SlideShare uma empresa Scribd logo

JavaOne2013: Secure Engineering Practices for Java

Chris Bailey
Chris Bailey

This document summarizes a presentation on secure engineering practices for Java given at JavaOne 2013. It discusses the importance of software assurance over just security controls. It emphasizes that achieving a high level of software assurance requires attention to security throughout the development lifecycle, including risk assessment, secure coding practices, security testing, documentation, and incident response. The presentation recommends that development teams understand security risks and threats in order to build secure software.

Tecnologia
1 de 27
Baixar para ler offline
JavaOne 2013 Secure Engineering Practices for Java Tim Ellison, IBM United Kingdom Ltd. CON 3615 © 2013 IBM Corporation
Important Disclaimers THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES. ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE. IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE. IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2 © 2013 IBM Corporation
About me  Based in the Java Technology Centre, Hursley UK  Working on various runtime technologies for >20 years  Experience of open source communities  Currently focused on class library design and delivery  Overall technical lead for IBM Java 8 SE tim_ellison@uk.ibm.com 3 © 2013 IBM Corporation
The goal of Secure Engineering Practices is to achieve a high level of Software Assurance Software Assurance is not the same as Security Controls © 2013 IBM Corporation
Security Controls The mechanisms by which security is established and maintained across the people, data, applications, infrastructure of the system. Security controls, the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. National Information Assurance (IA) Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf © 2013 IBM Corporation
Software Assurance How confident are we that the entire system comprising people, data, applications, and infrastructure is secure? Software Assurance, a statement of the “level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle, and that the software functions in the intended manner.” National Information Assurance (IA) Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf © 2013 IBM Corporation
The market for software and computing services is evolving Governments and Enterprise customers are adopting procurement requirements that give preference to software and computing services having “high assurance characteristics” over other commercial, off-the-shelf products and services. Many critical business and control systems require a high level of software assurance. © 2013 IBM Corporation
IBM X-Force View of Enterprise Security Incidents in 2012 http://www.ibm.com/services/us/iss/xforce/trendreports/ © 2013 IBM Corporation
Measuring the assurance of software and computing services  The requirements are evolving… – Meets recognized security standards – Public history of security bulletins & press reports – Passes security tests, including scanning source, automated security testing and penetration testing – Provides evidence that good software engineering practices were applied throughout the development lifecycle Unfortunately, there are no over-arching standards. © 2013 IBM Corporation
Secure Engineering Goals 1.ofProvide security out the box 2. Proactively respond to new threats and risks Ensure products and solutions provide a reasonable and adequate level of security at time of release, and they maintain and improve security from release to release. Act in a timely fashion for any report of vulnerability in an existing release, and proactively address any new threat that may apply. Achieving a high confidence in software security assurance requires attention throughout the full software lifecycle Development Supply Chain Development Process and Lifecycle Deployment Lifecycle © 2013 IBM Corporation
Software Assurance Activities The tools and practices needed within a given project depend upon  What is being built (component, product, solution, service or enterprise workload)  Where it is expected to be used (closed workgroup, intranet, internet, cloud or critical infrastructure) Operational  The relevant risks and threats Code integrity Manual Code Review Security Review of Open Source Architecture Review & Security Requirements Threat Analysis & Mitigation Planning Development Supply Chain Third Party SW Contract Terms Secure Coding Security Source Code Scan Secure Build Security Security Evaluation Evaluation Security System Test Binary Analysis Development Process and Lifecycle Use Case, Abuse Case and Fault Analysis Security Controls mechanisms Source and Object Code Control Pre-Production Assurance (Pen Testing) Monitoring & Analytics Change Mgmt Scanning Deployment Lifecycle Incident Handling © 2013 IBM Corporation
Adopting Secure Development Practices  Group specific activities that support secure engineering into a set of practices  Focusing on development process – Similar can be done for supply chain, deployment, etc Development Supply Chain Tools Practices Risk Assess & Threat Model Development Process and Lifecycle Security Reqmts Secure Coding Security Testing Project Planning Security Document Deployment Lifecycle Incident response Skills Knowledge Education & Awareness © 2013 IBM Corporation
Risk Assessment and Threat Modeling Essential Practice The goal of this practice is to identify potential risks or attacks against software product or solutions as it will be deployed and to make decisions about how to address these risks during development. 1.Decide what risks are important to the Identify Risks 1.Investigate threats related Analyze Threats software being built those risks 1.Create and adopt a mitigation plan to Plan Mitigations avoid / correct the issues © 2013 IBM Corporation
The Stride Threat Model – as an example Spoofing identity Tampering with data An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password. Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. Repudiation and Nonrepudiation Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise—e.g., a user performs an illegal operation in a system that lacks the ability to trace operations. Non-repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the receipt as evidence that the user received the package. Information disclosure Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers. Denial of service Elevation of privilege 14 Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed. http://msdn.microsoft.com/en-us/library/ee823878%28v=cs.20%29.aspx © 2013 IBM Corporation
Anti-patterns: Addressing security exclusively through tests Reqmts Without overt actions the code will contain vulnerabilities Code Design Testing tools find ~50% of the known types of vulnerabilities Prod Mgmt team Design team Reqmts Design Remediation “loops” may add two to four months to a project depending on the complexity of the issues discovered 15 Programming team Code / Build Code Scan Test team Test Package / Deploy Maintain Security System Test © 2013 IBM Corporation
Secure Design Practices  Understand the security requirements for the system early  Identify risks during design and prototyping and address them  Adopt established best practices for recognized risks (patterns), Attack surface reduction, principle of least privilege, defense in depth, security by default, ...  Document and describe the assurances you have about the system  Developers iterate towards a functional system based on a secure architecture 16 © 2013 IBM Corporation
Shared Goals Promote Secure Coding Consistent guidance on Security Risks, Threats & Vulnerabilities Security Advice Reqmts Code may contain vulnerabilities Code Design Testing tools find ~50% of the known types of vulnerabilities Prod Mgmt team Design team Reqmts Design Programming team Code / Build Code Scan 17 Test team Test Package / Deploy Maintain Security System Test © 2013 IBM Corporation
Secure Coding  A significant proportion of escaped vulnerabilities are traced to coding errors  Developers need to be familiar with the secure coding guidelines, MITRE top 25, etc.  Understand the concepts of trusted and untrusted code, tainted data, sensitive data, etc – The team and the application must handle them explicitly – Java 8 annotations can help with classifying constraints and metadata about variables  Prioritize departures from the coding standard by failure mode, effects, and criticality – Severity: How serious are the consequences of the error? – Likelihood: How likely is it that a flaw introduced by violating the rule could 18 lead to an exploitable vulnerability? – Remediation cost: How expensive is it to remediate existing code to comply with the standard? © 2013 IBM Corporation
Security Testing  Use threat modelling to target security testing based on risk – Prioritize testing with manual and tools based scenarios • Breach of access rules • Bad actor • Effect of malformed data • Out of process operations 100x  Static analysis – Does the code adhere to the coding guidelines? – Tools and formal code inspections  Dynamic testing – SQL injection – Fuzzing – Penetration testing 19 15x 1x design 6x coding verification release © 2013 IBM Corporation cost  Numerous studies show the cost of finding and fixing vulnerabilities rises exponentially through the development lifecycle
Security Documentation  All releases should be secure by design in their default configuration  High quality documentation about how to use a system securely is equally important  Users need clear guidelines about the security impact to modifying configurations – Inform users about secure deployment, and balancing usability with security – Security should be addressed as a specific topic, not spread throughout the documentation  Explain the impact of configurations that increase the attack surface of the system, e.g. – Backwards compatibility – Choice of communications protocols – Guest and demo accounts  Provide examples and templates for hardening the system in specific scenarios  Use threat modeling conclusions to inform users about best practices 20 © 2013 IBM Corporation
Security Incident Response  Expect security incidents even after following careful secure engineering practices  Incident response policy and plan – Establishing communications internally and externally – Be prepared for any eventuality, but focus on expected attacks attrition web-based hardware level e-mail improper usage loss / theft  Establish robust means of detecting and verifying incidents – logging, audits, external reports, validation checks, ...  Create guidelines for prioritizing incidents – Functional impact to the business – Information impact to confidentiality, integrity and availability of business data – Recoverability from incident occurrence  Learn lessons from incidents – Ensure the organization improves based on the history of security incidents © 2013 IBM Corporation
Education and Environment  Software assurance requires positive action maintained throughout the full system lifecycle Development Supply Chain Tools Practices Risk Assess & Threat Modeling Development Process and Lifecycle Security Reqmts Secure Coding Security Testing Project Planning Security Document Deployment Lifecycle Incident response Skills Knowledge Education & Awareness  Ensure development team has the same knowledge and perspective that adversaries might use. © 2013 IBM Corporation
Security Advice Expert Knowledge Actors Risks Assets Design team Programming team Threats Permissions Exploits Platforms Attacks Tools User Stories Common Weaknesses Defense in Depth Test team Users Roles Support team D e fe n s e s Vulnerability History Security Perimeter White hat Languages Security Controls Malware Black hat © 2013 IBM Corporation
Secure Engineering is the responsibility of the entire development All job roles need an understanding of the concepts Awareness and organization Education Project Planning Architects and Designers need to ensure that best practices for session handling, information protection, etc. are included in Design Specifications, Use Cases and Security Test Plans Secure Coding Test team Architects and Designers need to review the security characteristics of existing software and document a Threat Model for new software Security Requirements Design team Project/Release Managers need to include Secure Engineering in Project Planning activities Risk Assessment and Threat Modeling Management team and the implications of Security in Development Developers need to ensure that coding and configuration techniques are appropriate Security Testing Test Teams need to learn about security testing and perform Security Testing using AppScan, with appropriate test plan and policy Security Documentation Information Developers need to ensure that all offerings include appropriate Security Documentation Security Incident Response Support Teams must participate in Security Incident Response Process Programming team Support team © 2013 IBM Corporation
Summary  Security Controls and Software Assurance are both critical to enterprise users  Continued evidence of vulnerabilities in software has changed the focus from security controls and defenses to controlling the risk of security incidents.  To build secure software, development teams need to understand risks throughout the development lifecycle.  There are risks related to weaknesses in design, coding and integration, as well as, in use cases and abuse cases related to deployment models for critical business processes and workloads.  Development Teams need to grow skills in analyzing risks and threats and use the available tools. © 2013 IBM Corporation
© 2013 IBM Corporation
Photo attributions  Chart 7 – MRI = Jan Ainali – ATM = DaviSements – Car = Kevin Rodriguez Ortiz  Chart 16 – Coder = Matthew (WMF)  Chart 20 – Writer = greg.turner © 2013 IBM Corporation

