Enviar pesquisa
Carregar
Dan Cornell - The Real Cost of Software Remediation
•
0 gostou
•
473 visualizações
Source Conference
Seguir
Tecnologia
Denunciar
Compartilhar
Denunciar
Compartilhar
1 de 32
Baixar agora
Baixar para ler offline
Recomendados
Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007
Denim Group
Real Cost of Software Remediation
Real Cost of Software Remediation
Denim Group
2009 06 01 The Lean Startup Texas Edition
2009 06 01 The Lean Startup Texas Edition
Eric Ries
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
Rogue Wave Software
Agile and Secure
Agile and Secure
Denim Group
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
Benefits of System Accelerators
Benefits of System Accelerators
Perficient
Recomendados
Web Application Remediation - OWASP San Antonio March 2007
Web Application Remediation - OWASP San Antonio March 2007
Denim Group
Real Cost of Software Remediation
Real Cost of Software Remediation
Denim Group
2009 06 01 The Lean Startup Texas Edition
2009 06 01 The Lean Startup Texas Edition
Eric Ries
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Security Training: Necessary Evil, Waste of Time, or Genius Move?
Denim Group
How to achieve security, reliability, and productivity in less time
How to achieve security, reliability, and productivity in less time
Rogue Wave Software
Agile and Secure
Agile and Secure
Denim Group
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
Denim Group
Benefits of System Accelerators
Benefits of System Accelerators
Perficient
Open source software support for the enterprise
Open source software support for the enterprise
Rogue Wave Software
Agile Software Development In The Large
Agile Software Development In The Large
ConSanFrancisco123
Stop the line & Stop Feature Development practices
Stop the line & Stop Feature Development practices
Agile Spain
Practical use of defect detection and prediction
Practical use of defect detection and prediction
gregoryg
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
Matt Ray
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
The Linux Foundation
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
Security Innovation
People Dimension in Software Projects
People Dimension in Software Projects
Emanuele Della Valle
P&msp2010 08 development-management
P&msp2010 08 development-management
Emanuele Della Valle
SRVision 2019, Utrecht: Swarming and Cynefin
SRVision 2019, Utrecht: Swarming and Cynefin
Jon Stevens-Hall
Trackid H4D Stanford 2018
Trackid H4D Stanford 2018
Stanford University
Supporting operations personnel a software engineers perspective
Supporting operations personnel a software engineers perspective
Len Bass
Scale: The Most Hyped Term in Agile Development Today
Scale: The Most Hyped Term in Agile Development Today
TechWell
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
Colin Domoney
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
Aaron Rinehart
From Waterfall to Agile: A ScrumMaster’s View
From Waterfall to Agile: A ScrumMaster’s View
TechWell
manage databases like codebases
manage databases like codebases
DBmaestro - Database DevOps
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
Aaron Rinehart
2014 12-10 aimee
2014 12-10 aimee
Design World
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review Program
Denim Group
17 dsp dunia muzik tahun 3 5 feb 2013
17 dsp dunia muzik tahun 3 5 feb 2013
OwesomePure Collection
Bmm3171 konsepstrategipendekatankaedahdanteknik-130313084308-phpapp02
Bmm3171 konsepstrategipendekatankaedahdanteknik-130313084308-phpapp02
OwesomePure Collection
Mais conteúdo relacionado
Mais procurados
Open source software support for the enterprise
Open source software support for the enterprise
Rogue Wave Software
Agile Software Development In The Large
Agile Software Development In The Large
ConSanFrancisco123
Stop the line & Stop Feature Development practices
Stop the line & Stop Feature Development practices
Agile Spain
Practical use of defect detection and prediction
Practical use of defect detection and prediction
gregoryg
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
Matt Ray
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
The Linux Foundation
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
Security Innovation
People Dimension in Software Projects
People Dimension in Software Projects
Emanuele Della Valle
P&msp2010 08 development-management
P&msp2010 08 development-management
Emanuele Della Valle
SRVision 2019, Utrecht: Swarming and Cynefin
SRVision 2019, Utrecht: Swarming and Cynefin
Jon Stevens-Hall
Trackid H4D Stanford 2018
Trackid H4D Stanford 2018
Stanford University
Supporting operations personnel a software engineers perspective
Supporting operations personnel a software engineers perspective
Len Bass
Scale: The Most Hyped Term in Agile Development Today
Scale: The Most Hyped Term in Agile Development Today
TechWell
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
Colin Domoney
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
Aaron Rinehart
From Waterfall to Agile: A ScrumMaster’s View
From Waterfall to Agile: A ScrumMaster’s View
TechWell
manage databases like codebases
manage databases like codebases
DBmaestro - Database DevOps
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
Aaron Rinehart
2014 12-10 aimee
2014 12-10 aimee
Design World
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review Program
Denim Group
Mais procurados
(20)
Open source software support for the enterprise
Open source software support for the enterprise
Agile Software Development In The Large
Agile Software Development In The Large
Stop the line & Stop Feature Development practices
Stop the line & Stop Feature Development practices
Practical use of defect detection and prediction
Practical use of defect detection and prediction
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
DevOpsDays Austin: Helping Horses Become Unicorns, Chef's Operations Maturity...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
Secure DevOps - Evolution or Revolution?
