Building an Effective SDLC Program: Case Study. Guy Bejerano, CSO, LivePerson Ofer Maor, CTO, Seeker Security. The Next 45 Min. SDLC – Why Do We Bother? Vendor Heaven – Sell All You Can Sell Finding Your Path in The Jungle - Assembling The Puzzle to Build a Robust SDLC Program. - PowerPoint PPT Presentation
Building an Effective SDLC Program:
Case Study
Guy Bejerano, CSO, LivePerson
Ofer Maor, CTO, Seeker Security
The Next 45 Min
SDLC – Why Do We Bother?
Vendor Heaven – Sell All You Can Sell
Finding Your Path in The Jungle - Assembling The Puzzle to Build a Robust SDLC Program
Data & Insights based on our experience @ LivePerson
Seeker Security
Formerly Hacktics® (Acquired by EY)
New Generation of Application Security Testing (IAST)
Recognized as Top 10 Most Innovative Companies at RSA® 2010
Recognized as “Cool Vendor” by Gartner
Identify, Demonstrate & Mitigate Critical Application Business Risk
LivePerson
Monitor web visitors’ behavior (Over 1.2 B visits each month)
Providing Engagement platform (Over 10 M chats each month)
Deploying code on customers’ websites
SAAS in a full Multi-tenancy environment
Process and Store customers’ data on our systems
Providing Service to Some of the Biggest
Cloud Motivation for Building Secure Code
Reputation in a social era
Risk Characteristics
• Cyber Crime – Financial motivation
• Systems are more accessible and perimeter protection is not enough
Legal liability and cost of non-compliance
Customers (over 15 application pen-tests in the past year)
The Impact of Security Bugs in Production
Highly expensive to fix (4X than during the dev process)
We are not focusing on the upside
Creates friction – Externally and Internally
Back in the Waterfall Days
Design → Development → QA → Rollout
3rd party Pen-Testing
Security Requirements
Bug Fixing
Challenges
• Accuracy of Testing
• Same Findings Repeating
• Internal Friction Still Exists
Customer Testing
And Then We Moved to Agile
Sprint
Plan → Sprint & Regression → Rollout
Security Requirements
Challenges
• Shorter Cycle (Design, Bug Fixing)
• Greater Friction
In Production
Customer Testing
3rd party Pen-Testing
The Solution Matrix
Vendor Heaven
Infinite Services, Products, Solutions & Combinations
In House / Outsourced
Services / Product / SaaS
Manual / Automated
Blackbox / Whitebox
Penetration Test / Code Review
DAST / SAST / IAST
The Solution Matrix - Considerations
In-House/Outsourced: Skills, Availability, Cost, Repeatability, SDLC Integration
Service/Product/SaaS (Manual/Automated): Accuracy (False Positives, False Negatives), Skills/Quality, Repeatability, Ease of Use, SDLC Integration, Intellectual Property, Coverage
DAST/SAST/IAST (PT/CR, Black/White Box): Accuracy (False Positives, False Negatives), Quality of Results, Pinpointing Code, Data Handling, Validation, Ease of Operation, 3rd Party Code, Scale
How to Assemble All the Pieces?
Define Your Playground
Risk – Web, Data, Multi-Tenancy
Customers – SLA, Standards
Choose a Framework
Who Leads This Program
Highly Technical Organization (System Owners, Scrum Masters, Tech Leaders)
Knowledge – Who & How
Hands-On… QA First
On-going sessions
How to Assemble All the Pieces?
Fitting Tools to Platform and Development Process
Java – Multi-Tier
Agile Methodology
JIRA (For bug tracking)
Define Operational cycle
Key Performance Indicators
Operational Review (by system owners)
Pen-Test Strategy
3rd Party
Blackbox
Pre-defined flows to check
SDLC Take #2
Sprint
Plan → Sprint & Regression → Rollout
Security Design
In Production
Customer Testing
3rd party Pen-Testing
Budgeted “Certification” Program
R&D / QA Ownership (Tech Leaders & System Owners)
Knowledge (Hands-On Training + On-Going Sessions)
Embedded Bug Tracking in Dev Tools
Static Code Analysis
Runtime/Dynamic Code Analysis
Thank You!
Q&A