed, results triaged by experts and    Significant: requires expertise to set filters and triage results
                     delivered in easy-to-read reports
Time to results      Days, sometimes weeks per scan                            Hours per scan
Control              Less: standardized process                                More: 100% control, instant access to all capabilities at any time
Integration          Less: primary results are in a report, but can be sent    More: tight integration with build systems, bug tracking,
                     to bug tracking systems and IDEs                          revision control, test automation
Actionable results   Less: reports, web sites and web services are challenging Very: results in-house, consumable and usable in IDEs and in
                     to use when fixing found issues                           development and security infrastructure

The Strengths of SaaS and On-Premise
Pure SaaS Deployment
– Easy and cost effective to get started
– Little to no expertise required
– Findings make the case for future AppSec investments
– Meets compliance and reporting obligations
Pure On-Premise Deployment
– Better model for “The Fix”
– Addresses the systemic problem
– Integration and automation maximize efficiency

A Solid Plan for SSA
Phase 1: Pure SaaS
– Assess critical apps
– Prioritize and secure funding for Phase 2
– Train and/or hire resources
– Fix critical vulnerabilities, low-hanging fruit
Phase 2: Pure On-Premise
– Bring technology and expertise in-house
– Solve the systemic problem: reduce repeat vulnerabilities
– Integration and automation maximize efficiency
– Mature SSA program
This could include putting SaaS onsite (private cloud).

HOW THINGS ARE EVOLVING

Relevant AppSec Trends
People
– Developers are increasingly security trained and aware
– AppSec SMEs are more prevalent, many of them in solution providers and security firms
Product
– Applications are increasingly complex
  – Hardware requirements and time to analyze are steepening
  – Increased expertise is required to scan accurately
– SaaS is increasingly integrable with onsite systems
Process
– Compliance obligations are mandating an S-SDLC

S-SDLC Baseline Deployment (Basic, On Premise)
Same flow as the Sample Secure SDLC above: developers check in code; the build machine (possibly Continuous Integration) checks out, builds and runs the vulnerability scan; the auditor / security reviews the results and submits findings to the bug tracker; the developer fixes the bug / security finding; repeat as necessary.

S-SDLC Needs
Analysis needs (the vulnerability scan):
– Power, processing, memory
– Multiple servers
– Expertise to scan accurately
Development needs:
– Security and vulnerability training
– IDE integration of results
– Low impact on current processes
Auditor / security needs:
– Deep AppSec knowledge
– Expertise with the scanning tool
– Knowledge of the application deployment
Legend on the slide: each need is tagged as met via SaaS or met On Premise.

SaaS Integration Points (1): the on-premise infrastructure
The baseline flow again, with the on-premise infrastructure highlighted: Developers, Auditor / Security, Build Machine or Continuous Integration, Code Repository, Bug Tracking, and the vulnerability scan (check in code; check out, build and scan; auditor reviews results; submit findings to the bug tracker; developer fixes the bug / security finding; repeat as necessary).

SaaS Integration Points (2): where SaaS attaches
On-premise infrastructure: Developers, Auditor / Security, PM / Tech Lead, Code Repository, Bug Tracking, Build Machine or Continuous Integration.
The SaaS attaches to this infrastructure through three kinds of integration: point & click, automated, and web-based.

Bringing it all Together
Key concepts in a hybrid S-SDLC deployment
– Expertise available via SaaS is typically superior to that found on-premise (they are the experts)
– Some tasks require on-site activity (like fixing bugs)
– Disruptions to existing processes can slow adoption; start small and build slowly
– Integration points can blur the on-premise / on-demand separation, facilitating adoption

Hybrid Delivered Secure SDLC (Hybrid Deployment)
On premise: Developers, Continuous Integration, Code Repository, Bug Tracking, IDE plug-in, Auditor / PM. SaaS: analyze/scan and expert review.
1) Developers check in code to the code repository
2) Continuous integration performs a triggered check-out
3) The source is sent to the SaaS for analysis (triggered)
4) The SaaS analyzes/scans, then an expert reviews the results
5) The auditor / PM downloads and prioritizes the results
6) Findings are submitted to the bug tracker
7) Developers view bugs and findings; the developer loads issues in the IDE plug-in
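The hybrid flow above, as an added example that is not part of the original presentation or of any HP/Fortify product: a Python simulation of one CI-triggered cycle. Everything vendor-facing is a stand-in. The SaaS client (`FakeSaaS` with `submit`/`status`/`results`), the finding schema, the severity policy, the two-file checkout and the sample findings are all constructed or hypothetical; a real deployment would call the vendor's web services over authenticated TLS and write to the real bug tracker. It also carries the Phase 2 metric from the SSA plan: findings are fingerprinted by category, file and sink (not line number), so a finding that only moved between scans is counted as a repeat rather than filed again.

```python
"""Hybrid S-SDLC round trip, simulated offline (constructed example).
CI packages the checkout, submits it to the SaaS, polls, pulls the expert-
reviewed results, splits them into new vs. repeat against the previous scan,
and files only new Critical/High findings. SaaS and bug tracker are stand-ins."""
import hashlib
import io
import tarfile

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
FILE_AT_OR_ABOVE = "High"  # policy: only new Critical/High findings become bugs


def fingerprint(finding):
    """Identity across scans: category, file and sink, but not the line
    number, so a finding that merely moved still counts as a repeat."""
    key = "|".join([finding["category"], finding["file"], finding["sink"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def package_source(files):
    """Step 1, 'deliver code or bytes': tar+gzip the checkout in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


class FakeSaaS:
    """Stand-in for the vendor web service (hypothetical API); 'in_progress' for two polls, then done."""

    def __init__(self, canned_results):
        self._results, self._remaining = canned_results, 3

    def submit(self, archive):
        assert archive[:2] == b"\x1f\x8b", "expected a gzip archive"
        return "scan-" + hashlib.sha256(archive).hexdigest()[:8]

    def status(self, scan_id):
        self._remaining -= 1
        return "complete" if self._remaining <= 0 else "in_progress"

    def results(self, scan_id):
        return list(self._results)


def triage(findings, baseline_fps, threshold=FILE_AT_OR_ABOVE):
    """Order by severity; split into new vs. repeat (the 'systemic problem'
    metric) using the last scan's fingerprints; file new ones at/above threshold."""
    ranked = sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])
    new = [f for f in ranked if fingerprint(f) not in baseline_fps]
    repeat = [f for f in ranked if fingerprint(f) in baseline_fps]
    to_file = [f for f in new if SEVERITY_RANK[f["severity"]] <= SEVERITY_RANK[threshold]]
    return new, repeat, to_file


def run_hybrid_cycle(saas, issues, files, baseline_fps, max_polls=10):
    """One CI-triggered cycle: package, submit, poll, pull, triage, file bugs."""
    scan_id = saas.submit(package_source(files))
    for _ in range(max_polls):
        if saas.status(scan_id) == "complete":
            break
    else:
        raise TimeoutError("analysis did not finish in time")
    findings = saas.results(scan_id)
    new, repeat, to_file = triage(findings, baseline_fps)
    for f in to_file:  # the bug-tracker write; external_id lets later scans dedupe
        issues.append({"title": f"[{f['severity']}] {f['category']} in {f['file']}",
                       "body": f"{f['sink']} at line {f['line']} (scan {scan_id})",
                       "external_id": fingerprint(f)})
    return {"scan_id": scan_id, "filed": len(to_file), "new": len(new),
            "repeat": len(repeat),
            "repeat_rate": len(repeat) / len(findings) if findings else 0.0}


def finding(category, file, sink, line, severity):
    return {"category": category, "file": file, "sink": sink, "line": line, "severity": severity}


# Constructed sample data: a two-file checkout, last scan's findings, this scan's.
SAMPLE_FILES = {"app/login.py": b"# login handler\n", "app/report.py": b"# report view\n"}
PREVIOUS_SCAN = [finding("SQL Injection", "app/login.py", "cursor.execute", 40, "Critical")]
CURRENT_SCAN = [
    # Same SQL injection, shifted by seven lines: a repeat, not a new finding.
    finding("SQL Injection", "app/login.py", "cursor.execute", 47, "Critical"),
    finding("Cross-Site Scripting", "app/report.py", "render_template_string", 12, "High"),
    finding("Hardcoded Password", "app/config.py", "DB_PASSWORD", 3, "Low"),
]


def demo():
    """Run one cycle on the sample data; returns (summary, issues filed)."""
    issues = []
    baseline = {fingerprint(f) for f in PREVIOUS_SCAN}
    summary = run_hybrid_cycle(FakeSaaS(CURRENT_SCAN), issues, SAMPLE_FILES, baseline)
    return summary, issues
```

Calling `demo()` files exactly one bug (the new High-severity XSS): the Critical SQL injection is recognised as a repeat of last scan's finding even though it moved seven lines, and the Low-severity finding is below the filing threshold. The repeat rate (1 of 3) is the number to watch across cycles when judging whether Phase 2 is actually reducing repeat vulnerabilities.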

Integration Points

Development and Security Technology     Deliver Source   View/Pull Results
Developer IDE                           Y                Y
Continuous Integration Server           Y                Y
Code Repository / Version Control       Y
Web Interface                           Y                Y
Web Services / Custom Integrations      Y                Y

Lots of opportunity for customization and for fitting the deployment model to the customer environment.

Plan for SSA, Revisited
Phase 1: Pure SaaS
– Assess critical apps
– Prioritize and secure funding for Phase 2
Phase 2: On-Premise Pilot and SaaS
– Continue the SaaS regime
– Deploy on-premise technology; design and test long-term processes
– Train and/or hire resources
– Fix critical vulnerabilities, low-hanging fruit
Phase 3: Hybrid On-Premise and SaaS Deployment
– Deploy more technology and expertise in-house
– Difficult apps (for example) are still analyzed and triaged via SaaS
– Integration and automation maximize efficiency across deployments
– Mature SSA program

Final Thoughts
– Take advantage of expertise where it resides, potentially buying time to bring it in-house
– The general maturity curve is still on-demand --> on-premise
– Automated or easy integrations are vital to a successful hybrid deployment
– Plan! Think long term.
– Sometimes a pure on-premise or pure on-demand deployment is still the best answer. The important thing is to fit the solution to the problem and the need.

Resources …and check out the next session on this track …Many, many others…