Secure DevOps - Evolution or Revolution?
People Dimension in Software Projects
People Dimension in Software Projects
P&msp2010 08 development-management
P&msp2010 08 development-management
SRVision 2019, Utrecht: Swarming and Cynefin
SRVision 2019, Utrecht: Swarming and Cynefin
Trackid H4D Stanford 2018
Trackid H4D Stanford 2018
Supporting operations personnel a software engineers perspective
Supporting operations personnel a software engineers perspective
Scale: The Most Hyped Term in Agile Development Today
Scale: The Most Hyped Term in Agile Development Today
How to get the best out of DevSecOps - a security perspective
How to get the best out of DevSecOps - a security perspective
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering
From Waterfall to Agile: A ScrumMaster’s View
From Waterfall to Agile: A ScrumMaster’s View
manage databases like codebases
manage databases like codebases
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering"
2014 12-10 aimee
2014 12-10 aimee
Rolling Out An Enterprise Source Code Review Program
Rolling Out An Enterprise Source Code Review Program
Destaque
17 dsp dunia muzik tahun 3 5 feb 2013
17 dsp dunia muzik tahun 3 5 feb 2013
OwesomePure Collection
Bmm3171 konsepstrategipendekatankaedahdanteknik-130313084308-phpapp02
Bmm3171 konsepstrategipendekatankaedahdanteknik-130313084308-phpapp02
OwesomePure Collection
Adapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
Source Conference
Mobile Convention Amsterdam - Google - Ian Carrington
Mobile Convention Amsterdam - Google - Ian Carrington
MobileConventionAmsterdam
Mobile Convention Amsterdam - Rabobank - David Jan Janse
Mobile Convention Amsterdam - Rabobank - David Jan Janse
MobileConventionAmsterdam
Mobile Convention Amsterdam - Fabrique
Mobile Convention Amsterdam - Fabrique
MobileConventionAmsterdam
Mobile Convention Amsterdam - Netbiscuits - Steffen Schlimmer
Mobile Convention Amsterdam - Netbiscuits - Steffen Schlimmer
MobileConventionAmsterdam
Destaque
(7)
17 dsp dunia muzik tahun 3 5 feb 2013
17 dsp dunia muzik tahun 3 5 feb 2013
Bmm3171 konsepstrategipendekatankaedahdanteknik-130313084308-phpapp02
Bmm3171 konsepstrategipendekatankaedahdanteknik-130313084308-phpapp02
Adapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
Mobile Convention Amsterdam - Google - Ian Carrington
Mobile Convention Amsterdam - Google - Ian Carrington
Mobile Convention Amsterdam - Rabobank - David Jan Janse
Mobile Convention Amsterdam - Rabobank - David Jan Janse
Mobile Convention Amsterdam - Fabrique
Mobile Convention Amsterdam - Fabrique
Mobile Convention Amsterdam - Netbiscuits - Steffen Schlimmer
Mobile Convention Amsterdam - Netbiscuits - Steffen Schlimmer
Semelhante a Dan Cornell - The Real Cost of Software Remediation
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
Denim Group
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Denim Group
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
Robin Lutchansky
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx
Dedy Hariyadi
The quality attribute of upgradability
The quality attribute of upgradability
Len Bass
Software Lifecycle
Software Lifecycle
Soumen Sarkar
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOps
Tom Cappetta
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
Denim Group
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Denim Group
Twelve Factor - Designing for Change
Twelve Factor - Designing for Change
Eric Wyles
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
Site-Reliability-Engineering-v2[6241].pdf
Site-Reliability-Engineering-v2[6241].pdf
DeepakGupta747774
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
Damon Small
Application Assessment Techniques
Application Assessment Techniques
Denim Group
Tell me how you provision and I'll tell you how you are
Tell me how you provision and I'll tell you how you are
Juan Vicente Herrera Ruiz de Alejo
The State of DevSecOps
The State of DevSecOps
DevOps Indonesia
Semelhante a Dan Cornell - The Real Cost of Software Remediation
(20)
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
20th Anniversary - OWASP Top 10 2021.pptx
20th Anniversary - OWASP Top 10 2021.pptx
The quality attribute of upgradability
The quality attribute of upgradability
Software Lifecycle
Software Lifecycle
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOps
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
Twelve Factor - Designing for Change
Twelve Factor - Designing for Change
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Site-Reliability-Engineering-v2[6241].pdf
Site-Reliability-Engineering-v2[6241].pdf
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
Application Assessment Techniques
Application Assessment Techniques
Tell me how you provision and I'll tell you how you are
Tell me how you provision and I'll tell you how you are
The State of DevSecOps
