Building a Rube Goldberg Application Security Program

SOURCE Boston 2011

Wendy Nather
The 451 Group
The 451 Group

451 Research is focused on the business of enterprise IT innovation. The company's analysts provide critical and timely insight into the competitive dynamics of innovation in emerging technology segments.

Tier1 Research is a single-source research and advisory firm covering the multi-tenant datacenter, hosting, IT and cloud-computing sectors, blending the best of industry and financial research.

The Uptime Institute is 'The Global Data Center Authority' and a pioneer in the creation and facilitation of end-user knowledge communities to improve reliability and uninterruptible availability in datacenter facilities.

TheInfoPro is a leading IT advisory and research firm that provides real-world perspectives on the customer and market dynamics of the enterprise information technology landscape, harnessing the collective knowledge and insight of leading IT organizations worldwide.

ChangeWave Research is a research firm that identifies and quantifies 'change' in consumer spending behavior, corporate purchasing, and industry, company and technology trends.
The Platonic Ideal of an application security program

The Platonic Ideal of an application security remediation project
How it really happens

  Training

    •  Onsite classes are expensive
    •  Offsite classes are even more expensive
    •  You can't pay to train contractors
    •  The most important developers can't make it to the classes
    •  Nobody fires up the e-learning application
    •  E-learning doesn't teach developers half of what they need to know
How it really works

  Threat modeling and security requirements

    •  It's not in any story
    •  Security isn't just in the application design
    •  Developers make bad assumptions about the environment for their applications
    •  YOU try writing down every single security requirement
    •  Security requirements are new and can be every bit as disruptive as new functionality
    •  Functional requirements change mid-project; threat modeling and security requirements have to be re-visited
    •  Developers will ask for exceptions to security requirements and you have to grant them and track them
How it really works

  Peer review and scanning in development

    •  Not every tool will scan an app that isn't built
    •  Iterative scanning is what the developer wants to do, but it takes too long
    •  The development environment is different from production
    •  The security team becomes a bottleneck as they field questions and help write the code
    •  There are still dependencies on other insecure applications and insecure libraries
    •  Here There Be Deadlines
How it really works

  QA testing

    •  They don't want security testing messing with their testing results
    •  Iterative scan-fix-rescan cycle too short for many tools
    •  QA thinks that "security testing" means testing to see if the login works
    •  Verbose error messages are needed for troubleshooting
    •  Test environment still isn't the same as in production
    •  Those short deadlines again
How it really works

  The Budget Issue

    •  Once a project is done, it's done
    •  Nobody keeps staff sitting around waiting, in case there's an application that needs remediating
    •  Remediation of an app can be a full project in and of itself
    •  The CIO never intended to touch that application again
    •  Project managers rarely budget for QA time, much less for security testing

  Bottom line: they don't see the risk
The environment

  [Diagram: Scanner 1, Scanner 2 and Scanner 3 facing the environment, which consists of single sign-on, roles and entitlements, and App1, App2, ... App60]
Story of a legacy application
The moral of the story

  Budget isn't enough (even when there's enough budget)

  Have your pieces placed in the right order

  Timing is everything

  A "15-minute fix" isn't

  Running an application security program is as much about social engineering as it is about the technical side

Thank You

 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Último (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Wendy Nather - Building a Rube Goldberg Application Security Program

  • 1. Building a Rube Goldberg Application Security Program. SOURCE Boston 2011. Wendy Nather, The 451 Group
  • 2. The 451 Group. 451 Research is focused on the business of enterprise IT innovation. The company's analysts provide critical and timely insight into the competitive dynamics of innovation in emerging technology segments. Tier1 Research is a single-source research and advisory firm covering the multi-tenant datacenter, hosting, IT and cloud-computing sectors, blending the best of industry and financial research. The Uptime Institute is 'The Global Data Center Authority' and a pioneer in the creation and facilitation of end-user knowledge communities to improve reliability and uninterruptible availability in datacenter facilities. TheInfoPro is a leading IT advisory and research firm that provides real-world perspectives on the customer and market dynamics of the enterprise information technology landscape, harnessing the collective knowledge and insight of leading IT organizations worldwide. ChangeWave Research is a research firm that identifies and quantifies 'change' in consumer spending behavior, corporate purchasing, and industry, company and technology trends.
  • 3–4. The Platonic Ideal of an application security program (diagram slides; only the title survives extraction)
  • 5–7. The Platonic Ideal of an application security remediation project (diagram slides; only the title survives extraction)
  • 8. How it really happens: Training
      •  Onsite classes are expensive
      •  Offsite classes are even more expensive
      •  You can't pay to train contractors
      •  The most important developers can't make it to the classes
      •  Nobody fires up the e-learning application
      •  E-learning doesn't teach developers half of what they need to know
  • 9. How it really works: Threat modeling and security requirements
      •  It's not in any story
      •  Security isn't just in the application design
      •  Developers make bad assumptions about the environment for their applications
      •  YOU try writing down every single security requirement
      •  Security requirements are new and can be every bit as disruptive as new functionality
      •  Functional requirements change mid-project; threat modeling and security requirements have to be re-visited
      •  Developers will ask for exceptions to security requirements and you have to grant them and track them
  • 10. How it really works: Peer review and scanning in development
      •  Not every tool will scan an app that isn't built
      •  Iterative scanning is what the developer wants to do, but it takes too long
      •  The development environment is different from production
      •  The security team becomes a bottleneck as they field questions and help write the code
      •  There are still dependencies on other insecure applications and insecure libraries
      •  Here There Be Deadlines
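Slides 9 and 10 make two points that are usually handled by hand: exceptions to security requirements have to be granted and then tracked, and the scan in development has to be fast enough to run every iteration without the security team in the loop. The following is an added example, not code from the talk or from any tool it mentions: a small build gate that reads scanner findings, checks them against an exception register in which every exception has an owner and an expiry date, blocks on unexcepted findings at or above a severity threshold, and also blocks when an exception has lapsed, so a forgotten exception cannot quietly become a permanent one. The findings, rule ids, paths, owners and dates are all constructed for illustration.

```python
# Added example (not from the talk): a CI scan gate that honours a tracked
# exception register. Scanner output and the register are constructed inline
# so it runs offline; rule ids, paths and owners are made up for illustration.
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule: str        # scanner rule id (hypothetical names below)
    path: str        # file the finding was reported in
    severity: str    # one of SEVERITY_RANK


@dataclass(frozen=True)
class GrantedException:
    """One granted exception. Keyed on an exact (rule, path) pair on purpose:
    a wildcard would quietly cover code written after the exception was granted."""
    rule: str
    path: str
    owner: str       # who asked for it, so someone is on the hook at re-review
    reason: str
    expires: date    # every exception lapses and has to be re-granted


def classify(findings, exceptions, today, fail_at="high"):
    """Split findings into (blocking, accepted, expired).

    blocking: unexcepted findings at or above fail_at severity
    accepted: findings covered by a live exception
    expired:  findings whose exception has lapsed; these block too, because an
              unrevisited exception is just an untracked vulnerability
    """
    register = {(e.rule, e.path): e for e in exceptions}
    threshold = SEVERITY_RANK[fail_at]
    blocking, accepted, expired = [], [], []
    for f in findings:
        exc = register.get((f.rule, f.path))
        if exc is None:
            if SEVERITY_RANK[f.severity] >= threshold:
                blocking.append(f)
            continue
        (accepted if today <= exc.expires else expired).append((f, exc))
    return blocking, accepted, expired


def gate_passes(findings, exceptions, today, fail_at="high"):
    """True only when nothing blocks and no exception has lapsed."""
    blocking, _, expired = classify(findings, exceptions, today, fail_at)
    return not blocking and not expired


def report(findings, exceptions, today, fail_at="high"):
    """Human-readable summary for the build log."""
    blocking, accepted, expired = classify(findings, exceptions, today, fail_at)
    lines = []
    for f in blocking:
        lines.append(f"BLOCK   {f.severity:<8} {f.rule:<18} {f.path}")
    for f, e in expired:
        lines.append(f"EXPIRED {f.severity:<8} {f.rule:<18} {f.path} "
                     f"(exception by {e.owner} lapsed {e.expires.isoformat()})")
    for f, e in accepted:
        lines.append(f"ACCEPT  {f.severity:<8} {f.rule:<18} {f.path} "
                     f"(until {e.expires.isoformat()}: {e.reason})")
    verdict = "pass" if gate_passes(findings, exceptions, today, fail_at) else "FAIL"
    lines.append("RESULT  " + verdict)
    return "\n".join(lines)


# Constructed sample scanner output, as a scanner in the dev pipeline might emit.
SAMPLE_FINDINGS = [
    Finding("sqli", "app/orders.py", "high"),
    Finding("xss-reflected", "app/search.py", "medium"),
    Finding("hardcoded-secret", "tests/fixtures.py", "high"),
    Finding("weak-hash", "legacy/report.py", "high"),
]

# Constructed exception register, as the security team would keep it.
SAMPLE_EXCEPTIONS = [
    GrantedException("hardcoded-secret", "tests/fixtures.py", owner="qa-lead",
                     reason="dummy credential in test fixture",
                     expires=date(2026, 1, 1)),
    GrantedException("weak-hash", "legacy/report.py", owner="app-owner",
                     reason="MD5 used as a checksum only; app slated for retirement",
                     expires=date(2024, 6, 30)),
]

# Two constructed scan dates: before and after the legacy-app exception lapses.
EARLIER_SCAN_DATE = date(2024, 5, 1)
SCAN_DATE = date(2024, 9, 1)

if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, today=SCAN_DATE))
```

Run on the sample, the gate fails twice over: the unexcepted SQL injection blocks outright, and the legacy weak-hash exception has lapsed, which surfaces it for re-review rather than letting it ride. The register is exact-match by design; the one decision a team has to make is the threshold, and keeping it at "high" while the medium findings are still reported is what makes the iterative scan tolerable on a deadline without hiding them.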
  • 11. How it really works: QA testing
      •  They don't want security testing messing with their testing results
      •  Iterative scan-fix-rescan cycle too short for many tools
      •  QA thinks that "security testing" means testing to see if the login works
      •  Verbose error messages are needed for troubleshooting
      •  Test environment still isn't the same as in production
      •  Those short deadlines again
  • 12. How it really works: The Budget Issue
      •  Once a project is done, it's done
      •  Nobody keeps staff sitting around waiting, in case there's an application that needs remediating
      •  Remediation of an app can be a full project in and of itself
      •  The CIO never intended to touch that application again
      •  Project managers rarely budget for QA time, much less for security testing
      Bottom line: they don't see the risk
  • 13. (Diagram slide: Scanner 1, Scanner 2, Scanner 3)
  • 16. The environment (diagram slide: single sign-on; roles and entitlements; App1, App2 ... App60)
  • 18. (Image-only slide; no text survives extraction)
  • 19. Story of a legacy application
  • 20. The moral of the story
      •  Budget isn't enough (even when there's enough budget)
      •  Have your pieces placed in the right order
      •  Timing is everything
      •  A "15-minute fix" isn't
      •  Running an application security program is as much about social engineering as it is about the technical side