Stu r35 a

Session ID:
Session Classification:
Jacob West
Chief Technology Officer
HP Enterprise Security
Products
STU-R35A
Intermediate
Who, What, Where,
How: Five Big
Questions in Mobile
Security

Why is mobile security an imperative?
Who will be held accountable?
What platform strategy makes sense?
Where are mobile apps developed?
How do we build secure mobile apps?

Mobile Devices are Taking
Over
12/12 KPCB Trend Report

Mobile Internet Usage
Surpassing Desktop
12/12 KPCB Trend Report

► By 2015, mobile dev projects
targeting smartphones and
tablets will outnumber native
PC projects by a ratio of 4:1
– Gartner 7/12
► By 2016, > 50 percent of
enterprise email users will rely
primarily web or mobile.
–
Gartner 12/11
Not Just for Consumers
0
10
20
30
40
50
60
% of Workforce with
Smartphones
2011
2012
2013

What is Mobile?
server
network
device
os
apps

Who Cares?
App
Owners
Device
Builders
Network
Providers
App
Developers
OS
Authors
Who Will Users Hold Accountable?

► Web, native, hybrid
► Operating systems
► Developer support
► Application delivery
► Programming language
Platform Tradeoffs

► Native mobile applications
► Persistent
► Hardware support
► Flexible
► Mobile-optimized web apps
► Lightweight
► Multi-platform
► Bolt onto legacy apps
► Hybrid?
► Native container for web content
► Cross-compiled native apps
Web Versus Native
80% by 2015
– Gartner 11/12

► Open app store model (Google Marketplace)
► Enterprise app stores
► Security as a differentiator
► Researcher access?
► Closed app store model (Apple App Store)
► Controlled ecosystem
► Revocation capability
► Compromise: Apple's iOS Developer Enterprise Program
Application Delivery

► Objective-C
► Little-known pre-iOS
► ‘Unsafe’ language
► Limited tool support
► Java
► Widely-known
► No more buffer overflows
► Better tool support
Native Programming
Languages

► In-house
► Traditional outsourcers
► Boutique firms
Mobile Development

Pros
► Leverage investments
► Easier integration
► Control over full SDLC
In-House Development
Cons
► Must train resources
► Add-ons may add risk
► Hard to outsource
security

Pros
► Well-known
expectations
► Expand on experience
► Control over SDLC
Traditional Outsourcers
Cons
► Harder to find talent
► Add-ons may add risk
► Outsourcing security
(but not accountability)

Pros
► Specialized talent
► Accelerated delivery
► Low-investment for
high-quality result
Boutique Firms
Cons
► Lack of security maturity
► Difficult integration
► Little influence over
SDLC

Same Ol’ Server
Operations Software
Information

Explore Accelerate Optimize
Software Security Assurance
Journey
Reactive – Assessing and
remediating code
• Security team alone
responsible for security
• Small set of programs
• Addressing software
security after-the-fact
• High IT value
In Place – Software security
required before production
• Security team works with
Development on security
• All critical software secure
• Solving software security
during development
• High business value
Proactive – Instilling best
practices into future code
• Development takes over
responsibility for security
• All enterprise software
embedding security into
software development
lifecycle (SDLC)
• High strategic value

► Real data from (51) real initiatives
► 95 measurements
► 13 repeat measurements
► McGraw, Migues, & West
www.bsimm.com
Inspiration from the Industry:
BSIMM4

► What do your apps do and for whom?
► What platform(s) do your apps support and
how?
► Who develops your apps and where?
► Is there an existing SDL for other development?
► Do you rely on platform providers or app
distributors for any security assurance?
► Are mobile apps prompting back-end changes?
More Questions to Ask

Weitere ähnliche Inhalte

Was ist angesagt?

Open Source Security - It can be done easily.

Flexera

Outpost24 webinar - A day in the life of an information security professional

There is an old management adage that says “You can’t manage what you don’t measure.” The Building Security in Maturity Model (BSIMM) applies scientific principles to the field of software security to effectively measure security activities across industries and business units. The BSIMM enables experts like you to discover what exists in the application security universe, how those things work today, how they worked in the past and how they are likely to work in the future.

Secure Software Development Lifecycle

1&1

BSIMM: Bringing Science to Software Security

Get Your Board to Say "Yes" to a BSIMM Assessment

Рано или поздно любая компания задумывается как о безопасности своего продукта, так и внутренней безопасности, и это неизбежно ведет к выстраиванию security-процессов, стандартов, требований и политик. Этот процесс довольно сложный и трудоемкий, требующий определенной зрелости компании и слаженной работы всех сотрудников. Мы хотели бы рассказать о своем опыте создания security-культуры компании Wrike, в том числе с помощью продукта, который мы делаем. Также мы поделимся опытом решения реальных проблем безопасности, с которыми сталкиваемся сами или наши клиенты.