The State of DevSecOps
Mais de Source Conference
Million Browser Botnet
Million Browser Botnet
Source Conference
iBanking - a botnet on Android
iBanking - a botnet on Android
Source Conference
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
Source Conference
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
Source Conference
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
Source Conference
How to Like Social Media Network Security
How to Like Social Media Network Security
Source Conference
Wfuzz para Penetration Testers
Wfuzz para Penetration Testers
Source Conference
Security Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
Source Conference
Securty Testing For RESTful Applications
Securty Testing For RESTful Applications
Source Conference
Esteganografia
Esteganografia
Source Conference
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
Source Conference
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
Source Conference
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference
Advanced (persistent) binary planting
Advanced (persistent) binary planting
Source Conference
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Source Conference
Who should the security team hire next?
Who should the security team hire next?
Source Conference
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
Source Conference
JSF Security
JSF Security
Source Conference
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
Source Conference
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
Source Conference
Mais de Source Conference
(20)
Million Browser Botnet
Million Browser Botnet
iBanking - a botnet on Android
iBanking - a botnet on Android
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
How to Like Social Media Network Security
How to Like Social Media Network Security
Wfuzz para Penetration Testers
Wfuzz para Penetration Testers
Security Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
Securty Testing For RESTful Applications
Securty Testing For RESTful Applications
Esteganografia
Esteganografia
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Advanced (persistent) binary planting
Advanced (persistent) binary planting
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Who should the security team hire next?
Who should the security team hire next?
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
JSF Security
JSF Security
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
Último
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Khem
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Results
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Neo4j
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
naman860154
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
The Digital Insurer
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
Slack Application Development 101 Slides
Slack Application Development 101 Slides
praypatel2
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
naman860154
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Katpro Technologies
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
debabhi2
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
Último
(20)
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
Slack Application Development 101 Slides
Slack Application Development 101 Slides
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Dan Cornell - The Real Cost of Software Remediation
1.
The Real Cost
of Software Remediation Dan Cornell CTO, Denim Group @danielcornell © Copyright 2011 Denim Group - All Rights Reserved
2.
Agenda •
Introduction / Background • An Innocent Question • Finding a Structure for Remediation Projects • Methodology • Remediation Data • Analysis and Recommendations • Questions © Copyright 2011 Denim Group - All Rights Reserved 1
3.
Introduction / Background
• Me (Dan Cornell) – Founder and CTO of Denim Group – Software developer by background (Java, .NET, etc) – OWASP San Antonio, Global Membership Committee • Denim Group – Build software with special security, performance, reliability requirements (think “Rugged”) – Software security remediation – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training – instructor-led and eLearning © Copyright 2011 Denim Group - All Rights Reserved 2
4.
Fixing a Cross-Site
Scripting (XSS) Vulnerability How long does it take? A) 9.6 minutes B) 16.2 minutes C) 84 minutes D) It doesn’t matter E) All of the above © Copyright 2011 Denim Group - All Rights Reserved 3
5.
Fixing a Cross-Site
Scripting (XSS) Vulnerability How long does it take? A) 9.6 minutes – Average fix time for stored XSS (no load) B) 16.2 minutes – Average fix time for reflected XSS (no load) C) 84 minutes – Average fix time for stored and reflected (loaded) D) It doesn’t matter E) All of the above © Copyright 2011 Denim Group - All Rights Reserved 4
6.