Recomendados

Impact2014: Introduction to the IBM Java Tools
Impact2014: Introduction to the IBM Java ToolsImpact2014: Introduction to the IBM Java Tools
Impact2014: Introduction to the IBM Java ToolsChris Bailey
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013MattKilner
 
Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013MattKilner
 
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...Chris Bailey
 
Debugging Native heap OOM - JavaOne 2013
Debugging Native heap OOM - JavaOne 2013Debugging Native heap OOM - JavaOne 2013
Debugging Native heap OOM - JavaOne 2013MattKilner
 
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...0xdaryl
 
JavaOne BOF 5957 Lightning Fast Access to Big Data
JavaOne BOF 5957 Lightning Fast Access to Big DataJavaOne BOF 5957 Lightning Fast Access to Big Data
JavaOne BOF 5957 Lightning Fast Access to Big DataBrian Martin
 
Ten things you should know when writing good unit test cases
Ten things you should know when writing good unit test casesTen things you should know when writing good unit test cases
Ten things you should know when writing good unit test casesPaulThwaite
 

Recomendados

Impact2014: Introduction to the IBM Java Tools
Impact2014: Introduction to the IBM Java ToolsImpact2014: Introduction to the IBM Java Tools
Impact2014: Introduction to the IBM Java ToolsChris Bailey
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013MattKilner
 
Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013MattKilner
 
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...
JavaOne2013: Build Your Own Runtime Monitoring for the IBM JDK with the Healt...Chris Bailey
 
Debugging Native heap OOM - JavaOne 2013
Debugging Native heap OOM - JavaOne 2013Debugging Native heap OOM - JavaOne 2013
Debugging Native heap OOM - JavaOne 2013MattKilner
 
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...
JavaOne 2013 CON7370: Java Interprocess Communication Challenges in Low-Laten...0xdaryl
 
