SlideShare ist ein Scribd-Unternehmen logo

Software Security Assurance - Program Building (You're going to need a bigger shovel)

Rafal Los
Rafal Los

This document outlines a 5-step approach to establishing a Software Security Assurance program: 1) Conduct an assessment of capabilities, resources, assets, and organization. 2) Develop a resource strategy and plan based on assessment. 3) Build intelligent processes that leverage existing processes and accommodate business needs. 4) Implement processes strategically and augment with automation technologies. 5) Continuously measure business impact and reassess goals as business priorities change.

TechnologieNews & Politik
1 von 12
You're Going to Need a Bigger Shovel A Critical Look at Software Security Assurance Rafal M. Los (“Wh1t3Rabbit”) Enterprise & Cloud Security Strategist ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Catch more info from me – Podcast: http://podcast.wh1t3rabbit.net Blog: http://hp.com/go/white-rabbit Twitter: @Wh1t3Rabbit
What Type of Organization Are You? Be honest with yourself “Get SSA” Randomly Spending $ on “App Sec” Fooling Themselves 3 Enterprise Security – HP Public
App Security vs. Software Security Assurance • Application Security (AppSec) – “Securing software” – Tactical approach, marked by erratic spending – Measured to CISO level – Tools, tools, tools • Software Security Assurance (SSA) – Program approach driven by risks – Acknowledge there is no such thing as secure software – Measured to CIO level as impact on IT performance – People & process first, then smart application of technology 4 Enterprise Security – HP Public
Step 1: Assessment Know where you’re starting • Perform a rational assessment of – Capabilities – Resources – Assets – Liabilities – Organization & structure – Organizational goals • Be careful of paralysis by analysis • Be thorough, but move swiftly 5 Enterprise Security – HP Public
Step 2: Resource Planning Build resource strategy from your assessment • What can you do with what you’ve got? – Human resources – Technology – Time & capital • Plan for resource allocation – Plan 6, 12, 18, 36 months into the future – What is current capacity (work-load), how will it grow over time – Will you in-source, outsource, hybridize or all of the above? – Will budgets increase, decrease, and can you leverage your LoB? – Do you have the right resources in the right positions to succeed? 6 Enterprise Security – HP Public
Step 3: Intelligent Process Building Process makes success possible • Don’t reinvent the wheel (you probably don’t have to) Start – Leverage existing processes – Less friction within the organization – How are things being done today? Can you fit in the right controls? • Accommodate, align, associate ? – Accommodate processes that LoB is already using – Align to others’ goals (remember, they’re not yours …yet) – Associate your success to theirs, then vice versa Secur – DevOps! e • Think of the full ALM span (Application Lifecycle) 7 Enterprise Security – HP Public
Step 4: Implementation and Technology Implement, then automate • Implement strategically – Start small, where failure won’t be noticed – Tweak processes, approach as you go – Do whatever it takes to succeed the pilot – Shout your success, encourage others to sign on • Augment and automate with technology – People don’t scale well – Ensure right technology, to the right resources, at the right time – Your process must produce consistent, repeatable results – Remove burden from the user 8 Enterprise Security – HP Public
Step 5: Measurement and Re-Assessment Make sure you measure business relevance • Measure impact to the business – Get beyond “vulnerabilities” and “criticals” – Demonstrate risk reduction with less negative business impact – Build IT-relevant KPIs – “How is your activity contributing to business value? • Re-assess each {quarter | half-year | year} to align goals – As business priorities change, so should your program – What causes a change in program? • Industry security “climate” • Budget • Technology shifts 9 Enterprise Security – HP Public
Things Everyone Forgets Things only failure teaches • Planning for things you can’t plan for – Cloud computing – Consumer device adoption • Being a smart victim – Plan for incident response – “Would you know you’ve become a victim?” • Adopt to boardroom requirements – Business objectives change – learn how to listen – Priorities, budgets change • What happens after you’ve been promoted? 10 Enterprise Security – HP Public
If this was easy, everyone wouldn’t be getting pwn3d through a 10 year old bug. 11
Software Security Assurance - Program Building (You're going to need a bigger shovel)

Empfohlen

The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
The QA Analyst's Hacker's Landmark Tour v3.0
The QA Analyst's Hacker's Landmark Tour v3.0The QA Analyst's Hacker's Landmark Tour v3.0
The QA Analyst's Hacker's Landmark Tour v3.0Rafal Los
 
Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Rafal Los
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterpriseRafal Los
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksResilient Systems
 