Fixing a Cross-Site
Scripting (XSS) Vulnerability How long does it take? A) 9.6 minutes – Average fix time for stored XSS (no load) B) 16.2 minutes – Average fix time for reflected XSS (no load) C) 84 minutes – Average fix time for stored and reflected (loaded) D) It doesn’t matter E) All of the above © Copyright 2011 Denim Group - All Rights Reserved 5
7.
Remediation Worst Practices
• When the security team: – Demands a development team devote time and budget to remediation – Provides them with no direction or support – Has the development team attempt to make fixes on their own – Complains when things don’t work out © Copyright 2011 Denim Group - All Rights Reserved 6
8.
Remediation Worst Practices
• Result: No new features and half- or non-fixed vulnerabilities • Good luck getting your next remediation project approved © Copyright 2011 Denim Group - All Rights Reserved 7
9.
Finding a Structure
for Remediation Projects • Desired outcome: predictable and effective remediation projects – Predictable: know how long they will take and how much they will cost – Effective: targeted vulnerabilities actually get fixed • A community of stakeholders – Security – Development – IT Audit / Compliance © Copyright 2011 Denim Group - All Rights Reserved 8
10.
Remediation Projects •
Inception • Planning – Calculate Risk – Agree on Fix and Confirmation Methods – Determine Level of Effort – Schedule • Execution – Set up Development Environment – Fix Vulnerabilities – Confirm Fixes and Perform Functional Testing – Deploy © Copyright 2011 Denim Group - All Rights Reserved 9
11.
Remediation: How To
Guide • Describes methodology for software security remediation projects • Includes tips and best practices • Free online denimgroup.com/howtoguide_download_register.html © Copyright 2011 Denim Group - All Rights Reserved 10
12.
That’s Great But…
• How long will it actually take me to fix my vulnerabilities? • Software security remediation projects are software development projects – So estimate them as such • Best practices: – Bottom-up estimation – Cluster vulnerabilities where possible • It would be nice to have some data to use as a starting point… © Copyright 2011 Denim Group - All Rights Reserved 11
13.
Data! • Took
data from 15 remediated applications • Two types of analysis: – Vulnerability-level (4 applications) – Project-level (13 applications) • Data from Inception and Planning phases was too messy • Data from Execution phase was useable © Copyright 2011 Denim Group - All Rights Reserved 12
14.
The Good (Why
This Data Might Be Useful) • Some data is better than no data – As long as you understand potential areas of bias – Read “How to Measure Anything” by Douglas W. Hubbard • Had relatively large sample size for some vulnerability types © Copyright 2011 Denim Group - All Rights Reserved 13
15.
The Bad (Some
Potential Sources of Bias) • Relatively small sample size • Based on a single project type – Outsourced software security remediation projects • Data required cleanup and normalization • Vulnerability data centered around technical vulnerabilities – Most identified by automated static analysis © Copyright 2011 Denim Group - All Rights Reserved 14
16.
Vulnerability-Specific Data (20+
Sample Count) Vulnerability Type Sample Count Average Fix (minutes) Dead Code (unused methods) 465 2.6 Poor logging: system output stream 83 2.9 Poor Error Handling: Empty catch block 180 6.8 Lack of Authorization check 61 6.9 Unsafe threading 301 8.5 ASP.NET non-serializable object in session 42 9.3 XSS (stored) 1023 9.6 Null Dereference 157 10.2 Missing Null Check 46 15.7 XSS (reflected) 25 16.2 Redundant null check 21 17.1 SQL injection 30 97.5 © Copyright 2011 Denim Group - All Rights Reserved 15
17.
Some Thoughts and
Notes • Apparently deleting code and changing logging methods are easy • Cross-Site Scripting – Vulnerability count tracks with data from WhiteHat, Veracode, other sources – Harder to fix reflected XSS than stored XSS • Lack of Authorization Check – Fix consisted of copy/pasting file include into a number of files • SQL Injection – Surprisingly high – Reason: fixes were for more complicated SQL injection vulnerabilities © Copyright 2011 Denim Group - All Rights Reserved 16
18.
So If I
Have 6 Stored XSS Vulnerabilities… … my remediation project should take about an hour, right? But wait! © Copyright 2011 Denim Group - All Rights Reserved 17
19.
