1 / 9

Software Security Maturity

Software Security Maturity. The Economic Advantages of a Resilient Supply Chain- Software Security. The End in Mind…. 13% of every dollar spent on software development is returned for a productivity gain and reinvested in high value activities.

bradk
Download Presentation

Software Security Maturity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Software Security Maturity The Economic Advantages of a Resilient Supply Chain- Software Security

  2. The End in Mind… • 13% of every dollar spent on software development is returned for a productivity gain and reinvested in high value activities

  3. Software Security Program - Value Delivery and Productivity Save 2008 Productivity Save $19 M Productivity Gain Increases from Y 2007 to Y 200811.13% * Estimate * Projected DTCC Confidential 3

  4. SDLC Security Requirements “White Box” Testing “Black Box” Testing Pen Tests End-to-end Education, Training, “Security Mavens” Consulting Expertise Workflow, Process Management- CMMI Software Security Controls • 10-15% Productivity Impact • 3 year program • Business case based on reduced risk, higher productivity Static Code Analysis Dynamic Analysis Security Architecture Manual Design Development Q/A- Testing Production

  5. Economic Impact of Controls Controls Preventative Detective Lifecycle 36 1

  6. The Challenge in 2005 The Depository Trust & Clearing Corp (DTCC) had 450 application developers on shore and over 100 offshore creating product for their brokers, bank, mutual fund and insurance carrier customers. DTCC needed to implement improved security practices as part of the application development process. The goal was to create more secure applications to handle clearance and settlement of more than $1.8 Quadrillion worth of securities transactions each year • Background: • Context: • CMMI Level 3 Certified development organization • Dilemma: • What is the best approach to improving the resiliency of software developed, outsourced or bought? 6

  7. Communication KPIs, Portfolio Level Reporting, Vulnerability Framework DTCC’s Software Security Program 10 Core Control Points System Implementation Lifecycle (SILC – CLASP Integration) Security Education Code Management Open Source Palamida/Black Duck Requirements Phase Business Requirements, PSA Process Enhance Whiteboard Tracking BITS Shared Assessment- Services Design Phase Current ASAR New ASAR Implementation Build Phase Fortify – In-house Development Veracode – COTS Testing Phase WHITEHAT – Dynamic Analysis Security Testing (TSG) Operational Phase Application Logging Control Standard enVision Integration Application Assessment Net2S, Primeon (on demand) Database Security AppDetective – Compliance enVision – Security Monitoring

  8. KPIs - 17 Production KPIs

  9. Accountability Model – Comprehensive reports Domain Level, VP Level and Project Level Reports 9

More Related