2015 Cyber Security
2015 Cyber Security2015 Cyber Security
2015 Cyber SecurityAllen Zhang
 
Professional incident response
Professional incident responseProfessional incident response
Professional incident responseBrooks Garrett
 

Empfohlen

The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
The QA Analyst's Hacker's Landmark Tour v3.0
The QA Analyst's Hacker's Landmark Tour v3.0The QA Analyst's Hacker's Landmark Tour v3.0
The QA Analyst's Hacker's Landmark Tour v3.0Rafal Los
 
Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Security BSides Atlanta - "The Business Doesn't Care..."
Security BSides Atlanta - "The Business Doesn't Care..."Rafal Los
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterpriseRafal Los
 
Application Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementApplication Threat Modeling In Risk Management
Application Threat Modeling In Risk ManagementMel Drews
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksResilient Systems
 
2015 Cyber Security
2015 Cyber Security2015 Cyber Security
2015 Cyber SecurityAllen Zhang
 
Professional incident response
Professional incident responseProfessional incident response
Professional incident responseBrooks Garrett
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
 
Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatAndrew Case
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
Baselining Logs
Baselining LogsBaselining Logs
Baselining LogsAnton Chuvakin
 
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Source Conference
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Resilient Systems
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingPriyanka Aash
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsChris Gates
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Runtime Protection in the Real World
Runtime Protection in the Real WorldRuntime Protection in the Real World
Runtime Protection in the Real WorldBrooks Garrett
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To BasicsJoel Cardella
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular usersGeoffrey Vaughan
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentDamon Small
 
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDDATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDPriyanka Aash
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...North Texas Chapter of the ISSA
 
Skillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxSkillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxEoin Keary
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfAdrian Sanabria
 
Build Security into the Software with Sparrow
Build Security into the Software with SparrowBuild Security into the Software with Sparrow
Build Security into the Software with SparrowJason Sohn
 
Touchpoints and security
Touchpoints and securityTouchpoints and security
Touchpoints and securityMohan Datar
 

Weitere ähnliche Inhalte

Was ist angesagt?

Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
 
Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatAndrew Case
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Source Conference
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Resilient Systems
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingPriyanka Aash
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsChris Gates
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Runtime Protection in the Real World
Runtime Protection in the Real WorldRuntime Protection in the Real World
Runtime Protection in the Real WorldBrooks Garrett
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To BasicsJoel Cardella
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular usersGeoffrey Vaughan
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentDamon Small
 
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDDATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDPriyanka Aash
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...North Texas Chapter of the ISSA
 
Skillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxSkillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxEoin Keary
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfAdrian Sanabria
 

Was ist angesagt? (20)

Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)Deception in Cyber Security (League of Women in Cyber Security)
Deception in Cyber Security (League of Women in Cyber Security)
 
Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider Threat
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 
Baselining Logs
Baselining LogsBaselining Logs
Baselining Logs
 
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and Reporting
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsBig Bang Theory: The Evolution of Pentesting High Security Environments
Big Bang Theory: The Evolution of Pentesting High Security Environments
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton ChuvakinSomething Fun About Using SIEM by Dr. Anton Chuvakin
Something Fun About Using SIEM by Dr. Anton Chuvakin
 
Runtime Protection in the Real World
Runtime Protection in the Real WorldRuntime Protection in the Real World
Runtime Protection in the Real World
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
 
Security best practices for regular users
Security best practices for regular usersSecurity best practices for regular users
Security best practices for regular users
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
 
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPAREDDATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
DATA BREACH LITIGATION HOW TO AVOID IT AND BE BETTER PREPARED
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
 
Skillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant fluxSkillful scalefull fullstack security in a state of constant flux
Skillful scalefull fullstack security in a state of constant flux
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard Of
 

Andere mochten auch

Build Security into the Software with Sparrow
Build Security into the Software with SparrowBuild Security into the Software with Sparrow
Build Security into the Software with SparrowJason Sohn
 
Touchpoints and security
Touchpoints and securityTouchpoints and security
Touchpoints and securityMohan Datar
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Software Quality Assurance: A mind game between you and devil
Software Quality Assurance: A mind game between you and devilSoftware Quality Assurance: A mind game between you and devil
Software Quality Assurance: A mind game between you and devilNascenia IT
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 

Andere mochten auch (7)

Build Security into the Software with Sparrow
Build Security into the Software with SparrowBuild Security into the Software with Sparrow
Build Security into the Software with Sparrow
 