JavaOne BOF 5957 Lightning Fast Access to Big Data
JavaOne BOF 5957 Lightning Fast Access to Big DataJavaOne BOF 5957 Lightning Fast Access to Big Data
JavaOne BOF 5957 Lightning Fast Access to Big DataBrian Martin
 
Ten things you should know when writing good unit test cases
Ten things you should know when writing good unit test casesTen things you should know when writing good unit test cases
Ten things you should know when writing good unit test casesPaulThwaite
 
IBM Health Center Details
IBM Health Center DetailsIBM Health Center Details
IBM Health Center DetailsRohit Kelapure
 
Three key concepts for java batch
Three key concepts for java batchThree key concepts for java batch
Three key concepts for java batchtimfanelli
 
Performance comparison on java technologies a practical approach
Performance comparison on java technologies a practical approachPerformance comparison on java technologies a practical approach
Performance comparison on java technologies a practical approachcsandit
 
scale_perf_best_practices
scale_perf_best_practicesscale_perf_best_practices
scale_perf_best_practiceswebuploader
 
WCE031_WH06
WCE031_WH06WCE031_WH06
WCE031_WH06webuploader
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterWASdev Community
 
Profile narendraredy
Profile narendraredyProfile narendraredy
Profile narendraredyNARENDRA REDDY S
 
Cloud Performance Testing with LoadRunner
Cloud Performance Testing with LoadRunnerCloud Performance Testing with LoadRunner
Cloud Performance Testing with LoadRunnerRichard Bishop
 
DB2 for z/OS Solutions
DB2 for z/OS SolutionsDB2 for z/OS Solutions
DB2 for z/OS Solutionssoftbasemarketing
 
Windows 7 For Geeks
Windows 7 For GeeksWindows 7 For Geeks
Windows 7 For GeeksAdil Mughal
 
Healthcheck 07 application
Healthcheck 07 applicationHealthcheck 07 application
Healthcheck 07 applicationNakedi Kobo
 
Building highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQBuilding highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQMatthew White
 
Effective admin and development in iib
Effective admin and development in iibEffective admin and development in iib
Effective admin and development in iibm16k
 
Ebs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by OracleEbs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by OracleAkash Pramanik
 
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large Installations
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large InstallationsTECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large Installations
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large InstallationsSymantec
 
Load Test Methodology: Server Load Testing
Load Test Methodology: Server Load TestingLoad Test Methodology: Server Load Testing
Load Test Methodology: Server Load TestingIxia
 
Windows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff StokesWindows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff StokesJeff Stokes
 
Ibm PureApplication system
Ibm PureApplication systemIbm PureApplication system
Ibm PureApplication systemkhawkwf
 
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsSHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsRob Convery
 
Overcoming Scaling Challenges in MongoDB Deployments with SSD
Overcoming Scaling Challenges in MongoDB Deployments with SSDOvercoming Scaling Challenges in MongoDB Deployments with SSD
Overcoming Scaling Challenges in MongoDB Deployments with SSDMongoDB
 
Impact2014: Practical Performance Troubleshooting
Impact2014: Practical Performance TroubleshootingImpact2014: Practical Performance Troubleshooting
Impact2014: Practical Performance TroubleshootingChris Bailey
 
Real World Java Compatibility (Tim Ellison)
Real World Java Compatibility (Tim Ellison)Real World Java Compatibility (Tim Ellison)
Real World Java Compatibility (Tim Ellison)Chris Bailey
 

Mais conteúdo relacionado

Mais procurados

IBM Health Center Details
IBM Health Center DetailsIBM Health Center Details
IBM Health Center DetailsRohit Kelapure
 
Three key concepts for java batch
Three key concepts for java batchThree key concepts for java batch
Three key concepts for java batchtimfanelli
 
Performance comparison on java technologies a practical approach
Performance comparison on java technologies a practical approachPerformance comparison on java technologies a practical approach
Performance comparison on java technologies a practical approachcsandit
 
scale_perf_best_practices
scale_perf_best_practicesscale_perf_best_practices
scale_perf_best_practiceswebuploader
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterWASdev Community
 
Cloud Performance Testing with LoadRunner
Cloud Performance Testing with LoadRunnerCloud Performance Testing with LoadRunner
Cloud Performance Testing with LoadRunnerRichard Bishop
 
Windows 7 For Geeks
Windows 7 For GeeksWindows 7 For Geeks
Windows 7 For GeeksAdil Mughal
 
Healthcheck 07 application
Healthcheck 07 applicationHealthcheck 07 application
Healthcheck 07 applicationNakedi Kobo
 
Building highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQBuilding highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQMatthew White
 
Effective admin and development in iib
Effective admin and development in iibEffective admin and development in iib
Effective admin and development in iibm16k
 
Ebs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by OracleEbs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by OracleAkash Pramanik
 
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large Installations
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large InstallationsTECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large Installations
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large InstallationsSymantec
 
Load Test Methodology: Server Load Testing
Load Test Methodology: Server Load TestingLoad Test Methodology: Server Load Testing
Load Test Methodology: Server Load TestingIxia
 
Windows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff StokesWindows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff StokesJeff Stokes
 
Ibm PureApplication system
Ibm PureApplication systemIbm PureApplication system
Ibm PureApplication systemkhawkwf
 
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsSHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsRob Convery
 
Overcoming Scaling Challenges in MongoDB Deployments with SSD
Overcoming Scaling Challenges in MongoDB Deployments with SSDOvercoming Scaling Challenges in MongoDB Deployments with SSD
Overcoming Scaling Challenges in MongoDB Deployments with SSDMongoDB
 

Mais procurados (20)

IBM Health Center Details
IBM Health Center DetailsIBM Health Center Details
IBM Health Center Details
 
Three key concepts for java batch
Three key concepts for java batchThree key concepts for java batch
Three key concepts for java batch
 
Performance comparison on java technologies a practical approach
Performance comparison on java technologies a practical approachPerformance comparison on java technologies a practical approach
Performance comparison on java technologies a practical approach
 
scale_perf_best_practices
scale_perf_best_practicesscale_perf_best_practices
scale_perf_best_practices
 
WCE031_WH06
WCE031_WH06WCE031_WH06
WCE031_WH06
 
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin CenterDeploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
Deploy, Monitor and Manage in Style with WebSphere Liberty Admin Center
 
Profile narendraredy
Profile narendraredyProfile narendraredy
Profile narendraredy
 
