Building an Effective SDLC Program: Case Study


Building an Effective SDLC Program: Case Study. Guy Bejerano, CSO, LivePerson; Ofer Maor, CTO, Seeker Security. The Next 45 Min: SDLC – Why Do We Bother? Vendor Heaven – Sell All You Can Sell. Finding Your Path in The Jungle - Assembling The Puzzle to Build a Robust SDLC Program.


Presentation Transcript


Building an effective sdlc program case study

Building an Effective SDLC Program:

Case Study

  • Guy Bejerano, CSO, LivePerson

  • Ofer Maor, CTO, Seeker Security



The Next 45 Min

SDLC – Why Do We Bother?

Vendor Heaven – Sell All You Can Sell

Finding Your Path in The Jungle -

Assembling The Puzzle to Build a Robust SDLC Program

Data & Insights based on our experience @ LivePerson



Seeker Security

Identify, Demonstrate & Mitigate

Critical Application Business Risk

Formerly Hacktics® (Acquired by EY)

New Generation of Application Security Testing (IAST)

Recognized as Top 10 Most Innovative Companies at RSA® 2010.

Recognized as “Cool Vendor” by Gartner



  • LivePerson

SAAS in a full Multi-tenancy environment

Monitor web visitors’ behavior (over 1.2 B visits each month)

Deploying code on customers’ websites

Providing an engagement platform (over 10 M chats each month)

Process and Store customers’ data on our systems


Providing Service to Some of the Biggest



Cloud Motivation for Building Secure Code

Risk Characteristics

  • Cyber Crime – Financial motivation

  • Systems are more accessible, and perimeter protection is not enough

  • Reputation in a social era

  • Legal liability and cost of non-compliance

  • Customers (over 15 customer-driven application pen-tests in the past year)



The Impact of Security Bugs in Production

Highly expensive to fix (4x the cost of fixing during development)

Creates friction – Externally and Internally

We are not focusing on the upside



Back in the Waterfall Days

Pipeline: Design → Development → QA → Rollout

Security activities in the diagram: Security Requirements; 3rd party Pen-Testing; Customer Testing; Bug Fixing

Challenges

  • Accuracy of Testing

  • Same Findings Repeating

  • Internal Friction Still Exists



And Then We Moved to Agile

Pipeline: Sprint Plan → Sprint & Regression → Rollout → In Production

Security activities in the diagram: Security Requirements; 3rd party Pen-Testing; Customer Testing

Challenges

  • Shorter Cycle (Design, Bug Fixing)

  • Greater Friction



The Solution Matrix

Vendor Heaven

Infinite Services, Products, Solutions & Combinations

In House / Outsourced

Services / Product / SaaS

Manual / Automated

Blackbox / Whitebox

Penetration Test / Code Review

DAST / SAST / IAST



The Solution Matrix - Considerations

  • Service/Product/SaaS (Manual/Automated) and In-House/Outsourced: Skills, Accuracy, Availability, False Positives, Cost, Ease of Use, False Negatives, Repeatability, Skills/Quality, SDLC Integration, Coverage, Intellectual Property

  • DAST/SAST/IAST (PT/CR, Black/White Box): Accuracy, False Positives, False Negatives, Quality of Results, Pinpointing Code, Validation, Data Handling, Ease of Operation, 3rd Party Code, Scale



How to Assemble All the Pieces?

  • Define Your Playground: Risk – Web, Data, Multi-Tenancy; Customers – SLA, Standards

  • Choose a Framework

  • Who Leads This Program: Highly Technical Organization (System Owners, Scrum Masters, Tech Leaders)

  • Knowledge – Who & How: Hands-On… QA First; On-going sessions



How to Assemble All the Pieces?

  • Pen-Test Strategy: 3rd Party; Blackbox; Pre-defined flows to check

  • Fitting Tools to Platform and Development Process: Java – Multi-Tier; Agile Methodology; JIRA (for bug tracking)

  • Define Operational cycle

  • Key Performance Indicators

  • Operational Review (by system owners)


SDLC Take #2

Pipeline: Sprint Plan → Sprint & Regression → Rollout → In Production

Security activities in the diagram: Security Design; Static Code Analysis; Runtime/Dynamic Code Analysis; 3rd party Pen-Testing; Customer Testing

Program elements:

  • Budgeted “Certification” Program

  • R&D / QA Ownership (Tech Leaders & System Owners)

  • Knowledge (Hands-On Training + On-Going Sessions)

  • Embedded Bug Tracking in Dev Tools
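The operational cycle, the KPIs and the embedded bug tracking above, together with the "same findings repeating" challenge from the waterfall slide, as an added example (not LivePerson's process and not any vendor's API). The FINDINGS export, its fingerprints, sprint numbers, dates and the SLA_DAYS table are constructed for the example; a real run would read the same fields from the tracker the analysis tools file into.

```python
"""Added example: sprint security KPIs and a rollout gate computed from a
findings export. Not LivePerson's process or any vendor's API; the findings,
fingerprints, sprint numbers, dates and SLA values are constructed here."""
from datetime import date

# Constructed export, shaped like what a SAST/IAST tool pushes into a tracker:
# one record per finding, keyed by a stable fingerprint (rule + code location)
# so the same bug re-appearing in a later sprint can be recognised as a repeat.
FINDINGS = [
    {"id": "SEC-1", "fingerprint": "sqli:ChatDao.java:88", "severity": "high",
     "sprint": 41, "opened": date(2012, 3, 5), "closed": date(2012, 3, 9)},
    {"id": "SEC-2", "fingerprint": "xss:ReportView.java:14", "severity": "medium",
     "sprint": 41, "opened": date(2012, 3, 6), "closed": date(2012, 3, 20)},
    {"id": "SEC-3", "fingerprint": "sqli:ChatDao.java:88", "severity": "high",
     "sprint": 42, "opened": date(2012, 3, 19), "closed": None},   # came back
    {"id": "SEC-4", "fingerprint": "idor:ChatApi.java:51", "severity": "high",
     "sprint": 42, "opened": date(2012, 3, 21), "closed": None},
]

# Assumed fix-time SLA per severity, in days from opened to closed.
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}


def _as_date(today):
    """Accept either a date or an ISO string such as '2012-04-02'."""
    return date.fromisoformat(today) if isinstance(today, str) else today


def mean_time_to_fix(findings, severity):
    """Average days from opened to closed for closed findings of one severity."""
    durations = [(f["closed"] - f["opened"]).days
                 for f in findings if f["severity"] == severity and f["closed"]]
    return sum(durations) / len(durations) if durations else None


def repeat_findings(findings):
    """Fingerprints seen in more than one sprint: the 'same findings repeating' KPI."""
    sprints_by_fp = {}
    for f in findings:
        sprints_by_fp.setdefault(f["fingerprint"], set()).add(f["sprint"])
    return sorted(fp for fp, sprints in sprints_by_fp.items() if len(sprints) > 1)


def sla_breaches(findings, today):
    """Ids of open findings older than the SLA for their severity."""
    today = _as_date(today)
    return sorted(f["id"] for f in findings
                  if f["closed"] is None
                  and (today - f["opened"]).days > SLA_DAYS[f["severity"]])


def rollout_gate(findings, sprint, today):
    """Return (ok, reasons). The sprint's rollout is blocked on any open finding
    past its SLA and on any open finding in this sprint that is a recurrence."""
    reasons = [f"{fid} open past SLA" for fid in sla_breaches(findings, today)]
    repeats = set(repeat_findings(findings))
    for f in findings:
        if f["sprint"] == sprint and f["closed"] is None and f["fingerprint"] in repeats:
            reasons.append(f"{f['id']} is a recurrence of {f['fingerprint']}")
    return (not reasons, reasons)


if __name__ == "__main__":
    today = "2012-04-02"
    print("MTTF high (days):", mean_time_to_fix(FINDINGS, "high"))
    print("repeat findings:", repeat_findings(FINDINGS))
    print("SLA breaches:", sla_breaches(FINDINGS, today))
    print("gate for sprint 42:", rollout_gate(FINDINGS, 42, today))
```

The gate is only as good as the fingerprint: if the tool reports a location that shifts every time a file is edited, every finding looks new and the repeat KPI silently reads zero, which is why "Pinpointing Code" sits in the tool-selection considerations above.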



Thank You!

Q&A

