Build Security into the Software
4Q/2016
Global Business
Company Overview
• More than 1,250 customers
• 10+ customers with 100K users worldwide
• Leader in the enterprise data-centric security space
• Building Security into the Data and Software
• 300 employees, 60% with security consulting or engineering backgrounds
• Founded in June, 2000
• Installed base of over 2.5M users
Sparrow Overview
Key Features (All-in-One SAST Solution)
• Policy Enforcement
⚡ Supporting various programming languages and platforms
⚡ Dynamic policy enforcement
• Quick Fix
⚡ Intelligent issue clustering
⚡ Active suggestion
• Accurate Analysis
⚡ Deep semantic analysis and supporting web framework
Quick Look at Sparrow
• WHISTLE (Analyzer Client)
⚡ Defining target programs and policies
• SAE (Analysis Engine)
⚡ Analyzing program codes
• NEST (Analysis Management System)
⚡ Showing details of error type, path, functions, suggested code changes and analysis reports
Deployment diagram labels:
• Sparrow Server: SAE (Sparrow Analysis Engine), NEST (Analysis Management System)
• Development Server/Client (w/ Source Code): WHISTLE (Analyzer Client) or Eclipse Plugin w/ Analysis Engine
Dynamic Policy Enforcement
• Enforce multiple policies dynamically to different projects, users/groups and project phases
Accurate Analysis
Deep Semantic Analysis
• Interprocedural analysis (context- and path-sensitive analysis + symbolic execution)
• False path pruning by constraint solving
• Semantic analysis (data-flow, value, pointer, structure, and class analysis) + abstract interpretation for dead code detection
• Syntactic analysis (comment, pattern-based analysis)
Supporting Web Framework
• Analyzing Spring/Struts web applications
⚡ Control/data flow of the MVC (model, view, controller) architecture
⚡ Annotation-based configuration
⚡ Dependency injection
⚡ Configuration files
Accurate Analysis (Cont’d)

| Common Weakness | Sparrow True | Sparrow False | Vendor H True | Vendor H False |
|---|---|---|---|---|
| HTTP response splitting | 1 | | 0 | |
| Private Array-Typed Field Returned From A Public Method | 1 | | 0 | |
| SQL injection | 2 | | 3 | 12 |
| Path Traversal & Resource Injection | 4 | | 2 | |
| Null dereference | 74 | 2 | 3 | |
| Reliance on Untrusted Inputs in a Security Decision | 1 | | 0 | |
| Improper Check for Unusual or Exceptional Conditions | 53 | | 53 | |
| Resource Leak | 109 | | 19 | |
| Open Redirect | 3 | | 0 | |
| Improper Error Handling | 6 | | 6 | 2 |
| Information Exposure Through an Error Message | 57 | | 53 | |
| Exposure of Data Element to Wrong Session | 4 | | 0 | |
| Use of Insufficiently Random Values | 2 | | 8 | |
| Integer Overflow | 1 | | 0 | |
| Leftover Debug Code | 1 | | 1 | |
| Information Exposure Through Comments | 0 | | 9 | 4 |
| Cleartext Storage of Sensitive Information | 0 | | 1 | |
| Cross-site scripting | 3 | | 10 | |
| Cross-site Request Forgery | 1 | | 0 | |
| Hard coded password | 2 | | 5 | 0 |
| Total | 325 | 2 | 173 | 18 |

| Tool | Time | Target program | # of Files | Total LOC | Executable LOC |
|---|---|---|---|---|---|
| Sparrow | 4m 42s | WebGoat | 191 | 44,645 | 27,531 |
| Vendor H | 19m 22s | WebGoat | 191 | 44,645 | 27,531 |
Intelligent Issue Clustering
• Clusters similar issues into groups so that organizations can identify and fix them efficiently
Active Suggestion
• Not only identifies software vulnerabilities, but also remediates code using automated code suggestions
Technical Specification
• Languages: ABAP, Android, ASP(.NET), C/C++, C#, HTML, Java, JavaScript, JSP, Objective-C, PHP, SQL, VB.NET, VBScript, XML
• IDEs: Android Studio, Code Composer, CodeWarrior, Eclipse, IAR, IBM RAD, IntelliJ IDEA, Keil uVision, Visual Studio, Xcode
• Platform: Windows, Linux, Mac OS, AIX, HP-UX, SunOS
• Build Management: GNU make, Sun make, Microsoft nmake, …
• Continuous Integration: Hudson, Jenkins, TeamCity
• Source Control: Git, Microsoft Team Foundation, Subversion, Commercial Source Controls
• Framework: Spring framework, Struts framework, Proframe framework
Timeline and Roadmap
• 2007-2016
⚡ OWASP Benchmark Score: 94%
*The average score of other solutions was 25%.
⚡ ISO26262 Certification
*Qualification of Software Tools for Automotive Industry
⚡ CWE Compatibility
• Roadmap 2016 to 2018 (diagram labels): Sparrow v5 (SAST), Sparrow Cloud v1, DAST v1, IAST v1, RASP v1
Case Study
Customer in Financial Verticals
• Key facts
⚡ Industry: Financial/Banking
⚡ Revenue: US$22.7B (Assets: $204.3B)
⚡ Headcount: 100K
• Challenge
⚡ Develop and deliver an efficient and effective static application security testing environment for all business applications developed, maintained and operated by the Bank’s IT Department.
• Solution
⚡ Enforced secure coding policies set by the IT and Security Group in all development environments (approx. 1,450 developers)
⚡ Inspected the source code of more than 233 projects for security and quality
⚡ Added periodic reporting of statistics on security vulnerabilities and quality issues (approx. 1,000 vulnerabilities identified and fixed annually since 2014)
Customer in Financial Verticals (Cont’d)
Deployment diagram labels:
• Components: Source Code Management Server; Operating Server; Development Servers (233 Projects); Sparrow Servers (*4 active servers); Developers (1,450 Seats); Admin
• Interactions: Transfer secure source code; Check-in request; Approve/reject check-in request based on the secure coding policy; Define/manage secure coding policy; Review status of projects and generate reports; Request security assessment results of source code; Validate the request; Send analysis results and pre-processed data; Manage code analysis results; Manage secure projects; Execute code analysis; Review the analysis results
Fasoo has been successfully building its worldwide reputation as an EDRM (enterprise digital rights management, also known as information rights management, IRM) solution provider with industry-leading solutions and services. Fasoo solutions allow organizations to prevent unintended information disclosure or exposure, ensure a secure information-sharing environment, better manage workflows and simplify secure collaboration internally and externally. Fasoo Enterprise DRM, a data-centric security solution, safeguards digital files against unauthorized use and provides persistent and reliable protection of documents with file encryption, permission control and audit trail technologies. Fasoo has retained its leadership in the EDRM market by deploying enterprise-wide solutions for more than 1,250 organizations, securing more than 2.5 million users. Fasoo is also planning future expansion through new business models including static code analysis/SAST (Sparrow), content-centric data lifecycle management solutions (Wrapsody) and intelligent lifelog solutions (DigitalPage).
North America Headquarters
197 State Route 18 South, East Brunswick, NJ 08817, USA
Global Headquarters
396 World Cup buk-ro, Mapo-gu, Seoul 121-795, Korea
Web: www.fasoo.com
Email: inquiry@fasoo.com
Phone: (732) 955-2333 (NA HQ) | +82-2-300-9000 (Global HQ)