Cloud Performance Testing with LoadRunner
Cloud Performance Testing with LoadRunnerCloud Performance Testing with LoadRunner
Cloud Performance Testing with LoadRunner
 
DB2 for z/OS Solutions
DB2 for z/OS SolutionsDB2 for z/OS Solutions
DB2 for z/OS Solutions
 
Windows 7 For Geeks
Windows 7 For GeeksWindows 7 For Geeks
Windows 7 For Geeks
 
Healthcheck 07 application
Healthcheck 07 applicationHealthcheck 07 application
Healthcheck 07 application
 
Building highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQBuilding highly available architectures with WAS and MQ
Building highly available architectures with WAS and MQ
 
Effective admin and development in iib
Effective admin and development in iibEffective admin and development in iib
Effective admin and development in iib
 
Ebs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by OracleEbs performance tuning session feb 13 2013---Presented by Oracle
Ebs performance tuning session feb 13 2013---Presented by Oracle
 
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large Installations
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large InstallationsTECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large Installations
TECHNICAL BRIEF▶ Backup Exec 15 Blueprint for Large Installations
 
Load Test Methodology: Server Load Testing
Load Test Methodology: Server Load TestingLoad Test Methodology: Server Load Testing
Load Test Methodology: Server Load Testing
 
Windows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff StokesWindows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff Stokes
 
Ibm PureApplication system
Ibm PureApplication systemIbm PureApplication system
Ibm PureApplication system
 
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOpsSHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
SHARE2016: DevOps - IIB Administration for Continuous Delivery and DevOps
 
Overcoming Scaling Challenges in MongoDB Deployments with SSD
Overcoming Scaling Challenges in MongoDB Deployments with SSDOvercoming Scaling Challenges in MongoDB Deployments with SSD
Overcoming Scaling Challenges in MongoDB Deployments with SSD
 

Destaque

Impact2014: Practical Performance Troubleshooting
Impact2014: Practical Performance TroubleshootingImpact2014: Practical Performance Troubleshooting
Impact2014: Practical Performance TroubleshootingChris Bailey
 
Real World Java Compatibility (Tim Ellison)
Real World Java Compatibility (Tim Ellison)Real World Java Compatibility (Tim Ellison)
Real World Java Compatibility (Tim Ellison)Chris Bailey
 
Tuning IBMs Generational GC
Tuning IBMs Generational GCTuning IBMs Generational GC
Tuning IBMs Generational GCChris Bailey
 
JavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard NingJavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard NingChris Bailey
 
Java security in the real world (Ryan Sciampacone)
Java security in the real world (Ryan Sciampacone)Java security in the real world (Ryan Sciampacone)
Java security in the real world (Ryan Sciampacone)Chris Bailey
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonJavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonChris Bailey
 
Java Code to Java Heap - En Français
Java Code to Java Heap - En FrançaisJava Code to Java Heap - En Français
Java Code to Java Heap - En FrançaisChris Bailey
 
High speed networks and Java (Ryan Sciampacone)
High speed networks and Java (Ryan Sciampacone)High speed networks and Java (Ryan Sciampacone)
High speed networks and Java (Ryan Sciampacone)Chris Bailey
 
JavaOne 2014: Java Debugging
JavaOne 2014: Java DebuggingJavaOne 2014: Java Debugging
JavaOne 2014: Java DebuggingChris Bailey
 
Introduction to the IBM Java Tools
Introduction to the IBM Java ToolsIntroduction to the IBM Java Tools
Introduction to the IBM Java ToolsChris Bailey
 
Practical Performance: Understand and improve the performance of your applica...
Practical Performance: Understand and improve the performance of your applica...Practical Performance: Understand and improve the performance of your applica...
Practical Performance: Understand and improve the performance of your applica...Chris Bailey
 
JavaOne 2014: Java vs JavaScript
JavaOne 2014: Java vs JavaScriptJavaOne 2014: Java vs JavaScript
JavaOne 2014: Java vs JavaScriptChris Bailey
 
JavaOne 2015: From Java Code to Machine Code
JavaOne 2015: From Java Code to Machine CodeJavaOne 2015: From Java Code to Machine Code
JavaOne 2015: From Java Code to Machine CodeChris Bailey
 
Debugging Java from Dumps
Debugging Java from DumpsDebugging Java from Dumps
Debugging Java from DumpsChris Bailey
 
JavaOne 2013: Memory Efficient Java
JavaOne 2013: Memory Efficient JavaJavaOne 2013: Memory Efficient Java
JavaOne 2013: Memory Efficient JavaChris Bailey
 
From Java code to Java heap: Understanding and optimizing your application's ...
From Java code to Java heap: Understanding and optimizing your application's ...From Java code to Java heap: Understanding and optimizing your application's ...
From Java code to Java heap: Understanding and optimizing your application's ...Chris Bailey
 
Node Summit 2016: Web App Architectures
Node Summit 2016: Web App ArchitecturesNode Summit 2016: Web App Architectures
Node Summit 2016: Web App ArchitecturesChris Bailey
 
FrenchKit: End to End Application Development with Swift
FrenchKit: End to End Application Development with SwiftFrenchKit: End to End Application Development with Swift
FrenchKit: End to End Application Development with SwiftChris Bailey
 
QCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application DevelopmentQCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application DevelopmentChris Bailey
 
Swift Summit: Pushing the boundaries of Swift to the Server
Swift Summit: Pushing the boundaries of Swift to the ServerSwift Summit: Pushing the boundaries of Swift to the Server
Swift Summit: Pushing the boundaries of Swift to the ServerChris Bailey
 

Destaque (20)

Impact2014: Practical Performance Troubleshooting
Impact2014: Practical Performance TroubleshootingImpact2014: Practical Performance Troubleshooting
Impact2014: Practical Performance Troubleshooting
 
Real World Java Compatibility (Tim Ellison)
Real World Java Compatibility (Tim Ellison)Real World Java Compatibility (Tim Ellison)
Real World Java Compatibility (Tim Ellison)
 
Tuning IBMs Generational GC
Tuning IBMs Generational GCTuning IBMs Generational GC
Tuning IBMs Generational GC
 
JavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard NingJavaOne2013: Implement a High Level Parallel API - Richard Ning
JavaOne2013: Implement a High Level Parallel API - Richard Ning
 
Java security in the real world (Ryan Sciampacone)
Java security in the real world (Ryan Sciampacone)Java security in the real world (Ryan Sciampacone)
Java security in the real world (Ryan Sciampacone)
 
JavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim EllisonJavaOne2013: Securing Java in the Server Room - Tim Ellison
JavaOne2013: Securing Java in the Server Room - Tim Ellison
 
Java Code to Java Heap - En Français
Java Code to Java Heap - En FrançaisJava Code to Java Heap - En Français
Java Code to Java Heap - En Français
 
High speed networks and Java (Ryan Sciampacone)
High speed networks and Java (Ryan Sciampacone)High speed networks and Java (Ryan Sciampacone)
High speed networks and Java (Ryan Sciampacone)
 
JavaOne 2014: Java Debugging
JavaOne 2014: Java DebuggingJavaOne 2014: Java Debugging
JavaOne 2014: Java Debugging
 
Introduction to the IBM Java Tools
Introduction to the IBM Java ToolsIntroduction to the IBM Java Tools
Introduction to the IBM Java Tools
 
Practical Performance: Understand and improve the performance of your applica...
Practical Performance: Understand and improve the performance of your applica...Practical Performance: Understand and improve the performance of your applica...
Practical Performance: Understand and improve the performance of your applica...
 
JavaOne 2014: Java vs JavaScript
JavaOne 2014: Java vs JavaScriptJavaOne 2014: Java vs JavaScript
JavaOne 2014: Java vs JavaScript
 
JavaOne 2015: From Java Code to Machine Code
JavaOne 2015: From Java Code to Machine CodeJavaOne 2015: From Java Code to Machine Code
JavaOne 2015: From Java Code to Machine Code
 
Debugging Java from Dumps
Debugging Java from DumpsDebugging Java from Dumps
Debugging Java from Dumps
 
JavaOne 2013: Memory Efficient Java
JavaOne 2013: Memory Efficient JavaJavaOne 2013: Memory Efficient Java
JavaOne 2013: Memory Efficient Java
 
From Java code to Java heap: Understanding and optimizing your application's ...
From Java code to Java heap: Understanding and optimizing your application's ...From Java code to Java heap: Understanding and optimizing your application's ...
From Java code to Java heap: Understanding and optimizing your application's ...
 
Node Summit 2016: Web App Architectures
Node Summit 2016: Web App ArchitecturesNode Summit 2016: Web App Architectures
Node Summit 2016: Web App Architectures
 
FrenchKit: End to End Application Development with Swift
FrenchKit: End to End Application Development with SwiftFrenchKit: End to End Application Development with Swift
FrenchKit: End to End Application Development with Swift
 
QCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application DevelopmentQCon Shanghai: Trends in Application Development
QCon Shanghai: Trends in Application Development
 
Swift Summit: Pushing the boundaries of Swift to the Server
Swift Summit: Pushing the boundaries of Swift to the ServerSwift Summit: Pushing the boundaries of Swift to the Server
Swift Summit: Pushing the boundaries of Swift to the Server
 

Semelhante a JavaOne2013: Secure Engineering Practices for Java

Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for JavaTim Ellison
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxwkyra78
 
Security is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White PaperSecurity is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White PaperMohd Anwar Jamal Faiz
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
Trusteer Apex Provides Automatic and Accurate Malware Protection
Trusteer Apex Provides Automatic and Accurate Malware ProtectionTrusteer Apex Provides Automatic and Accurate Malware Protection
Trusteer Apex Provides Automatic and Accurate Malware ProtectionIBM Security
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Introduction to Cybersecurity Fundamentals
Introduction to Cybersecurity FundamentalsIntroduction to Cybersecurity Fundamentals
Introduction to Cybersecurity FundamentalsToño Herrera
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfElanusTechnologies
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesIJNSA Journal
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
Ibm app security assessment_ds
Ibm app security assessment_dsIbm app security assessment_ds
Ibm app security assessment_dsArun Gopinath
 
Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server RoomTim Ellison
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing ProfessionalsTechWell
 
Computer Security.pptx
Computer Security.pptxComputer Security.pptx
Computer Security.pptxKENNEDYDONATO1
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 

Semelhante a JavaOne2013: Secure Engineering Practices for Java (20)

Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for Java
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
 
Security is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White PaperSecurity is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White Paper
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 
Trusteer Apex Provides Automatic and Accurate Malware Protection
Trusteer Apex Provides Automatic and Accurate Malware ProtectionTrusteer Apex Provides Automatic and Accurate Malware Protection
Trusteer Apex Provides Automatic and Accurate Malware Protection
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Introduction to Cybersecurity Fundamentals
Introduction to Cybersecurity FundamentalsIntroduction to Cybersecurity Fundamentals
Introduction to Cybersecurity Fundamentals
 
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdfThick Client Penetration Testing Modern Approaches and Techniques.pdf
Thick Client Penetration Testing Modern Approaches and Techniques.pdf
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resources
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 
IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future IBM Relay 2015: Securing the Future
IBM Relay 2015: Securing the Future
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 
Ibm app security assessment_ds
Ibm app security assessment_dsIbm app security assessment_ds
Ibm app security assessment_ds
 
Securing Java in the Server Room
Securing Java in the Server RoomSecuring Java in the Server Room
Securing Java in the Server Room
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
 
Computer Security.pptx
Computer Security.pptxComputer Security.pptx
Computer Security.pptx
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 

Mais de Chris Bailey

NodeJS Interactive 2019: FaaS meets Frameworks
NodeJS Interactive 2019: FaaS meets FrameworksNodeJS Interactive 2019: FaaS meets Frameworks
NodeJS Interactive 2019: FaaS meets FrameworksChris Bailey
 
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaSVoxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaSChris Bailey
 
Silicon Valley Code Camp 2019 - Reaching the Cloud Native World
Silicon Valley Code Camp 2019 - Reaching the Cloud Native WorldSilicon Valley Code Camp 2019 - Reaching the Cloud Native World
Silicon Valley Code Camp 2019 - Reaching the Cloud Native WorldChris Bailey
 
FaaS Meets Java EE: Developing Cloud Native Applications at Speed
FaaS Meets Java EE: Developing Cloud Native Applications at SpeedFaaS Meets Java EE: Developing Cloud Native Applications at Speed
FaaS Meets Java EE: Developing Cloud Native Applications at SpeedChris Bailey
 
AltConf 2019: Server-Side Swift State of the Union
AltConf 2019: Server-Side Swift State of the UnionAltConf 2019: Server-Side Swift State of the Union
AltConf 2019: Server-Side Swift State of the UnionChris Bailey
 
