SlideShare a Scribd company logo

The Future of Software Security Assurance

Rafal Los, profile picture
Rafal Los

The document outlines the future of software security assurance, highlighting the necessity for modernized security practices in response to outdated applications and the challenges posed by cloud adoption. It identifies five key catalysts for change and proposes eight evolutions in software security strategies, emphasizing risk-based defense and the need for organizations to engage in the full application lifecycle. The overarching message is that proactive measures and adapting to emerging security challenges are critical to mitigating risks effectively.

TechnologyNews & Politics
Related topics:
Application Security
1 of 24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
The Future of Software Security Assurance: Cloudy, with Storms Likely Rafal Los Enterprise & Cloud Security Strategist HP Software ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
SSA Software Security Assurance ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Software Security Assurance Can you trust your software?
THE FUTURE …of software security. ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
5 Inevitables
1 – Application Modernization Catalysts: • Your corporate applications are aging • Aging application technologies are hindering your business productivity • Applications deployed ‘before security’ are critically exposed Opportunity: • Address software security as a core business requirement • Modernize security controls, “bolt-ons”
2 – Cloud Adoption Catalysts: • Organizations are adopting cloud whether they acknowledge it or not • Extreme confusion: what is “cloud security”? • “The Cloud” brings fundamentally different security challenges Opportunity: • A forceful re-evaluation of security paradigms • Shift security from perimeter, to application • Engage providers, fully understand risks of the cloud model
3 – Consumerization of the Enterprise Catalysts: • Enterprises functions being performed across consumer devices • Corporate data is spread across devices enterprises don’t control • Applications must run on diverse platforms, pose unique risks Opportunity: • Understand application risk profiles across consumer use-cases • Focus on minimizing data sprawl, centralizing logic processing • Create strategic mobile application defenses
4 – Technology Overrun Catalysts: • Bleeding-edge client-side technology adoption • Mobile development is hot, security is lacking • Development technology over-running security capability Opportunity: • Adopt technology-independent security controls • Control application release processes (ITIL change control)
5 – Incidents Catalysts: • Incidents will increase as enterprises become more aware • Cloud adoption, mobile computing, consumerization increases likelihood • Regulations and laws continue to drive disclosure Opportunity: • Optimized technology responds to incidents faster, smarter • Identify data acquisition, forensic strategies as part of design plans
8 Evolutions
1 – Start and End with Requirements Strategic risk reduction impacts the idea, not the result • Understand organizational goals, seek to reduce risk • Influence “what the business wants” • Abstract security to risk, in business terms • A defect is a deviation from a requirement
2 – Engage the Full SDLC Organizations must address the full application lifecycle IT Handoff Release
3 – Shift SSA Ownership Software security is not the Security organization’s problem. SSA Today SSA Tomorrow • SSA is equated with security • Security governs SSA program • Security runs SSA program • Security manages key aspects • Manage all aspects • Govern testing, validates • Perform security testing findings • Manage defect tracking • Develop policy, practices • Fail. • Succeed.
4 – Risk-Based Defense Application use-cases have unique risk profiles. It’s time to recognize this fact, and build sane strategies. • Segregate, segment, build security zones by business criticality • Short-term tactical defenses for weakest legacy applications • Fix, defer or accept risk. • Develop risk profiles for application use-cases such as mobile… – Encrypt data, virtualize usage • Fortify more than just the front-end – including services, APIs
5 – Static or Dynamic Testing? Yes. Static vs. Dynamic security testing is no longer a question. Static and Dynamic analysis each has advantages, both are needed Provide the right technology, at the right time, to the right people Audit source code, validate the running application Remember, you can’t test yourself secure
6 – Test, but Cheat When you’re up against attackers, cheat as often as possible. • Gray-box technology provides deeper insight into application logic • Link exploits with vulnerable code • Get to the fix faster. Web App Function exec_query () { take user data (x); construct query (x + y); execute query; return results (z); 4 exploitable fields  1 fix }
7 – Dynamic Security Intelligence Real security isn’t about keeping the ‘bad guys’ out, it’s about reacting in real-time. Critical Detect Data Respond Compromised Remote Corp User
8 – Measure Against Business Goals (KPIs) Only 2 questions are relevant: 1. What are your organizational, business objectives? 2. How does Software Security Assurance contribute to those objectives? 5 Suggested KPIs: 1. WRT – Weighted Risk Trend 2. DRW – Defect Remediation Window 3. RDR – Rate of Defect Recurrence 4. SCM – Specific Coverage Metric 5. SQR – Security to Quality Defect Ratio
1 Cold Hard Fact
You will be breached. You will lose data, trust, and money. The incident is will matter. The response will be the deciding factor.
Surviving a Major Breach In the court of public opinion Organizational Due Diligence Response Incident “Damage” 22 Enterprise Security – HP Confidential
SOFTWARE SECURITY ASSURANCE MUST EVOLVE Enterprise Security – HP Confidential 23
Twitter: @Wh1t3Rabbit Blog: http://hp.com/go/white-rabbit Podcast: http://podcast.wh1t3rabbit.net THANK YOU, LET’S TALK!

