TRANSCRIPT
1 FUG2016 Copyright © Serena Software 2016
WE OWN IT! Centralized Secure Vault with Dimensions CM
Rose M Wellman, Sr Mgr, Solutions Architects
What do these numbers represent?
That We Know About
Security Breaches Change Over Time
Open the safe! Amateur!
Not Just Banks
Breaches by 3rd Party Systems
• The attackers backed their way into Target's corporate network by compromising a third-party vendor. The number of vendors targeted is unknown. However, it only took one. That happened to be Fazio Mechanical, a refrigeration contractor.
• A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for -- Fazio Mechanical's login credentials.
• At the time of the breach, all major versions of enterprise anti-malware detected the Citadel malware. Unsubstantiated sources mentioned that Fazio used the free version of Malwarebytes anti-malware, which, being an on-demand scanner, offered no real-time protection. (Note: Malwarebytes anti-malware is highly regarded by experts when used in the correct manner.)
Everyone is a Target
Ensuring Security in Today’s World
Secure SDLC+
Centralized Secure Vault
Dimensions CM
Secured SDLC
Secure SDLC
Source: http://www.aspectsecurity.com/secure-development-programs
Requirements
• Establish security requirements/stories
• Define security tests
Development
• Peer code reviews
• Static analysis
Testing
• Vulnerability testing
• Penetration testing
Release
• Software quality review
• Release readiness review
Secure SDLC
Serena Dimensions CM - Integrated Peer Code Review
Develop with velocity - collaboratively, securely and efficiently
Key Capabilities
• Collaborative web-based architecture
• Integrates with Agile stories and requests
• Linked to Continuous Inspection
• Strengthens audit trail & governance
• Configurable for projects & teams
Value Benefits
• Improved code quality: find 70-90% of all defects earlier
• Cost reduction: save up to 30% of re-work hours
• Developer productivity: up to 25% improvement in coding
Source: Peer Reviews in Software - A Practical Guide, by Karl E. Wiegers
Serena Dimensions CM - Continuous Inspection Toolchain
Develop with velocity - collaboratively, securely and efficiently
Key Capabilities
• Extensible plug-in architecture
• Schedule & inspect code changes
• Report findings & vulnerabilities
• Aggregated KPI metrics
• Supports DevOps “Shift-Left”
Value Benefits
• Display results in code review
• Real-time developer feedback
• Reduce coding risks & issues
• Monitor code health & quality
• Speed release readiness
"Given enough eyeballs, all bugs are shallow." The Cathedral and the Bazaar, Eric Raymond
• Code hygiene
  – Refers to the “cleanliness” of an application – in particular, minimizing vulnerabilities and code complexity.
  – Good code hygiene requires visibility into all the components used to build the application.
  – Several activities in the software development lifecycle support good code hygiene, including threat modeling and automated testing (i.e., static and dynamic analysis).
  – The shortcoming of each of these activities is that they only provide a point-in-time snapshot of code hygiene, and can’t account for a changing threat space.
  – You have to continuously monitor or continuously apply good hygiene.
• More than 4,000 new vulnerabilities were disclosed by the National Vulnerability Database in open-source components in 2014 alone. The fact that your open-source code bases are free from vulnerabilities today doesn’t mean you can ignore them for the next year.
• OWASP Dependency-Check
Open Source
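The continuous-monitoring point above, as an added example that is not part of the original deck or of any Serena product: a nightly diff of two scans of the same open-source components, so that a vulnerability disclosed after the baseline scan is flagged even though no code changed. The report shape (dependencies, fileName, vulnerabilities, name, severity) is an assumed simplification of an OWASP Dependency-Check JSON report, and the component names and CVE ids are constructed sample data.

```python
"""Continuous dependency monitoring: diff two vulnerability scans.
Added example, not Serena or Dimensions CM code. The report shape
(dependencies -> fileName, vulnerabilities -> name/severity) is an
ASSUMED simplification of an OWASP Dependency-Check JSON report;
component names and CVE ids below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed: the SAME components scanned on two different days.
REPORT_DAY1 = {"dependencies": [
    {"fileName": "libfoo-1.2.jar", "vulnerabilities": []},
    {"fileName": "libbar-0.9.jar", "vulnerabilities": [
        {"name": "CVE-0000-0001", "severity": "LOW"}]},
]}
REPORT_DAY2 = {"dependencies": [
    {"fileName": "libfoo-1.2.jar", "vulnerabilities": [
        {"name": "CVE-0000-0002", "severity": "HIGH"}]},  # disclosed after day 1
    {"fileName": "libbar-0.9.jar", "vulnerabilities": [
        {"name": "CVE-0000-0001", "severity": "LOW"}]},
]}

Finding = Tuple[str, str, str]  # (component, vulnerability id, severity)

def findings(report: Dict) -> Set[Finding]:
    """Flatten a scan report into a set of (component, id, severity)."""
    out: Set[Finding] = set()
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            out.add((dep["fileName"], vuln["name"], vuln["severity"].upper()))
    return out

def new_findings(baseline: Dict, current: Dict) -> Set[Finding]:
    """Findings present now but absent from the baseline scan. With an
    unchanged component set, these are disclosures made after the baseline:
    exactly what a single point-in-time snapshot cannot show."""
    return findings(current) - findings(baseline)

def gate(baseline: Dict, current: Dict, fail_at: str = "HIGH") -> List[Finding]:
    """New findings at or above the threshold; a non-empty result means the
    nightly job should fail and the component needs attention."""
    threshold = SEVERITY_RANK[fail_at]
    return sorted(f for f in new_findings(baseline, current)
                  if SEVERITY_RANK.get(f[2], 0) >= threshold)

if __name__ == "__main__":
    for component, vuln_id, severity in gate(REPORT_DAY1, REPORT_DAY2):
        print(f"NEW {severity}: {vuln_id} in {component}")
```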
Centralized Secure Vault
Problem – Repository Sprawl
• DevOps driving adoption of Git
• Repository sprawl
  – Multiple source code repos
  – Individually managed/maintained
• Security?
• Reliability?
• Cross-team collaboration?
• Audit trail?
No Built-in Security and Authorization
• Read/write security on all objects
• Group role assignments
• Full audit trail of all objects
Git/SVN Goes into the Dimensions CM Secure Vault
[Diagram, labels only: Release Control; Dev, DevOps, Ops; Dimensions CM; Deployment Automation; CM Secure Vault; ChangeMan ZMF; four deployment pipelines]
Better Solution – Git Connector
[Diagram, labels only: Dimensions CM Vault; Dimensions CM Deployment Pipeline; Serena Deployment Automation; Dimensions CM = Git Master Repository; Dimensions CM Pulse; Dimensions CM Git Connector]
• The developers don’t have to change the tools they are using
• The business gets the control it needs
  – Single source of truth
  – Enterprise security
  – Robust and scalable
• With the additional value of Dimensions CM
  – Continuous Inspection
  – Enterprise Change Management
  – Control over path to production
  – Full audit trail across all components
Dimensions CM Git Connector Benefit
Customer Quotes
“We’re a bank, not a startup, and we need to be using appropriate tools to ensure the integrity and security of change, not tools that add to a developer’s résumé. We don’t want to be the next big headline!”
Richard Landoli, SVP QA, Brown Brothers Harriman
“The visibility and insight that Dimensions CM 14 provides allows us to see if we are converging to quality or diverging from quality in real time.”
Ken Vane, IT Change & Configuration Manager, Navy Federal Credit Union