Server-side Swift with Swagger
Server-side Swift with SwaggerServer-side Swift with Swagger
Server-side Swift with SwaggerChris Bailey
 
Node Summit 2018: Cloud Native Node.js
Node Summit 2018: Cloud Native Node.jsNode Summit 2018: Cloud Native Node.js
Node Summit 2018: Cloud Native Node.jsChris Bailey
 
Index - BFFs vs GraphQL
Index - BFFs vs GraphQLIndex - BFFs vs GraphQL
Index - BFFs vs GraphQLChris Bailey
 
Swift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift MicroservicesSwift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift MicroservicesChris Bailey
 
Swift Cloud Workshop - Codable, the key to Fullstack Swift
Swift Cloud Workshop - Codable, the key to Fullstack SwiftSwift Cloud Workshop - Codable, the key to Fullstack Swift
Swift Cloud Workshop - Codable, the key to Fullstack SwiftChris Bailey
 
Try!Swift India 2017: All you need is Swift
Try!Swift India 2017: All you need is SwiftTry!Swift India 2017: All you need is Swift
Try!Swift India 2017: All you need is SwiftChris Bailey
 
Swift Summit 2017: Server Swift State of the Union
Swift Summit 2017: Server Swift State of the UnionSwift Summit 2017: Server Swift State of the Union
Swift Summit 2017: Server Swift State of the UnionChris Bailey
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesChris Bailey
 
IBM Cloud University: Java, Node.js and Swift
IBM Cloud University: Java, Node.js and SwiftIBM Cloud University: Java, Node.js and Swift
IBM Cloud University: Java, Node.js and SwiftChris Bailey
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesNode Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesChris Bailey
 
FrenchKit 2017: Server(less) Swift
FrenchKit 2017: Server(less) SwiftFrenchKit 2017: Server(less) Swift
FrenchKit 2017: Server(less) SwiftChris Bailey
 
AltConf 2017: Full Stack Swift in 30 Minutes
AltConf 2017: Full Stack Swift in 30 MinutesAltConf 2017: Full Stack Swift in 30 Minutes
AltConf 2017: Full Stack Swift in 30 MinutesChris Bailey
 
InterConnect: Server Side Swift for Java Developers
InterConnect: Server Side Swift for Java DevelopersInterConnect: Server Side Swift for Java Developers
InterConnect: Server Side Swift for Java DevelopersChris Bailey
 
InterConnect: Java, Node.js and Swift - Which, Why and When
InterConnect: Java, Node.js and Swift - Which, Why and WhenInterConnect: Java, Node.js and Swift - Which, Why and When
InterConnect: Java, Node.js and Swift - Which, Why and WhenChris Bailey
 
Playgrounds: Mobile + Swift = BFF
Playgrounds: Mobile + Swift = BFFPlaygrounds: Mobile + Swift = BFF
Playgrounds: Mobile + Swift = BFFChris Bailey
 

Mais de Chris Bailey (20)

NodeJS Interactive 2019: FaaS meets Frameworks
NodeJS Interactive 2019: FaaS meets FrameworksNodeJS Interactive 2019: FaaS meets Frameworks
NodeJS Interactive 2019: FaaS meets Frameworks
 
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaSVoxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
Voxxed Micro-services: Serverless JakartaEE - JAX-RS comes to FaaS
 
Silicon Valley Code Camp 2019 - Reaching the Cloud Native World
Silicon Valley Code Camp 2019 - Reaching the Cloud Native WorldSilicon Valley Code Camp 2019 - Reaching the Cloud Native World
Silicon Valley Code Camp 2019 - Reaching the Cloud Native World
 
FaaS Meets Java EE: Developing Cloud Native Applications at Speed
FaaS Meets Java EE: Developing Cloud Native Applications at SpeedFaaS Meets Java EE: Developing Cloud Native Applications at Speed
FaaS Meets Java EE: Developing Cloud Native Applications at Speed
 
AltConf 2019: Server-Side Swift State of the Union
AltConf 2019: Server-Side Swift State of the UnionAltConf 2019: Server-Side Swift State of the Union
AltConf 2019: Server-Side Swift State of the Union
 
Server-side Swift with Swagger
Server-side Swift with SwaggerServer-side Swift with Swagger
Server-side Swift with Swagger
 
Node Summit 2018: Cloud Native Node.js
Node Summit 2018: Cloud Native Node.jsNode Summit 2018: Cloud Native Node.js
Node Summit 2018: Cloud Native Node.js
 
Index - BFFs vs GraphQL
Index - BFFs vs GraphQLIndex - BFFs vs GraphQL
Index - BFFs vs GraphQL
 
Swift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift MicroservicesSwift Cloud Workshop - Swift Microservices
Swift Cloud Workshop - Swift Microservices
 
Swift Cloud Workshop - Codable, the key to Fullstack Swift
Swift Cloud Workshop - Codable, the key to Fullstack SwiftSwift Cloud Workshop - Codable, the key to Fullstack Swift
Swift Cloud Workshop - Codable, the key to Fullstack Swift
 
Try!Swift India 2017: All you need is Swift
Try!Swift India 2017: All you need is SwiftTry!Swift India 2017: All you need is Swift
Try!Swift India 2017: All you need is Swift
 
Swift Summit 2017: Server Swift State of the Union
Swift Summit 2017: Server Swift State of the UnionSwift Summit 2017: Server Swift State of the Union
Swift Summit 2017: Server Swift State of the Union
 
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js MicroservicesIBM Cloud University: Build, Deploy and Scale Node.js Microservices
IBM Cloud University: Build, Deploy and Scale Node.js Microservices
 
IBM Cloud University: Java, Node.js and Swift
IBM Cloud University: Java, Node.js and SwiftIBM Cloud University: Java, Node.js and Swift
IBM Cloud University: Java, Node.js and Swift
 
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-ServicesNode Interactive: Node.js Performance and Highly Scalable Micro-Services
Node Interactive: Node.js Performance and Highly Scalable Micro-Services
 
FrenchKit 2017: Server(less) Swift
FrenchKit 2017: Server(less) SwiftFrenchKit 2017: Server(less) Swift
FrenchKit 2017: Server(less) Swift
 
