Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP Software Security Maturity The Economic Advantages of a Resilient Supply Chain- Software Security

OWASP 2 The End in Mind…  13% of every dollar spent on software development is returned for a productivity gain and reinvested in high value activities

OWASP 3 3 DTCC Confidential Software Security Program - Value Delivery and Productivity Save 2008 Productivity Save $19 M Productivity Gain Increases from Y 2007 to Y % Cost Benefit Analysis Y 2006Y 2007Y 2008Y 2009 ADM Budget$114.1 M$ M$ 145 M Investment- $17.1 M- $ 0.25 M - $ 0.25 M* Annual Return- $17.1 M$ 2.75 M$ 19 M$ 19 M* Cumulative Return - $17.1 M -$ 14.6 M$ 4.4 M$ 23 M* Productivity SaveN.A. 1.97%11.13%>13.10%* * Projected * Estimate

OWASP 4 Consulting ExpertiseWorkflow, Process Management- CMMI Education, Training, “Security Mavens” SDLC Software Security Controls  10-15% Productivity Impact  3 year program  Business case based on reduced risk, higher productivity Static Code Analysis Dynamic Analysis Manual “White Box” Testing “Black Box” Testing Pen Tests End-to-end Security Requirements Security Architecture DesignDevelopmentQ/A- TestingProduction

OWASP 5 Economic Impact of Controls PreventativeDetective Controls Lifecycle 1 36

OWASP 66 The Challenge in 2005 The Depository Trust & Clearing Corp (DTCC) had 450 application developers on shore and over 100 offshore creating product for their brokers, bank, mutual fund and insurance carrier customers. DTCC needed to implement improved security practices as part of the application development process. The goal was to create more secure applications to handle clearance and settlement of more than $1.8 Quadrillion worth of securities transactions each year Background:Background: Context:Context: Dilemma:Dilemma: – CMMI Level 3 Certified development organization – What is the best approach to improving the resiliency of software developed, outsourced or bought?

OWASP 7 Code Management Open Source Palamida/Black Duck DTCC’s Software Security Program System Implementation Lifecycle (SILC – CLASP Integration) Security Education Communication KPIs, Portfolio Level Reporting, Vulnerability Framework Requirements Phase Business Requirements, PSA Process Enhance Whiteboard Tracking BITS Shared Assessment- Services Design Phase Current ASAR New ASAR Implementation Build Phase Fortify – In-house Development Veracode – COTS Testing Phase WHITEHAT – Dynamic Analysis Security Testing (TSG) Operational Phase Application Logging Control Standard enVision Integration Application Assessment Net2S, Primeon (on demand) Database Security AppDetective – Compliance enVision – Security Monitoring 10 Core Control Points

OWASP 8 KPIs - 17 Production KPIs

OWASP 99 Accountability Model – Comprehensive reports Domain Level, VP Level and Project Level Reports