How To Overcome the 5 Barriers To Production App Security Testing
Chris Harget - Product Marketing
Sameer Dixit - Managed Services
Or…
5 Reasons You’re Not Monitoring Production Apps For Vulnerabilities…
…and 7 Reasons You Really Should
3
Agenda
Cenzic, Inc. - Confidential, All Rights Reserved.
Why You’re Not Scanning
Why You Should
Overcoming Barriers
How Cenzic Managed Services Can
4
1. You Use SAST Tools In Development
• Good first step
• Efficient for some remediations
• Teaches Developers best practices
• Commonly accepted method
• Insufficient = False sense of security
5
2. Production Team Afraid of Down Time
• Production Team measured by uptime
• If it’s not broke, don’t fix it
• Security Analyst needs Production buy-in to actively monitor production environments
6
3. Production Team May Not Have Skill Set
• Depends on team
• Mostly made up of guys who plan and manage patches, maintain hardware, and roll out new systems.
• If they’re not comfortable…they will resist
7
4. Confusion Over Whose Budget Pays
• Is this Developers’ budget?
  • They built it, unless it’s outsourced
• Is it Security Analysts’ budget?
  • It’s security…and development and production…
• Is it Production’s budget?
  • They run it.
8
5. You Haven’t Gotten Around To it Yet
• Even if everyone agrees it should be done…it has to become a priority
• Like brushing teeth…you can skip it, but eventually there’ll be a hole.
• Gets deferred.
9
5 Barriers To Monitoring Production Apps
1. You use SAST tools in Development
2. Production team afraid of down time
3. Production team may not have skill set
4. Confusion over whose budget pays
5. You haven’t gotten around to it yet
…And 7 Reasons You Really Should
11
1. Some Vulnerabilities Can't Be Found by SAST
• Search Strings might miss them
• May only appear in run-time environment
• May be on web server or framework
• QA & Production environment may not be identical (especially DBs)
12
2. New Vulnerabilities Discovered Daily
• >5,200 Web app vulnerabilities discovered…so far
• ~1,090 discovered last year
• Odds are, hundreds more will be discovered while your apps are in production.
13
3. Production Apps Are The Biggest Risk
(Figure: 600+ million web sites. <10% of applications are in development or in the QA stage; >90% of applications are in production and deployed, and at greatest risk!)
Vulnerability Testing Must Monitor Run-Time Environments
14
4. Some Vulnerabilities Cause Downtime
• Buffer Overflow
  • Downs the app & can give shell access
• XSS
  • Can inject JavaScript into the web server hundreds of times for each user and spread like a virus
• SQL injection
  • Drop tables, remove users, dump the database
• About 110 other types of attacks can lead directly to production downtime
15
5. Effective Automated Attacks
• Blackbox testing + Cenzic experts
• Designed to emulate what attackers do on your site, but safer
• Cenzic has 10+ years helping enterprises and SMBs protect Production Apps
• Tools and services can find vulnerabilities with minimized risk to application uptime and data
16
6. Tightly Integrate WAF to Monitoring
• Cenzic integrates with leading Web App Firewalls
• As few as two clicks to approve/enact a policy & virtually patch an app vulnerability
• Faster remediation => More Secure
(Figure: Identify Risk + Mitigate Risk)
17
7. Managed Services For Key Apps
• Production Team = Security Team
• Priority Apps deserve specialists
• Frees Production Team To:
  • Receive results
  • Manage patches (virtual or code refresh)
  • Maximize uptime
18
Overcoming Barrier 1
1. You use SAST tools in Development
• But that’s not a complete solution
• Some vulnerabilities require real-time scanning
• New vulnerabilities discovered all the time
19
Overcoming Barrier 2
2. Production team afraid of down time
• …and vulnerable apps can increase downtime.
• You patch other bugs in Production
• Monitoring can be done fairly safely
20
Overcoming Barrier 3
3. Production team may not have skill set
• Cenzic Managed Service can cover it until your team gets the skills
• Cenzic takes care of F100 customers for Production Monitoring
21
Overcoming Barrier 4
4. Confusion Over Who Pays
• Whoever has the most budget
• Production…probably
22
Overcoming Barrier 5
5. You Haven’t Gotten Around To It Yet
• It’s important
• It’s relatively safe
• It’s easy
• Production can probably afford it
23
A Few…
24
What's Best Form Factor For You?
Recommended form factor by team type and app priority:
• Under-resourced, broad-duties Security Analysts
  • Low-Risk Apps: Cloud (self-service) Production Scanning
  • High Priority Apps: Managed Service Production Scanning
• Sizeable, Focused Security Analyst Group
  • Low-Risk Apps: Cloud or Software Production Scanning
  • High Priority Apps: Software or Managed Service Production Scanning
25
What's Important To Success
• Consistent Detection Accuracy
  • Erratic technicians or ad hoc tools can mask changes in security posture
• Quality of Service
  • Production Teams benefit from vulnerability monitoring managed services that meet high standards
26
Monitoring Available 24x7
• Frequent Assessments = shorter vulnerability windows
• Reports should include trend data and a ranking of vulnerabilities for easy response
• Vulnerabilities should be time-stamped so you know the report was actually run that week.
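As an added example (not Cenzic's code, and not any vendor's real report format), the Python below implements the checks this slide asks for over two constructed weekly scan reports: it refuses a report whose time stamp is not within the expected week, measures how long each finding has been exposed, ranks findings for response, and computes the trend against the prior scan. The report layout, field names and finding ids are assumptions.

```python
"""Weekly review of production scan reports: freshness, exposure windows,
ranking and trend. All report data below is constructed sample input."""
from datetime import datetime, timedelta, timezone

# Higher number = respond first. Unknown severities rank last.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_fresh(report: dict, now: datetime, max_age_days: int = 7) -> bool:
    """True only if the scan ran within the last max_age_days.

    A time stamp in the future is treated as not fresh: either the clock or
    the report is wrong, and a report you cannot trust is as useless as a stale one.
    """
    age = now - parse_ts(report["scanned_at"])
    return timedelta(0) <= age <= timedelta(days=max_age_days)


def vulnerability_windows(report: dict) -> dict:
    """Whole days each open finding has been exposed, measured up to this scan."""
    scanned = parse_ts(report["scanned_at"])
    return {f["id"]: (scanned - parse_ts(f["first_seen"])).days for f in report["findings"]}


def rank_findings(report: dict) -> list:
    """Order findings for response: highest severity first, then longest exposed."""
    windows = vulnerability_windows(report)
    return sorted(
        report["findings"],
        key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), -windows[f["id"]], f["id"]),
    )


def trend(previous: dict, current: dict) -> dict:
    """Classify findings as new, fixed or persisting between two consecutive scans."""
    prev_ids = {f["id"] for f in previous["findings"]}
    cur_ids = {f["id"] for f in current["findings"]}
    return {
        "new": sorted(cur_ids - prev_ids),
        "fixed": sorted(prev_ids - cur_ids),
        "persisting": sorted(prev_ids & cur_ids),
    }


def review(previous: dict, current: dict, now: datetime, max_age_days: int = 7) -> dict:
    """One weekly review; draws no conclusions from a report that is not fresh."""
    if not is_fresh(current, now, max_age_days):
        return {"fresh": False, "ranked": [], "windows": {}, "trend": {}}
    return {
        "fresh": True,
        "ranked": [f["id"] for f in rank_findings(current)],
        "windows": vulnerability_windows(current),
        "trend": trend(previous, current),
    }


# Constructed sample reports for two consecutive weekly scans of one app
# (hypothetical app name, finding ids and dates).
PREVIOUS_REPORT = {
    "app": "example-app",
    "scanned_at": "2013-09-02T03:00:00Z",
    "findings": [
        {"id": "F-1", "type": "sql_injection", "severity": "critical", "first_seen": "2013-08-19T03:00:00Z"},
        {"id": "F-2", "type": "xss_stored", "severity": "high", "first_seen": "2013-09-02T03:00:00Z"},
        {"id": "F-3", "type": "cookie_missing_httponly", "severity": "low", "first_seen": "2013-09-02T03:00:00Z"},
    ],
}
CURRENT_REPORT = {
    "app": "example-app",
    "scanned_at": "2013-09-09T03:00:00Z",
    "findings": [
        {"id": "F-2", "type": "xss_stored", "severity": "high", "first_seen": "2013-09-02T03:00:00Z"},
        {"id": "F-4", "type": "session_fixation", "severity": "high", "first_seen": "2013-09-09T03:00:00Z"},
        {"id": "F-3", "type": "cookie_missing_httponly", "severity": "low", "first_seen": "2013-09-02T03:00:00Z"},
    ],
}

if __name__ == "__main__":
    # Reviewed three days after the scan: fresh, F-1 fixed, F-4 new, F-2 still open after a week.
    print(review(PREVIOUS_REPORT, CURRENT_REPORT, parse_ts("2013-09-12T00:00:00Z")))
    # Reviewed eleven days later: the report is stale and is rejected outright.
    print(review(PREVIOUS_REPORT, CURRENT_REPORT, parse_ts("2013-09-20T00:00:00Z")))
```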
27
What's Important To Success?
• Options To Evolve
  • Managed Service might be a great way to start. Self-service SaaS, software, or a service/software hybrid might make sense in the long run.
• Scalability
  • Start with key apps, scale to all apps
28
Choosing Vendor By References
• Services harder to rate than software.
• (People)*(Software) = Results
• Talent doesn’t scale well
• Look for best-in-class software
• Look for excellent customer survey results
29
Cenzic Can Help
• Cenzic is a leading provider of Web Application Production Scanning as a Managed Service.
• 10+ Years
• Leverages patented Hailstorm™ engine for more consistently accurate and efficient results
• Large and happy customers
30
How Cenzic Can Help
• We Do It All
  • Cenzic is the only vendor who offers you excellent software, or excellent managed services leveraging our excellent solutions
• Evolve wherever you want with Cenzic
31
Customers Rate Cenzic Higher
• 2013 Gartner surveyed App Security Testing Customers
• ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction
• Cenzic provides the best services!
Managed Services Offerings – At-a-Glance
32
Tiers:
  Bronze    Industry best practices for brochureware sites
  Silver    Industry best practices for forms and login-protected sites
  Gold      Compliance for sites with user data
  Platinum  Comprehensive scans for mission-critical applications

Capability                  Bronze  Silver  Gold  Platinum
Phishing                      X       X      X      X
Light input validation        X       X      X      X
Data security                 X       X      X      X
Session management                    X      X      X
OWASP compliance                             X      X
PCI compliance                               X      X
Business logic testing                              X
Application logic testing                           X
Manual penetration testing                          X
33
(Figure: Enterprise Application Security spanning Pre-production & App Development, Production, and Partner / Supply Chain; Complete Enterprise Security by Cenzic)
34
Application Security for Web, Web Services & Mobile

Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 

Recently uploaded (20)

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 

How to Overcome the 5 Barriers to Production App Security Testing

10
…And 7 Reasons You Really Should

11
1. Some Vulnerabilities Can't Be Found by SAST
• Search strings might miss them
• May only appear in the run-time environment
• May be on the web server or framework
• QA and Production environments may not be identical (especially DBs)

12
2. New Vulnerabilities Discovered Daily
• >5,200 web app vulnerabilities discovered…so far
• ~1,090 discovered last year
• Odds are, hundreds more will be discovered while your apps are in production.

13
3. Production Apps Are The Biggest Risk
• 600+ million web sites
• <10% of applications are in development or in the QA stage
• >90% of applications are in production and deployed: at greatest risk!
• Vulnerability testing must monitor run-time environments

14
4. Some Vulnerabilities Cause Downtime
• Buffer overflow: downs the app and can give shell access
• XSS: can insert JavaScript into the web server 100s of times for each user and spread like a virus
• SQL injection: drop tables, remove users, dump database
• About 110 other types of attacks that can lead directly to production downtime
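Slide 14 lists SQL injection among the flaws that take production apps down. The following is an added example, not code from the Cenzic deck: it puts the query pattern that creates the exposure (input spliced into the SQL text) beside the parameterized form a production scanner finding should drive developers to ship, and checks both against the same input. The in-memory sqlite3 table, the user names and the probe strings are constructed sample data.

```python
import sqlite3

# Constructed sample data (assumption, not from the deck): a tiny users table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]


def setup_db():
    """Build a throwaway in-memory database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The 'before': user input is spliced into the SQL text, so a quote
    character in `name` changes the query itself rather than its data."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The hardened form: the driver binds `name` as a value, so a quote
    character is compared literally and cannot rewrite the statement."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input.

    Returns (rows_from_string_built_query, rows_from_bound_query); the two
    differ exactly when the input has altered the query's meaning.
    """
    conn = setup_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name and the classic tautology probe that DAST tools send.
    for probe in ("alice", "' OR '1'='1"):
        vuln, safe = compare(probe)
        print(f"{probe!r}: string-built -> {len(vuln)} rows, bound parameter -> {len(safe)} rows")
```

The tautology probe returns every row from the string-built query and nothing from the bound one; the sqlite3 driver also refuses stacked statements, which is why a single `execute()` cannot be turned into a table drop here, but other drivers and databases do allow it, so the parameterized form, not the driver's behaviour, is the control to rely on.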
15
5. Effective Automated Attacks
• Blackbox testing + Cenzic experts
• Designed to emulate what attackers do on your site, but safer
• Cenzic has 10+ years helping enterprises and SMBs protect production apps
• Tools and services can find vulnerabilities with minimized risk to application uptime and data

16
6. Tightly Integrate WAF to Monitoring
• Cenzic integrates with leading Web App Firewalls
• As few as two clicks to approve/enact a policy and virtually patch an app vulnerability
• Faster remediation => More Secure
(Diagram: Identify Risk + Mitigate Risk)

17
7. Managed Services For Key Apps
• Production Team = Security Team
• Priority apps deserve specialists
• Frees the Production Team to:
  • Receive results
  • Manage patches (virtual or code refresh)
  • Maximize uptime

18
Overcoming Barrier 1
1. You use SAST tools in Development
• But that's not a complete solution
• Some vulnerabilities require real-time scanning
• New vulnerabilities are discovered all the time

19
Overcoming Barrier 2
2. Production team afraid of down time
• …and vulnerable apps can increase downtime.
• You patch other bugs in Production
• Monitoring can be done fairly safely

20
Overcoming Barrier 3
3. Production team may not have skill set
• Cenzic Managed Service can cover it until your team gets the skills
• Cenzic takes care of F100 customers for Production Monitoring

21
Overcoming Barrier 4
4. Confusion Over Who Pays
• Whoever has the most budget
• Production…probably

22
Overcoming Barrier 5
5. You haven't Got Around To It Yet
• It's important
• It's relatively safe
• It's easy
• Production can probably afford it

23
A Few…

24
What's Best Form Factor For You?
• Under-resourced, broad-duties Security Analysts: Low-Risk Apps use Cloud (self-service) Production Scanning; High Priority Apps use Managed Service Production Scanning
• Sizeable, Focused Security Analyst Group: Low-Risk Apps use Cloud or Software Production Scanning; High Priority Apps use Software or Managed Service Production Scanning

25
What's Important To Success
• Consistent Detection Accuracy
  • Erratic technicians or ad hoc tools can mask changes in security posture
• Quality of Service
  • Production Teams benefit from vulnerability monitoring managed services that meet high standards

26
Monitoring Available 24x7
• Frequent assessments = shorter vulnerability windows
• Reports should include trend data and ranking of vulnerabilities for easy response
• Vulnerabilities should be time-stamped so you know the report was actually run that week.

27
What's Important To Success?
• Options To Evolve
  • A managed service might be a great way to start. Self-service SaaS, software, or a service/software hybrid might make sense in the long run.
• Scalability
  • Start with key apps, scale to all apps

28
Choosing Vendor By References
• Services are harder to rate than software.
• (People) x (Software) = Results
• Talent doesn't scale well
• Look for best-in-class software
• Look for excellent customer survey results

29
Cenzic Can Help
• Cenzic is a leading provider of Web Application Production Scanning as a Managed Service.
• 10+ Years
• Leverages patented Hailstorm™ engine for more consistently accurate and efficient results
• Large and happy customers

30
How Cenzic Can Help
• We Do It All
• Cenzic is the only vendor who offers you excellent software, or excellent managed services leveraging our excellent solutions
• Evolve wherever you want with Cenzic

31
Customers Rate Cenzic Higher
• 2013 Gartner surveyed App Security Testing customers
• ONLY Cenzic scored high marks from customers in Accuracy, Service, Support and Overall Satisfaction
• Cenzic provides the best services!

32
Managed Services Offerings – At-a-Glance

Tier        Scope
Bronze      Industry best-practices for brochureware sites
Silver      Industry best-practices for forms and login protected sites
Gold        Compliance for sites with user data
Platinum    Comprehensive scans for mission critical applications

Service                      Bronze   Silver   Gold   Platinum
Phishing                     X        X        X      X
Light input validation       X        X        X      X
Data Security                X        X        X      X
Session management                    X        X      X
OWASP compliance                               X      X
PCI compliance                                 X      X
Business logic testing                                X
Application logic testing                             X
Manual penetration testing                            X

33
Complete Enterprise Security by Cenzic
(Diagram: Pre-production & App Development; Production; Partner / Supply Chain; Enterprise Application Security)

34
Application Security for Web, Web Services & Mobile