AltConf 2017: Full Stack Swift in 30 Minutes
AltConf 2017: Full Stack Swift in 30 MinutesAltConf 2017: Full Stack Swift in 30 Minutes
AltConf 2017: Full Stack Swift in 30 Minutes
 
InterConnect: Server Side Swift for Java Developers
InterConnect: Server Side Swift for Java DevelopersInterConnect: Server Side Swift for Java Developers
InterConnect: Server Side Swift for Java Developers
 
InterConnect: Java, Node.js and Swift - Which, Why and When
InterConnect: Java, Node.js and Swift - Which, Why and WhenInterConnect: Java, Node.js and Swift - Which, Why and When
InterConnect: Java, Node.js and Swift - Which, Why and When
 
Playgrounds: Mobile + Swift = BFF
Playgrounds: Mobile + Swift = BFFPlaygrounds: Mobile + Swift = BFF
Playgrounds: Mobile + Swift = BFF
 

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

JavaOne2013: Secure Engineering Practices for Java

  • 1. JavaOne 2013 Secure Engineering Practices for Java Tim Ellison, IBM United Kingdom Ltd. CON 3615 © 2013 IBM Corporation
  • 2. Important Disclaimers THE INFORMATION CONTAINED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILST EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION CONTAINED IN THIS PRESENTATION, IT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. ALL PERFORMANCE DATA INCLUDED IN THIS PRESENTATION HAVE BEEN GATHERED IN A CONTROLLED ENVIRONMENT. YOUR OWN TEST RESULTS MAY VARY BASED ON HARDWARE, SOFTWARE OR INFRASTRUCTURE DIFFERENCES. ALL DATA INCLUDED IN THIS PRESENTATION ARE MEANT TO BE USED ONLY AS A GUIDE. IN ADDITION, THE INFORMATION CONTAINED IN THIS PRESENTATION IS BASED ON IBM’S CURRENT PRODUCT PLANS AND STRATEGY, WHICH ARE SUBJECT TO CHANGE BY IBM, WITHOUT NOTICE. IBM AND ITS AFFILIATED COMPANIES SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, THIS PRESENTATION OR ANY OTHER DOCUMENTATION. NOTHING CONTAINED IN THIS PRESENTATION IS INTENDED TO, OR SHALL HAVE THE EFFECT OF: - CREATING ANY WARRANT OR REPRESENTATION FROM IBM, ITS AFFILIATED COMPANIES OR ITS OR THEIR SUPPLIERS AND/OR LICENSORS 2 © 2013 IBM Corporation
  • 3. About me  Based in the Java Technology Centre, Hursley UK  Working on various runtime technologies for >20 years  Experience of open source communities  Currently focused on class library design and delivery  Overall technical lead for IBM Java 8 SE tim_ellison@uk.ibm.com 3 © 2013 IBM Corporation
  • 4. The goal of Secure Engineering Practices is to achieve a high level of Software Assurance Software Assurance is not the same as Security Controls © 2013 IBM Corporation
  • 5. Security Controls The mechanisms by which security is established and maintained across the people, data, applications, infrastructure of the system. Security controls, the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. National Information Assurance (IA) Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf © 2013 IBM Corporation
  • 6. Software Assurance How confident are we that the entire system comprising people, data, applications, and infrastructure is secure? Software Assurance, a statement of the “level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at anytime during its lifecycle, and that the software functions in the intended manner.” National Information Assurance (IA) Glossary http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf © 2013 IBM Corporation
  • 7. The market for software and computing services is evolving Governments and Enterprise customers are adopting procurement requirements that give preference to software and computing services having “high assurance characteristics” over other commercial, off-the-shelf products and services. Many critical business and control systems require a high level of software assurance. © 2013 IBM Corporation
  • 8. IBM X-Force View of Enterprise Security Incidents in 2012 http://www.ibm.com/services/us/iss/xforce/trendreports/ © 2013 IBM Corporation
  • 9. Measuring the assurance of software and computing services  The requirements are evolving… – Meets recognized security standards – Public history of security bulletins & press reports – Passes security tests, including scanning source, automated security testing and penetration testing – Provides evidence that good software engineering practices were applied throughout the development lifecycle Unfortunately, there are no over-arching standards. © 2013 IBM Corporation
  • 10. Secure Engineering Goals 1.ofProvide security out the box 2. Proactively respond to new threats and risks Ensure products and solutions provide a reasonable and adequate level of security at time of release, and they maintain and improve security from release to release. Act in a timely fashion for any report of vulnerability in an existing release, and proactively address any new threat that may apply. Achieving a high confidence in software security assurance requires attention throughout the full software lifecycle Development Supply Chain Development Process and Lifecycle Deployment Lifecycle © 2013 IBM Corporation
  • 11. Software Assurance Activities The tools and practices needed within a given project depend upon  What is being built (component, product, solution, service or enterprise workload)  Where it is expected to be used (closed workgroup, intranet, internet, cloud or critical infrastructure) Operational  The relevant risks and threats Code integrity Manual Code Review Security Review of Open Source Architecture Review & Security Requirements Threat Analysis & Mitigation Planning Development Supply Chain Third Party SW Contract Terms Secure Coding Security Source Code Scan Secure Build Security Security Evaluation Evaluation Security System Test Binary Analysis Development Process and Lifecycle Use Case, Abuse Case and Fault Analysis Security Controls mechanisms Source and Object Code Control Pre-Production Assurance (Pen Testing) Monitoring & Analytics Change Mgmt Scanning Deployment Lifecycle Incident Handling © 2013 IBM Corporation
  • 12. Adopting Secure Development Practices  Group specific activities that support secure engineering into a set of practices  Focusing on development process – Similar can be done for supply chain, deployment, etc Development Supply Chain Tools Practices Risk Assess & Threat Model Development Process and Lifecycle Security Reqmts Secure Coding Security Testing Project Planning Security Document Deployment Lifecycle Incident response Skills Knowledge Education & Awareness © 2013 IBM Corporation
  • 13. Risk Assessment and Threat Modeling Essential Practice The goal of this practice is to identify potential risks or attacks against software product or solutions as it will be deployed and to make decisions about how to address these risks during development. 1.Decide what risks are important to the Identify Risks 1.Investigate threats related Analyze Threats software being built those risks 1.Create and adopt a mitigation plan to Plan Mitigations avoid / correct the issues © 2013 IBM Corporation
  • 14. The Stride Threat Model – as an example Spoofing identity Tampering with data An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password. Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. Repudiation and Nonrepudiation Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise—e.g., a user performs an illegal operation in a system that lacks the ability to trace operations. Non-repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the receipt as evidence that the user received the package. Information disclosure Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers. Denial of service Elevation of privilege 14 Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed. http://msdn.microsoft.com/en-us/library/ee823878%28v=cs.20%29.aspx © 2013 IBM Corporation