Touchpoints and security
Touchpoints and securityTouchpoints and security
Touchpoints and security
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Software Quality Assurance: A mind game between you and devil
Software Quality Assurance: A mind game between you and devilSoftware Quality Assurance: A mind game between you and devil
Software Quality Assurance: A mind game between you and devil
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 

Ähnlich wie Software Security Assurance - Program Building (You're going to need a bigger shovel)

Smarter fundraising – technology and processes
Smarter fundraising – technology and processesSmarter fundraising – technology and processes
Smarter fundraising – technology and processesShoNet
 
Managing the Risks of AI - A Planning Guide for Executives
Managing the Risks of AI - A Planning Guide for ExecutivesManaging the Risks of AI - A Planning Guide for Executives
Managing the Risks of AI - A Planning Guide for ExecutivesDaniel Faggella
 
Agile Development Product Delivery For Successful Organizations
Agile Development Product Delivery For Successful OrganizationsAgile Development Product Delivery For Successful Organizations
Agile Development Product Delivery For Successful OrganizationsMarc Crudgington, MBA
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent CampaignDenim Group
 
Holistic Product Development
Holistic Product DevelopmentHolistic Product Development
Holistic Product DevelopmentGary Pedretti
 
uTest CMO Matt Johnston Presents "Online Communities: Changing the Way Work ...
uTest CMO Matt Johnston Presents "Online Communities: Changing the Way Work ...uTest CMO Matt Johnston Presents "Online Communities: Changing the Way Work ...
uTest CMO Matt Johnston Presents "Online Communities: Changing the Way Work ...uTest
 
Big Data at a Gaming Company: Spil Games
Big Data at a Gaming Company: Spil GamesBig Data at a Gaming Company: Spil Games
Big Data at a Gaming Company: Spil GamesRob Winters
 
Capacity Planning and Demand Management
Capacity Planning and Demand ManagementCapacity Planning and Demand Management
Capacity Planning and Demand ManagementLawrence Putnam Jr
 
IT Demand Management and Capacity Planning: Why Estimation Is Vital to Balanc...
IT Demand Management and Capacity Planning: Why Estimation Is Vital to Balanc...IT Demand Management and Capacity Planning: Why Estimation Is Vital to Balanc...
IT Demand Management and Capacity Planning: Why Estimation Is Vital to Balanc...Quantitative Software Management, Inc.
 
Fear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting DepartmentFear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting DepartmentAccenture | SolutionsIQ
 
Using Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence ProgramUsing Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence ProgramSurfWatch Labs
 
Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...
Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...
Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...Laszlo Szalvay
 
Agile Project Failures: Root Causes and Corrective Actions
Agile Project Failures: Root Causes and Corrective ActionsAgile Project Failures: Root Causes and Corrective Actions
Agile Project Failures: Root Causes and Corrective ActionsTechWell
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent CampaignDenim Group
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Get faster results and more business value the Vree way
Get faster results and more business value the Vree wayGet faster results and more business value the Vree way
Get faster results and more business value the Vree waysccarbone
 
Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4Marvin Heery
 
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseThe Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseDenim Group
 

Ähnlich wie Software Security Assurance - Program Building (You're going to need a bigger shovel) (20)

Smarter fundraising – technology and processes
Smarter fundraising – technology and processesSmarter fundraising – technology and processes
Smarter fundraising – technology and processes
 
Managing the Risks of AI - A Planning Guide for Executives
Managing the Risks of AI - A Planning Guide for ExecutivesManaging the Risks of AI - A Planning Guide for Executives
Managing the Risks of AI - A Planning Guide for Executives
 
Agile Development Product Delivery For Successful Organizations
Agile Development Product Delivery For Successful OrganizationsAgile Development Product Delivery For Successful Organizations
Agile Development Product Delivery For Successful Organizations
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
 
Holistic Product Development
Holistic Product DevelopmentHolistic Product Development
Holistic Product Development
 
uTest CMO Matt Johnston Presents "Online Communities: Changing the Way Work ...
uTest CMO Matt Johnston Presents "Online Communities: Changing the Way Work ...uTest CMO Matt Johnston Presents "Online Communities: Changing the Way Work ...
uTest CMO Matt Johnston Presents "Online Communities: Changing the Way Work ...
 
