Presentation is loading. Please wait.

Presentation is loading. Please wait.

Finding vulnerabilities in your software before attackers do Supported by Her Majesty’s Government and U.S. Department of Homeland Security, Science &

Published byAlana Faucett Modified over 9 years ago

Similar presentations

Presentation on theme: "Finding vulnerabilities in your software before attackers do Supported by Her Majesty’s Government and U.S. Department of Homeland Security, Science &"— Presentation transcript:

1 Finding vulnerabilities in your software before attackers do Supported by Her Majesty’s Government and U.S. Department of Homeland Security, Science & Technology Directorate Secure Decisions presents ANITA D’AMICO 17 SEPTEMBER, 2014

2 1.2B user names and passwords stolen via an SQL injection exploit via SQLi; $3M to clean up and upgrade Heartbleed bug: > 600,000 servers, $1B to remedy 90% of cyber incidents are traced to software flaws Bug Bounties Google pays “white hat” hackers up to £12,300 ($20k) to find vulnerabilities in its Web browser, before the attackers do Microsoft offers a much as £92,600 ($150k) Critical infrastructure (financial, power, health) can be disabled via software flaws

3 IgnoranceMost developers don’t know how to find and fix vulnerabilities ExpenseCommercial tools (e.g. HP Fortify, IBM AppScan) that find security flaws during development often cost > $100,000 a year Difficulty“Free” open source tools (FindBugs, cppcheck, Jlint, others) are hard to configure and interpret results Hard to prioritize thousands of vulnerabilities Why is non-secure software even shipped? Incomplete Coverage On average, a single code analysis tool finds only 14% of vulnerabilities Need to run several tools on a single code base to find even half the vulnerabilities Each tool outputs in different format; hard to compare results Inconsistent Results

4 Code Dx solution 1.Combines Multiple Tools Imports and correlates results from multiple tools, both commercial and open source 2.Easy to Compare Results Normalizes results; common severity scale 3.Prioritization Visual analytics to rapidly triage results, remove false positives 4.Easy to Use Bundles in and automatically runs language-specific open source tools for use with or without commercial tools 5.Affordable Standard Edition starts at $2,500; Enterprise Edition $9,700 6.Builds awareness Free educational version builds new educated consumer base and target market Find, prioritize, and visualize software vulnerabilities – fast and affordably

5 Software developersFind and fix problems during development Security analystsAssess the security of software as it is developed Security auditorsCheck for regulatory compliance Acquisition authoritiesConfirm software is secure Who benefits from Code Dx? Aggregate Application Security Testing market is projected to be $1B in 2014, with CAGR of 20%.

6 Regulatory compliance is major driver in growing adoption of application security testing tools The next major version of Code Dx will show which vulnerabilities are violations of compliance standards Regulatory compliance is driving market growth Recent pricing requests are for 2,500 users, far exceeding our original estimate of typical adoption patterns by customers

7 Available now! www.codedx.com anita.damico@codedx.com

8

9 EXTRA SLIDES THAT MAY BE NEEDED TO ANSWER QUESTIONS

10 Standard Edition – Leverage open source for those with earthly budgets Overcomes cost barrier of commercial tools –HP Fortify, IBM AppScan, Parasoft, and others are six-figure investments Easier to use: automatically configures and runs open source application security testing tools so you don’t have to Combines tool results in a way that makes sense, giving one clear picture of the data Enterprise Edition – Extract more value from costly commercial tools Improves vulnerability coverage by adding results of several open source tools to those already gathered by commercial tools and manual analysis Normalizes results to the same severity scales, making triage less painful Correlates results of multiple commercial tools; removes overlapping results Allows consumer to expand beyond a single tool supplier, and get unified results Code Dx competitive advantages

11 Operational pilots in state and federal agencies –Supported by our DHS sponsor –Experience with operational users refines: usability, scalability, value prop Government sales –Extended pricing model to accommodate price quotes for 2,500 users –Looking for the right US government reseller Commercial sales –“Try before you Buy” on Standard Edition –Affordability attracts new consumer base –Users of other commercial tools can buy Code Dx to add value to current investment at a very low price Go-to-market strategy

12 Visual Analytics for triage, remediation, and communication 12 Workflows tailored to each type of user Interactive, powerful filtering Visualize thousands of weaknesses in a single view Quickly and effectively triage large weakness lists

13 SINGLE INTERFACE FOR CORRELATED RESULTS FROM MULTIPLE TOOLS normalized severities tool attribution correlated standards mappings totals from all 5 tools overlap detection correlated source code mappings

Download ppt "Finding vulnerabilities in your software before attackers do Supported by Her Majesty’s Government and U.S. Department of Homeland Security, Science &"

Similar presentations

Polycom Unified Collaboration for IBM Lotus Sametime and IBM Lotus Notes January 2010.