Basic of SSDLC

Chitpong Wuttanan

Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"

WrikeTechClub

Jack Nichelson - Information Security Metrics - Practical Security Metrics

centralohioissa

Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.

Cyber security - It starts with the embedded system

Rogue Wave Software

The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018. Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality. It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses: - the current state of open source vulnerabilities management; - organizations' struggle to handle open source vulnerabilities; and - the key strategy for effective vulnerability management.

The State of Open Source Vulnerabilities Management

WhiteSource

Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...

How to Choose the Right Security Training for You

DevOps Night - Shifting Security to the Left - SCTV Tower - 19 September 2018

Adhitya Hartowo

Getting Executive Support for a Software Security Program

On this AppSense webinar, guest speaker Chris Sherman, Forrester Research analyst, shared five principles for an effective endpoint security strategy. Anti-virus software isn't enough anymore. Dan O'Farrell, Sr. Director of Product Marketing for Cloud Computing at Dell, shared how highly-regulated industries have embraced VDI to increase security and reduce costs. And Bassam Khan discussed how AppSense offers privilege management with just-in-time self-elevation and application control through trusted ownership. This allows you to manage and secure your endpoints while providing a great user experience. And our latest product, AppSense Insight, offers endpoint analytics. Contact us to request a demo at iwanttoknowmore@appsense.com.

Protecting endpoints from targeted attacks

AppSense

Are Agile And Secure Development Mutually Exclusive?

Source Conference

Applications support some of the most strategic business processes and access an organization’s most sensitive data. These applications also contain 92% of reported security vulnerabilities, not networks. Yet application security continues to receive less budget and attention than network security. This means security-aware companies must find a cost-effective application security solution to lower application-related security risk without compromising productivity. Not an easy task. Fortunately, there is a way. In this presentation, you’ll learn one simple solution to solving six of the most common security hurdles.

The Path to Proactive Application Security

Software development is changing. It is now measured in days instead of months. Microservice architectures are preferred over monolithic centralized app architecture, and cloud is the preferred environment over hardware that must be owned and maintained. In this webinar, we examine how these new software development practices have changed web application security and review a new approach to protecting assets at the web application layer. Attendees will learn: The changes in development models, architecture designs, and infrastructure How these changes necessitate a new approach to web application security How development teams can effectively stay secure at the speed of DevOps

Deploying Secure Modern Apps in Evolving Infrastructures

SBWebinars

What’s making way for secure sdlc

Avancercorp

Outpost24 webinar - Improve your organizations security with red teaming

In most cases, the COVID-19 crisis has sped up the desire to engage in digital transformation for medium-to-large scale enterprises. Roadmaps are rarely implemented without challenges. During this session, MK Palmore, the Field CSO (Americas) for Palo Alto Networks and a former public-sector executive, will walk through the difficulties of crisis planning execution in the midst of an organization's digital changes. He will use a combination of industry insights through statistical observations and direct customer feedback to emphasize the importance of adopting new technologies to battle an ever changing threat landscape.

Was ist angesagt? (20)

Open Source Security - It can be done easily.

Outpost24 webinar - A day in the life of an information security professional

Secure Software Development Lifecycle

BSIMM: Bringing Science to Software Security

Get Your Board to Say "Yes" to a BSIMM Assessment

Basic of SSDLC

Dmitriy Desyatkov "Secure SDLC or Security Culture to be or not to be"

Jack Nichelson - Information Security Metrics - Practical Security Metrics

Cyber security - It starts with the embedded system

The State of Open Source Vulnerabilities Management

Outpost24 webinar - The new CISO imperative: connecting technical vulnerabili...

How to Choose the Right Security Training for You

DevOps Night - Shifting Security to the Left - SCTV Tower - 19 September 2018

Getting Executive Support for a Software Security Program

Protecting endpoints from targeted attacks

Are Agile And Secure Development Mutually Exclusive?