Big Data at a Gaming Company: Spil Games
Big Data at a Gaming Company: Spil GamesBig Data at a Gaming Company: Spil Games
Big Data at a Gaming Company: Spil Games
 
Capacity Planning and Demand Management
Capacity Planning and Demand ManagementCapacity Planning and Demand Management
Capacity Planning and Demand Management
 
IT Demand Management and Capacity Planning: Why Estimation Is Vital to Balanc...
IT Demand Management and Capacity Planning: Why Estimation Is Vital to Balanc...IT Demand Management and Capacity Planning: Why Estimation Is Vital to Balanc...
IT Demand Management and Capacity Planning: Why Estimation Is Vital to Balanc...
 
Fear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting DepartmentFear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting Department
 
Using Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence ProgramUsing Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence Program
 
Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...
Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...
Proposed Title Fear and Loathing in Agility: Long Live the Accounting Departm...
 
RSA 2017 - CISO's 5 steps to Success
RSA 2017 - CISO's 5 steps to SuccessRSA 2017 - CISO's 5 steps to Success
RSA 2017 - CISO's 5 steps to Success
 
Agile Project Failures: Root Causes and Corrective Actions
Agile Project Failures: Root Causes and Corrective ActionsAgile Project Failures: Root Causes and Corrective Actions
Agile Project Failures: Root Causes and Corrective Actions
 
The Permanent Campaign
The Permanent CampaignThe Permanent Campaign
The Permanent Campaign
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Get faster results and more business value the Vree way
Get faster results and more business value the Vree wayGet faster results and more business value the Vree way
Get faster results and more business value the Vree way
 
Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4Introduction To Agile Refresh Savannah July20 2010 V1 4
Introduction To Agile Refresh Savannah July20 2010 V1 4
 
Infosec russia cnemeth_v1.2.ppt
Infosec russia cnemeth_v1.2.pptInfosec russia cnemeth_v1.2.ppt
Infosec russia cnemeth_v1.2.ppt
 
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the EnterpriseThe Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
The Permanent Campaign: Driving a Secure Software Initiative in the Enterprise
 

Mehr von Rafal Los

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdfThe 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdfRafal Los
 
Irrational But Effective - Applying Parenthood Lessons to Cyber Security
Irrational But Effective - Applying Parenthood Lessons to Cyber SecurityIrrational But Effective - Applying Parenthood Lessons to Cyber Security
Irrational But Effective - Applying Parenthood Lessons to Cyber SecurityRafal Los
 
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)Rafal Los
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Rafal Los
 
Lies, Fables and Security Metrics
Lies, Fables and Security MetricsLies, Fables and Security Metrics
Lies, Fables and Security MetricsRafal Los
 
Losing battles, winning wars
Losing battles, winning warsLosing battles, winning wars
Losing battles, winning warsRafal Los
 
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 20135 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013Rafal Los
 
Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]Rafal Los
 
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Rafal Los
 
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rafal Los
 
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Rafal Los
 
Making Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessMaking Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessRafal Los
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationRafal Los
 
Ultimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelUltimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelRafal Los
 
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Rafal Los
 
Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)Rafal Los
 
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2Rafal Los
 
Sans Feb 2010 - When Web 2 0 Attacks v3.3
Sans Feb 2010 - When Web 2 0 Attacks v3.3Sans Feb 2010 - When Web 2 0 Attacks v3.3
Sans Feb 2010 - When Web 2 0 Attacks v3.3Rafal Los
 
StarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
StarWest 2009 - Detective Work For Testers: Finding Workflow Based DefectsStarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
StarWest 2009 - Detective Work For Testers: Finding Workflow Based DefectsRafal Los
 

Mehr von Rafal Los (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdfThe 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
 
Irrational But Effective - Applying Parenthood Lessons to Cyber Security
Irrational But Effective - Applying Parenthood Lessons to Cyber SecurityIrrational But Effective - Applying Parenthood Lessons to Cyber Security
Irrational But Effective - Applying Parenthood Lessons to Cyber Security
 
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
 
Lies, Fables and Security Metrics
Lies, Fables and Security MetricsLies, Fables and Security Metrics
Lies, Fables and Security Metrics
 
Losing battles, winning wars
Losing battles, winning warsLosing battles, winning wars
Losing battles, winning wars
 
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 20135 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
 
Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]Operationalizing Security Intelligence [ InfoSec World 2014 ]
Operationalizing Security Intelligence [ InfoSec World 2014 ]
 
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
 
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
 
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
 
Making Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in BusinessMaking Measurable Gains - Contextualizing 'Secure' in Business
Making Measurable Gains - Contextualizing 'Secure' in Business
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with Automation
 
Ultimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI ModelUltimate Hack! Layers 8 & 9 of the OSI Model
Ultimate Hack! Layers 8 & 9 of the OSI Model
 
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
 
Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)Oh No They Didn't! 7 Web App Security Stories (v1.0)
Oh No They Didn't! 7 Web App Security Stories (v1.0)
 
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
 
Sans Feb 2010 - When Web 2 0 Attacks v3.3
Sans Feb 2010 - When Web 2 0 Attacks v3.3Sans Feb 2010 - When Web 2 0 Attacks v3.3
Sans Feb 2010 - When Web 2 0 Attacks v3.3
 
StarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
StarWest 2009 - Detective Work For Testers: Finding Workflow Based DefectsStarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
StarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects
 

Kürzlich hochgeladen

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Kürzlich hochgeladen (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Software Security Assurance - Program Building (You're going to need a bigger shovel)

  • 1. You're Going to Need a Bigger Shovel A Critical Look at Software Security Assurance Rafal M. Los (“Wh1t3Rabbit”) Enterprise & Cloud Security Strategist ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
  • 2. Catch more info from me – Podcast: http://podcast.wh1t3rabbit.net Blog: http://hp.com/go/white-rabbit Twitter: @Wh1t3Rabbit
  • 3. What Type of Organization Are You? Be honest with yourself “Get SSA” Randomly Spending $ on “App Sec” Fooling Themselves 3 Enterprise Security – HP Public
  • 4. App Security vs. Software Security Assurance • Application Security (AppSec) – “Securing software” – Tactical approach, marked by erratic spending – Measured to CISO level – Tools, tools, tools • Software Security Assurance (SSA) – Program approach driven by risks – Acknowledge there is no such thing as secure software – Measured to CIO level as impact on IT performance – People & process first, then smart application of technology 4 Enterprise Security – HP Public
  • 5. Step 1: Assessment Know where you’re starting • Perform a rational assessment of – Capabilities – Resources – Assets – Liabilities – Organization & structure – Organizational goals • Be careful of paralysis by analysis • Be thorough, but move swiftly 5 Enterprise Security – HP Public
  • 6. Step 2: Resource Planning Build resource strategy from your assessment • What can you do with what you’ve got? – Human resources – Technology – Time & capital • Plan for resource allocation – Plan 6, 12, 18, 36 months into the future – What is current capacity (work-load), how will it grow over time – Will you in-source, outsource, hybridize or all of the above? – Will budgets increase, decrease, and can you leverage your LoB? – Do you have the right resources in the right positions to succeed? 6 Enterprise Security – HP Public
  • 7. Step 3: Intelligent Process Building Process makes success possible • Don’t reinvent the wheel (you probably don’t have to) Start – Leverage existing processes – Less friction within the organization – How are things being done today? Can you fit in the right controls? • Accommodate, align, associate ? – Accommodate processes that LoB is already using – Align to others’ goals (remember, they’re not yours …yet) – Associate your success to theirs, then vice versa Secur – DevOps! e • Think of the full ALM span (Application Lifecycle) 7 Enterprise Security – HP Public
  • 8. Step 4: Implementation and Technology Implement, then automate • Implement strategically – Start small, where failure won’t be noticed – Tweak processes, approach as you go – Do whatever it takes to succeed the pilot – Shout your success, encourage others to sign on • Augment and automate with technology – People don’t scale well – Ensure right technology, to the right resources, at the right time – Your process must produce consistent, repeatable results – Remove burden from the user 8 Enterprise Security – HP Public
  • 9. Step 5: Measurement and Re-Assessment Make sure you measure business relevance • Measure impact to the business – Get beyond “vulnerabilities” and “criticals” – Demonstrate risk reduction with less negative business impact – Build IT-relevant KPIs – “How is your activity contributing to business value? • Re-assess each {quarter | half-year | year} to align goals – As business priorities change, so should your program – What causes a change in program? • Industry security “climate” • Budget • Technology shifts 9 Enterprise Security – HP Public
  • 10. Things Everyone Forgets Things only failure teaches • Planning for things you can’t plan for – Cloud computing – Consumer device adoption • Being a smart victim – Plan for incident response – “Would you know you’ve become a victim?” • Adopt to boardroom requirements – Business objectives change – learn how to listen – Priorities, budgets change • What happens after you’ve been promoted? 10 Enterprise Security – HP Public
  • 11. If this was easy, everyone wouldn’t be getting pwn3d through a 10 year old bug. 11