Software Confidence. Achieved. Deployment of a Code Analysis Methodology Critical Discussion Towards a Roadmap for Success John Steven Software Security.


1 Software Confidence. Achieved.
Deployment of a Code Analysis Methodology: Critical Discussion Towards a Roadmap for Success
John Steven, Software Security Principal, Technical Director, Office of the CTO, Cigital Inc.

2 © 2006 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
Motivation: Common Goals & Challenges
Initial Goals
- Introduce lightweight code analysis to the SDLC
- Inexpensively purchase security expertise
- Consistently apply that expertise
Subsequent Desires
- Scale 'whitebox' code analysis
- Automate checking against corporate security coding standards
- Enable developers to test powerfully
Non-starters
- Unwieldy build integration
- Overwhelming false-positive reduction
- Inappropriate division of labor: filtering findings, writing rules
Stumbling Blocks
- Unclear process/tool ownership, inability to shepherd the tool
- Overcoming objections to accuracy, alternatives

3 Initial Adoption, Pilot Deployment

4 Pilot Inception
Goal: Introduce lightweight code analysis to the SDLC
Define Secure SDLC
- Palatable to development management
- Sufficient to exercise software security
Stand up App. Sec. Roles
- Assure proper support level for roll out
- Avoid inadequate skills for tool support
- Appropriately assign adoption tasks
Classify Portfolio's Risk
- Apply tools where they count first
Software Security Training
- Begin to set expectations

5 Pilot Requirements
Define Tool Pilot
- Decide who will pilot the tool
Secure Coding Awareness
- Set expectations about the tool's capabilities
- Show the tool alongside other software security activities
- Proactively differentiate the tool's success criteria from other developer feedback

6 Elaboration: Phase I Pilot
Potential Challenges:
- Unwieldy build integration
- Overwhelming false-positive reduction
Tool Deployment Handbook
- Face & overcome issues before development sees the tool:
  - Integration problems
  - Unnecessary 'on by default' rules
Tune, customize rules
- High-confidence, accurate rules for the desktop
- Stage rule packs (over time)
- Leave rules whose findings require savvy to security personnel

7 Subsequent Roll out, Widespread Adoption
Key to avoiding pushback

8 Implementation
Baseline all applications
- Face integration issues all over again
- Agreement on the rule pack is essential to measurement
Deploy Incentives Program
- Measurement is essential to incentives
- Enforce adoption as a quality gate

9 On-going Maintenance
Goals:
- Scale 'whitebox' code analysis
- Automate checking against corporate security coding standards
- Enable developers to test powerfully

10 Roles and Responsibilities
Essential Roles (by priority)
1. Tool Shepherd: 1 FTE, 1+ over time
2. Deployment Manager: 1/2 FTE
3. Rules Maven: 1 FTE, later
All report into the Application Security Group
Appoint Tool Shepherds in B.U.s if:
- Build env. differs dramatically
- B.U. remains very autonomous
Rules Maven: a longer-term, lower-priority hire

11 Tool Shepherd
- Allows self-sufficiency w/o Fortify Sales Engineer
- Tackle the 'other 20%' of integration issues in teams
- Finish elaboration and drive implementation
1st year tasks:
- Integration handbook (HOWTO)
- F.A.Q. for build failures
- Results interpretation heuristics: "Blacklist", other
- Cull results, participate in determining rule pack constituency

12 Deployment Manager
- Delegates Shepherd's time into teams
- Brokers decisions about rule pack configurations
  - Security Analyst configuration: Kitchen Sink
  - Build
    - New Dev: Accurate kitchen sink
    - Maintenance: Reduced rule pack
  - Desktop
    - New Dev: Accurate, very fast, reduced pack
    - Maintenance: Very accurate, very fast, very reduced
Measurement & Progress
- Deployment coverage
- Rule accuracy
- Findings rates (density)
- Remediation (rate, LoE, etc.)
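The rule-pack staging from slide 6 and the tiered configurations and four metrics from slide 12 can be made concrete in a few dozen lines. The following is an added example, not code from the presentation, from Cigital or from Fortify: the tier names and precision thresholds in TIERS, the Rule/Finding fields, and every rule, application and finding are constructed sample data. The idea it models is that a rule earns its way onto the developer desktop by demonstrated precision and by not needing a security analyst to interpret its findings, while the analyst's "kitchen sink" run keeps everything; the same triaged findings then feed coverage, accuracy, density and remediation numbers for the incentives program.

```python
# Added example (not from the presentation, Cigital or Fortify): staged rule packs
# and the four adoption metrics named on slide 12, over constructed sample data.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    category: str
    precision: float            # fraction of past findings confirmed true in triage
    needs_security_savvy: bool  # findings need a security analyst to interpret


@dataclass(frozen=True)
class Finding:
    app: str
    rule_id: str
    verdict: str      # "true", "false" or "open" (not yet triaged)
    remediated: bool


# Hypothetical tiers modelled on slide 12: the analyst's kitchen sink keeps every
# rule; build and desktop packs demand rising precision, and the desktop packs
# exclude rules whose findings require security savvy (slide 6).
TIERS = {
    "analyst_kitchen_sink": {"min_precision": 0.0, "allow_savvy": True},
    "build_new_dev": {"min_precision": 0.5, "allow_savvy": True},
    "build_maintenance": {"min_precision": 0.8, "allow_savvy": True},
    "desktop_new_dev": {"min_precision": 0.8, "allow_savvy": False},
    "desktop_maintenance": {"min_precision": 0.95, "allow_savvy": False},
}


def select_rule_pack(rules: Iterable[Rule], tier: str) -> List[str]:
    """Rule ids that belong in the given tier's pack, sorted for stable output."""
    cfg = TIERS[tier]
    return sorted(
        r.rule_id for r in rules
        if r.precision >= cfg["min_precision"]
        and (cfg["allow_savvy"] or not r.needs_security_savvy)
    )


def deployment_coverage(all_apps: Iterable[str], scanned_apps: Iterable[str]) -> float:
    """Fraction of the portfolio that has been baselined with the tool."""
    portfolio = set(all_apps)
    return len(portfolio & set(scanned_apps)) / len(portfolio)


def rule_accuracy(findings: Iterable[Finding]) -> Dict[str, float]:
    """Per-rule precision over triaged findings; 'open' findings are not counted."""
    tallies: Dict[str, List[int]] = {}
    for f in findings:
        if f.verdict in ("true", "false"):
            t = tallies.setdefault(f.rule_id, [0, 0])
            t[0] += f.verdict == "true"
            t[1] += 1
    return {rid: true / total for rid, (true, total) in tallies.items()}


def finding_density(findings: Iterable[Finding], kloc_by_app: Dict[str, float]) -> Dict[str, float]:
    """Findings per thousand lines of code for each scanned application."""
    counts = {app: 0 for app in kloc_by_app}
    for f in findings:
        counts[f.app] += 1
    return {app: counts[app] / kloc_by_app[app] for app in kloc_by_app}


def remediation_rate(findings: Iterable[Finding]) -> float:
    """Fraction of confirmed true positives that have been fixed."""
    true_pos = [f for f in findings if f.verdict == "true"]
    if not true_pos:
        return 0.0
    return sum(f.remediated for f in true_pos) / len(true_pos)


# Constructed sample data: five rules with made-up triage history.
SAMPLE_RULES = [
    Rule("R1", "sql-injection", 0.90, False),
    Rule("R2", "xss", 0.85, False),
    Rule("R3", "weak-crypto", 0.60, True),
    Rule("R4", "race-condition", 0.30, True),
    Rule("R5", "sensitive-logging", 0.97, False),
]
# Constructed sample findings from two baselined applications.
SAMPLE_FINDINGS = [
    Finding("billing", "R1", "true", True),
    Finding("billing", "R1", "false", False),
    Finding("billing", "R2", "true", False),
    Finding("portal", "R3", "true", True),
    Finding("portal", "R4", "false", False),
    Finding("portal", "R4", "open", False),
    Finding("portal", "R5", "true", True),
]
SAMPLE_KLOC = {"billing": 10.0, "portal": 20.0}
ALL_APPS = ["billing", "portal", "hr-intranet"]   # hr-intranet not yet scanned

if __name__ == "__main__":
    for tier in TIERS:
        print(f"{tier:22s} {select_rule_pack(SAMPLE_RULES, tier)}")
    print("coverage", deployment_coverage(ALL_APPS, SAMPLE_KLOC))
    print("accuracy", rule_accuracy(SAMPLE_FINDINGS))
    print("density", finding_density(SAMPLE_FINDINGS, SAMPLE_KLOC))
    print("remediation", remediation_rate(SAMPLE_FINDINGS))
```

Run as a script it prints the pack for each tier and the four metrics. With the sample data the desktop maintenance pack shrinks to the single rule with 0.97 precision, while R4 (30% precision, analyst-only) appears nowhere but the kitchen sink, which is the "very accurate, very reduced" outcome slide 12 describes. Rule accuracy deliberately ignores untriaged findings, so a rule is not penalised for a backlog the Tool Shepherd has not culled yet.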

13 Rules Maven
- Does not exist, must be grown
- Can wait for a year to begin
- True Subject Matter Expert (SME)
- Creates vulnerability patterns from:
  - Incidence
  - Assurance work
  - Industry best practices
  - Threat model
- Generates rule test cases