  • 15. Anti-patterns: Addressing security exclusively through tests Reqmts Without overt actions the code will contain vulnerabilities Code Design Testing tools find ~50% of the known types of vulnerabilities Prod Mgmt team Design team Reqmts Design Remediation “loops” may add two to four months to a project depending on the complexity of the issues discovered 15 Programming team Code / Build Code Scan Test team Test Package / Deploy Maintain Security System Test © 2013 IBM Corporation
  • 16. Secure Design Practices  Understand the security requirements for the system early  Identify risks during design and prototyping and address them  Adopt established best practices for recognized risks (patterns), Attack surface reduction, principle of least privilege, defense in depth, security by default, ...  Document and describe the assurances you have about the system  Developers iterate towards a functional system based on a secure architecture 16 © 2013 IBM Corporation
  • 17. Shared Goals Promote Secure Coding Consistent guidance on Security Risks, Threats & Vulnerabilities Security Advice Reqmts Code may contain vulnerabilities Code Design Testing tools find ~50% of the known types of vulnerabilities Prod Mgmt team Design team Reqmts Design Programming team Code / Build Code Scan 17 Test team Test Package / Deploy Maintain Security System Test © 2013 IBM Corporation
  • 18. Secure Coding  A significant proportion of escaped vulnerabilities are traced to coding errors  Developers need to be familiar with the secure coding guidelines, MITRE top 25, etc.  Understand the concepts of trusted and untrusted code, tainted data, sensitive data, etc – The team and the application must handle them explicitly – Java 8 annotations can help with classifying constraints and metadata about variables  Prioritize departures from the coding standard by failure mode, effects, and criticality – Severity: How serious are the consequences of the error? – Likelihood: How likely is it that a flaw introduced by violating the rule could 18 lead to an exploitable vulnerability? – Remediation cost: How expensive is it to remediate existing code to comply with the standard? © 2013 IBM Corporation
  • 19. Security Testing  Use threat modelling to target security testing based on risk – Prioritize testing with manual and tools based scenarios • Breach of access rules • Bad actor • Effect of malformed data • Out of process operations 100x  Static analysis – Does the code adhere to the coding guidelines? – Tools and formal code inspections  Dynamic testing – SQL injection – Fuzzing – Penetration testing 19 15x 1x design 6x coding verification release © 2013 IBM Corporation cost  Numerous studies show the cost of finding and fixing vulnerabilities rises exponentially through the development lifecycle
  • 20. Security Documentation  All releases should be secure by design in their default configuration  High quality documentation about how to use a system securely is equally important  Users need clear guidelines about the security impact to modifying configurations – Inform users about secure deployment, and balancing usability with security – Security should be addressed as a specific topic, not spread throughout the documentation  Explain the impact of configurations that increase the attack surface of the system, e.g. – Backwards compatibility – Choice of communications protocols – Guest and demo accounts  Provide examples and templates for hardening the system in specific scenarios  Use threat modeling conclusions to inform users about best practices 20 © 2013 IBM Corporation
  • 21. Security Incident Response  Expect security incidents even after following careful secure engineering practices  Incident response policy and plan – Establishing communications internally and externally – Be prepared for any eventuality, but focus on expected attacks attrition web-based hardware level e-mail improper usage loss / theft  Establish robust means of detecting and verifying incidents – logging, audits, external reports, validation checks, ...  Create guidelines for prioritizing incidents – Functional impact to the business – Information impact to confidentiality, integrity and availability of business data – Recoverability from incident occurrence  Learn lessons from incidents – Ensure the organization improves based on the history of security incidents © 2013 IBM Corporation
  • 22. Education and Environment  Software assurance requires positive action maintained throughout the full system lifecycle Development Supply Chain Tools Practices Risk Assess & Threat Modeling Development Process and Lifecycle Security Reqmts Secure Coding Security Testing Project Planning Security Document Deployment Lifecycle Incident response Skills Knowledge Education & Awareness  Ensure development team has the same knowledge and perspective that adversaries might use. © 2013 IBM Corporation
  • 23. Security Advice Expert Knowledge Actors Risks Assets Design team Programming team Threats Permissions Exploits Platforms Attacks Tools User Stories Common Weaknesses Defense in Depth Test team Users Roles Support team D e fe n s e s Vulnerability History Security Perimeter White hat Languages Security Controls Malware Black hat © 2013 IBM Corporation
  • 24. Secure Engineering is the responsibility of the entire development All job roles need an understanding of the concepts Awareness and organization Education Project Planning Architects and Designers need to ensure that best practices for session handling, information protection, etc. are included in Design Specifications, Use Cases and Security Test Plans Secure Coding Test team Architects and Designers need to review the security characteristics of existing software and document a Threat Model for new software Security Requirements Design team Project/Release Managers need to include Secure Engineering in Project Planning activities Risk Assessment and Threat Modeling Management team and the implications of Security in Development Developers need to ensure that coding and configuration techniques are appropriate Security Testing Test Teams need to learn about security testing and perform Security Testing using AppScan, with appropriate test plan and policy Security Documentation Information Developers need to ensure that all offerings include appropriate Security Documentation Security Incident Response Support Teams must participate in Security Incident Response Process Programming team Support team © 2013 IBM Corporation
  • 25. Summary  Security Controls and Software Assurance are both critical to enterprise users  Continued evidence of vulnerabilities in software has changed the focus from security controls and defenses to controlling the risk of security incidents.  To build secure software, development teams need to understand risks throughout the development lifecycle.  There are risks related to weaknesses in design, coding and integration, as well as, in use cases and abuse cases related to deployment models for critical business processes and workloads.  Development Teams need to grow skills in analyzing risks and threats and use the available tools. © 2013 IBM Corporation
  • 26. © 2013 IBM Corporation
  • 27. Photo attributions  Chart 7 – MRI = Jan Ainali – ATM = DaviSements – Car = Kevin Rodriguez Ortiz  Chart 16 – Coder = Matthew (WMF)  Chart 20 – Writer = greg.turner © 2013 IBM Corporation