Building an Effective SDLC Program: Case Study
Guy Bejerano, CSO, LivePerson
Ofer Maor, CTO, Seeker Security
The Next 45 Min
• SDLC – Why Do We Bother?
• Vendor Heaven – Sell All You Can Sell
• Finding Your Path in The Jungle – Assembling The Puzzle to Build a Robust SDLC Program
Data & insights based on our experience @ LivePerson
Seeker Security
• Formerly Hacktics® (acquired by EY)
• New generation of Application Security Testing (IAST)
• Recognized as Top 10 Most Innovative Companies at RSA® 2010
• Recognized as “Cool Vendor” by Gartner
Identify, Demonstrate & Mitigate Critical Application Business Risk
LivePerson
• Monitor web visitors’ behavior (over 1.2 B visits each month)
• Providing engagement platform (over 10 M chats each month)
• Deploying code on customers’ websites
• SaaS in a full multi-tenancy environment
• Process and store customers’ data on our systems
Providing Service to Some of the Biggest
Cloud Motivation for Building Secure Code
• Reputation in a social era
• Risk characteristics
  • Cyber crime – financial motivation
  • Systems are more accessible and perimeter protection is not enough
• Legal liability and cost of non-compliance
• Customers (over 15 application pen-tests in the past year)
The Impact of Security Bugs in Production
• Highly expensive to fix (4X the cost of fixing during the dev process)
• We are not focusing on the upside
• Creates friction – externally and internally
Back in the Waterfall Days
Design → Development → QA → Rollout
• Security requirements
• Bug fixing
• 3rd party pen-testing
• Customer testing
Challenges
• Accuracy of testing
• Same findings repeating
• Internal friction still exists
And Then We Moved to Agile
Sprint Plan → Sprint & Regression → Rollout → In Production
• Security requirements
• 3rd party pen-testing
• Customer testing
Challenges
• Shorter cycle (design, bug fixing)
• Greater friction
The Solution Matrix
Vendor Heaven – infinite services, products, solutions & combinations
• In House / Outsourced
• Services / Product / SaaS
• Manual / Automated
• Blackbox / Whitebox
• Penetration Test / Code Review
• DAST / SAST / IAST
The Solution Matrix – Considerations
In-House / Outsourced
• Skills
• Availability
• Cost
• Repeatability
• SDLC integration
Service / Product / SaaS (Manual / Automated)
• Accuracy (false positives, false negatives)
• Skills / quality
• Repeatability
• Ease of use
• SDLC integration
• Intellectual property
DAST / SAST / IAST (PT / CR, Black / White Box)
• Coverage
• Accuracy (false positives, false negatives)
• Quality of results (pinpointing code, data handling, validation)
• Ease of operation
• 3rd party code
• Scale
How to Assemble All the Pieces?
Define your playground
• Risk – web, data, multi-tenancy
• Customers – SLA, standards
Choose a framework
Who leads this program
• Highly technical organization (system owners, scrum masters, tech leaders)
Knowledge – who & how
• Hands-on… QA first
• On-going sessions
How to Assemble All the Pieces?
Fitting tools to platform and development process
• Java – multi-tier
• Agile methodology
• JIRA (for bug tracking)
Define operational cycle
• Key performance indicators
• Operational review (by system owners)
Pen-test strategy
• 3rd party
• Blackbox
• Pre-defined flows to check
SDLC Take #2
Sprint Plan → Sprint & Regression → Rollout → In Production
• Security design
• 3rd party pen-testing
• Customer testing
• Budgeted “Certification” program
• R&D / QA ownership (tech leaders & system owners)
• Knowledge (hands-on training + on-going sessions)
• Embedded bug tracking in dev tools
• Static code analysis
• Runtime/dynamic code analysis
Thank You!
Q&A