Herding Cats and Security Tools

1 Herding Cats and Security Tools
Harold Toomey
Product and Application Security
McAfee LLC
10 Nov 2017

2 Table of Contents
Cat Herding
Product & Application Security
Problem Statement
SDL Activities
Tool Integrations
Diagrams
Disclaimer
Usage Scenarios
Considerations

3 Cat Herding
The phrase "herding cats" comes from the common saying that something involving coordination of many different groups or people is as difficult as herding cats.

4 Product & Application Security
Product – Software developed by engineering BUs to sell to customers
Application – Software developed by the IT Enterprise Applications team to run on company systems, websites, and servers
The primary difference is the target audience:
Customers (Public) – Full SDL
External-Facing (Partners)
Internal-Facing (Employees) – Minimal SDL

5 Current Trend
Waterfall → Agile → Continuous (CICD)

6 Problem Statement
CICD requires automation
Software developers want a single place to go (ALM)
Diagram: ALM, SDLC, SDL
ALM – Application Lifecycle Management
SDLC – Software Development Lifecycle
SDL – Security Development Lifecycle
ALM vs. Software Development Life Cycle: ALM is a broader perspective than the Software Development Life Cycle (SDLC), which is limited to the phases of software development such as requirements, design, coding, testing, configuration, project management, and change management. ALM continues after development until the application is no longer used, and may span many SDLCs.
SDL Activity: Entry Criteria, Tasks, Exit Criteria

7 SDL – Operational Activities
Program SDL
PSIRT
People & Resources
Tools & Services
Policy, Compliance, & Certifications
Training
Metrics
Maturity Models

8 SDL – Technical Activities
Security Definition of Done (DoD)
Security Architecture Review
Security Design Review
Threat Modeling
Security Testing & Validation
Static Analysis (SAST)
Interactive Analysis (IAST)
Dynamic Analysis (DAST)
Fuzz Testing
Vulnerability Scan
Penetration Testing
Manual Code Review
Secure Coding Standards
Open Source & 3rd Party Libraries
Vendor Management
Privacy
Operating Environment
Static Analysis (SAST) – White-box
Interactive Testing (IAST) – Grey-box
Dynamic Analysis (DAST) – Black-box

9 When to do the Technical Activities

10 Why the Different Tools

11 Tools Integration – Generic
Flow Diagram Example

12 Herding Cats (Tools)

17 Solution

18 Disclaimer
Mention of vendor names and tools does not imply endorsement
Vendor list is intentionally incomplete
Based on my limited research
Best integration for me may not be best for you

19 ALMs

20 Tools Integration – Real Tools
Flow Diagram Examples

23 Scenario #1 – SDL Requirements
SW security requirements management
Custom SDL, FedRAMP (NIST ), GDPR
Use templates in the ALM, and/or use a 3rd party tool with seamless bi-directional ALM integration
SD Elements, HP ALM

24 Scenario #2 – Vulnerabilities
Black Duck Hub identifies CVEs in open source
High severity CVEs are sent to JIRA
Engineer sees CVEs in the project backlog and fixes them
JIRA syncs back to Black Duck Hub and verifies the fix

25 Considerations – Tool integration considerations
Availability (Y/N)? When?
Push, pull, both (bidirectional), or none?
Native or through a 3rd party connector?
Tight or loose integration?
Server-side or client plugin?
Ability to throttle? (high severity only)
Cost?

26 Considerations – Business considerations
Due diligence researched (all options)
Integration with existing systems?
Buy, build, or use existing?
When? This Fiscal Year, next FY?
Who will use? Which BUs will purchase? (other benefactors)
Who will install, host, and maintain?
Who will configure and customize?

27 Considerations – Engineer considerations
Does the ALM contain all user stories?
Insight manual integration ( )
Ticketing system adds advanced workflow and SLA reminders
Does it need to be engineer friendly or just tightly integrated with the ALM?
Data overload – throttle settings
Issue severity: Critical, High, Medium, Low
Business Impact vs. Risk score vs. CVSS v3 score
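The Scenario #2 loop (scanner finds CVEs, high severity ones go to the ticketing system, engineer fixes, sync back verifies) together with the throttle and severity considerations above, modelled as an added example that is not part of the presentation and does not use Black Duck Hub's or JIRA's real APIs or payloads. Findings are throttled by CVSS v3 qualitative band, tickets are keyed by CVE plus component so a scanner rerun does not duplicate backlog items, and a fix is marked verified only when the latest scan no longer reports the finding; all field names and CVE ids are constructed.

```python
# Added example (constructed data; not Black Duck Hub or JIRA payloads or APIs).
SCAN_RUN_1 = [
    {"cve": "CVE-0000-0001", "component": "libexample 1.2", "cvss3": 9.8},
    {"cve": "CVE-0000-0002", "component": "libexample 1.2", "cvss3": 5.3},
    {"cve": "CVE-0000-0003", "component": "otherlib 0.9", "cvss3": 7.5},
]
RANK = ["None", "Low", "Medium", "High", "Critical"]

def severity(cvss3):
    """Map a CVSS v3.x base score to its qualitative rating band."""
    bands = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
    return next((name for floor, name in bands if cvss3 >= floor), "None")

def push(tickets, findings, min_severity="High"):
    """Throttle to min_severity and above. tickets is the ticketing-side state,
    keyed (cve, component) so a scanner rerun does not duplicate backlog items;
    a ticket closed as Done but still reported by the scan is reopened."""
    threshold = RANK.index(min_severity)
    created, reopened = [], []
    for f in findings:
        if RANK.index(severity(f["cvss3"])) < threshold:
            continue
        key = (f["cve"], f["component"])
        if key not in tickets:
            tickets[key] = {"status": "Open"}
            created.append(key)
        elif tickets[key]["status"] == "Done":
            tickets[key]["status"] = "Reopened"
            reopened.append(key)
    return created, reopened

def sync_back(tickets, latest_findings):
    """Verify a fix only when the latest scan no longer reports the finding."""
    present = {(f["cve"], f["component"]) for f in latest_findings}
    verified = [k for k, t in tickets.items()
                if t["status"] == "Done" and k not in present]
    for k in verified:
        tickets[k]["status"] = "Verified"
    return verified

def run_scenario():
    """Scan, close both High+ tickets as Done, rescan, then sync back."""
    tickets = {}
    created, _ = push(tickets, SCAN_RUN_1)  # Medium CVE-0000-0002 is throttled out
    for key in created:
        tickets[key]["status"] = "Done"  # engineer marks both as fixed
    rescan = [f for f in SCAN_RUN_1 if f["cve"] != "CVE-0000-0001"]  # only 0001 really fixed
    _, reopened = push(tickets, rescan)  # 0003 still reported -> Reopened
    verified = sync_back(tickets, rescan)  # 0001 gone -> Verified
    return {k[0]: t["status"] for k, t in tickets.items()}, reopened, verified
```

The reopen path is the part a naive "close ticket on Done" integration misses: without the rescan check, a ticket closed without a real fix silently drops out of the backlog.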

28 Questions?
Harold Toomey
Sr. Software Security Architect
Product & App. Security Group
McAfee LLC
W: (972) M: (801)

29 North Texas ISSA (Information Systems Security Association)
Collin College
Thank you
