secure development 2014
Sigal Russin & Pini Cohen / Copyright@2014Do not remove source or attribution
From any slide, graph or portion of graph
How does the CIO deliver?
With good vibrations…
Pini Cohen, Sigal Russin
STKI "IT Knowledge Integrators", [email protected]
STKI index website
New business scenario: big maneuvers vs. small gains
• Examples: Walmart, social time to respond, smaller telemarketing list
Or: Take full advantage
Why does IT need to adapt?
2006 E-Banking Site (Source: http://cacm.acm.org/magazines/2006/10/5805-why-spoofing-is-serious-internet-fraud/abstract)
DX.com today:
• Comparison engines
• Alerts
• Web analytics
• A/B testing
• Recommendation engines
• Social media integration
• Wish lists
• Likes
• Much more
These new systems are called: “Systems of Engagement”
Source: http://www.agencyport.com/blog/?attachment_id=3713
IT is divided into two distinct "worlds"
• The existing world: reduce operating expenses; long development and deployment cycles
• The new world (systems of engagement): invest in new systems; touch people; in-moment decisions; personalized & in-context; social and analytics driven; short & rapid releases
Domains of change
• Focus on generating business value through agility and flexibility
Agile Development
BYOD \BYO everything
Public Cloud
Open Source
Big Data
Devops
Mobile First
Commodity HW (or specific build)
Source: http://highscalability.com/blog/2012/5/7/startups-are-creating-a-new-system-of-the-world-for-it.html STKI modifications
Lately “I was not happy” (corporate IT situation)
This year is “Good Vibrations Year”
•Continuous integration with Jenkins. Agile development projects.
•Open source code in governmental projects. Initial Hadoop and NoSQL projects.
•Users deploy CRM and other strategic applications in SaaS. Corporate sites at Azure. Email at Office 365 and Google.
•Web apps developed in PHP and Python. Users consider Puppet, Chef, OpenStack.
Not in all organizations. Not in all areas. But still, organizations are starting to embrace contemporary technologies and processes!
The current "kings" are threatened
• Cisco: SDN (OpenFlow, Nicira)
• Microsoft: mobile market share; traction of startups and cloud providers
• HP: lower margins in printers, servers, PCs
• VMware: open source alternatives (OpenStack)
• Oracle: NoSQL / Hadoop; cloud / SaaS
• Monitoring vendors (CA, BMC, HP, IBM): monitoring is provided by the platforms themselves (cloud, PaaS, etc.)
• Storage vendors (EMC, NetApp, etc.): public cloud; software defined storage; NoSQL / Hadoop
• Red Hat: CentOS
Major Application development trends
•Mobile first
•Responsive web
•Client-based web applications (with REST APIs)
•Proliferation of web JS frameworks and of development tools in general
•Development on the cloud; PaaS frameworks (Cloud Foundry, OpenShift)
•Continuous integration / deployment, DevOps, Docker
•Microservices
Major security trends
The change in IT does not only change the information security tools; it also changes how security is seen inside your business.
For a start - Development Problems
•Buffer Overflow
A buffer overflow occurs when a program writes more data into a buffer than the space allocated for it. The write runs past the end of the buffer and overwrites adjacent memory (other variables, or control data such as saved return addresses) while the program keeps running on the corrupted data.
In many cases, exploiting this weakness lets the attacker run code they injected.
Development Problems
•DoS - Denial of Service
Ping of death: an oversized, fragmented ICMP echo request that crashed unpatched IP stacks when they reassembled it. Modern operating systems reassemble fragments safely, so this specific attack no longer poses a risk.
Local Denial of Service:
A process on the machine itself "steals" all of a resource (memory, CPU, file handles) from the operating system, so that regular work on the computer is blocked.
Development Problems
Distributed Denial of Service:
Many different endpoints each send one or more requests to a particular service at the same time; usually the endpoints are compromised computers (a botnet) controlled by a single operator.
•Code Injection
Cross Site Scripting
HTML / JavaScript / SQL injection
User-supplied input is handed to an interpreter (the browser, the database engine) without separating data from code, so the attacker's input is executed as code and does whatever the injected code says.
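The injection point above, as an added example that is not part of the STKI deck: the same login lookup built by string concatenation and by a parameterised query against an in-memory SQLite database, plus output escaping for the cross-site-scripting case. The users table, the passwords and the payloads are all constructed for this example; the function names are assumptions.

```python
"""Added example (not from the original deck): SQL injection and XSS.

The vulnerable query pastes user input into the SQL text, so the input can
change the grammar of the statement. The safe query binds the input as a
parameter, so it is only ever compared as data. All data is constructed."""
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table (hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """String concatenation: user input becomes part of the SQL grammar."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterised query: input is bound as data, never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def greeting_html(name):
    """Reflecting input into HTML: escape it so it cannot become markup."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Tautology in the password field: WHERE ... AND password = '' OR '1'='1'
    print(login_vulnerable(conn, "x", "' OR '1'='1"))   # every row, no password
    # Comment in the name field: the password check is commented away
    print(login_vulnerable(conn, "alice' --", "wrong"))  # alice's row
    print(login_safe(conn, "x", "' OR '1'='1"))          # []
    print(login_safe(conn, "alice", "s3cret"))           # alice, with the real password
    print(greeting_html("<script>alert(1)</script>"))   # harmless text, not a script tag
```

The safe version is not "input validation": it does not reject the quote character, it simply never lets the input reach the SQL parser. The same separation is what `html.escape` does for the browser.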
•Race Condition - Resource Conflict
A resource conflict in software means that the same shared resource (memory, a file) is used by more than one part of the program without coordination, so the outcome depends on the timing of their interleaving: a check made by one path can be invalidated by another path before the first one acts on it.
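The check-then-act race described above, as an added example that is not part of the STKI deck: two threads withdraw from one shared balance. A barrier forces the losing interleaving deterministically (both threads pass the check before either debits), and a lock makes the check and the debit one atomic step. The account, amounts and function names are constructed for this example.

```python
"""Added example (not from the original deck): a check-then-act race.

withdraw_racy checks the balance, then debits it, with a window in between.
The Barrier holds each thread in that window until the other thread has also
passed the check, which is exactly the interleaving that breaks the invariant.
withdraw_safe does the check and the debit under one lock."""
import threading


class Account:
    """Hypothetical shared resource: a balance and a lock protecting it."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, barrier):
    if acct.balance >= amount:      # check (not protected)
        barrier.wait(timeout=5)     # both threads have now passed the check
        acct.balance -= amount      # act on a check that is already stale
        return True
    return False


def withdraw_safe(acct, amount, barrier):
    barrier.wait(timeout=5)         # line both threads up, then serialise them
    with acct.lock:                 # check and act as one atomic step
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run_two_withdrawals(withdraw, start_balance=100, amount=80):
    """Run two concurrent withdrawals; return (final balance, sorted results)."""
    acct = Account(start_balance)
    barrier = threading.Barrier(2)
    results = []

    def worker():
        results.append(withdraw(acct, amount, barrier))

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sorted(results)


if __name__ == "__main__":
    print(run_two_withdrawals(withdraw_racy))   # (-60, [True, True]): overdrawn
    print(run_two_withdrawals(withdraw_safe))   # (20, [False, True]): one refused
```

Without the barrier the racy version only fails some of the time, which is why this class of bug survives testing; the fix is to make the check and the action one indivisible operation, not to make the window smaller.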
Development vs. Security
Agenda for discussion
• What is an "ideal" development process with information-security involvement: information-security representation within the development department
• Products for secure development, including cloud products
• The information-security budget at the start of a development project
• How to improve organizational processes, from a security standpoint, already during the development stage
• Tips and recommendations from organizations on the subject
Thank you!