The Path to Proactive Application Security

Deploying Secure Modern Apps in Evolving Infrastructures

What’s making way for secure sdlc

Outpost24 webinar - Improve your organizations security with red teaming

Ähnlich wie Stu r35 a

Security is our duty and we shall deliver it - White Paper

Mohd Anwar Jamal Faiz

Fortify-Application_Security_Foundation_Training.pptx

YoisRoberthTapiadeLa

Fortify-Application_Security_Foundation_Training.pptx

VictoriaChavesta

Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx

lior mazor

SAM05_Barber PW (7-9-15)

Norm Barber

Journey to the Perfect Application: Digital Transformation During a Crisis

Aggregage

Application Hackers Have A Handbook. Why Shouldn't You?

London School of Cyber Security

Scalable enterprise mobility solutions: How to give your employees tools they need without sacrificing user experience and security. Consumerization of IT and BYOD are here – and it’s a GOOD thing. Today's dynamic workplaces and hyper-competitive markets drive demand for more mobile productivity solutions. Nearly 70% of enterprise employees report making better decisions, being more productive and happier if they are allowed to use mobile devices and cloud-based tools. Yet, IT organizations often resist these trends because of cost and risk associated with multi-platform, multi-device ecosystem having access to corporate data and resources. In this webinar, product experts from Sencha and Centrify will help your organization embrace BYOD and SaaS in a cost-effective, scalable way. Sencha Space is an advanced platform for securely deploying mobile apps and delivering a consistent, elegant, mobile user experience to end-users. Users can launch any mobile web app, or HTML5 app in a secure, managed environment. Combining Space with secure, Active Directory- or Cloud-Based Identity and Access Management (IAM) from Centrify gives IT visibility and control over mobile platforms and SaaS / in-house apps while improving user experience and reducing security risk.

Embracing secure, scalable BYOD with Sencha and Centrify

Sumana Mehta

Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...

Synopsys Software Integrity Group

Veracode Corporate Overview - Print

Andrew Kanikuru

Appendix A Operating Scenario GPS/CDU Project for Wild Blue Yonder Technologies Wild Blue Yonder Technologies Inc (WYBT) is a general holding company whose line of business is tailored to high-tech holdings. Wild Blue Yonder Technologies various subsidiary companies are maintained as one coordinated business from offices in New York City. The centralization of policy and planning direction at one location has historically produced higher revenues, profit margins, and customer satisfaction. The necessary degree of coordination is enabled by a global, enterprise network that is managed from the New York location. That network provides secure telecommunications capability with embedded firewall protection, multi-carrier cellular access options and automatic access point database updates for all connection types. It enables access to the enterprise’s applications from any location on an as-needed basis. The network also provides integrated, any distance, seamless connectivity to WBYT’s centralized information resources. WBYT’s holdings are concentrated in advanced technology products and services. Two closely held subsidiaries deal exclusively with the Federal government. The line of business of one, which is based in Gaithersburg, Maryland, is R&D and manufacture for advanced capability components for the F 16 Fighting Falcon and F 18 Super Hornet. The other, based in Jacksonville deals in R&D in target acquisition and fire control systems for Army helicopters. There is also a manufacturing facility in Detroit. That facility builds Leopard tanks for the Canadian Army under license from the German government. Other close holdings in WBYT’s empire include a commercial electronics R&D facility in Corvallis. The Corvallis facility also does contract work for the Idaho National Laboratory. In addition to the closely held corporations, there are loosely held electronics manufacturing, or service holdings in Pittsburgh, Houston, Des Moines, Sioux Falls, Denver and Bozeman. These facilities serve the consumer high-tech industry. Finally, there are a number of loosely held international corporations in India, Australia and across the Pacific Rim, all concentrated in advanced technology. All computer services for that region are provided over a public/private VPN , which is maintained for that area in Singapore. The Singapore data center is actually owned and operated by WBYT, as part of the company’s global VPN. The VPN itself is maintained out of the New York office. According to WBYT’s charter, the primary business goal of the Company is to utilize the global marketplace to provide high quality technology components at the lowest price possible price. Wild Blue Yonder Technologies entered the market knowing that the ability to closely monitor its operation and deliver competitive business information quickly was going to be a prerequisite to its success, particularly in the integration and reuse of COTS products. In essence, its entire.