More Related Content

PPTX
The QA Analyst's Hacker's Landmark Tour v3.0
Rafal Los
 
PDF
Security BSides Atlanta - "The Business Doesn't Care..."
Rafal Los
 
PPTX
Software Security Assurance - Program Building (You're going to need a bigger...
Rafal Los
 
PPTX
Assess all the things
Jerod Brennen
 
PPT
Six Mistakes of Log Management 2008
Anton Chuvakin
 
PDF
Jump Start Your Application Security Knowledge
Denim Group
 
PPTX
Building an Analytics - Enabled SOC Breakout Session
Splunk
 
PDF
2015 Cyber Security
Allen Zhang
 
The QA Analyst's Hacker's Landmark Tour v3.0
Rafal Los
 
Security BSides Atlanta - "The Business Doesn't Care..."
Rafal Los
 
Software Security Assurance - Program Building (You're going to need a bigger...
Rafal Los
 
Assess all the things
Jerod Brennen
 
Six Mistakes of Log Management 2008
Anton Chuvakin
 
Jump Start Your Application Security Knowledge
Denim Group
 
Building an Analytics - Enabled SOC Breakout Session
Splunk
 
2015 Cyber Security
Allen Zhang
 

What's hot (20)

PPTX
451 and Cylance - The Roadmap To Better Endpoint Security
Adrian Sanabria
 
PPTX
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...
AlienVault
 
PDF
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Source Conference
 
PPTX
Building a SOC - hackmiami 2018
Jose Hernandez
 
PPTX
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
Ten Security Product Categories You've Probably Never Heard Of
Adrian Sanabria
 
PPTX
2016 virus bulletin
Adrian Sanabria
 
PPTX
Generic siem how_2017
Anton Chuvakin
 
PPTX
Security best practices for regular users
Geoffrey Vaughan
 
PDF
Getting Executive Support for a Software Security Program
Cigital
 
PPTX
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
Something Fun About Using SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
Incident Response in the age of Nation State Cyber Attacks
Resilient Systems
 
PDF
Get Your Board to Say "Yes" to a BSIMM Assessment
Cigital
 
PDF
The Path to Proactive Application Security
Cigital
 
PDF
Proactive Measures to Defeat Insider Threat
Andrew Case
 
PPTX
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
PPTX
NIST Critical Security Framework (CSF)
Priyanka Aash
 
PPTX
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Brian Andrzejewski
 
PPTX
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
451 and Cylance - The Roadmap To Better Endpoint Security
Adrian Sanabria
 
AlienVault Partner Update: So Many Security Products to Sell to My Customers…...
AlienVault
 
Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?
Source Conference
 
Building a SOC - hackmiami 2018
Jose Hernandez
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
Ten Security Product Categories You've Probably Never Heard Of
Adrian Sanabria
 
2016 virus bulletin
Adrian Sanabria
 
Generic siem how_2017
Anton Chuvakin
 
Security best practices for regular users
Geoffrey Vaughan
 
Getting Executive Support for a Software Security Program
Cigital
 
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
Anton Chuvakin
 
Something Fun About Using SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
Incident Response in the age of Nation State Cyber Attacks
Resilient Systems
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Cigital
 
The Path to Proactive Application Security
Cigital
 
Proactive Measures to Defeat Insider Threat
Andrew Case
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
NIST Critical Security Framework (CSF)
Priyanka Aash
 
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Brian Andrzejewski
 
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Ad

Similar to The Future of Software Security Assurance (20)

PPTX
Application Hackers Have A Handbook. Why Shouldn't You?
London School of Cyber Security
 
PPTX
Application security meetup 27012021
lior mazor
 
PDF
Trending it security threats in the public sector
Core Security
 
PPTX
Protecting health and life science organizations from breaches and ransomware
Cloudera, Inc.
 
