Rolling Out an Enterprise Source Code Review Program

    Dan Cornell
Agenda
•   Background
•   How Not To Do It
•   Technology Concerns
•   People and Process Concerns
•   Questions

Background
•   Denim Group
    – Develop Secure Software
        • Ground Up Development
        • Software Security Remediation
    – Help Organizations Deal with Software Risk
        •   Code Review and Application Assessments
        •   Application Penetration Testing
        •   Training – Instructor-Led and ThreadStrong eLearning
        •   Security in the SDLC
•   Dan Cornell
    – Principal at Denim Group
    – Developer by background: Java 2 Certified Programmer, MCSD
    – OWASP: Chapter Lead, Global Membership Committee, Open Review Project

How Not To Do It
•   Q: What are you all doing to address application security concerns in
    your organization?
•   A: We bought “XYZ Scanner”
•   Q: Okay… Are you actually using it?
•   A: We ran some scans
•   Q: And how did that go?
•   A: Oh we found some stuff…
•   Q: How did you address those issues?
•   A: I think we sent the report to the developers. Not sure what they did
    with them. I guess I ought to check in on that…

What Are Your Goals?
•   Common Answers
    – Meet compliance or regulatory requirements
    – Address software risk
•   Keep in Mind
    – Compliance != Security
    – “Checkbox” mentality
    – Look for opportunities to leverage compliance budget to increase actual security

Initial Considerations
•   Every organization is different
     – Development practices: Agile, waterfall, cowboy-code
     – Control environment: Security, IT audit, compliance
     – Most important: Organizational values. What is important and how do things get done?
     – Not necessarily “Core Values” but certainly related
•   You must overcome resistance

Static Analysis: Advantages and Disadvantages
•   Advantages:
    – Have access to the actual instructions the software will be executing
         • No need to guess or interpret behavior
         • Full access to all of the software’s possible behaviors
    – Speeds remediation – You know exactly where the vulnerabilities are in the code
•   Disadvantages:
    – Require access to source code or at least binary code
         • Typically need access to enough software artifacts to execute a build
    – Typically require proficiency running software builds
    – Will not find issues related to operational deployment environments
Dynamic, Static and Manual Testing Components (diagram slide)

Technology
•   Majority of the focus tends to be here
     – For better or for worse
•   What languages require support?
     – Java, .NET, C/C++, PHP, Python, Ruby, Perl, Smalltalk, COBOL, etc.
•   What application architectures are supported?
     – Web, web services, thick-client, system software

Where Is All the Code, Anyway?
•   Must Know In Order to Define Scope
•   How Is Software Developed In Your Organization?
    – Centralized development team under IT
    – Separate development groups under different lines of business
•   Don’t Forget
    – ERP deployments often contain custom code that can have vulnerabilities
    – Portal deployments (SharePoint) also often have custom code

Before You Select Technologies?
•   Questions
     – Who will run the tool?
     – When will it be run?
     – What will be done with the results?
•   If you haven’t answered these – you aren’t ready to deploy
     –   It won’t be used
     –   Nothing will be done with the results
     –   You may fool your auditors…
     –   … but you won’t fool attackers

Who Runs the Scans?
•   Common Options
    –   Security Team
    –   Development Team
    –   Quality Assurance Team
    –   Combination
    –   Outsourced
•   Keep in Mind
    – Source code scanning tools are not “fire and forget”, so effective users need training
    – Need to know how each scan will be used

When Are Scans Run?
•   Common Options
    –   Developers at their workstations
    –   Continuous integration
    –   Integrated into nightly build
    –   Prior to the end of an iteration or release
•   Keep in Mind
    – Scans of large applications can take a long time to complete
    – Developers may only have a portion of the code on their workstations
    – Waiting until late in the process makes timely remediation impossible

Interpreting Results
•   Scanning Tools All Return False Positives
    – Except during sales engineer demos
•   Scans Must Be Manually Reviewed
    – Culling false positives can be time-consuming
    – Trained analysts can work through this process pretty quickly

Tuning Scans
•   What Rules Are Used?
    – Standard rule set
    – Subset of the standard rule set (often based on compliance requirements)
•   Are Custom Rules Used?
    – Organization-wide
    – Per-application

What Gets Fixed?
•   Common Options
    – Everything (yeah, right)
    – Tool-based standard (“All HOT and MEDIUM level issues”)
    – Negotiated between development and security teams: “Risk Poker”
•   Keep in Mind
    – Finding the vulnerabilities is only the first step
    – Often have to provide guidance to developers on fixing vulnerabilities
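As an added example (not part of the slides), a small Python CI gate that turns the decisions from the “Tuning Scans”, “Interpreting Results” and “What Gets Fixed?” slides into code: an organization-wide rule subset plus per-application custom rules, false positives recorded from manual review, and the tool-based “all HOT and MEDIUM” fix standard. The scanner export format, rule ids and file paths are constructed for the example and are not any real tool’s.

```python
import json
from dataclasses import dataclass

# Constructed sample scanner export in a hypothetical JSON shape (not any
# real tool's format). Severity labels follow the slide: HOT / MEDIUM / LOW.
SCAN_OUTPUT = json.dumps([
    {"rule": "SQLI-001", "severity": "HOT",    "file": "src/OrderDao.java", "line": 42},
    {"rule": "XSS-004",  "severity": "MEDIUM", "file": "src/Search.jsp",    "line": 17},
    {"rule": "XSS-004",  "severity": "MEDIUM", "file": "src/Admin.jsp",     "line": 88},
    {"rule": "LOG-010",  "severity": "LOW",    "file": "src/Audit.java",    "line": 9},
    {"rule": "STYLE-07", "severity": "MEDIUM", "file": "src/Util.java",     "line": 3},
    {"rule": "CRYPTO-2", "severity": "HOT",    "file": "src/Token.java",    "line": 120},
])

# Tuning: an organization-wide subset of the standard rule set ...
ORG_RULES = {"SQLI-001", "XSS-004", "LOG-010"}
# ... plus custom rules enabled only for this application.
APP_RULES = {"CRYPTO-2"}

# Interpreting results: findings an analyst culled as false positives during
# manual review. Keyed by (rule, file, line) so a suppression covers exactly one
# reviewed location and never silently hides the same rule firing elsewhere.
FALSE_POSITIVES = {("XSS-004", "src/Admin.jsp", 88)}

# What gets fixed: the tool-based standard, "all HOT and MEDIUM level issues".
MUST_FIX = {"HOT", "MEDIUM"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    file: str
    line: int

    @property
    def key(self):
        return (self.rule, self.file, self.line)


def parse_findings(raw_json):
    """Turn the scanner's JSON export into Finding objects."""
    return [Finding(r["rule"], r["severity"].upper(), r["file"], int(r["line"]))
            for r in json.loads(raw_json)]


def triage(findings, rules, false_positives, must_fix):
    """Sort findings into buckets: rule scope first, then review results,
    then the fix standard. Returning every bucket (not just pass/fail) gives
    the security and development teams numbers to negotiate over."""
    buckets = {"out_of_scope": [], "false_positive": [], "must_fix": [], "backlog": []}
    for f in findings:
        if f.rule not in rules:
            buckets["out_of_scope"].append(f)    # rule not enabled for this app
        elif f.key in false_positives:
            buckets["false_positive"].append(f)  # culled during manual review
        elif f.severity in must_fix:
            buckets["must_fix"].append(f)        # blocks the build
        else:
            buckets["backlog"].append(f)         # tracked for later, not blocking
    return buckets


def gate_passes(buckets):
    """Build gate: green only when nothing in the must-fix bucket remains."""
    return not buckets["must_fix"]


def run_gate(raw_json=SCAN_OUTPUT):
    """Apply org-wide plus per-app rules, review results and the fix standard."""
    return triage(parse_findings(raw_json), ORG_RULES | APP_RULES,
                  FALSE_POSITIVES, MUST_FIX)


if __name__ == "__main__":
    result = run_gate()
    for name, items in result.items():
        print(f"{name:15s} {len(items)}")
        for f in items:
            print(f"    {f.severity:6s} {f.rule:9s} {f.file}:{f.line}")
    print("GATE:", "PASS" if gate_passes(result) else "FAIL")
```

Run on the sample, the gate fails with three must-fix findings, while the STYLE-07 hit is out of scope, the reviewed Admin.jsp hit is suppressed, and the LOW finding goes to the backlog.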

Incremental Progress
•   Scanning Programs Evolve Over Time
     – Start with proof-of-concept or limited deployment
     – Expand from there
•   Strategies
     –   Riskiest applications first
     –   Compliance mandates first (or only)
     –   Require for all new applications, incorporate legacy portfolio over time
     –   Development group by development group

Other Topics
•   Manual Code Reviews
    – Critical to catch business logic issues
    – Often done by team leads – but do they have specific security guidance?
•   Integrating Source Code Review With Dynamic Assessments

Questions / Contact Information
  Dan Cornell
  dan@denimgroup.com
  Twitter: @danielcornell
  (210) 572-4400

  Web: www.denimgroup.com
  Blog: denimgroup.typepad.com

Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Último

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 

Último (20)

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 

Rolling Out An Enterprise Source Code Review Program

1. Rolling Out an Enterprise Source Code Review Program
Dan Cornell

2. Agenda
• Background
• How Not To Do It
• Technology Concerns
• People and Process Concerns
• Questions

3. Background
• Denim Group
  – Develop Secure Software
    • Ground Up Development
    • Software Security Remediation
  – Help Organizations Deal with Software Risk
    • Code Review and Application Assessments
    • Application Penetration Testing
    • Training – Instructor-Led and ThreadStrong eLearning
    • Security in the SDLC
• Dan Cornell
  – Principal at Denim Group
  – Developer by background: Java 2 Certified Programmer, MCSD
  – OWASP: Chapter Lead, Global Membership Committee, Open Review Project

4. How Not To Do It
• Q: What are you all doing to address application security concerns in your organization?
• A: We bought “XYZ Scanner”
• Q: Okay… Are you actually using it?
• A: We ran some scans
• Q: And how did that go?
• A: Oh we found some stuff…
• Q: How did you address those issues?
• A: I think we sent the report to the developers. Not sure what they did with them. I guess I ought to check in on that…

5. What Are Your Goals?
• Common Answers
  – Meet compliance or regulatory requirements
  – Address software risk
• Keep in Mind
  – Compliance != Security
  – “Checkbox” mentality
  – Look for opportunities to leverage compliance budget to increase actual security

6. Initial Considerations
• Every organization is different
  – Development practices: Agile, waterfall, cowboy-code
  – Control environment: Security, IT audit, compliance
  – Most important: Organizational values. What is important and how do things get done?
  – Not necessarily “Core Values” but certainly related
• You must overcome resistance

7. Static Analysis: Advantages and Disadvantages
• Advantages:
  – Have access to the actual instructions the software will be executing
    • No need to guess or interpret behavior
    • Full access to all of the software’s possible behaviors
  – Speeds remediation – you know exactly where the vulnerabilities are in the code
• Disadvantages:
  – Require access to source code or at least binary code
    • Typically need access to enough software artifacts to execute a build
  – Typically require proficiency running software builds
  – Will not find issues related to operational deployment environments

8. Dynamic, Static and Manual Testing

10. Technology
• Majority of the focus tends to be here
  – For better or for worse
• What languages require support?
  – Java, .NET, C/C++, PHP, Python, Ruby, Perl, Smalltalk, COBOL, etc.
• What application architectures are supported?
  – Web, web services, thick-client, system software

11. Where Is All the Code, Anyway?
• Must Know In Order to Define Scope
• How Is Software Developed In Your Organization?
  – Centralized development team under IT
  – Separate development groups under different lines of business
• Don’t Forget
  – ERP deployments often contain custom code that can have vulnerabilities
  – Portal deployments (SharePoint) also often have custom code
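Slides 10 and 11 ask two scoping questions: which languages the tool must support, and where the code actually lives. The script below is an added example, not part of the deck and not any vendor's tooling. It walks a directory of checked-out repositories, tallies source files by language, and reports which repositories a candidate tool could not scan. The repository names, file layout, extension map and the tool's assumed supported-language set are all constructed for the example.

```python
import os
import tempfile
from collections import Counter

# Extension-to-language map (assumed; extend it for the languages slide 10 lists).
EXT_TO_LANG = {
    ".java": "Java", ".jsp": "JSP", ".cs": "C#", ".aspx": "ASP.NET",
    ".cbl": "COBOL", ".cob": "COBOL", ".py": "Python", ".sh": "Shell",
    ".php": "PHP", ".rb": "Ruby", ".c": "C", ".cpp": "C++", ".pl": "Perl",
}
# Build output and VCS metadata are not source the scanner needs to see.
SKIP_DIRS = {".git", ".svn", "node_modules", "target", "bin", "obj", "build"}


def inventory(root):
    """Return {repo_name: Counter({language: file_count})} for every
    directory directly under root, treating each one as a checked-out repo."""
    result = {}
    for repo in sorted(os.listdir(root)):
        repo_path = os.path.join(root, repo)
        if not os.path.isdir(repo_path):
            continue
        langs = Counter()
        for _dirpath, dirnames, filenames in os.walk(repo_path):
            # Prune in place so os.walk does not descend into skipped dirs.
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
            for name in filenames:
                lang = EXT_TO_LANG.get(os.path.splitext(name)[1].lower())
                if lang:
                    langs[lang] += 1
        result[repo] = langs
    return result


def coverage_gaps(inv, supported):
    """For each repo holding source the tool cannot scan, report which
    languages are uncovered and what fraction of its source files they are."""
    gaps = {}
    for repo, langs in inv.items():
        total = sum(langs.values())
        unsupported = {lang: n for lang, n in langs.items() if lang not in supported}
        if unsupported:  # implies total > 0, so the division is safe
            gaps[repo] = {
                "unsupported": unsupported,
                "uncovered_fraction": round(sum(unsupported.values()) / total, 2),
            }
    return gaps


# Constructed sample portfolio: repo name -> relative source paths.
# The ERP/portal style repo with .aspx web parts mirrors slide 11's reminder.
SAMPLE_TREE = {
    "orders-service": ["src/Orders.java", "src/Db.java", "web/Profile.jsp", "target/Orders.class"],
    "legacy-batch": ["batch/POSTING.cbl", "batch/REPORT.cbl"],
    "intranet-portal": ["WebParts/Timesheet.cs", "Layouts/Timesheet.aspx"],
    "ops-scripts": ["deploy.py", "rotate_keys.sh"],
}


def build_sample_tree():
    """Materialise SAMPLE_TREE under a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="code-inventory-")
    for repo, files in SAMPLE_TREE.items():
        for rel in files:
            path = os.path.join(root, repo, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("// placeholder\n")
    return root


# Assumption for the example: what the candidate tool can scan.
SUPPORTED = {"Java", "JSP", "C#", "Python"}


def run_sample():
    root = build_sample_tree()
    inv = inventory(root)
    return inv, coverage_gaps(inv, SUPPORTED)


if __name__ == "__main__":
    inv, gaps = run_sample()
    for repo, langs in inv.items():
        print(f"{repo}: {dict(langs)}")
    print("coverage gaps:", gaps)
```

Run it against a directory where every repository is checked out side by side; the `uncovered_fraction` column is what to take into a tool selection meeting, since a repo that is half shell scripts looks very different from a COBOL batch system that the tool cannot see at all.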
12. Before You Select Technologies?
• Questions
  – Who will run the tool?
  – When will it be run?
  – What will be done with the results?
• If you haven’t answered these – you aren’t ready to deploy
  – It won’t be used
  – Nothing will be done with the results
  – You may fool your auditors…
  – … but you won’t fool attackers

13. Who Runs the Scans?
• Common Options
  – Security Team
  – Development Team
  – Quality Assurance Team
  – Combination
  – Outsourced
• Keep in Mind
  – Source code scanning tools are not “fire and forget”, so effective users need training
  – Need to know how each scan will be used

14. When Are Scans Run?
• Common Options
  – Developers at their workstations
  – Continuous integration
  – Integrated into nightly build
  – Prior to the end of an iteration or release
• Keep in Mind
  – Scans of large applications can take a long time to complete
  – Developers may only have a portion of the code on their workstations
  – Waiting until late in the process makes timely remediation impossible

15. Interpreting Results
• Scanning Tools All Return False Positives
  – Except during sales engineer demos
• Scans Must Be Manually Reviewed
  – Culling false positives can be time-consuming
  – Trained analysts can work through this process pretty quickly

16. Tuning Scans
• What Rules Are Used?
  – Standard rule set
  – Subset of the standard rule set (often based on compliance requirements)
• Are Custom Rules Used?
  – Organization-wide
  – Per-application

17. What Gets Fixed?
• Common Options
  – Everything (yeah, right)
  – Tool-based standard (“All HOT and MEDIUM level issues”)
  – Negotiated between development and security teams: “Risk Poker”
• Keep in Mind
  – Finding the vulnerabilities is only the first step
  – Often have to provide guidance to developers on fixing vulnerabilities
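Slides 15 through 17 describe one pipeline: restrict the rule set, cull false positives through manual review, then decide what gets fixed against a severity policy. The Python below is an added example, not code from the deck or from any particular scanner; it runs that pipeline over a constructed batch of findings. The finding fields, rule names and severity labels (HOT/MEDIUM/LOW/INFO, echoing the standard quoted on slide 17) are assumptions, as is the idea of keying analyst suppressions by a fingerprint that ignores line numbers.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed severity scale; the names follow the quoted "HOT and MEDIUM" standard.
SEVERITY_RANK = {"HOT": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}

# Constructed sample: what a scanner export might look like once parsed.
# Entry [1] is the same finding reported again by a re-scan.
SAMPLE_FINDINGS = [
    {"rule": "SQL_INJECTION", "severity": "HOT", "file": "src/Orders.java",
     "line": 88, "sink": "Statement.executeQuery"},
    {"rule": "SQL_INJECTION", "severity": "HOT", "file": "src/Orders.java",
     "line": 88, "sink": "Statement.executeQuery"},
    {"rule": "XSS", "severity": "MEDIUM", "file": "web/Profile.jsp",
     "line": 12, "sink": "out.print"},
    {"rule": "HARDCODED_PASSWORD", "severity": "MEDIUM", "file": "test/DbFixture.java",
     "line": 5, "sink": "String"},
    {"rule": "WEAK_RANDOM", "severity": "LOW", "file": "src/Token.java",
     "line": 40, "sink": "java.util.Random"},
    {"rule": "UNUSED_IMPORT", "severity": "INFO", "file": "src/Util.java",
     "line": 1, "sink": ""},
]


@dataclass
class TriageReport:
    to_fix: list = field(default_factory=list)        # meets the fix policy
    below_policy: list = field(default_factory=list)  # real, but deferred
    suppressed: list = field(default_factory=list)    # analyst-marked false positive
    disabled_rule: int = 0                            # dropped by the rule subset
    duplicates_removed: int = 0                       # same finding seen twice


def fingerprint(finding):
    """Stable identity for a finding across scans. Rule, file and sink are
    hashed, not the line number, so an unrelated edit that shifts lines does
    not turn an already-reviewed finding back into a 'new' one. The cost is
    that two hits of one rule on the same sink in one file collapse together."""
    key = "|".join([finding["rule"], finding["file"], finding["sink"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def triage(findings, enabled_rules, suppressions, min_severity):
    """Rule subset (slide 16) -> de-duplicate -> suppressions from manual
    review (slide 15) -> severity policy (slide 17)."""
    report = TriageReport()
    seen = set()
    for f in findings:
        if f["rule"] not in enabled_rules:
            report.disabled_rule += 1
            continue
        fp = fingerprint(f)
        if fp in seen:
            report.duplicates_removed += 1
            continue
        seen.add(fp)
        if fp in suppressions:
            report.suppressed.append({**f, "fingerprint": fp, "reason": suppressions[fp]})
            continue
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]:
            report.to_fix.append({**f, "fingerprint": fp})
        else:
            report.below_policy.append({**f, "fingerprint": fp})
    return report


# Assumed compliance-driven subset of the standard rule set (slide 16).
COMPLIANCE_RULES = {"SQL_INJECTION", "XSS", "HARDCODED_PASSWORD", "WEAK_RANDOM"}

# Suppression list an analyst would maintain after review: fingerprint -> reason.
# Built from the sample here so the example stays self-contained.
SUPPRESSIONS = {
    fingerprint(SAMPLE_FINDINGS[3]): "test fixture credential, never deployed",
}

FIX_POLICY = "MEDIUM"  # the tool-based standard: all HOT and MEDIUM issues


def run_sample():
    return triage(SAMPLE_FINDINGS, COMPLIANCE_RULES, SUPPRESSIONS, FIX_POLICY)


if __name__ == "__main__":
    r = run_sample()
    print(f"fix now: {[f['rule'] for f in r.to_fix]}")
    print(f"deferred: {[f['rule'] for f in r.below_policy]}")
    print(f"suppressed: {[(f['file'], f['reason']) for f in r.suppressed]}")
    print(f"dropped by rule subset: {r.disabled_rule}, duplicates: {r.duplicates_removed}")
```

The suppression list is the artifact that makes "trained analysts can work through this pretty quickly" true on the second and later scans: a false positive is culled once, with a reason, and stays culled. Keeping the suppressed and deferred lists in the report, rather than discarding them, is what lets the team show an auditor what was reviewed and why it was not fixed.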
18. Incremental Progress
• Scanning Programs Evolve Over Time
  – Start with proof-of-concept or limited deployment
  – Expand from there
• Strategies
  – Riskiest applications first
  – Compliance mandates first (or only)
  – Require for all new applications, incorporate legacy portfolio over time
  – Development group by development group

19. Other Topics
• Manual Code Reviews
  – Critical to catch business logic issues
  – Often done by team leads – but do they have specific security guidance?
• Integrating Source Code Review With Dynamic Assessments

20. Questions / Contact Information
Dan Cornell
dan@denimgroup.com
Twitter: @danielcornell
(210) 572-4400
Web: www.denimgroup.com
Blog: denimgroup.typepad.com