Software Confidence. Achieved. Deployment of a Code Analysis Methodology Critical Discussion Towards a Roadmap for Success John Steven Software Security.

Software Confidence. Achieved.
Deployment of a Code Analysis Methodology: Critical Discussion Towards a Roadmap for Success
John Steven, Software Security, Principal Technical Director, Office of the CTO, Cigital Inc.

© 2006 Cigital Inc. All Rights Reserved. Proprietary and Confidential.

Motivation: Common Goals & Challenges

Initial goals
- Introduce lightweight code analysis to the SDLC
- Inexpensively purchase security expertise
- Consistently apply expertise

Subsequent desires
- Scale 'whitebox' code analysis
- Automate checking against corporate security coding standards
- Enable developers to test powerfully

Non-starters
- Unwieldy build integration
- Overwhelming false positive reduction
- Inappropriate division of labor: filtering findings, writing rules

Stumbling blocks
- Unclear process/tool ownership, inability to shepherd the tool
- Overcoming objections to accuracy, alternatives

Initial Adoption, Pilot Deployment

Pilot Inception

Goal: introduce lightweight code analysis to the SDLC
- Define a Secure SDLC
  - Palatable to development management
  - Sufficient to exercise software security
- Stand up application security roles
  - Assure the proper support level for roll-out
  - Avoid inadequate skills for tool support
  - Appropriately assign adoption tasks
- Classify the portfolio's risk
  - Apply tools where they count first
- Software security training
  - Begin to set expectations

Pilot Requirements
- Define the tool pilot
  - Decide who will pilot the tool
- Secure coding awareness
  - Set expectations about the tool's capabilities
  - Show the tool alongside other software security activities
  - Differentiate the tool's success criteria from other developer feedback proactively

Elaboration: Phase I Pilot

Potential challenges:
- Unwieldy build integration
- Overwhelming false positive reduction

Tool Deployment Handbook: face and overcome issues before development sees the tool:
- Integration problems
- Unnecessary 'on by default' rules
- Tune and customize rules
  - High-confidence, accurate rules for the desktop
  - Stage rule packs (over time)
  - Leave rules whose findings require savvy to security personnel

Subsequent Roll-out, Widespread Adoption
Key to avoiding pushback

Implementation
- Baseline all applications
  - Face integration issues all over again
  - Agreement on the rule pack is essential to measurement
- Deploy an incentives program
  - Measurement is essential to incentives
- Enforce adoption as a quality gate

On-going Maintenance

Goals:
- Scale 'whitebox' code analysis
- Automate checking against corporate security coding standards
- Enable developers to test powerfully

Roles and Responsibilities

Essential roles (by priority):
1. Tool Shepherd: 1 FTE, 1+ over time
2. Deployment Manager: 1/2 FTE
3. Rules Maven: 1 FTE, later

All report into the Application Security Group.

Appoint Tool Shepherds in business units if:
- The build environment differs dramatically
- The business unit remains very autonomous

Rules Maven: a longer-term, lower-priority hire

Tool Shepherd
- Allows self-sufficiency without the Fortify sales engineer
- Tackles the 'other 20%' of integration issues in teams
- Finishes elaboration and drives implementation

1st-year tasks:
- Integration handbook (HOWTO)
- F.A.Q. for build failures
- Results interpretation heuristics: "blacklist", other
- Cull results; participate in determining rule pack constituency

Deployment Manager
- Delegates the Shepherd's time into teams
- Brokers decisions about rule pack configurations:
  - Security analyst configuration: kitchen sink
  - Build, new development: accurate kitchen sink
  - Build, maintenance: reduced rule pack
  - Desktop, new development: accurate, very fast, reduced pack
  - Desktop, maintenance: very accurate, very fast, very reduced
- Measurement & progress:
  - Deployment coverage
  - Rule accuracy
  - Findings rates (density)
  - Remediation (rate, LoE, etc.)
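The Phase I pilot (tune rules, stage packs over time, keep savvy-requiring rules with security), the implementation slide (an agreed rule pack as the basis for measurement and a quality gate) and the Deployment Manager's pack configurations all rest on the same measured quantity: per-rule accuracy from triaged findings. The script below is an added example, not from the Cigital presentation or from any tool vendor; the rule identifiers, triage verdicts, application sizes and precision thresholds are constructed. It derives precision per rule from analyst verdicts, stages rules into analyst, build and desktop packs by that precision (with rules that have too few triaged findings held back as unrated, which is how a pack grows "over time"), and computes findings density and a simple adoption gate.

```python
"""Stage static-analysis rules into rule packs from triaged findings.

Added example, not from the Cigital presentation or from any tool vendor.
Rule identifiers, triage verdicts, application sizes and the thresholds
are all constructed for illustration.
"""
from dataclasses import dataclass

# Constructed triage records from a baseline scan: (rule_id, verdict),
# where "tp" is a confirmed finding and "fp" a rejected one.
TRIAGE = [
    ("SQLI-CONCAT", "tp"), ("SQLI-CONCAT", "tp"), ("SQLI-CONCAT", "tp"), ("SQLI-CONCAT", "fp"),
    ("CMD-EXEC", "tp"), ("CMD-EXEC", "tp"), ("CMD-EXEC", "tp"),
    ("HARDCODED-PW", "tp"), ("HARDCODED-PW", "fp"), ("HARDCODED-PW", "fp"), ("HARDCODED-PW", "fp"),
    ("NULL-DEREF", "tp"), ("NULL-DEREF", "fp"), ("NULL-DEREF", "fp"), ("NULL-DEREF", "fp"), ("NULL-DEREF", "fp"),
    ("XSS-REFLECT", "tp"), ("XSS-REFLECT", "tp"),
    ("RACE-TOCTOU", "tp"),
]

# Constructed: rules whose findings need security savvy to interpret,
# so they stay with the security analysts rather than going to developers.
NEEDS_SAVVY = {"RACE-TOCTOU"}


@dataclass
class RuleStats:
    rule_id: str
    tp: int = 0
    fp: int = 0

    @property
    def samples(self) -> int:
        return self.tp + self.fp

    @property
    def precision(self) -> float:
        """Share of triaged findings that were confirmed; 0.0 when untriaged."""
        return self.tp / self.samples if self.samples else 0.0


def rule_accuracy(triage):
    """Aggregate per-rule true/false positive counts from triage verdicts."""
    stats = {}
    for rule_id, verdict in triage:
        s = stats.setdefault(rule_id, RuleStats(rule_id))
        if verdict == "tp":
            s.tp += 1
        elif verdict == "fp":
            s.fp += 1
        else:
            raise ValueError(f"unknown verdict {verdict!r} for {rule_id}")
    return stats


def stage_rule_packs(stats, needs_savvy, *, build_min=0.6, desktop_min=0.9, min_samples=3):
    """Assign rules to packs by measured precision.

    analyst:  every rule (the "kitchen sink")
    build:    rules accurate enough for the integration build
    desktop:  only high-confidence rules, so developers see few false positives
    unrated:  too few triaged findings to judge yet; re-evaluate at the next baseline
    Rules in needs_savvy never leave the analyst pack.
    """
    packs = {"analyst": set(stats), "build": set(), "desktop": set(), "unrated": set()}
    for rule_id, s in stats.items():
        if rule_id in needs_savvy:
            continue
        if s.samples < min_samples:
            packs["unrated"].add(rule_id)
            continue
        if s.precision >= build_min:
            packs["build"].add(rule_id)
        if s.precision >= desktop_min:
            packs["desktop"].add(rule_id)
    return packs


def findings_density(confirmed: int, loc: int) -> float:
    """Confirmed findings per thousand lines of code."""
    if loc <= 0:
        raise ValueError("loc must be positive")
    return confirmed / (loc / 1000)


def quality_gate(scanned_with_agreed_pack: bool, confirmed: int, loc: int, baseline_density: float) -> bool:
    """Adoption gate: the agreed pack must have run and density must not exceed the baseline."""
    return scanned_with_agreed_pack and findings_density(confirmed, loc) <= baseline_density


if __name__ == "__main__":
    stats = rule_accuracy(TRIAGE)
    for s in sorted(stats.values(), key=lambda r: r.precision, reverse=True):
        print(f"{s.rule_id:14} tp={s.tp} fp={s.fp} precision={s.precision:.2f}")
    for pack, rules in stage_rule_packs(stats, NEEDS_SAVVY).items():
        print(f"{pack:8}: {sorted(rules)}")
    # Constructed application: 21 confirmed findings in 42,000 lines
    print("density:", findings_density(21, 42000), "per KLoC")
    print("gate:", quality_gate(True, 21, 42000, baseline_density=0.5))
```

The two thresholds are the knobs the Deployment Manager brokers: a lower `build_min` gives the accurate kitchen sink for the integration build, a higher `desktop_min` gives the very accurate, very reduced desktop pack. Because rules with fewer than `min_samples` verdicts are held back rather than guessed at, each new baseline can promote rules as evidence accumulates.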

Rules Maven
- Does not exist; must be grown
- Can wait for a year to begin
- True subject matter expert (SME)
- Creates vulnerability patterns from:
  - Incidents
  - Assurance work
  - Industry best practices
  - Threat model
- Generates rule test cases
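The slide ends with the Rules Maven generating rule test cases. The harness below is an added example, not from the Cigital presentation or from any tool's rule language; the rule, its identifier and the Java-like snippets are constructed. It pairs a custom rule with cases that must fire and cases that must stay quiet, reports every mismatch, and deliberately keeps one case the simple rule cannot catch so that the gap is recorded rather than forgotten.

```python
"""Regression cases for a custom code-analysis rule.

Added example, not from the Cigital presentation or from any tool's rule
language. The rule, its identifier and the Java-like snippets are
constructed; the rule is a deliberately simple regex so that the case set
can also document what it misses.
"""
import re
from dataclasses import dataclass


@dataclass
class RuleCase:
    name: str
    snippet: str       # constructed source fragment the rule is run over
    should_fire: bool  # analyst's expected verdict for this fragment


@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    cases: list

    def fires(self, source: str) -> bool:
        return self.pattern.search(source) is not None


# Constructed rule: flag a string literal concatenated directly inside a
# JDBC execute call, a common SQL injection pattern.
SQL_CONCAT = Rule(
    rule_id="SQLI-CONCAT",
    pattern=re.compile(r'\.execute(?:Query|Update)?\(\s*"[^"]*"\s*\+'),
    cases=[
        RuleCase("concat-in-call",
                 'stmt.executeQuery("SELECT * FROM users WHERE name = \'" + name + "\'");',
                 True),
        RuleCase("constant-query",
                 'stmt.executeQuery("SELECT count(*) FROM users");',
                 False),
        RuleCase("prepared-statement",
                 'PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");',
                 False),
        # Known gap: the concatenation happens in a local before the call, which
        # a line-local regex cannot follow. Kept as a case so the gap stays
        # visible until the maven writes a dataflow version of the rule.
        RuleCase("concat-via-local",
                 'String q = "SELECT * FROM users WHERE name = \'" + name + "\'";\n'
                 'stmt.executeQuery(q);',
                 True),
    ],
)


def run_rule_cases(rule: Rule):
    """Return (case name, expected, actual) for each case the rule gets wrong."""
    return [(c.name, c.should_fire, rule.fires(c.snippet))
            for c in rule.cases
            if rule.fires(c.snippet) != c.should_fire]


def case_confusion(rule: Rule):
    """Count (tp, fp, fn, tn) over the rule's case set."""
    tp = fp = fn = tn = 0
    for c in rule.cases:
        fired = rule.fires(c.snippet)
        if fired and c.should_fire:
            tp += 1
        elif fired and not c.should_fire:
            fp += 1
        elif not fired and c.should_fire:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


if __name__ == "__main__":
    for name, expected, actual in run_rule_cases(SQL_CONCAT):
        print(f"{SQL_CONCAT.rule_id} case {name!r}: expected fire={expected}, got {actual}")
    print("tp, fp, fn, tn =", case_confusion(SQL_CONCAT))
```

Running the case set on every rule-pack change is what lets the Deployment Manager's "rule accuracy" measure be checked before a pack reaches a developer desktop: a rule whose case set shows new false positives is held in the analyst pack until it is fixed.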