PDF
Why You'll Care More About Mobile Security in 2020
tmbainjr131
 
PDF
Why You’ll Care More About Mobile Security in 2020 - Tom Bain
EC-Council
 
PPTX
SAM05_Barber PW (7-9-15)
Norm Barber
 
PPT
Information Technology Security Basics
Mohan Jadhav
 
PDF
Software Vulnerabilities Risk Remediation
Bruce Hafner
 
PDF
Journey to the Cloud: Securing Your AWS Applications - April 2015
Alert Logic
 
PPTX
Building an AppSec Team Extended Cut
Mike Spaulding
 
PPTX
Mike Spaulding - Building an Application Security Program
centralohioissa
 
PDF
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
PDF
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Cybersecurity Education and Research Centre
 
PDF
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
AT-NET Services, Inc. - Charleston Division
 
PDF
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
NathanDjami
 
PPT
dataProtection_p3.ppt
ssusera76ea9
 
PDF
Responding to and recovering from sophisticated security attacks
IBM
 
PDF
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
PDF
Vulnerability Management In An Application Security World
Denim Group
 
Application Hackers Have A Handbook. Why Shouldn't You?
London School of Cyber Security
 
Application security meetup 27012021
lior mazor
 
Trending it security threats in the public sector
Core Security
 
Protecting health and life science organizations from breaches and ransomware
Cloudera, Inc.
 
Why You'll Care More About Mobile Security in 2020
tmbainjr131
 
Why You’ll Care More About Mobile Security in 2020 - Tom Bain
EC-Council
 
SAM05_Barber PW (7-9-15)
Norm Barber
 
Information Technology Security Basics
Mohan Jadhav
 
Software Vulnerabilities Risk Remediation
Bruce Hafner
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Alert Logic
 
Building an AppSec Team Extended Cut
Mike Spaulding
 
Mike Spaulding - Building an Application Security Program
centralohioissa
 
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Cybersecurity Education and Research Centre
 
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
AT-NET Services, Inc. - Charleston Division
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
NathanDjami
 
dataProtection_p3.ppt
ssusera76ea9
 
Responding to and recovering from sophisticated security attacks
IBM
 
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
Vulnerability Management In An Application Security World
Denim Group
 
Ad

More from Rafal Los (20)

PDF
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
 
PDF
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
Rafal Los
 
PDF
Irrational But Effective - Applying Parenthood Lessons to Cyber Security
Rafal Los
 
PPTX
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
Rafal Los
 
PPTX
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Rafal Los
 
PDF
Lies, Fables and Security Metrics
Rafal Los
 
PDF
Losing battles, winning wars
Rafal Los
 
PPTX
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
Rafal Los
 
PPTX
Operationalizing Security Intelligence [ InfoSec World 2014 ]
Rafal Los
 
PDF
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Rafal Los
 
PPTX
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rafal Los
 
PPTX
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Rafal Los
 
PPTX
Threat modeling the security of the enterprise
Rafal Los
 
PPTX
Making Measurable Gains - Contextualizing 'Secure' in Business
Rafal Los
 
PDF
Defying Logic - Business Logic Testing with Automation
Rafal Los
 
PDF
Ultimate Hack! Layers 8 & 9 of the OSI Model
Rafal Los
 
PDF
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Rafal Los
 
PPTX
Oh No They Didn't! 7 Web App Security Stories (v1.0)
Rafal Los
 
PPTX
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Rafal Los
 
PPTX
Sans Feb 2010 - When Web 2 0 Attacks v3.3
Rafal Los
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
 
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf
Rafal Los
 
Irrational But Effective - Applying Parenthood Lessons to Cyber Security
Rafal Los
 
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)
Rafal Los
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Rafal Los
 
Lies, Fables and Security Metrics
Rafal Los
 
Losing battles, winning wars
Rafal Los
 
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013
Rafal Los
 
Operationalizing Security Intelligence [ InfoSec World 2014 ]
Rafal Los
 
Operationalizing security intelligence for the mid market - Rafal Los - RSA C...
Rafal Los
 
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...
Rafal Los
 
Cloud Security Alliance- Challanges of an elastic environment v8a [public]
Rafal Los
 
Threat modeling the security of the enterprise
Rafal Los
 
Making Measurable Gains - Contextualizing 'Secure' in Business
Rafal Los
 
Defying Logic - Business Logic Testing with Automation
Rafal Los
 
Ultimate Hack! Layers 8 & 9 of the OSI Model
Rafal Los
 
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)
Rafal Los
 
Oh No They Didn't! 7 Web App Security Stories (v1.0)
Rafal Los
 
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2
Rafal Los
 
Sans Feb 2010 - When Web 2 0 Attacks v3.3
Rafal Los
 

Recently uploaded (20)

PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Cloud computing and distributed systems.
kkkkkhan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 