Remediation Is Not
Just About Coding Fixes • This data is from one of four steps in one of three phases – “Fix Vulnerabilities” step in the “Execution” phase • What about Inception and Planning? – No great data available yet • What about the rest of Execution? – Set up Development Environment – Fix Vulnerabilities – Confirm Fixes and Perform Functional Testing – Deploy – Overhead © Copyright 2011 Denim Group - All Rights Reserved 18
20.
Where Is Time
Being Spent? 70% Indicates the weighted average versus the average of 60% 59% individual projects 50% 44% 42% 40% 37% 30% 31% 28% 29% 24% 24% 20% 17% 20% 15% 15% 16% 10% 9% 3% 2% 0% 0% 0% 0% Setup Development Fix Vulnerabilities Confirm Fixes / QA Deploy Overhead Environment © Copyright 2011 Denim Group - All Rights Reserved 19
21.
Some Thoughts and
Notes • Setup Development Environment – Best case: existing development environment or VM – Worst case: Safari expedition to recreate environment setup because organization no longer had this knowledge • Instructions on setting up a development environment were a deliverable • Fix Vulnerabilities – This is what people focus on but there is wide variation © Copyright 2011 Denim Group - All Rights Reserved 20
22.
Some Thoughts and
Notes (continued) • Confirm Fixes / QA – Sometimes this took more time than the actual fixes – Best case: Existing set of automated functional / regression tests • Deploy – Best case: use an existing planned release • Overhead – Surprisingly high in some cases © Copyright 2011 Denim Group - All Rights Reserved 21
23.
Using the Data
• I thought you said to estimate bottom-up? – Yes. Do that – Use the vulnerability data as a guide for estimation – Use the project composition data for validation – Use the lessons of the data to try and minimize required investment © Copyright 2011 Denim Group - All Rights Reserved 22
24.
What Can I
Do To Minimize Remediation Costs? Avoid introducing vulnerabilities into your software (you are all welcome for this piece of sage advice) © Copyright 2011 Denim Group - All Rights Reserved 23
25.
What Can I
Do To Minimize Remediation Costs? • Have ready access to development environments for the developers doing the remediation • Automated functional / regression testing helps speed security fixes • Use planned deployments when possible © Copyright 2011 Denim Group - All Rights Reserved 24
26.
Which Vulnerabilities Get
Fixed and When? • Use your data-backed, bottom-up WBS for risk management and planning • Serious vulnerabilities that are easy to fix? Consider an out-of-cycle release • Otherwise leverage planned releases © Copyright 2011 Denim Group - All Rights Reserved 25
27.
The Outlier •
We remediated one vulnerability not included in the study that was more expensive to fix than all vulnerabilities in the study – Authentication issue in a connected system • Requirements and architecture vulnerability – Automated scanners – static or dynamic: powerless to find it • Should have / would have been caught by even a basic threat modeling or abuse case session © Copyright 2011 Denim Group - All Rights Reserved 26
28.
So Where Does
This Leave Us • Good: – We have a framework – We have some data • Less good: – The data comes with a number of caveats • Given a framework and some data you should be: – Better able to execute successful projects – Better able to estimate projects – Better able to minimize project costs © Copyright 2011 Denim Group - All Rights Reserved 27
29.
Next Steps For
Me • Release a more in-depth report • Include more data in the analysis • Perform deeper analysis – Impact of size of project (hours) – Impact of number of vulnerabilities remediated – Impact of platform – And so on… • Include data on logical vulnerabilities © Copyright 2011 Denim Group - All Rights Reserved 28
30.
Next Steps For
You • Review your existing vulnerability data • Create a “back of the envelope” plan to address open vulnerabilities – Run different scenarios: “All critical and high” “All public-facing apps” and so on • Talk to developers – How do they set up development environments? – When do they do planned releases? • Fix some vulnerabilities! – Application-level vulnerabilities persist for a long time © Copyright 2011 Denim Group - All Rights Reserved 29
31.
Remediation Resource Center
• Resources for remediating software security vulnerabilities – Videos – How-to Guide – Blog posts denimgroup.com/remediation © Copyright 2011 Denim Group - All Rights Reserved 30
32.
Questions? Dan Cornell
dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com blog.denimgroup.com www.denimgroup.com/remediation (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 31
Baixar agora