Appendix AOperating ScenarioGPSCDU Project for Wild B.docx

lisandrai1k

Looking for your next Cleared Career Opportunity in DC metro or Beyond? Join us on November 17th at the reStartEvents DC metro & Beyond All-Clearances Virtual Career Fair and explore hundreds of career opportunities available throughout Northern Virginia, DC metro, Maryland and around the country.... Chat with hiring managers & recruiters from some of the nation's leading defense contractors - all from the comfort and safety of your home or office. reStartEvents DC metro & Beyond All-Clearances Virtual Career Fair Thursday, November 17th, 2022 2pm - 5pm est Details & Registration: https://tinyurl.com/3hrxm223 An Active Security Clearance IS Required For This Event Companies Interviewing: • Leidos • Northrop Grumman • ACT1 • Amazon Web Services (AWS) • Compass, Inc. • Google • IPSecure, Inc • Jacobs • LinQuest • Maxar Technologies • OBXtek • Raytheon Technologies Whether you are transitioning from the military or federal government, actively seeking employment, furloughed, your contract is coming to an end or window shopping and want to see what else is out there for you, This Is The Event For You! Positions available include: Software Engineering, Network Engineer, Financial Analyst, RF/SATCOM Engineers, QA Automation Developer, Configuration Management, Scrum Master, Cyber Security, DevOps Engineer, Project Management, Data Analyst, Systems Administration, Information System Security Engineer, Linux, Systems Engineering, Application Engineers, Principal Engineers (RF), UI/UX Software Engineers, and much more.... This event is targeting cleared job seeking professionals looking for cleared employment opportunities throughout the DC metro area & beyond Please feel free to share this important event with any of your Cleared colleagues and friends who would benefit from participating Looking forward to seeing you online on November 17th

reStartEvents DC metro & Beyond 11:17 Employer Directory.pdf

Ken Fuller

SCS DevSecOps Seminar - State of DevSecOps

Stefan Streichsbier

Fortify Continuous Delivery

Mainstay

Outpost24 Webinar - Creating a sustainable application security program to dr...

In this webinar, you will learn about trends in application security, threat modeling and risk rating your applications, and optimizing your Software Development Lifecycle. Highlights include: - Research from the Ponemon Institute: Where have companies improved and where do they continue to struggle when it comes to application security? - Understanding application security threats to different platforms and how to prioritize vulnerabilities. - Optimizing your Software Development Lifecycle by using best practices, identifying skill gaps, and building a roadmap.

It's Behind You! Managing Insider Threats to Digital Security with RES Software

RES

Kaspars Petersons - BYOD - more like BYOP

DevConFu

Cyber Warfare e scenari di mercato

HP Enterprise Italia

Best Practices for a Mature Application Security Program Webinar - February 2016

Security Innovation

HP2065_TieCon_Presentation_V7

Mark Interrante

Ähnlich wie Stu r35 a (20)

Security is our duty and we shall deliver it - White Paper

Fortify-Application_Security_Foundation_Training.pptx

Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx

SAM05_Barber PW (7-9-15)

Journey to the Perfect Application: Digital Transformation During a Crisis

Application Hackers Have A Handbook. Why Shouldn't You?

Embracing secure, scalable BYOD with Sencha and Centrify

Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...

Veracode Corporate Overview - Print

Appendix AOperating ScenarioGPSCDU Project for Wild B.docx

reStartEvents DC metro & Beyond 11:17 Employer Directory.pdf

SCS DevSecOps Seminar - State of DevSecOps

Fortify Continuous Delivery

Outpost24 Webinar - Creating a sustainable application security program to dr...

It's Behind You! Managing Insider Threats to Digital Security with RES Software

Kaspars Petersons - BYOD - more like BYOP

Cyber Warfare e scenari di mercato

Best Practices for a Mature Application Security Program Webinar - February 2016

HP2065_TieCon_Presentation_V7

Mehr von SelectedPresentations

Длительное архивное хранение ЭД: правовые аспекты и технологические решения

Трансграничное пространство доверия. Доверенная третья сторона.

Варианты реализации атак через мобильные устройства

Новые технологические возможности и безопасность мобильных решений

Управление безопасностью мобильных устройств

Современные технологии контроля и защиты мобильных устройств, тенденции рынка...

Кадровое агентство отрасли информационной безопасности

Основное содержание профессионального стандарта «Специалист по безопасности и...

Основное содержание профессионального стандарта «Специалист по безопасности а...

Основное содержание профессионального стандарта «Специалист по технической за...

Основное содержание профессионального стандарта «Специалист по безопасности т...

О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...

Запись активности пользователей с интеллектуальным анализом данных

Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...

Обеспечение защиты информации на стадиях жизненного цикла ИС

Документ, как средство защиты: ОРД как основа обеспечения ИБ

Чего не хватает в современных ids для защиты банковских приложений

Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...

Оценка состояния, меры формирования индустрии информационной безопасности Рос...

Об угрозах информационной безопасности, актуальных для разработчика СЗИ