The Future of Software Security Assurance

  • 1. The Future of Software Security Assurance: Cloudy, with Storms Likely Rafal Los Enterprise & Cloud Security Strategist HP Software ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
  • 2. SSA Software Security Assurance ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
  • 3. Software Security Assurance Can you trust your software?
  • 4. THE FUTURE …of software security. ©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
  • 6. 1 – Application Modernization Catalysts: • Your corporate applications are aging • Aging application technologies are hindering your business productivity • Applications deployed ‘before security’ are critically exposed Opportunity: • Address software security as a core business requirement • Modernize security controls, “bolt-ons”
  • 7. 2 – Cloud Adoption Catalysts: • Organizations are adopting cloud whether they acknowledge it or not • Extreme confusion: what is “cloud security”? • “The Cloud” brings fundamentally different security challenges Opportunity: • A forceful re-evaluation of security paradigms • Shift security from perimeter, to application • Engage providers, fully understand risks of the cloud model
  • 8. 3 – Consumerization of the Enterprise Catalysts: • Enterprises functions being performed across consumer devices • Corporate data is spread across devices enterprises don’t control • Applications must run on diverse platforms, pose unique risks Opportunity: • Understand application risk profiles across consumer use-cases • Focus on minimizing data sprawl, centralizing logic processing • Create strategic mobile application defenses
  • 9. 4 – Technology Overrun Catalysts: • Bleeding-edge client-side technology adoption • Mobile development is hot, security is lacking • Development technology over-running security capability Opportunity: • Adopt technology-independent security controls • Control application release processes (ITIL change control)
  • 10. 5 – Incidents Catalysts: • Incidents will increase as enterprises become more aware • Cloud adoption, mobile computing, consumerization increases likelihood • Regulations and laws continue to drive disclosure Opportunity: • Optimized technology responds to incidents faster, smarter • Identify data acquisition, forensic strategies as part of design plans
  • 12. 1 – Start and End with Requirements Strategic risk reduction impacts the idea, not the result • Understand organizational goals, seek to reduce risk • Influence “what the business wants” • Abstract security to risk, in business terms • A defect is a deviation from a requirement
  • 13. 2 – Engage the Full SDLC Organizations must address the full application lifecycle IT Handoff Release
  • 14. 3 – Shift SSA Ownership Software security is not the Security organization’s problem. SSA Today SSA Tomorrow • SSA is equated with security • Security governs SSA program • Security runs SSA program • Security manages key aspects • Manage all aspects • Govern testing, validates • Perform security testing findings • Manage defect tracking • Develop policy, practices • Fail. • Succeed.
  • 15. 4 – Risk-Based Defense Application use-cases have unique risk profiles. It’s time to recognize this fact, and build sane strategies. • Segregate, segment, build security zones by business criticality • Short-term tactical defenses for weakest legacy applications • Fix, defer or accept risk. • Develop risk profiles for application use-cases such as mobile… – Encrypt data, virtualize usage • Fortify more than just the front-end – including services, APIs
  • 16. 5 – Static or Dynamic Testing? Yes. Static vs. Dynamic security testing is no longer a question. Static and Dynamic analysis each has advantages, both are needed Provide the right technology, at the right time, to the right people Audit source code, validate the running application Remember, you can’t test yourself secure
  • 17. 6 – Test, but Cheat When you’re up against attackers, cheat as often as possible. • Gray-box technology provides deeper insight into application logic • Link exploits with vulnerable code • Get to the fix faster. Web App Function exec_query () { take user data (x); construct query (x + y); execute query; return results (z); 4 exploitable fields  1 fix }
  • 18. 7 – Dynamic Security Intelligence Real security isn’t about keeping the ‘bad guys’ out, it’s about reacting in real-time. Critical Detect Data Respond Compromised Remote Corp User
  • 19. 8 – Measure Against Business Goals (KPIs) Only 2 questions are relevant: 1. What are your organizational, business objectives? 2. How does Software Security Assurance contribute to those objectives? 5 Suggested KPIs: 1. WRT – Weighted Risk Trend 2. DRW – Defect Remediation Window 3. RDR – Rate of Defect Recurrence 4. SCM – Specific Coverage Metric 5. SQR – Security to Quality Defect Ratio
  • 20. 1 Cold Hard Fact
  • 21. You will be breached. You will lose data, trust, and money. The incident is will matter. The response will be the deciding factor.
  • 22. Surviving a Major Breach In the court of public opinion Organizational Due Diligence Response Incident “Damage” 22 Enterprise Security – HP Confidential
  • 23. SOFTWARE SECURITY ASSURANCE MUST EVOLVE Enterprise Security – HP Confidential 23
  • 24. Twitter: @Wh1t3Rabbit Blog: http://hp.com/go/white-rabbit Podcast: http://podcast.wh1t3rabbit.net THANK YOU, LET’S TALK!