Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security.

Published byMathew Worcester Modified over 9 years ago

Similar presentations

Presentation on theme: "Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security."— Presentation transcript:

1 Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security

2 SDLC – Why Do We Bother? Vendor Heaven – Sell All You Can Sell Finding Your Path in The Jungle - Assembling The Puzzle to Build a Robust SDLC Program The Next 45 Min Data & Insights based on our experience @ LivePerson

3 Seeker Security Formerly Hacktics ® (Acquired by EY) New Generation of Application Security Testing (IAST) Recognized as Top 10 Most Innovative Companies at RSA ® 2010. Recognized as “Cool Vendor” by Gartner Identify, Demonstrate & Mitigate Critical Application Business Risk

4 LivePerson Monitor web visitor’s behavior (Over 1.2 B visits each month) Providing Engagement platform ( Over 10 M chats each month) Deploying code on customers’ websites SAAS in a full Multi-tenancy environment Process and Store customers’ data on our systems

5 Providing Service to Some of the Biggest

6 Cloud Motivation for Building Secure Code Reputation in a social era Risk Characteristics Cyber Crime – Financial motivation Systems are more accessible and Perimeter protection is not enough Legal liability and cost of non-compliance Customers (over 15 application pen-tests in the past year)

7 The Impact of Security Bugs in Production Highly expensive to fix (4X than during the dev process) We are not focusing on the upside Creates friction – Externally and Internally

8 Back in the Waterfall Days DesignDevelopmentQARollout 3 rd party Pen-Testing Security Requirements Bug Fixing Challenges Accuracy of Testing Same Findings Repeating Internal Friction Still Exists Customer Testing

9 And Then We Moved to Agile Sprint Plan Sprint & RegressionRollout Security Requirements Challenges Shorter Cycle (Design, Bug Fixing) Greater Friction In Production Customer Testing 3 rd party Pen-Testing

10 The Solution Matrix Vendor Heaven Infinite Services, Products, Solutions & Combinations In House / Outsourced Services / Product / SaaS Manual / Automated Blackbox / Whitebox Penetration Test / Code Review DAST / SAST / IAST

11 In-House/ Outsourced Skills Availability Cost Repeatability SDLC Integration Service/Product/SaaS (Manual/Automated) Accuracy False Positives False Negatives Skills/Quality Repeatability Ease of Use SDLC Integration Intellectual Property Coverage DAST/SAST/IAST (PT/CR, Black/White Box) Accuracy False Positives False Negatives Quality of Results Pinpointing Code Data Handling Validation Ease of Operation 3 rd Party Code Scale The Solution Matrix - Considerations

12 How to Assemble All the Pieces? Define Your PlaygroundRisk – Web, Data, Multi-Tenancy Customers – SLA, Standards Choose a Framework Who Leads This Program Highly Technical Organization (System Owners, Scrum Masters, Tech Leaders) Knowledge – Who & How Hands-On… QA First On-going sessions

13 How to Assemble All the Pieces? Fitting Tools to Platform and Development Process Java – Multi-Tier Agile Methodology JIRA (For bug tracking) Define Operational cycleKey Performance Indicators Operational Review (by system owners) Pen-Test Strategy 3 rd Party Blackbox Pre-defined flows to check

14 SDLC Take #2 Sprint Plan Sprint & RegressionRollout Security Design In Production Customer Testing 3 rd party Pen-Testing Budgeted “Certification” Program R&D / QA Ownership (Tech Leaders & System Owners) Knowledge (Hands-On Training + On-Going Sessions) Embedded Bug Tracking in Dev Tools Static Code Analysis Runtime/Dynamic Code Analysis

15 Thank You! Q&A

Download ppt "Building an Effective SDLC Program: Case Study Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security."

Similar presentations

Enabling Technology Innovation using Open Source Software

Enabling Technology Innovation using Open Source Software
Ensuring your business continuity. The problem (According to top research firms ) 59% of fortune 500 companies experience a minimum of 1.6 hours of downtime.

Ensuring your business continuity. The problem (According to top research firms ) 59% of fortune 500 companies experience a minimum of 1.6 hours of downtime.
QuEdge Testing Process Delivering Global Solutions.

QuEdge Testing Process Delivering Global Solutions.
An Agile Retrospective Clinton Keith Overview Retrospective format What works (clear wins)? What doesn’t work so well? What do we need to start doing?

An Agile Retrospective Clinton Keith Overview Retrospective format What works (clear wins)? What doesn’t work so well? What do we need to start doing?
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
HVC2012 | 8-Nov-12 Application Performance Monitoring Ofer Maor CTO HVC2012 8 Nov 2012 Haifa, Israel.

HVC2012 | 8-Nov-12 Application Performance Monitoring Ofer Maor CTO HVC Nov 2012 Haifa, Israel.
<<replace with Customer Logo>>

<<replace with Customer Logo>>
© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.

© 2008 All Right Reserved Fortify Software Inc. Hybrid 2.0 – In search of the holy grail… A Talk for OWASP BeNeLux by Roger Thornton Founder/CTO Fortify.
Agile-Scrum in QA – Case study at TraderTools Amitay Itskovitch TraderTools LLC QA Manager Phone: +972-9-7408880,

Agile-Scrum in QA – Case study at TraderTools Amitay Itskovitch TraderTools LLC QA Manager Phone: ,
Agile development By Sam Chamberlain. First a bit of history..

Agile development By Sam Chamberlain. First a bit of history..
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Security Services Svetlana.

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Security Services Svetlana.
NuVista Technologies Pte Ltd Superior Performance, Improved Efficiency & Tangible Cost Savings For IOS - Integrated Outsourcing Services Suite Your preferred.

NuVista Technologies Pte Ltd Superior Performance, Improved Efficiency & Tangible Cost Savings For IOS - Integrated Outsourcing Services Suite Your preferred.
IT Governance: Simultaneously Empowers and Controls Source: IT Governance, Chapter 1.

IT Governance: Simultaneously Empowers and Controls Source: IT Governance, Chapter 1.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
July 8-9, 2014 | Ronald Reagan Building | Washington, DC Federal Cloud Computing Summit Dr. Barry C. West Cloud Tools and Integration.

July 8-9, 2014 | Ronald Reagan Building | Washington, DC Federal Cloud Computing Summit Dr. Barry C. West Cloud Tools and Integration.
Agile Testing with Testing Anywhere The road to automation need not be long.

Agile Testing with Testing Anywhere The road to automation need not be long.
The Product Owner prioritizes the requirements or features through feedback from the Stakeholders & interaction with the core team The Team.

The Product Owner prioritizes the requirements or features through feedback from the Stakeholders & interaction with the core team The Team.
A Connected World in transformation NICE – DATACENTRES 2012 May 23 rd 2012 Paul-François CATTIER Global Data Centre Solution VP.

A Connected World in transformation NICE – DATACENTRES 2012 May 23 rd 2012 Paul-François CATTIER Global Data Centre Solution VP.
REV042811. Total SaaS global revenues of $13.1 billion in 2009 Total SaaS estimated revenues of $40.5 billion by 2014 25% of CRM software in 2011 will.

REV Total SaaS global revenues of $13.1 billion in 2009 Total SaaS estimated revenues of $40.5 billion by % of CRM software in 2011 will.
Agile/Scrum Case study Code name: ninja.  2 scrum teams  One product backlog  8 months so far  Long term project  External integrations  R&D and.

Agile/Scrum Case study Code name: ninja.  2 scrum teams  One product backlog  8 months so far  Long term project  External integrations  R&D and.

Similar presentations

Ads by Google