Streamlining the Fix: Diminishing the Impact of Software Vulnerabilities with a Predictive Process
Transcript of Streamlining the Fix: Diminishing the Impact of Software Vulnerabilities with a Predictive Process
Today’s Presenters
• Tom Bain, Director, Product Marketing
• Dinis Cruz, Principal Software Architect
Today’s Agenda
• Where do I start?
• What’s the best approach?
• What process can I apply?
• What tools can I use for repeatable results?
Development and Security are looking for a better way to identify, verify, prioritize and fix software vulnerabilities.
Who We Are
Application Security Experts
• 10+ years of vulnerability research
• Security testing methodology adopted by SAP, Microsoft, Symantec
• Authors of 8+ books
Products and Services
• Standards - Best Practices
• Education - CBT & Instructor-Led
• Assessment - Software and SDLC
Reducing Application Security Risk
• Critical Vulnerability Discovery
• Secure SDLC Rollout
• Internal Competency Development
Our Approach
• Standards: Create security policies, align development activities with standards and compliance requirements, fix vulnerabilities.
• Education: Create internal expertise through eLearning, Instructor-led and virtual classroom training.
• Assessment: Audit software apps against policies and compliance requirements and recommend remediation techniques.
Life is a Breach
Companies who suffered 1-10 breaches over the past 2 years as a result of a software application being compromised.
A Process is Lacking
State they either have no process (such as an SDLC) at all, or an inefficient ad-hoc process for building security into their applications.
What Motivates Action?
State that there is no formal mandate in place to remediate vulnerable application code.
Common Use Cases
• Development teams don’t know where to go for best-practices guidance on software vulnerabilities.
• There’s a need to communicate and share intelligence around specific vulnerabilities with your team.
• Teams need to fix vulnerabilities and map to internal policies.
• There’s a market need for making more sense of static analysis results to get to full-circle remediation.
Use Case I - Security Team
Where can developers go for the guidance they need?
• A software vulnerability has been identified.
• You need to verify it and need more information about it.
• What do you do, and where do you go for guidance?
Use Case II - Security Team
How can you share the information?
• You’ve verified a software vulnerability.
• You need to communicate the details of that vulnerability or set of vulnerabilities to your team.
• How is this accomplished most effectively?
Integrating with what you already have
Use Case III - Development Team
• You’ve verified a given vulnerability, and can now prioritize it.
• You have knowledge internally, or security policies you need to map to.
• How can I do this in a streamlined way?
Doing more with static analysis results
Use Case IV - Development Team with Tools
• The tool reports findings.
• You need to make more sense of the results.
• The findings point to guidance specific to the findings.
• Fix what you’ve found. Re-scan.
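The workflow in Use Cases III and IV (verify a finding, map it to an internal policy and to guidance, prioritize it, fix it, re-scan) can be made concrete with a small triage script. The following is an added example written for this page; it is not code from the presentation, from TeamMentor or from any scanner. The rule IDs, the rule-to-CWE table, the policy catalogue, the guidance slugs and the sample findings are all constructed for illustration and are not real identifiers.

```python
"""Triage static-analysis findings: map each to a CWE, an internal policy and a
guidance article, rank them for remediation, then diff a re-scan against the
original scan to see what was actually fixed.

Added example for this page; all tables and findings below are constructed.
"""
from dataclasses import dataclass

# Constructed: how a hypothetical scanner's rule IDs map to CWE identifiers.
RULE_TO_CWE = {
    "SQLI-001": "CWE-89",
    "XSS-004": "CWE-79",
    "PATH-002": "CWE-22",
    "HASH-010": "CWE-328",   # present in the scanner, but no policy covers it yet
}

# Constructed: internal policy catalogue keyed by CWE. Policy IDs, severities
# and guidance slugs are hypothetical placeholders for an organisation's own.
POLICY_BY_CWE = {
    "CWE-89": {"policy": "SEC-DB-01", "severity": 9, "guidance": "sql-parameterised-queries"},
    "CWE-79": {"policy": "SEC-WEB-03", "severity": 7, "guidance": "html-output-encoding"},
    "CWE-22": {"policy": "SEC-FS-02", "severity": 8, "guidance": "path-canonicalisation"},
}


@dataclass
class Finding:
    rule_id: str
    file: str
    line: int
    verified: bool   # True once a human (or a targeted test) confirmed it is real


@dataclass
class TriagedFinding:
    finding: Finding
    cwe: str
    policy: str
    guidance: str
    score: int


def triage(findings):
    """Map findings to CWE/policy/guidance and rank them.

    Returns (queue, unmapped): the queue is sorted highest score first; unmapped
    holds findings with no CWE or no policy, which need a human to extend the
    catalogue rather than being silently dropped.
    """
    queue, unmapped = [], []
    for f in findings:
        cwe = RULE_TO_CWE.get(f.rule_id)
        pol = POLICY_BY_CWE.get(cwe) if cwe else None
        if pol is None:
            unmapped.append(f)
            continue
        # Severity dominates; a verified finding outranks an unverified one of
        # the same severity because it no longer needs investigation time.
        score = pol["severity"] * 10 + (5 if f.verified else 0)
        queue.append(TriagedFinding(f, cwe, pol["policy"], pol["guidance"], score))
    queue.sort(key=lambda t: t.score, reverse=True)
    return queue, unmapped


def rescan_diff(before, after):
    """Compare two scans. A finding counts as fixed when its (rule_id, file) key
    disappears; line numbers are ignored because a fix usually shifts them."""
    key = lambda f: (f.rule_id, f.file)
    before_keys = {key(f) for f in before}
    after_keys = {key(f) for f in after}
    return sorted(before_keys - after_keys), sorted(after_keys - before_keys)


# Constructed sample findings from a first scan.
SCAN_1 = [
    Finding("XSS-004", "web/views.py", 42, verified=True),
    Finding("SQLI-001", "db/orders.py", 118, verified=False),
    Finding("PATH-002", "api/download.py", 15, verified=True),
    Finding("HASH-010", "auth/legacy.py", 9, verified=False),
]

# Constructed re-scan after the XSS fix landed; the SQL finding's line shifted.
SCAN_2 = [
    Finding("SQLI-001", "db/orders.py", 121, verified=False),
    Finding("PATH-002", "api/download.py", 15, verified=True),
    Finding("HASH-010", "auth/legacy.py", 9, verified=False),
]

if __name__ == "__main__":
    queue, unmapped = triage(SCAN_1)
    for t in queue:
        print(f"{t.score:3d} {t.finding.rule_id:9s} {t.cwe:7s} {t.policy:10s} "
              f"{t.finding.file}:{t.finding.line} -> {t.guidance}")
    for f in unmapped:
        print(f"UNMAPPED {f.rule_id} {f.file}:{f.line} (extend the policy catalogue)")
    fixed, new = rescan_diff(SCAN_1, SCAN_2)
    print("fixed:", fixed, "new:", new)
```

The unmapped bucket is the part worth keeping in any real version of this: a finding that no policy covers is the signal that the catalogue, not the code, needs work, and dropping it would hide exactly the gap the slide complains about.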
Secure Development Guidance
A Real-Time In-Practice Companion Containing 4,500+ Articles of Prescriptive Guidance and Code
Try TeamMentor Today!
Evaluation Version:
• OWASP Guidance Library (Creative Commons content)
• Install locally, or use the web version
• Watch a video: http://bit.ly/Vra3OS
• Download it: https://docs.teammentor.net/xml/Eval
Enterprise and Partner Versions:
• Full set of guidance libraries (4,500+ articles)
• Single-user, cloud-instance, business-unit and enterprise-wide pricing
• Partner organization licensing
• Contact us: [email protected]