streamline the fix webcast
DESCRIPTION
Slides for the Webinar: http://web.securityinnovation.com/webinar-december
TRANSCRIPT
STREAMLINING THE FIX
Diminishing the Impact of Software Vulnerabilities with a Predictive Process
Tuesday, 4 December 12
TODAY’S PRESENTERS
Tom Bain, Director, Product Marketing
Dinis Cruz, Principal Software Architect
TODAY’S AGENDA
• Where do I start?
• What’s the best approach?
• What process can I apply?
• What tools can I use for repeatable results?
Development and Security are looking for a better way to identify, verify, prioritize and fix software vulnerabilities.
WHO WE ARE
Application Security Experts
• 10+ Years vulnerability research
• Security Testing Methodology adopted by SAP, Microsoft, Symantec
• Authors of 8+ books
Products and Services
• Standards - Best Practices
• Education - CBT & Instructor-Led
• Assessment - Software and SDLC
Reducing Application Security Risk
• Critical Vulnerability Discovery
• Secure SDLC Rollout
• Internal Competency Development
OUR APPROACH
• Standards: Create security policies, align dev activities with standards and compliance requirements, fix vulnerabilities.
• Education: Create internal expertise through eLearning, Instructor-led and virtual classroom training.
• Assessment: Audit software apps against policies and compliance requirements and recommend remediation techniques.
LIFE IS A BREACH
Companies who suffered 1-10 breaches over the past 2 years, as a result of a software app being compromised.
A PROCESS IS LACKING
State they either have no process (like an SDLC) at all, or an inefficient ad-hoc process for building security into their applications.
WHAT MOTIVATES ACTION?
State that there is no formal mandate in place to remediate vulnerable application code.
COMMON USE CASES
• Development teams don’t know where to go for best practices guidance on software vulnerabilities.
• There’s a need to communicate and share intelligence around specific vulnerabilities with your team.
• Teams need to fix vulnerabilities and map to internal policies.
• There’s a market need for making more sense of static analysis results to get to full-circle remediation.
SECURE DEVELOPMENT GUIDANCE
A Real-Time In-Practice Companion Containing 4500+ Articles of Prescriptive Guidance and Code
WHERE CAN DEVELOPERS GO FOR THE GUIDANCE THEY NEED?
Use Case I - Security Team
• A software vulnerability has been identified.
• You need to verify it and need more information about it.
• What do you do, and where do you go for guidance?
HOW CAN YOU SHARE THE INFORMATION?
Use Case II - Security Team
• You’ve verified a software vulnerability.
• You need to communicate the details of that vulnerability or set of vulnerabilities to your team.
• How is this accomplished most effectively?
INTEGRATING WITH WHAT YOU ALREADY HAVE
Use Case III - Development Team
• You’ve verified a given vulnerability, and can now prioritize it.
• You have knowledge internally, or security policies you need to map to.
• How can I do this in a streamlined way?
DOING MORE WITH YOUR STATIC ANALYSIS RESULTS
Use Case IV - Development Team with Tools
• The tool reports findings.
• You need to make more sense of the results.
• The findings point to guidance specific to the findings.
• Fix what you’ve found. Re-scan.
TRY TEAMMENTOR TODAY!
Evaluation Version:
• OWASP Guidance Library (Creative Commons content)
• Install locally or use web version
• Watch a video: http://bit.ly/Vra3OS
• Download it: https://docs.teammentor.net/xml/Eval
Enterprise and Partner Versions:
• Full set of guidance libraries (4500+ articles)
• Single user, cloud instance, business unit, and enterprise-wide pricing available
• Partner organization licensing
• Contact us: [email protected]