Polycom Unified Collaboration for IBM Lotus Sametime and IBM Lotus Notes January 2010.
Top 10 User Mistakes with Static Analysis Sate IV March 2012.

Top 10 User Mistakes with Static Analysis Sate IV March 2012.
Copyright © 2006 Quest Software Quest SharePoint Management.

Copyright © 2006 Quest Software Quest SharePoint Management.
What is On Time Booking? Reservation and distribution system for passenger transport companies (airlines and ferries ) Tool that helps you to manage the.

What is On Time Booking? Reservation and distribution system for passenger transport companies (airlines and ferries ) Tool that helps you to manage the.
Purpose: These slides are for use with customers by the Microsoft Dynamics NAV sales force and partners. How to use: Add these slides to the core customer.

Purpose: These slides are for use with customers by the Microsoft Dynamics NAV sales force and partners. How to use: Add these slides to the core customer.
Customer Strategic Presentation March 2010

Customer Strategic Presentation March 2010
COMOS Mobile Solutions 1.0 Simplified global collaboration

COMOS Mobile Solutions 1.0 Simplified global collaboration
XProtect ® Professional Efficient solutions for mid-sized installations.

XProtect ® Professional Efficient solutions for mid-sized installations.
1. 2 Captaris Workflow Microsoft SharePoint User Group 16 May 2006.

1. 2 Captaris Workflow Microsoft SharePoint User Group 16 May 2006.
Hewlett-Packard Services Microsoft Solutions Practice M S Krishnan Regional Applications Lead, Microsoft Solutions HP Services, Consulting and Integration.

Hewlett-Packard Services Microsoft Solutions Practice M S Krishnan Regional Applications Lead, Microsoft Solutions HP Services, Consulting and Integration.
© 2010 Orchid Technical Consultancy (P) Ltd. Problems facing businesses today Non-availability of information on time –Delayed or improper decision making.

© 2010 Orchid Technical Consultancy (P) Ltd. Problems facing businesses today Non-availability of information on time –Delayed or improper decision making.
Thanks to Microsoft Azure’s Scalability, BA Minds Delivers a Cost-Effective CRM Solution to Small and Medium-Sized Enterprises in Latin America MICROSOFT.

Thanks to Microsoft Azure’s Scalability, BA Minds Delivers a Cost-Effective CRM Solution to Small and Medium-Sized Enterprises in Latin America MICROSOFT.
Page 1 GADD Software - An Introduction Public version, August 2014, gaddsoftware.com.

Page 1 GADD Software - An Introduction Public version, August 2014, gaddsoftware.com.
Managing Software Assets. Managing Software Assets Software costs represent one of the largest information technology expenditures in most firms. Amounting.

Managing Software Assets. Managing Software Assets Software costs represent one of the largest information technology expenditures in most firms. Amounting.
Microsoft Dynamics CRM Online Choice Begins Today! Ralph R. Zerbonia President Universe Central Corporation.

Microsoft Dynamics CRM Online Choice Begins Today! Ralph R. Zerbonia President Universe Central Corporation.
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Service Engage – Engaging with Our Users IBM Cloud and Smarter Infrastructure 1.

Service Engage – Engaging with Our Users IBM Cloud and Smarter Infrastructure 1.
CS 3500 SE - 1 Software Engineering: It’s Much More Than Programming! Sources: “Software Engineering: A Practitioner’s Approach - Fourth Edition” Pressman,

CS 3500 SE - 1 Software Engineering: It’s Much More Than Programming! Sources: “Software Engineering: A Practitioner’s Approach - Fourth Edition” Pressman,
Shopping and ORM Solutions

Shopping and ORM Solutions
Driving Productivity with Microsoft Dynamics CRM Presenter Name Presenter Title Presenter Date.

Driving Productivity with Microsoft Dynamics CRM Presenter Name Presenter Title Presenter Date.

Similar presentations

Ads by Google