Agile Secure Software Development in a Large Software Development Organisation: Security Testing

Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

SAP SE, Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany

ASSD Keynote
First International Workshop on Agile Secure Software Development (ASSD)
Toulouse, France, August 24–28, 2015

Abstract

Security testing is an important part of any (agile) secure software development lifecycle. Still, security testing is often understood as an activity done by security testers in the time between “end of development” and “offering the product to customers”.

Learning from traditional testing that fixing a bug becomes more costly the later it is done in development, we believe that security testing should be integrated into the daily development activities. To achieve this, we developed a security testing strategy as part of SAP’s security development lifecycle, which supports the specific needs of the various software development models at SAP.

In this presentation, we briefly present SAP’s approach to an agile secure software development process in general and, in particular, SAP’s Security Testing Strategy, which enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools.

© 2015 SAP SE. All Rights Reserved.

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP’s S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

SAP SE

• Leader in Business Software
  • Cloud
  • Mobile
  • On premise
• Many different technologies and platforms, e.g.
  • In-memory database and application server (HANA)
  • NetWeaver for ABAP and Java
• More than 25 industries
• 63% of the world’s transaction revenue touches an SAP system
• Over 68,000 employees worldwide, over 25,000 software developers
• Headquarters: Walldorf, Germany (close to Heidelberg)

Personal Background

• I wear two hats:
  • (Global) Security Testing Strategist
  • Research Expert/Architect
  Working for the central software security team
• Background: Security, Formal Methods, Software Engineering
• Current work areas:
  • Static code analysis
  • (Dynamic) Security Testing
  • Mobile Security
  • Security Development Lifecycle
  • Secure Software Development Lifecycle

http://www.brucker.ch/

SAP Uses a De-centralised Secure Development Approach

• Central security expert team (S2DL owner)
  • Organizes security trainings
  • Defines product standard “Security”
  • Defines risk and threat assessment methods
  • Defines security testing strategy
  • Selects and provides security testing tools
  • Validates products
  • Defines and executes response process
• Local security experts
  • Embedded into development teams
  • Organize local security activities
  • Support developers and architects
  • Support product owners (responsibles)
• Development teams
  • Select technologies
  • Select development model
  • Design and execute security testing plan

2. Motivation

Vulnerability Distribution

[Figure: number of reported vulnerabilities per year, 1999–2014 (y-axis 0–3000), broken down by type: Code Execution, DoS, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, Bypass something, Gain Privileges, CSRF]

When Do We Fix Bugs?

Microsoft’s SDL

3. Risk-based Security Testing as Part of SAP’s S2DL

Our Start: SAST as a Baseline

[Figure: languages in use at SAP: ABAP, Java, C, JavaScript, Others]

SAST tools used at SAP

  Language     Tool                Vendor
  ABAP         CVA (SLIN_SEC)      SAP
  JavaScript   Checkmarx CxSAST    Checkmarx
  C/C++        Coverity            Coverity
  Others       Fortify             HP

• Since 2010, mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In: GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101. GI, 2014.

Combining Multiple Security Testing Methods and Tools

[Figure: software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) annotated with the tools covering each layer: Checkmarx (JavaScript) on the client/browser side; Fortify (Java) and Coverity (C/C++) on the server side; plus the dynamic analysis tools DOMinator, HP WebInspect and IBM AppScan]

• Risks of using only SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack

A Risk-based Test Plan

[Figure: inputs to the Security Test Plan: the application type, selected from a list of predefined application types; implementation details, e.g. programming languages and frameworks; and the priority of the SAP Security Requirements, derived from the risk assessment (e.g. SECURIM, Threat Modelling, OWASP ASVS)]

The risk-based test plan
• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
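To make the selection logic on this slide concrete, here is an added, illustrative model of a risk-based test plan; it is not SAP’s test plan or tooling. Requirement ids, risk weights, effort figures and the pairing of test options with technologies are constructed assumptions. Each round picks the applicable test that covers the most still-uncovered risk per person-day and fits the budget, and `readjust` raises priorities when project-specific risks are identified:

```python
from dataclasses import dataclass

# Added, illustrative model of a risk-based test plan. All names, requirement ids,
# effort figures and tool/technology pairings are constructed assumptions.


@dataclass(frozen=True)
class TestOption:
    name: str                # test method plus tool, e.g. "SAST: Checkmarx CxSAST"
    technologies: frozenset  # technologies the option can be applied to
    covers: frozenset        # ids of the security requirements it can test
    effort: int              # estimated effort in person-days (constructed)


# Constructed candidate tests; coverage and effort are illustrative assumptions.
OPTIONS = [
    TestOption("SAST: Fortify (Java)", frozenset({"Java"}), frozenset({"SEC-INJ"}), 2),
    TestOption("SAST: Checkmarx CxSAST (JavaScript)", frozenset({"JavaScript"}), frozenset({"SEC-XSS"}), 2),
    TestOption("SAST: Coverity (C/C++)", frozenset({"C", "C++"}), frozenset({"SEC-MEM"}), 2),
    TestOption("Fuzzing", frozenset({"C", "C++"}), frozenset({"SEC-MEM"}), 5),
    TestOption("DAST: web application scan", frozenset({"Java", "JavaScript", "ABAP"}),
               frozenset({"SEC-INJ", "SEC-XSS", "SEC-CFG"}), 4),
    TestOption("Manual penetration test", frozenset({"Java", "JavaScript", "ABAP", "C", "C++"}),
               frozenset({"SEC-INJ", "SEC-XSS", "SEC-AUTHZ", "SEC-CFG"}), 10),
]

# Constructed requirement priorities as a risk assessment would produce them
# (higher weight = higher risk for this application type).
PRIORITIES = {"SEC-INJ": 10, "SEC-AUTHZ": 9, "SEC-XSS": 8, "SEC-MEM": 7, "SEC-CFG": 5}


def applicable(options, technologies):
    """Keep only the tests that apply to at least one technology used in the project."""
    return [o for o in options if o.technologies & technologies]


def plan(options, technologies, priorities, budget):
    """Greedy risk-based selection: each round takes the applicable test with the
    highest still-uncovered risk per person-day that fits the remaining budget.
    Returns (selected test names, requirements left uncovered with their weights)."""
    remaining = dict(priorities)
    candidates = applicable(options, technologies)
    selected, spent = [], 0
    while candidates:
        best, best_score = None, 0.0
        for option in candidates:
            if spent + option.effort > budget:
                continue
            gain = sum(remaining.get(req, 0) for req in option.covers)
            score = gain / option.effort
            if score > best_score:
                best, best_score = option, score
        if best is None:  # nothing affordable adds coverage
            break
        selected.append(best.name)
        spent += best.effort
        for req in best.covers:
            remaining.pop(req, None)
        candidates.remove(best)
    return selected, remaining


def readjust(priorities, identified_risks):
    """Re-adjust requirement priorities once project-specific risks are identified;
    a weight is only ever raised, never lowered."""
    updated = dict(priorities)
    for req, weight in identified_risks.items():
        updated[req] = max(updated.get(req, 0), weight)
    return updated


if __name__ == "__main__":
    techs = frozenset({"Java", "JavaScript"})
    print(plan(OPTIONS, techs, PRIORITIES, budget=8))
    raised = readjust(PRIORITIES, {"SEC-AUTHZ": 12})
    print(plan(OPTIONS, techs, raised, budget=14))
```

The leftover dictionary is the list of requirements the plan cannot test with the chosen budget; it is exactly the input the slide’s last bullet asks a team to monitor, because those are the requirements for which the plan will produce no findings at all, detected or not.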

SAP’s Secure Software Development Lifecycle (S2DL)

[Figure: SAP S2DL]

Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  • Checks for “flaws” in the implementation of the S2DL
  • Ideally, security validation finds
    • No issues that can be fixed/detected earlier
    • Only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)

How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability

[Figure: reported vulnerabilities split into Covered, Not Covered and Newly Covered]

Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
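The decision tree on this slide is small enough to run as code. The following is an added example, not SAP’s tooling: it triages constructed vulnerability reports into the slide’s classes (covered, not covered, newly covered), attaches the follow-up action the slide prescribes, and computes the share of reports still not covered by the tools. The report fields `tool_detects` (the current tool set flags this vulnerability) and `release_scanned` (the affected release was already developed with that tool set) are assumptions made for the example:

```python
from collections import Counter

# Added illustration of the triage on the slide. Report records and field names are
# constructed assumptions:
#   tool_detects    - the current security testing tool set flags this vulnerability
#   release_scanned - the affected release was already developed with that tool set
SAMPLE_REPORTS = [
    {"id": "V-1", "source": "Security Validation", "release": "2.1", "tool_detects": True, "release_scanned": True},
    {"id": "V-2", "source": "External researcher", "release": "1.4", "tool_detects": True, "release_scanned": False},
    {"id": "V-3", "source": "External researcher", "release": "2.1", "tool_detects": False, "release_scanned": True},
    {"id": "V-4", "source": "Security Validation", "release": "2.1", "tool_detects": False, "release_scanned": True},
    {"id": "V-5", "source": "External researcher", "release": "2.0", "tool_detects": True, "release_scanned": True},
]


def triage(report):
    """Return (coverage class, follow-up action) for one reported vulnerability,
    following the decision tree on the slide."""
    if not report["tool_detects"]:
        return "not covered", "improve tool configuration or introduce a new tool"
    if not report["release_scanned"]:
        return "covered", "vulnerability in older release: verify that scanned releases are not affected"
    return "covered", "analyze why the finding was missed although the tools report it"


def coverage_stats(reports, newly_covered_ids=frozenset()):
    """Count reports per class. Ids in newly_covered_ids are 'not covered' reports whose
    kind of vulnerability the tools detect after a configuration change or a new tool.
    Returns (counts per class, percentage of reports still not covered)."""
    counts = Counter()
    for report in reports:
        cls, _ = triage(report)
        if cls == "not covered" and report["id"] in newly_covered_ids:
            cls = "newly covered"
        counts[cls] += 1
    total = sum(counts.values())
    pct_not_covered = round(100.0 * counts["not covered"] / total, 1) if total else 0.0
    return dict(counts), pct_not_covered


def actions(reports):
    """Follow-up action per report id, for the team owning the tool configuration."""
    return {report["id"]: triage(report)[1] for report in reports}


if __name__ == "__main__":
    print(coverage_stats(SAMPLE_REPORTS))
    print(coverage_stats(SAMPLE_REPORTS, newly_covered_ids={"V-3"}))
    for vid, action in actions(SAMPLE_REPORTS).items():
        print(vid, "->", action)
```

Running `coverage_stats` once per release, with the ids that moved to "newly covered" after each tool improvement, gives the trend the slide’s success criterion is about; the per-report actions are what feeds back into the tool configuration.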

4. Lessons Learned

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important

Listen to Your Developers

We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)

Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their “sweet spots”

Collaborate

Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
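The “ever tried to use an SSL API securely?” remark is easy to demonstrate with Python’s standard `ssl` module. The following is an added example and not part of the talk: a secure-by-default helper that hides the knobs, the knob-by-knob style that silently disables server authentication with two lines, and a check that a connection helper runs before it opens a socket, so a weak context cannot reach production by accident. The helper names and the host name in the usage are constructed; the `ssl` calls are the real standard-library API:

```python
import socket
import ssl

# Added illustration for the "easy to use security APIs" point. Helper names are
# constructed; the ssl calls are the standard-library API.


def secure_client_context(cafile=None):
    """A client context that verifies the server certificate and host name and
    refuses protocol versions below TLS 1.2; cafile overrides the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def knob_by_knob_context():
    """What developers end up with when the API exposes every switch: two
    innocent-looking lines turn off all server authentication (constructed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # now any certificate is accepted, forged ones included
    return ctx


def context_weaknesses(ctx):
    """List the settings that make a client context unsafe; empty means acceptable."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("host name not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 allowed")
    return problems


def open_tls_connection(host, port, ctx):
    """Connect only through a context that passes the check."""
    problems = context_weaknesses(ctx)
    if problems:
        raise ValueError("refusing weak TLS client context: " + "; ".join(problems))
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("secure-by-default:", context_weaknesses(secure_client_context()) or "ok")
    print("knob-by-knob     :", context_weaknesses(knob_by_knob_context()))
```

The point for API designers is the shape of `secure_client_context`: the developer supplies at most a trust store, and every verification decision is made for them; `context_weaknesses` is the kind of check a security testing tool can automate, which is the “automate the security knowledge” requirement from the previous slide.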

5. How Does This Resonate With Agile Development?

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development, ...
• Cloud/agile development lifecycle

[Figure: deliveries over time t]

Secure Agile Development

[Figure: security activities mapped onto the agile lifecycle: Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response]

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: Products are often offered in the cloud (SaaS) and on premise

Thank you!

http://xkcd.com/327/

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012


  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 2: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Agile Secure Software Development in a Large Software Development OrganisationSecurity Testing

Abstract

Security testing is an important part of any (agile) secure software development lifecyle Still security testingis often understood as an activity done by security testers in the time between ldquoend of developmentrdquo andldquooffering the product to customersrdquoLearning from traditional testing that the fixing of bugs is the more costly the later it is done in developmentwe believe that security testing should be integrated into the daily development activities To achieve this wedeveloped a security testing strategy as part of SAPrsquos security development lifecycle which supports thespecific needs of the various software development models at SAPIn this presentation we will briefly presents SAPrsquos approach to an agile secure software development processin general and in particular present SAPrsquos Security Testing Strategy that enables developers to find securityvulnerabilities early by applying a variety of different security testing methods and tools

copy 2015 SAP SE All Rights Reserved Page 2 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 3 of 28

SAP SE

bull Leader in Business Softwarebull Cloudbull Mobilebull On premise

bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java

bull More than 25 industries

bull 63 of the worldrsquos transaction revenue touches an SAPsystem

bull over 68 000 employees worldwideover 25 000 software developers

bull Headquarters Walldorf Germany (close to Heidelberg)

copy 2015 SAP SE All Rights Reserved Page 4 of 28

Personal Background

bull I wear two hatsbull (Global) Security Testing Strategistbull Research ExpertArchitect

Working for the central software security team

bull BackgroundSecurity Formal Methods Software Engineering

bull Current work areas

bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle

httpwwwbruckerch

copy 2015 SAP SE All Rights Reserved Page 5 of 28

SAP Uses a De-centralised Secure Development Approach

bull Central security expert team (S2DL owner)bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process

bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)

bull Development teamsbull Select technologiesbull Select development modelbull Design and execute security testing

planbull

copy 2015 SAP SE All Rights Reserved Page 6 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 7 of 28

Vulnerability Distribution

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 20140

500

1000

1500

2000

2500

3000

Code Execution DoS Overflow Memory Corruption Sql InjectionXSS Directory Traversal Bypass something Gain Privileges CSRF

copy 2015 SAP SE All Rights Reserved Page 8 of 28

When Do We Fix Bugs

copy 2015 SAP SE All Rights Reserved Page 9 of 28

Microsoftrsquos SDL

copy 2015 SAP SE All Rights Reserved Page 10 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 11 of 28

Our Start SAST as a Baseline

ABAP

Java

C

JavaScript

Others

SAST tools used at SAP

Language Tool Vendor

ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx

CC++ Coverity CoverityOthers Fortify HP

bull Since 2010 mandatory for all SAP products

bull Multiple billions lines analyzed

bull Constant improvement of tool configuration

bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014

copy 2015 SAP SE All Rights Reserved Page 12 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx (JavaScript)

Fortify (Java) Coverity (CC++)

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx (JavaScript)

Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

A Risk-based Test Plan

Select from a list of

predefined application

types

Implementation detaos eg programming languages frameworks

Priority of SAP Security

Requirements

Security Test Plan

RISK ASSESMENT

(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg

code scans dynamic analysis manual penetrationtesting or fuzzing

bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject

bull Re-adjusts priorities of test cases based on identifiedrisks for the project

bull Monitors false negative findings in the results of riskassessment

copy 2015 SAP SE All Rights Reserved Page 14 of 28

SAPrsquo Secure Software Development Lifecycle (S2DL)

Figure SAP SSDL

copy 2015 SAP SE All Rights Reserved Page 15 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28


How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools:
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools:
  • Vulnerability in an older software release
  • Analyze the reason why the vulnerability was missed

[Figure: reported vulnerabilities split into Covered, Not Covered and Newly Covered]

Success criterion: the percentage of vulnerabilities not covered by our security testing tools increases.
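One way to operationalise this measurement, as an added example that is not SAP's tooling: every vulnerability reported by validation or by an external researcher is tagged with whether a deployed tool already flags it, sorted into the buckets from the slide, and the share of not-covered reports is tracked per period so the success criterion can be checked automatically. The record layout, the bucket names, the follow-up actions and all sample reports are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """One vulnerability reported by security validation or an external researcher.

    The layout is constructed for this example; ids are placeholders, not advisories."""
    ident: str              # constructed ticket id
    source: str             # "validation" or "researcher"
    period: str             # reporting period, used to follow the trend
    affected_release: str   # release the report was filed against
    tool_finding: bool      # True if a deployed security testing tool flags the flaw


# Buckets from the slide and the follow-up each one triggers (wording is ours).
ACTIONS = {
    "not_covered": "improve tool configuration or introduce a new tool",
    "covered_old_release": "flaw is found in current code; check why the fix did not reach this release",
    "covered_missed": "tool flagged it but it shipped anyway; analyse why the finding was not fixed",
}


def classify(r: Report, current_release: str) -> str:
    """Sort one report into a bucket."""
    if not r.tool_finding:
        return "not_covered"
    if r.affected_release != current_release:
        return "covered_old_release"
    return "covered_missed"


def bucket_counts(reports, current_release: str) -> Counter:
    """How many reports fall into each bucket, i.e. what to work on first."""
    return Counter(classify(r, current_release) for r in reports)


def not_covered_share(reports, current_release: str) -> dict:
    """Per period: fraction (0..1) of reports that no deployed tool covers."""
    totals, gaps = Counter(), Counter()
    for r in reports:
        totals[r.period] += 1
        if classify(r, current_release) == "not_covered":
            gaps[r.period] += 1
    return {p: gaps[p] / totals[p] for p in sorted(totals)}


def meets_success_criterion(shares: dict) -> bool:
    """Success criterion from the slide: the not-covered share increases period over period.

    Flaws the tools cover should be caught during development, so a rising not-covered
    share means fewer tool-detectable flaws are escaping to validation and customers."""
    vals = [shares[p] for p in sorted(shares)]
    return len(vals) >= 2 and all(later > earlier for earlier, later in zip(vals, vals[1:]))


# Constructed sample data: three reporting periods, current release "R3".
SAMPLE = [
    Report("V-01", "validation", "P1", "R1", True),
    Report("V-02", "researcher", "P1", "R3", True),
    Report("V-03", "researcher", "P1", "R3", True),
    Report("V-04", "validation", "P1", "R3", False),
    Report("V-05", "researcher", "P2", "R3", False),
    Report("V-06", "validation", "P2", "R3", False),
    Report("V-07", "researcher", "P2", "R2", True),
    Report("V-08", "researcher", "P2", "R3", True),
    Report("V-09", "researcher", "P3", "R3", False),
    Report("V-10", "validation", "P3", "R3", False),
    Report("V-11", "researcher", "P3", "R3", False),
    Report("V-12", "researcher", "P3", "R3", True),
]

if __name__ == "__main__":
    for bucket, n in bucket_counts(SAMPLE, "R3").items():
        print(f"{bucket:20} {n:2}  -> {ACTIONS[bucket]}")
    shares = not_covered_share(SAMPLE, "R3")
    print("not-covered share per period:", shares)
    print("success criterion met:", meets_success_criterion(shares))
```

The `covered_old_release` bucket is kept separate from `covered_missed` because the two call for different follow-ups: the first is a release-management question, the second points at a gap in the development process (a finding existed and was not acted on), which is the more worrying signal.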

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP’s S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important.


Listen to Your Developers

We often talk about a lack of security awareness and thereby forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)

Security Testing for Developers

Security testing tools for developers need to

• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their “sweet spots”

Collaborate

Security experts need to collaborate with development experts to

• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
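The SSL remark above is a concrete case of the first bullet. As an added example (not code from the talk or from SAP), here is what an “easy to use” TLS client API can look like on top of Python's standard `ssl` module, beside the footgun the raw API still permits, plus an audit function that a unit test or a code-review rule can run against any context so that the insecure variant is caught during development rather than by security validation. The function names and problem codes are this example's own; the checks rely only on standard `ssl` attributes.

```python
import ssl


def secure_client_context() -> ssl.SSLContext:
    """The easy-to-use API: one call, nothing to get wrong.

    create_default_context() already enables certificate verification against the
    system trust store and hostname checking; the minimum protocol version is pinned
    explicitly so the guarantee does not depend on the interpreter version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def footgun_client_context() -> ssl.SSLContext:
    """What the raw API lets a developer write when a test-lab certificate fails to verify.

    Note the order: ssl refuses CERT_NONE while check_hostname is still True, so the
    developer has to switch hostname checking off first. Both settings together make
    the client accept any certificate, including one presented by an on-path attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of short problem codes; an empty list means the context is sound."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("no-cert-verification")     # peer certificate is not validated
    if not ctx.check_hostname:
        problems.append("no-hostname-check")        # any valid cert for any host is accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy-tls-allowed")       # TLS 1.0/1.1 handshakes permitted
    return problems


if __name__ == "__main__":
    for name, ctx in (("secure", secure_client_context()),
                      ("footgun", footgun_client_context())):
        print(f"{name:8} -> {audit_context(ctx) or 'OK'}")
```

The point of the wrapper is not that `create_default_context()` is hard to find, but that a developer under time pressure reaches for whatever silences the error; an API whose only entry point is the secure one, backed by a check that fails the build on the other shape, removes that option.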

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP’s S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development
• Cloud/agile development lifecycle

[Figure: timeline (t) of deliveries in a cloud/agile development lifecycle]

Secure Agile Development

[Figure: secure agile development lifecycle, labelled Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response]

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness?
    (Developers and their managers are also responsible for operational risks.)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: products are often offered in the cloud (SaaS) and on premise

Thank you!

http://xkcd.com/327/

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012


  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 3: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 3 of 28

SAP SE

bull Leader in Business Softwarebull Cloudbull Mobilebull On premise

bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java

bull More than 25 industries

bull 63 of the worldrsquos transaction revenue touches an SAPsystem

bull over 68 000 employees worldwideover 25 000 software developers

bull Headquarters Walldorf Germany (close to Heidelberg)

copy 2015 SAP SE All Rights Reserved Page 4 of 28

Personal Background

bull I wear two hatsbull (Global) Security Testing Strategistbull Research ExpertArchitect

Working for the central software security team

bull BackgroundSecurity Formal Methods Software Engineering

bull Current work areas

bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle

httpwwwbruckerch

copy 2015 SAP SE All Rights Reserved Page 5 of 28

SAP Uses a De-centralised Secure Development Approach

bull Central security expert team (S2DL owner)bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process

bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)

bull Development teamsbull Select technologiesbull Select development modelbull Design and execute security testing

planbull

copy 2015 SAP SE All Rights Reserved Page 6 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 7 of 28

Vulnerability Distribution

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 20140

500

1000

1500

2000

2500

3000

Code Execution DoS Overflow Memory Corruption Sql InjectionXSS Directory Traversal Bypass something Gain Privileges CSRF

copy 2015 SAP SE All Rights Reserved Page 8 of 28

When Do We Fix Bugs

copy 2015 SAP SE All Rights Reserved Page 9 of 28

Microsoftrsquos SDL

copy 2015 SAP SE All Rights Reserved Page 10 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 11 of 28

Our Start SAST as a Baseline

ABAP

Java

C

JavaScript

Others

SAST tools used at SAP

Language Tool Vendor

ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx

CC++ Coverity CoverityOthers Fortify HP

bull Since 2010 mandatory for all SAP products

bull Multiple billions lines analyzed

bull Constant improvement of tool configuration

bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014

copy 2015 SAP SE All Rights Reserved Page 12 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx (JavaScript)

Fortify (Java) Coverity (CC++)

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx (JavaScript)

Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

A Risk-based Test Plan

Select from a list of

predefined application

types

Implementation detaos eg programming languages frameworks

Priority of SAP Security

Requirements

Security Test Plan

RISK ASSESMENT

(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg

code scans dynamic analysis manual penetrationtesting or fuzzing

bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject

bull Re-adjusts priorities of test cases based on identifiedrisks for the project

bull Monitors false negative findings in the results of riskassessment

copy 2015 SAP SE All Rights Reserved Page 14 of 28

SAPrsquo Secure Software Development Lifecycle (S2DL)

Figure SAP SSDL

copy 2015 SAP SE All Rights Reserved Page 15 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

NewlyCovered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 18 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important

but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 4: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

SAP SE

bull Leader in Business Softwarebull Cloudbull Mobilebull On premise

bull Many different technologies and platforms egbull In-memory database and application server (HANA)bull Netweaver for ABAP and Java

bull More than 25 industries

bull 63 of the worldrsquos transaction revenue touches an SAPsystem

bull over 68 000 employees worldwideover 25 000 software developers

bull Headquarters Walldorf Germany (close to Heidelberg)

copy 2015 SAP SE All Rights Reserved Page 4 of 28

Personal Background

• I wear two hats:
  • (Global) Security Testing Strategist
  • Research Expert/Architect
  Working for the central software security team
• Background: Security, Formal Methods, Software Engineering
• Current work areas:
  • Static code analysis
  • (Dynamic) Security Testing
  • Mobile Security
  • Security Development Lifecycle
  • Secure Software Development Lifecycle

http://www.brucker.ch/

SAP Uses a De-centralised Secure Development Approach

• Central security expert team (S2DL owner)
  • Organizes security trainings
  • Defines product standard "Security"
  • Defines risk and threat assessment methods
  • Defines security testing strategy
  • Selects and provides security testing tools
  • Validates products
  • Defines and executes response process
• Local security experts
  • Embedded into development teams
  • Organize local security activities
  • Support developers and architects
  • Support product owners (responsibles)
• Development teams
  • Select technologies
  • Select development model
  • Design and execute security testing plan

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

Vulnerability Distribution

[Figure: number of reported vulnerabilities per year, 1999 to 2014 (y-axis 0 to 3000), by type: Code Execution, DoS, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, Bypass something, Gain Privileges, CSRF]

When Do We Fix Bugs?

[Figure]

Microsoft's SDL

[Figure]


Our Start: SAST as a Baseline

[Figure: programming languages in use: ABAP, Java, C, JavaScript, Others]

SAST tools used at SAP

Language     Tool               Vendor
ABAP         CVA (SLIN_SEC)     SAP
JavaScript   Checkmarx CxSAST   Checkmarx
C/C++        Coverity           Coverity
Others       Fortify            HP

• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101, GI 2014.


Combining Multiple Security Testing Methods and Tools

[Figure: software stack with layers Client Application, Web Browser, Server Application, Runtime Container, Backend Systems, and the tools used against it: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect, IBM AppScan]

• Risks of using only SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Does not cover all layers of the software stack

A Risk-based Test Plan

[Figure: the risk assessment (e.g. SECURIM, Threat Modelling, OWASP ASVS) takes as input a selection from a list of predefined application types, the implementation details (e.g. programming languages, frameworks) and the priority of SAP Security Requirements, and produces the Security Test Plan]

• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
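The selection logic the figure and bullets describe, as an added example that is not code from the talk or from SAP: a predefined application type and the project's technologies go in, an ordered list of test cases comes out, and requirements that no selected method can cover are reported separately instead of being dropped. The application types, risk weights, the requirement-to-method mapping and the "security expert" / "fuzzer (hypothetical)" entries are constructed for illustration; the tool names are the ones the slides list.

```python
"""Risk-based selection of security test cases for one project.

Added example, not SAP's own tooling: the application types, risk weights,
requirement-to-method mapping and the 'security expert' / 'fuzzer
(hypothetical)' entries are constructed. Tool names are those on the slides.
"""
from __future__ import annotations

from dataclasses import dataclass

# SAST baseline: language -> tool (mapping assumed from the "SAST as a Baseline" slide).
SAST_TOOLS = {
    "abap": "CVA (SLIN_SEC)",
    "javascript": "Checkmarx CxSAST",
    "c": "Coverity",
    "c++": "Coverity",
    "java": "Fortify",
}

# Constructed stand-in for the risk assessment (SECURIM, threat modelling, ASVS):
# predefined application type -> security requirement -> base risk (1 low .. 3 high).
APP_TYPE_RISKS = {
    "web-app": {"injection": 3, "xss": 3, "transport-security": 2},
    "native-library": {"memory-safety": 3, "input-parsing": 2},
}

# Constructed method catalogue: requirement -> candidates, most efficient first.
# Each candidate is (method, tool, technology it needs or None).
METHODS = {
    "injection": [("dynamic analysis", "HP WebInspect", None)],
    "xss": [("dynamic analysis", "DOMinator", "javascript"),
            ("dynamic analysis", "IBM AppScan", None)],
    "transport-security": [("manual penetration testing", "security expert", None)],
    "memory-safety": [("fuzzing", "fuzzer (hypothetical)", "c"),
                      ("fuzzing", "fuzzer (hypothetical)", "c++")],
    "input-parsing": [("fuzzing", "fuzzer (hypothetical)", None)],
}


@dataclass(frozen=True)
class TestCase:
    method: str
    tool: str
    scope: str      # language or security requirement the case targets
    priority: int   # higher runs first


def build_test_plan(app_type: str, languages: tuple[str, ...],
                    requirement_weight: dict[str, int]) -> tuple[list[TestCase], list[str]]:
    """Return (test cases ordered by priority, requirements with no applicable method).

    requirement_weight is the project's priority (1..3) of each SAP security
    requirement; it re-adjusts the base risk of the application type.
    """
    risks = APP_TYPE_RISKS[app_type]
    cases: list[TestCase] = []
    uncovered: list[str] = []

    # Baseline: a code scan for every language, manual review where SAST has no support,
    # so a language gap is visible in the plan instead of silently dropped.
    highest_risk = max(risks.values())
    for lang in languages:
        tool = SAST_TOOLS.get(lang)
        if tool is None:
            cases.append(TestCase("manual code review", "security expert", lang, highest_risk))
        else:
            cases.append(TestCase("code scan", tool, lang, highest_risk))

    # Risk-driven part: the first applicable candidate per requirement of the app type.
    for requirement, base_risk in risks.items():
        chosen = next(((m, t) for m, t, needs in METHODS[requirement]
                       if needs is None or needs in languages), None)
        if chosen is None:
            uncovered.append(requirement)   # reviewed by hand; candidate for a missed risk
            continue
        method, tool = chosen
        priority = base_risk * requirement_weight.get(requirement, 1)
        cases.append(TestCase(method, tool, requirement, priority))

    cases.sort(key=lambda c: c.priority, reverse=True)
    return cases, uncovered


if __name__ == "__main__":
    plan, gaps = build_test_plan("web-app", ("java", "javascript", "groovy"),
                                 {"injection": 3, "xss": 2, "transport-security": 1})
    for case in plan:
        print(f"{case.priority:>2}  {case.method:<26} {case.tool:<18} {case.scope}")
    print("no applicable method for:", gaps)
```

The two outputs are deliberate: the ordered cases are what the team executes, while the uncovered list is what a security expert has to look at, because a requirement that the plan cannot address is exactly where the risk assessment's false negatives would otherwise hide.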

SAP's Secure Software Development Lifecycle (S2DL)

[Figure: SAP S2DL]

Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • No issues that can be fixed/detected earlier
    • Only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)



How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability

[Figure: pie chart of reported vulnerabilities: Covered, Not Covered, Newly Covered]

Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
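The classification behind the pie chart and the success criterion, as an added example that is not SAP's own metric code: each reported vulnerability is sorted into covered, not covered or newly covered, each category gets the follow-up the slide names, and the share of "not covered" reports is the number that should rise over time. The rule that decides "newly covered" (the detecting tool configuration was introduced after the affected release shipped) and the sample reports are constructed assumptions.

```python
"""Classify reported vulnerabilities against security-testing-tool coverage.

Added example, not SAP's own metric code. The three categories are the ones
on the slide (covered / not covered / newly covered); the rule that decides
"newly covered" and the sample reports are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ReportedVuln:
    vuln_id: str
    reporter: str                 # "security-validation" or "external-researcher"
    affected_release: str         # release the report is against, e.g. "2.1"
    detectable: bool              # the current tool configuration finds this issue class
    rule_added_in: Optional[str]  # release whose tool configuration first detected it


def release_key(release: str) -> tuple[int, ...]:
    return tuple(int(part) for part in release.split("."))


def classify(vuln: ReportedVuln) -> str:
    """covered: the tools could have found it when the affected release was built;
    newly covered: only a configuration introduced after that release finds it (assumption);
    not covered: the current tools do not find it at all."""
    if not vuln.detectable:
        return "not covered"
    if vuln.rule_added_in and release_key(vuln.rule_added_in) > release_key(vuln.affected_release):
        return "newly covered"
    return "covered"


# Follow-up per category, as on the slide; the "newly covered" entry is an assumption.
FOLLOW_UP = {
    "not covered": "improve tool configuration or introduce new tools",
    "covered": "analyze why the finding was missed (e.g. vulnerability in an older release)",
    "newly covered": "already addressed by the later tool configuration",
}


def summarize(reports: list[ReportedVuln]) -> dict:
    counts = Counter(classify(v) for v in reports)
    total = len(reports)
    pct_not_covered = 100.0 * counts["not covered"] / total if total else 0.0
    actions = {v.vuln_id: FOLLOW_UP[classify(v)] for v in reports}
    return {"counts": counts, "pct_not_covered": pct_not_covered, "actions": actions}


def success_criterion_met(previous_pct: float, current_pct: float) -> bool:
    # The slide's criterion: the share of reports the tools could not have found goes up,
    # because everything the tools can find is fixed before the release ships.
    return current_pct > previous_pct


# Constructed sample input.
SAMPLE_REPORTS = [
    ReportedVuln("V-1", "external-researcher", "1.0", True, "1.0"),
    ReportedVuln("V-2", "external-researcher", "1.0", False, None),
    ReportedVuln("V-3", "security-validation", "2.0", True, "2.1"),
    ReportedVuln("V-4", "external-researcher", "2.1", False, None),
    ReportedVuln("V-5", "security-validation", "2.1", True, "1.5"),
]

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORTS)
    print(dict(result["counts"]), f"{result['pct_not_covered']:.1f}% not covered")
    for vuln_id, action in result["actions"].items():
        print(vuln_id, "->", action)
```

A "covered" report is the more worrying one for the process: the tool would have flagged it, so the question is why the scan was not run, not configured, or its finding not fixed before release.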


Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but
  Developer awareness is even more important!


Listen to Your Developers

We are often talking about a lack of security awareness and by that forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)

Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the dev env, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"

Collaborate

Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
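The SSL question in the first bullet, as an added example that is not code from the talk: Python's standard `ssl` module is used to show the context a developer typically ends up with after "fixing" a certificate error, the context a wrapper should hand out by default, and a small audit that tells the two apart. Nothing connects to the network; only the context objects are inspected, so it runs offline. The function names and the wrapper `open_tls` are assumptions made for this example.

```python
"""A hard-to-use TLS API versus an easy-to-use wrapper around it.

Added example (not code from the talk). Only context objects are built and
inspected; no connection is opened, so the example runs offline.
"""
from __future__ import annotations

import socket
import ssl


def context_that_just_connects() -> ssl.SSLContext:
    # The copy-paste answer to "certificate verify failed": it turns off both
    # certificate verification and hostname matching, so the peer is no longer
    # authenticated at all and the connection is open to interception.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context(cafile: str | None = None) -> ssl.SSLContext:
    # The default a security API should give out: system trust store (or the
    # given CA file), certificate and hostname verification, TLS 1.2 or newer.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext) -> list[str]:
    """Return the settings that undo TLS's guarantees; empty means the context is sound."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def open_tls(host: str, port: int = 443, cafile: str | None = None, timeout: float = 5.0) -> ssl.SSLSocket:
    """The call developers should use: there is no parameter to switch verification off.

    A private CA is supported through cafile, which is the legitimate need that
    usually drives people to CERT_NONE in the first place.
    """
    ctx = secure_client_context(cafile)
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("ad-hoc context:", audit(context_that_just_connects()))
    print("wrapper context:", audit(secure_client_context()))
```

The design point is the signature of `open_tls`: the only knob it exposes is which CA to trust, so the insecure shortcut is not one line away, and `audit` can be run in a code review or CI job against any context an application builds.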


Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, SCRUM, Cloud development
• Cloud/agile development lifecycle

[Figure: timeline t with deliveries]

Secure Agile Development

[Figure: secure agile development cycle with the elements Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response]

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: Products are often offered in the cloud (SaaS) and on premise

Thank you!

http://xkcd.com/327/

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

© 2015 SAP SE. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 5: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Personal Background

bull I wear two hatsbull (Global) Security Testing Strategistbull Research ExpertArchitect

Working for the central software security team

bull BackgroundSecurity Formal Methods Software Engineering

bull Current work areas

bull Static code analysisbull (Dynamic) Security Testingbull Mobile Securitybull Security Development Lifecyclebull Secure Software Development Lifecycle

httpwwwbruckerch

copy 2015 SAP SE All Rights Reserved Page 5 of 28

SAP Uses a De-centralised Secure Development Approach

bull Central security expert team (S2DL owner)bull Organizes security trainingsbull Defines product standard ldquoSecurityrdquobull Defines risk and threat assessment methodsbull Defines security testing strategybull Selects and provides security testing toolsbull Validates productsbull Defines and executes response process

bull Local security expertsbull Embedded into development teamsbull Organize local security activitiesbull Support developers and architectsbull Support product owners (responsibles)

bull Development teamsbull Select technologiesbull Select development modelbull Design and execute security testing

planbull

copy 2015 SAP SE All Rights Reserved Page 6 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 7 of 28

Vulnerability Distribution

1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 20140

500

1000

1500

2000

2500

3000

Code Execution DoS Overflow Memory Corruption Sql InjectionXSS Directory Traversal Bypass something Gain Privileges CSRF

copy 2015 SAP SE All Rights Reserved Page 8 of 28

When Do We Fix Bugs

copy 2015 SAP SE All Rights Reserved Page 9 of 28

Microsoftrsquos SDL

copy 2015 SAP SE All Rights Reserved Page 10 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 11 of 28

Our Start SAST as a Baseline

ABAP

Java

C

JavaScript

Others

SAST tools used at SAP

Language Tool Vendor

ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx

CC++ Coverity CoverityOthers Fortify HP

bull Since 2010 mandatory for all SAP products

bull Multiple billions lines analyzed

bull Constant improvement of tool configuration

bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014

copy 2015 SAP SE All Rights Reserved Page 12 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx (JavaScript)

Fortify (Java) Coverity (CC++)

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx (JavaScript)

Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

A Risk-based Test Plan

Select from a list of

predefined application

types

Implementation detaos eg programming languages frameworks

Priority of SAP Security

Requirements

Security Test Plan

RISK ASSESMENT

(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg

code scans dynamic analysis manual penetrationtesting or fuzzing

bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject

bull Re-adjusts priorities of test cases based on identifiedrisks for the project

bull Monitors false negative findings in the results of riskassessment

copy 2015 SAP SE All Rights Reserved Page 14 of 28

SAPrsquo Secure Software Development Lifecycle (S2DL)

Figure SAP SSDL

copy 2015 SAP SE All Rights Reserved Page 15 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

NewlyCovered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 18 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important

but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks.)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: products are often offered both in the cloud (SaaS) and on premise

Thank you!

http://xkcd.com/327/

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages


SAP Uses a De-centralised Secure Development Approach

• Central security expert team (S2DL owner)
  • Organizes security trainings
  • Defines product standard "Security"
  • Defines risk and threat assessment methods
  • Defines security testing strategy
  • Selects and provides security testing tools
  • Validates products
  • Defines and executes response process
• Local security experts
  • Embedded into development teams
  • Organize local security activities
  • Support developers and architects
  • Support product owners (responsibles)
• Development teams
  • Select technologies
  • Select development model
  • Design and execute security testing plan


Vulnerability Distribution

Figure: number of published vulnerabilities per year from 1999 to 2014 (y axis from 0 to 3000), broken down by category: Code Execution, DoS, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, Bypass something, Gain Privileges, CSRF.

When Do We Fix Bugs?

Microsoft's SDL


Our Start: SAST as a Baseline

Figure: SAP's code base by language (ABAP, Java, C, JavaScript, Others).

SAST tools used at SAP:

  Language    Tool              Vendor
  ABAP        CVA (SLIN_SEC)    SAP
  JavaScript  Checkmarx CxSAST  Checkmarx
  C/C++       Coverity          Coverity
  Others      Fortify           HP

• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101, GI 2014.

Combining Multiple Security Testing Methods and Tools

Figure: the layers of the software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) and the tools that cover them: static analysis with Checkmarx (JavaScript), Fortify (Java) and Coverity (C/C++); dynamic analysis with DOMinator, HP WebInspect and IBM AppScan.

• Risks of using only SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages are supported
  • Not all layers of the software stack are covered

A Risk-based Test Plan

Figure: inputs to the risk assessment (e.g., SECURIM, Threat Modelling, OWASP ASVS): the application type, selected from a list of predefined application types; implementation details, e.g., programming languages and frameworks; and the priority of the SAP security requirements. Its output is the Security Test Plan.

The security test plan
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing, or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on the risks identified for the project
• Monitors the test results for false negatives of the risk assessment, i.e., risks the assessment missed
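
The selection logic sketched on this slide, as an added example written for this page and not SAP's planning tool: the application types, the four-level risk scale, the test-case catalogue and the prioritisation rules are assumptions chosen to show the mechanism; the SAST tool names per language are the ones from the "SAST as a Baseline" slide.

```python
"""Deriving a risk-based security test plan from an application profile.

Added example, not SAP's tooling: the application types, the 1..4 risk scale,
the test-case catalogue and the priority rules are assumptions. The SAST tool
per language follows the table on the "SAST as a Baseline" slide.
"""
from dataclasses import dataclass

# Static analysers per language. A language without an entry is a coverage gap
# that the plan must make visible instead of silently skipping it.
SAST_TOOLS = {
    "abap": "CVA (SLIN_SEC)",
    "javascript": "Checkmarx CxSAST",
    "c": "Coverity",
    "c++": "Coverity",
    "java": "Fortify",
}

# Assumed predefined application types and the stack layers they expose.
APP_TYPES = {
    "web_application": {"browser", "server"},
    "native_library": {"runtime"},
    "backend_service": {"server", "backend"},
}

# Assumed catalogue of test cases: (method, risk tag, description).
# DAST needs a browser/server layer, FUZZ needs native code,
# MANUAL (penetration testing) is reserved for high-risk projects.
TEST_CASES = [
    ("DAST", "injection", "scan HTTP parameters for SQL and command injection"),
    ("DAST", "xss", "scan rendered pages for reflected and stored XSS"),
    ("FUZZ", "parsing", "fuzz parsers of externally supplied files"),
    ("MANUAL", "authz", "verify access control on state-changing requests"),
    ("MANUAL", "crypto", "review TLS and key-handling configuration"),
]
NATIVE = {"c", "c++"}


@dataclass(frozen=True)
class AppProfile:
    app_type: str                 # key of APP_TYPES
    languages: tuple              # e.g. ("Java", "JavaScript")
    internet_facing: bool
    sensitive_data: bool
    identified_risks: tuple = ()  # tags produced by threat modelling, e.g. "injection"


def risk_score(p: AppProfile) -> int:
    """Assumed 1..4 scale: exposure and data sensitivity raise the risk."""
    return 1 + (2 if p.internet_facing else 0) + (1 if p.sensitive_data else 0)


def plan_for(p: AppProfile) -> list:
    """Return (priority, method, detail) tuples, priority 1 = most urgent."""
    risk = risk_score(p)
    layers = APP_TYPES[p.app_type]
    langs = {lang.lower() for lang in p.languages}
    steps = []
    # Baseline: static analysis for every language, with gaps made explicit.
    for lang in sorted(langs):
        tool = SAST_TOOLS.get(lang)
        if tool:
            steps.append((1, "SAST", f"{tool} on the {lang} code"))
        else:
            steps.append((1, "GAP", f"no SAST tool for {lang}: schedule manual review"))
    # Applicability follows the technology, priority follows the risk.
    for method, tag, detail in TEST_CASES:
        applicable = (
            (method == "DAST" and layers & {"browser", "server"})
            or (method == "FUZZ" and "runtime" in layers and langs & NATIVE)
            or (method == "MANUAL" and risk >= 3)
        )
        if not applicable:
            continue
        prio = 3
        if tag in p.identified_risks:  # re-adjust for risks found in threat modelling
            prio -= 1
        if risk >= 3:
            prio -= 1
        steps.append((max(prio, 1), method, detail))
    return sorted(steps)


if __name__ == "__main__":
    shop = AppProfile("web_application", ("Java", "JavaScript"), True, True, ("injection",))
    for prio, method, detail in plan_for(shop):
        print(prio, method, detail)
```

Two things the plan does that a fixed checklist does not: a language without a supported static analyser shows up as an explicit `GAP` step rather than disappearing, and a risk tag from threat modelling moves the matching test case up one priority level, which is the re-prioritisation the slide describes.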

SAP's Secure Software Development Lifecycle (S2DL)

Figure: SAP S2DL

Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Checks for "flaws" in the implementation of the S2DL
• Ideally, security validation finds
  • no issues that could have been fixed/detected earlier
  • only issues that cannot be detected earlier (e.g., insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)

How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools (not covered)
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools (covered)
  • Vulnerability in an older software release?
  • Analyze the reason for missing the vulnerability

Figure: reported vulnerabilities split into Covered, Not Covered, and Newly Covered (classes that an improved tool configuration or a newly introduced tool now detects).

Success criterion: the percentage of reported vulnerabilities not covered by our security testing tools increases. Everything the tools can find should be found and fixed during development, so over time what still reaches security validation or external researchers should be only what the tools cannot detect.
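
The classification behind this metric, as an added example and not SAP's data or tooling: the vulnerability reports, the coverage history (from which release on a tool configuration detects a weakness class in a language) and the classification rules are constructed for illustration, and the trend function checks the success criterion stated above across reporting periods.

```python
"""Classifying reported vulnerabilities against security-testing tool coverage.

Added example, not SAP's data or tooling: the reports, the coverage history
and the classification rules are constructed to illustrate the metric.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    ident: str             # hypothetical internal tracking id
    weakness: str          # e.g. "sqli", "xss", "config"
    language: str
    affected_release: int  # hypothetical release numbering: where the bug was introduced


# Assumed coverage history: (weakness, language) -> first release whose tool
# configuration detects that class. Classes absent here are not detectable by
# any tool in use (e.g. insecure default configuration, missing documentation).
COVERAGE_SINCE = {
    ("sqli", "java"): 1,
    ("buffer_overflow", "c"): 1,
    ("xss", "javascript"): 3,  # assumed: JavaScript XSS rules arrived with release 3
}

# What each class tells the team to do next.
ACTIONS = {
    "covered": "a tool could have found it: analyse why the scan missed it "
               "(not run, finding suppressed, false negative)",
    "newly_covered": "gap closed after the code was written: rescan older "
                     "releases with the current configuration",
    "not_covered": "tool gap: improve the tool configuration or introduce a new tool",
}


def classify(r: Report) -> str:
    since = COVERAGE_SINCE.get((r.weakness, r.language))
    if since is None:
        return "not_covered"
    if since > r.affected_release:
        return "newly_covered"
    return "covered"


def breakdown(reports) -> dict:
    """Share of each class among the reports of one period."""
    counts = Counter(classify(r) for r in reports)
    total = sum(counts.values()) or 1
    return {cls: counts[cls] / total for cls in ACTIONS}


def not_covered_trend(periods):
    """periods: [(label, reports)]. Returns the per-period share of reports the
    tools could not have found, and whether that share never drops, which is
    the success criterion: the tools catch everything in their scope early."""
    series = [(label, breakdown(reps)["not_covered"]) for label, reps in periods]
    improving = all(later >= earlier
                    for (_, earlier), (_, later) in zip(series, series[1:]))
    return series, improving


# Constructed sample: two reporting periods.
SAMPLE_PERIODS = [
    ("2013", [
        Report("V-1", "sqli", "java", 1),
        Report("V-2", "sqli", "java", 2),
        Report("V-3", "config", "java", 2),
        Report("V-4", "xss", "javascript", 2),
    ]),
    ("2014", [
        Report("V-5", "xss", "javascript", 4),
        Report("V-6", "config", "java", 4),
        Report("V-7", "docs", "abap", 3),
        Report("V-8", "buffer_overflow", "c", 1),
    ]),
]

if __name__ == "__main__":
    for label, reports in SAMPLE_PERIODS:
        for r in reports:
            print(label, r.ident, classify(r), "->", ACTIONS[classify(r)])
    print(not_covered_trend(SAMPLE_PERIODS))
```

On the constructed sample the not-covered share rises from 0.25 to 0.5 between the two periods, which is the direction the slide asks for; the covered reports are the ones that need a root-cause analysis, since a configured tool should have found them before release.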


Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important

Listen to Your Developers

We often talk about a lack of security awareness and, by doing so, forget the problem of a lack of development awareness.

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)



copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 8: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Vulnerability Distribution

Figure: number of published vulnerabilities per year, 1999–2014 (y-axis 0–3000), broken down by type: Code Execution, DoS, Overflow, Memory Corruption, SQL Injection, XSS, Directory Traversal, Bypass something, Gain Privileges, CSRF.

© 2015 SAP SE. All Rights Reserved. Page 8 of 28

When Do We Fix Bugs?

Microsoft's SDL

Agenda

1 Background
2 Motivation
3 Risk-based Security Testing as Part of SAP's S2DL
4 Lessons Learned
5 How Does This Resonate With Agile Development?

Our Start: SAST as a Baseline

Figure: share of the code base by language: ABAP, Java, C, JavaScript, Others.

SAST tools used at SAP

Language     Tool                Vendor
ABAP         CVA (SLIN_SEC)      SAP
JavaScript   Checkmarx CxSAST    Checkmarx
C/C++        Coverity            Coverity
Others       Fortify             HP

• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In: GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91–101, GI, 2014.

Combining Multiple Security Testing Methods and Tools

Figure: the layers of the software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) with the tools placed against the layers they cover: Checkmarx (JavaScript), DOMinator, Fortify (Java), Coverity (C/C++), and, drawn spanning the stack, HP WebInspect and IBM AppScan.

• Risks of using only SAST:
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations:
  • Not all programming languages supported
  • Does not cover all layers of the software stack

A Risk-based Test Plan

Figure: inputs to the Security Test Plan: the application type (selected from a list of predefined application types), implementation details (e.g., programming languages, frameworks), and the priority of the SAP Security Requirements, combined in a risk assessment (e.g., SECURIM, Threat Modelling, OWASP ASVS).

The security test plan
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on the risks identified for the project
• Monitors false negatives of the risk assessment (issues found by testing that the assessment did not predict)

SAP's Secure Software Development Lifecycle (S2DL)

Figure: SAP S2DL

Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • no issues that could have been fixed or detected earlier
    • only issues that cannot be detected earlier (e.g., insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)

How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools:
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools:
  • Vulnerability in an older software release
  • Analyze the reason for missing the vulnerability

Figure: reported vulnerabilities classified as Covered, Not Covered, and Newly Covered (covered only after a tool or configuration improvement).

Success criterion: the percentage of vulnerabilities not covered by our security testing tools increases. Everything the tools can find should be found and fixed before release, so what is left to be reported from outside is what the tools cannot detect.
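The classification on this slide, written out as an added example (this is not code from the talk or from SAP). The mapping of the slide's two branches onto the three labels is this example's reading of the slide: an issue the current tools cannot flag is "not covered"; one they flag now but did not flag when the release was scanned is "newly covered"; one they flagged at the time, yet which still shipped, is "covered" and points at a process gap. The finding records and period labels are constructed.

```python
"""Classify reported vulnerabilities against the security testing tool set and
track the slide's success criterion (share of 'not covered' findings rising).
Added example; Finding records below are constructed, not SAP data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

COVERED = "covered"              # tools flag it, yet it still shipped
NOT_COVERED = "not-covered"      # current tools cannot flag it
NEWLY_COVERED = "newly-covered"  # tools flag it now, but not when the release was scanned


@dataclass(frozen=True)
class Finding:
    finding_id: str
    source: str                  # "security-validation" or "external-researcher"
    period: str                  # reporting period used for the trend, e.g. "2013"
    detectable_now: bool         # a re-scan with the current tool configuration flags it
    detectable_at_release: Optional[bool]  # scan result at release time; None = tool or rule did not exist yet


def classify(f: Finding) -> str:
    """Map one finding onto the three coverage classes from the slide."""
    if not f.detectable_now:
        return NOT_COVERED
    if f.detectable_at_release:
        return COVERED
    return NEWLY_COVERED


def follow_up(f: Finding) -> str:
    """Action the slide attaches to each class."""
    return {
        NOT_COVERED: "improve tool configuration or introduce a new tool",
        NEWLY_COVERED: "older release: the tool or rule was added afterwards",
        COVERED: "tools flagged it but it still shipped: analyze why the finding was missed",
    }[classify(f)]


def counts_by_class(findings: Iterable[Finding]) -> Dict[str, int]:
    return dict(Counter(classify(f) for f in findings))


def not_covered_share(findings: Iterable[Finding]) -> float:
    fs = list(findings)
    if not fs:
        raise ValueError("no findings in this period")
    return sum(1 for f in fs if classify(f) == NOT_COVERED) / len(fs)


def share_per_period(findings: Iterable[Finding]) -> Dict[str, float]:
    """Not-covered share per reporting period, periods in sorted order."""
    by_period: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        by_period[f.period].append(f)
    return {p: not_covered_share(fs) for p, fs in sorted(by_period.items())}


def success_criterion_met(findings: Iterable[Finding]) -> bool:
    """The slide's criterion: the not-covered share rises from period to period."""
    shares = list(share_per_period(findings).values())
    return len(shares) >= 2 and all(b > a for a, b in zip(shares, shares[1:]))


# Constructed sample: seven findings over two reporting periods.
SAMPLE = [
    Finding("V-1", "security-validation", "2013", True, True),
    Finding("V-2", "external-researcher", "2013", False, None),
    Finding("V-3", "external-researcher", "2013", True, None),
    Finding("V-4", "security-validation", "2013", True, False),
    Finding("V-5", "external-researcher", "2014", False, None),
    Finding("V-6", "security-validation", "2014", False, False),
    Finding("V-7", "external-researcher", "2014", True, True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.finding_id, classify(f), "->", follow_up(f))
    print(share_per_period(SAMPLE), "criterion met:", success_criterion_met(SAMPLE))
```

On the sample, the not-covered share rises from 1/4 in 2013 to 2/3 in 2014, so the criterion holds; the two "covered" findings are the ones worth a root-cause analysis, since a tool already flagged them.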

Agenda (section 4: Lessons Learned)

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but ...
  Developer awareness is even more important.

Listen to Your Developers

We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)

Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.,
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"

Collaborate

Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
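The "SSL API" point, illustrated on Python's ssl module as an added example (not code from the talk or from SAP; the choice of Python and the placeholder host name are this example's assumptions). It shows the hand-assembled client context a developer ends up with when "making the test server work", the one-call hardened context, and an audit function a team could put in front of every connection so that neither variant is trusted on the caller's word.

```python
"""Hand-assembled vs. hardened TLS client contexts, plus an audit of either.
Added example; uses only Python's standard ssl module."""
import socket
import ssl
from typing import List, Optional

# Short codes for the ways a client context can be unsafe.
NO_CERT_VERIFICATION = "no-cert-verification"
NO_HOSTNAME_CHECK = "no-hostname-check"
WEAK_MIN_VERSION = "weak-min-version"


def context_weaknesses(ctx: ssl.SSLContext) -> List[str]:
    """Audit a client-side SSLContext; an empty list means nothing obvious is wrong."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append(NO_CERT_VERIFICATION)   # any certificate, self-signed or forged, is accepted
    if not ctx.check_hostname:
        problems.append(NO_HOSTNAME_CHECK)      # a valid cert for some other host would pass
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(WEAK_MIN_VERSION)       # downgrade to TLS 1.0/1.1 is possible
    return problems


def hand_assembled_client_context() -> ssl.SSLContext:
    """What the 'just make the test server work' workaround usually looks like."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The API even dictates an order here: verify_mode cannot be set to
    # CERT_NONE while check_hostname is still True. The developer learns to
    # switch both off, and the code then ships that way.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The safe configuration is one call plus one explicit floor."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname, trust store loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # default only from Python 3.10 on, so set it explicitly
    return ctx


def open_connection(ctx: ssl.SSLContext, host: str, port: int = 443) -> ssl.SSLSocket:
    """Refuse to use a context that fails the audit, whoever built it."""
    weak = context_weaknesses(ctx)
    if weak:
        raise ValueError(f"refusing TLS connection with insecure context: {weak}")
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


if __name__ == "__main__":
    print("hand-assembled:", context_weaknesses(hand_assembled_client_context()))
    print("hardened:      ", context_weaknesses(hardened_client_context()))
```

The gate in open_connection is the part developers cannot get wrong: the insecure context is rejected before a socket is opened, so the workaround cannot survive into production unnoticed.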

Agenda (section 5: How Does This Resonate With Agile Development?)

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development
• Cloud/agile development lifecycle

Figure: timeline (t) with a continuous sequence of deliveries.

Secure Agile Development

Figure: the S2DL activities mapped onto the agile lifecycle: Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response.

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks.)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: products are often offered in the cloud (SaaS) and on premise

Thank you

http://xkcd.com/327/

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

© 2015 SAP SE. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 9: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

When Do We Fix Bugs

copy 2015 SAP SE All Rights Reserved Page 9 of 28

Microsoftrsquos SDL

copy 2015 SAP SE All Rights Reserved Page 10 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 11 of 28

Our Start SAST as a Baseline

ABAP

Java

C

JavaScript

Others

SAST tools used at SAP

Language Tool Vendor

ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx

CC++ Coverity CoverityOthers Fortify HP

bull Since 2010 mandatory for all SAP products

bull Multiple billions lines analyzed

bull Constant improvement of tool configuration

bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014

copy 2015 SAP SE All Rights Reserved Page 12 of 28

Combining Multiple Security Testing Methods and Tools

[Figure: the software stack, from Client Application and Web Browser through Server Application and Runtime Container to Backend Systems, with the tools placed on the layers they cover: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect and IBM AppScan]

• Risks of only using SAST:
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations:
  • Not all programming languages supported
  • Does not cover all layers of the software stack

A Risk-based Test Plan

[Figure: inputs to the risk assessment (select from a list of predefined application types; implementation details, e.g. programming languages, frameworks; priority of SAP Security Requirements), the Risk Assessment step (e.g. SECURIM, Threat Modelling, OWASP ASVS) and the resulting Security Test Plan]

• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment

SAP's Secure Software Development Lifecycle (S2DL)

[Figure: SAP SSDL]

Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation:
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • no issues that can be fixed/detected earlier
    • only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)

How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools:
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools:
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability

[Figure: decision tree that labels each reported vulnerability as Covered, Not Covered or Newly Covered]

Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
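The decision tree on this slide, worked through as an added example (this is not SAP's code or tooling): each reported vulnerability is checked against a coverage table that says which vulnerability classes each configured tool can detect and against the set of tools that actually scanned the affected release, and is then labelled Covered, Not Covered or Newly Covered. The tool names, the coverage tables and the seven reports are constructed sample data; the metric at the end is the slide's success criterion, computed for two reporting periods.

```python
"""Triage of reported vulnerabilities against security testing tool coverage.

Added example (not SAP's code): it models the decision tree of the
"How to Measure Success" slide. Every vulnerability reported by Security
Validation or an external researcher is checked against the security
testing tools: could a tool have found that vulnerability class, and did
that tool actually scan the affected release? The coverage tables, tool
names and reports below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Report:
    """One reported vulnerability (constructed sample, not a real finding)."""
    report_id: str
    source: str                           # "security-validation" or "external-researcher"
    vuln_class: str                       # e.g. "sql-injection"
    release: str                          # release the finding was made on
    tools_run_on_release: FrozenSet[str]  # tools that actually scanned that release


@dataclass(frozen=True)
class TriageResult:
    report_id: str
    category: str                         # "covered", "not-covered" or "newly-covered"
    action: str


def triage(report: Report, coverage: Dict[str, Set[str]],
           newly_added: Set[str]) -> TriageResult:
    """Classify one report the way the slide's decision tree does.

    coverage:    vulnerability classes each tool's current configuration detects
    newly_added: classes that became detectable only after acting on earlier
                 reports (improved configuration or a newly introduced tool)
    """
    detectable_by = {tool for tool, classes in coverage.items()
                     if report.vuln_class in classes}
    if not detectable_by:
        # No tool can find this class: improve configuration or add a tool.
        return TriageResult(report.report_id, "not-covered",
                            "improve tool configuration or introduce a new tool")
    if report.vuln_class in newly_added:
        # The gap was closed after an earlier report of the same class.
        return TriageResult(report.report_id, "newly-covered",
                            "coverage gap already closed; confirm on the next scan")
    if not detectable_by & report.tools_run_on_release:
        # A tool could have found it, but it never scanned that (older) release.
        return TriageResult(report.report_id, "covered",
                            "tool not run on this release; analyze why it was skipped")
    # The tool scanned the release and still missed it: a process or rule problem.
    return TriageResult(report.report_id, "covered",
                        "tool ran but missed it; analyze the reason (rules, scope, suppression)")


def summarize(results: List[TriageResult]) -> Dict[str, float]:
    """Counts per category plus the slide's success metric: the share of
    reports the tools could not have found. As tool usage and configuration
    improve, reports of tool-detectable classes should disappear, so this
    share is expected to increase over time."""
    stats: Dict[str, float] = {"covered": 0, "not-covered": 0, "newly-covered": 0}
    for r in results:
        stats[r.category] += 1
    total = len(results)
    stats["not-covered-share"] = stats["not-covered"] / total if total else 0.0
    return stats


# Constructed coverage tables (hypothetical tool names and rule sets).
COVERAGE_BEFORE: Dict[str, Set[str]] = {
    "sast-java": {"sql-injection", "xss", "path-traversal"},
    "dast-web": {"xss", "missing-security-header"},
}
# After period 1: an XXE rule was enabled in the SAST configuration.
COVERAGE_AFTER: Dict[str, Set[str]] = {
    "sast-java": COVERAGE_BEFORE["sast-java"] | {"xxe"},
    "dast-web": set(COVERAGE_BEFORE["dast-web"]),
}
ALL_TOOLS = frozenset({"sast-java", "dast-web"})

# Constructed reports for two reporting periods.
PERIOD_1 = [
    Report("R1", "external-researcher", "sql-injection", "1.0", frozenset({"dast-web"})),
    Report("R2", "security-validation", "xss", "1.1", ALL_TOOLS),
    Report("R3", "security-validation", "insecure-default-config", "1.1", ALL_TOOLS),
    Report("R4", "external-researcher", "xxe", "1.1", ALL_TOOLS),
]
PERIOD_2 = [
    Report("R5", "external-researcher", "xxe", "1.2", ALL_TOOLS),
    Report("R6", "security-validation", "insecure-default-config", "1.2", ALL_TOOLS),
    Report("R7", "security-validation", "missing-security-documentation", "1.2", ALL_TOOLS),
]


def run_example() -> Dict[str, Dict[str, float]]:
    """Triage both periods; the not-covered share rises from 0.5 to 2/3."""
    return {
        "period_1": summarize([triage(r, COVERAGE_BEFORE, set()) for r in PERIOD_1]),
        "period_2": summarize([triage(r, COVERAGE_AFTER, {"xxe"}) for r in PERIOD_2]),
    }


if __name__ == "__main__":
    for period, stats in run_example().items():
        print(period, stats)
```

The two "covered" branches are deliberately kept apart: a tool that never scanned the affected release points at a process gap (an old release, a skipped scan), whereas a tool that scanned it and still missed the vulnerability points at the rule set, the scan scope or a suppression, which is the "analyze reason for missing vulnerability" step on the slide.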

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important

Listen to Your Developers

We are often talking about a lack of security awareness and by that forget the problem of lacking development awareness:

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)

Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the dev env, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"

Collaborate

Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
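An added example of the "easy to use security API" point, using Python's ssl module as the SSL API in question (this is not SAP's code, and the function names are this example's own): the raw API lets two attribute assignments switch certificate verification off, so the example wraps it in a helper that has no such switch and pairs it with an audit function that a code review or a CI step can run over any context a developer builds by hand.

```python
"""A TLS client API that is hard to misuse, plus an audit of the raw API.

Added example (not SAP's code). The "Collaborate" slide asks whether anyone
has ever used an SSL API securely; Python's ssl module shows why that is a
fair question: two attribute assignments silently switch certificate
verification off. client_context() is the kind of easy-to-use security API
the slide calls for, and audit_context() is a check that a code review or a
CI step can run over any SSLContext. Function names are this example's own.
"""
import ssl
from typing import List, Optional


def client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Secure-by-default client context: verification on, hostname check on,
    TLS 1.2 or later. The only knob is an optional private CA bundle, so there
    is no switch for turning verification off "just to make the error go away".
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def often_pasted_insecure_context() -> ssl.SSLContext:
    """The raw-API pattern that silences certificate errors (for comparison
    only). Even the order of the two assignments matters: check_hostname must
    be cleared before verify_mode, otherwise the module raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client-side SSLContext (empty = ok)."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname: certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version: TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(client_context()) or "no findings")
    print("pasted:  ", audit_context(often_pasted_insecure_context()))
```

The design point is the one the slide makes: the helper removes the choice rather than documenting it. A developer who needs to talk to a server with a private CA passes the bundle, which keeps verification on; the only way to reach `CERT_NONE` is to bypass the helper, which is what the audit function then catches.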


Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development
• Cloud/agile development lifecycle

[Figure: timeline (t) of deliveries in the cloud/agile development lifecycle]

Secure Agile Development

[Figure: the S2DL activities mapped onto the agile cycle: Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response]

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: Products are often offered in the cloud (SaaS) and on premise

Thank you

http://xkcd.com/327/

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 10: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Microsoftrsquos SDL

copy 2015 SAP SE All Rights Reserved Page 10 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 11 of 28

Our Start SAST as a Baseline

ABAP

Java

C

JavaScript

Others

SAST tools used at SAP

Language Tool Vendor

ABAP CVA (SLIN_SEC) SAPJavaScript Checkmarx CxSAST Checkmarx

CC++ Coverity CoverityOthers Fortify HP

bull Since 2010 mandatory for all SAP products

bull Multiple billions lines analyzed

bull Constant improvement of tool configuration

bull Further detailsDeploying Static Application Security Testing on a LargeScale In GI Sicherheit 2014 Lecture Notes in Informatics228 pages 91-101 GI 2014

copy 2015 SAP SE All Rights Reserved Page 12 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx (JavaScript)

Fortify (Java) Coverity (CC++)

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx (JavaScript)

Fortify (Java)

DO

Min

ato

r

Coverity (CC++)

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

A Risk-based Test Plan

Select from a list of

predefined application

types

Implementation detaos eg programming languages frameworks

Priority of SAP Security

Requirements

Security Test Plan

RISK ASSESMENT

(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg

code scans dynamic analysis manual penetrationtesting or fuzzing

bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject

bull Re-adjusts priorities of test cases based on identifiedrisks for the project

bull Monitors false negative findings in the results of riskassessment

copy 2015 SAP SE All Rights Reserved Page 14 of 28

SAPrsquo Secure Software Development Lifecycle (S2DL)

Figure SAP SSDL

copy 2015 SAP SE All Rights Reserved Page 15 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

NewlyCovered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 18 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important

but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development

© 2015 SAP SE. All Rights Reserved. Page 11 of 28

Our Start: SAST as a Baseline

Figure: programming languages in SAP's code base (ABAP, Java, C, JavaScript, others).

SAST tools used at SAP:

Language     Tool                Vendor
ABAP         CVA (SLIN_SEC)      SAP
JavaScript   Checkmarx CxSAST    Checkmarx
C/C++        Coverity            Coverity
Others       Fortify             HP

• Since 2010 mandatory for all SAP products
• Multiple billions of lines analyzed
• Constant improvement of tool configuration
• Further details: Deploying Static Application Security Testing on a Large Scale. In: GI Sicherheit 2014, Lecture Notes in Informatics 228, pages 91-101, GI 2014 (see Related Publications)

Combining Multiple Security Testing Methods and Tools

Figure: layers of the software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) and the tools applied to them: SAST with Checkmarx (JavaScript), Fortify (Java) and Coverity (C/C++), complemented by dynamic testing with DOMinator, HP WebInspect and IBM AppScan.

• Risks of using only SAST:
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations:
  • Not all programming languages are supported
  • It does not cover all layers of the software stack

A Risk-based Test Plan

Figure: inputs to the security test plan: the application type (selected from a list of predefined application types), implementation details (e.g., programming languages, frameworks) and the priority of the SAP Security Requirements, combined with a risk assessment (e.g., SECURIM, threat modelling, OWASP ASVS).

The security test plan
• Combines multiple security testing methods, e.g., code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of the risk assessment
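An added example of the selection logic the test plan describes, serving both this slide and the preceding one on combining methods; it is not SAP's tooling and not code from the talk. A greedy planner picks, from a constructed catalogue of static, dynamic, manual and fuzzing methods, those that apply to the project's languages and cover the highest-priority requirements per unit of effort, reports the requirements that no selected method covers, and re-plans after the risk assessment raises a priority. The requirement identifiers (SEC-...), method names, effort figures and the project profile are all assumptions made for the example.

```python
# Illustrative risk-based test planner (added example; not SAP's tooling).
# The catalogue, requirement identifiers and project profile are constructed.
from dataclasses import dataclass, field


@dataclass
class TestMethod:
    name: str
    kind: str               # "SAST", "DAST", "manual" or "fuzzing"
    languages: frozenset    # empty = applicable to any language
    covers: frozenset       # security requirements this method can check
    effort: int             # relative cost (e.g., person-days)


# Constructed catalogue; names are placeholders, not a product list.
CATALOGUE = [
    TestMethod("sast-java", "SAST", frozenset({"Java"}),
               frozenset({"SEC-INJECTION", "SEC-CRYPTO"}), 1),
    TestMethod("sast-js", "SAST", frozenset({"JavaScript"}),
               frozenset({"SEC-XSS"}), 1),
    TestMethod("dast-web", "DAST", frozenset(),
               frozenset({"SEC-XSS", "SEC-INJECTION", "SEC-TLS-CONFIG"}), 3),
    TestMethod("fuzz-parser", "fuzzing", frozenset({"C", "C++"}),
               frozenset({"SEC-MEMORY-SAFETY"}), 4),
    TestMethod("pentest-authz", "manual", frozenset(),
               frozenset({"SEC-AUTHZ", "SEC-TLS-CONFIG"}), 8),
]


@dataclass
class Project:
    app_type: str
    languages: set
    # requirement -> priority from the risk assessment: 1 (high) .. 3 (low)
    priorities: dict = field(default_factory=dict)


def example_project():
    """Constructed profile: a Java back end with a JavaScript front end."""
    return Project("web application", {"Java", "JavaScript"},
                   {"SEC-INJECTION": 1, "SEC-XSS": 1, "SEC-AUTHZ": 2,
                    "SEC-CRYPTO": 3, "SEC-TLS-CONFIG": 3})


def applicable(method, project):
    return not method.languages or bool(method.languages & project.languages)


def plan(project, budget):
    """Greedy selection: repeatedly pick the applicable method with the
    highest priority-weighted gain per unit of effort, until the budget is
    spent or nothing useful remains. Returns (chosen method names, uncovered
    requirements); the second list is the gap that still needs a decision."""
    uncovered = set(project.priorities)
    chosen, spent = [], 0

    def gain_per_effort(m):
        gain = sum(4 - project.priorities[r] for r in m.covers & uncovered)
        return gain / m.effort

    while True:
        candidates = [m for m in CATALOGUE
                      if applicable(m, project) and m not in chosen
                      and m.covers & uncovered and spent + m.effort <= budget]
        if not candidates:
            break
        best = max(candidates, key=gain_per_effort)
        chosen.append(best)
        spent += best.effort
        uncovered -= best.covers
    return [m.name for m in chosen], sorted(uncovered)


def raise_priority(project, requirement, new_priority):
    """Re-adjust a requirement's priority after a risk was identified
    (e.g., by threat modelling); priorities only ever move up."""
    current = project.priorities.get(requirement, 3)
    project.priorities[requirement] = min(current, new_priority)


if __name__ == "__main__":
    p = example_project()
    print(plan(p, 6))      # SEC-AUTHZ stays uncovered within a small budget
    raise_priority(p, "SEC-AUTHZ", 1)
    print(plan(p, 12))     # the manual authorization test now makes the cut
```

With a budget of 6 the planner takes the two cheap language-specific scanners and the web DAST and reports SEC-AUTHZ as uncovered; once threat modelling raises SEC-AUTHZ to the top priority and the budget allows it, the manual authorization test is selected and the DAST run is dropped because the manual test already covers the remaining TLS requirement. The point is the shape of the decision, not the weights: tools are chosen for the risks and technologies of the project, and the uncovered list is what the plan must escalate rather than silently accept.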

SAP's Secure Software Development Lifecycle (S2DL)

Figure: SAP S2DL

Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • no issues that could have been fixed or detected earlier,
    • only issues that cannot be detected earlier (e.g., insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g., cloud/hosting)

How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools:
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools:
  • Vulnerability in an older software release
  • Analyze the reason for missing the vulnerability

Figure: reported vulnerabilities classified as Covered, Not Covered and Newly Covered by the security testing tools.

Success criterion: the percentage of reported vulnerabilities not covered by our security testing tools increases. (If the tools are applied consistently, everything they can detect is found and fixed before release, so what still reaches Security Validation or external researchers is increasingly limited to issues no tool could have found.)
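An added example, not from the talk, of the classification behind this success criterion: each report from Security Validation or an external researcher is matched against a constructed table of what the tools can detect (and since which release), sorted into covered, not covered or newly covered, mapped to the follow-up action from the slide, and the share of not-covered reports is tracked per release. The vulnerability classes, releases and reports are constructed; the reading of "newly covered" as "detectable by a rule that did not yet exist when that release was built" is an assumption of this example.

```python
# Classifying reported vulnerabilities against the security testing baseline
# (added example; the tool coverage table and the reports are constructed).
from collections import Counter

# Vulnerability classes the (hypothetical) tool set can detect, and the release
# from which on the corresponding rule or configuration was in place.
TOOL_COVERAGE = {
    "sql-injection": "1.0",
    "xss-reflected": "1.0",
    "xss-dom": "2.0",          # rule added after a miss in the 1.x line
    "path-traversal": "2.0",
}

# Constructed reports from Security Validation and external researchers.
REPORTS = [
    {"id": "r1", "source": "validation", "release": "1.0", "vuln_class": "sql-injection"},
    {"id": "r2", "source": "external",   "release": "1.0", "vuln_class": "xss-dom"},
    {"id": "r3", "source": "external",   "release": "1.0", "vuln_class": "insecure-default-config"},
    {"id": "r4", "source": "validation", "release": "2.0", "vuln_class": "xss-dom"},
    {"id": "r5", "source": "external",   "release": "2.0", "vuln_class": "missing-security-docs"},
    {"id": "r6", "source": "external",   "release": "2.0", "vuln_class": "insecure-default-config"},
]


def release_key(release):
    return tuple(int(part) for part in release.split("."))


def classify(report):
    """Map a report to one of the three classes from the slide."""
    rule_since = TOOL_COVERAGE.get(report["vuln_class"])
    if rule_since is None:
        return "not covered"      # no tool finds this: fix configuration or add a tool
    if release_key(report["release"]) < release_key(rule_since):
        return "newly covered"    # the rule exists now but did not when the release was built
    return "covered"              # a tool could have found it: why did it slip through?


FOLLOW_UP = {
    "not covered": "improve tool configuration or introduce a new tool",
    "newly covered": "verify the new rule flags the old finding (regression test)",
    "covered": "analyze why the finding was missed (scan not run, finding dismissed, ...)",
}


def coverage_by_release(reports):
    per_release = {}
    for report in reports:
        per_release.setdefault(report["release"], Counter())[classify(report)] += 1
    return per_release


def not_covered_share(counter):
    total = sum(counter.values())
    return counter["not covered"] / total if total else 0.0


def trend_is_improving(reports):
    """Success criterion from the slide: the share of reported vulnerabilities
    no tool could have found must increase from release to release."""
    per_release = coverage_by_release(reports)
    shares = [not_covered_share(per_release[r])
              for r in sorted(per_release, key=release_key)]
    return all(a < b for a, b in zip(shares, shares[1:])), shares


if __name__ == "__main__":
    for report in REPORTS:
        cls = classify(report)
        print(report["id"], cls, "->", FOLLOW_UP[cls])
    print(trend_is_improving(REPORTS))
```

In the constructed sample the not-covered share rises from one third in release 1.0 to two thirds in release 2.0, which is the desired direction: the remaining reports are configuration and documentation issues that no scanner finds, while the one tool-detectable report in 2.0 (a DOM XSS a rule now exists for) is the case that needs a root-cause analysis of why the scan did not catch it.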

Lessons Learned

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important

Listen to Your Developers

We often talk about a lack of security awareness and thereby forget the problem of lacking development awareness (security experts knowing too little about how software is actually built).

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)

Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"

Collaborate

Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
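What "ever tried to use an SSL API securely?" looks like in Python's ssl module, as an added example (not code from the talk): the client context as it is often written to make certificate errors go away, beside the hardened one, with a small audit function that returns the problems a reviewer would flag. The function names are this example's own, and no network connection is made; the functions only build contexts and inspect their settings.

```python
# The "use an SSL API securely" problem in Python's ssl module (added example).
# No connection is made; the contexts are only built and audited.
import ssl


def context_as_often_written():
    """The insecure 'before': the usual copy-pasted cure for certificate errors.
    Both checks are off, so any certificate presented by a man in the middle
    is accepted and the connection is encrypted but not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_hardened():
    """The API call that packages the security knowledge: certificate
    verification against the system trust store, hostname checking, and the
    legacy protocol versions disabled. One line instead of a configuration
    the developer has to get right field by field."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx):
    """Return the problems a reviewer would flag for a client-side context."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS older than 1.2 allowed")
    return problems


if __name__ == "__main__":
    print("as often written:", audit(context_as_often_written()))
    print("hardened:        ", audit(context_hardened()))
```

The audit is the kind of check that belongs in a developer-facing tool: it reports a concrete, fixable setting rather than a generic "insecure TLS" finding, and the hardened variant is the easy-to-use API the slide asks for, where the safe configuration is the default and the insecure one takes deliberate extra lines.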

How Does This Resonate With Agile Development

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development
• Cloud/agile development lifecycle

Figure: timeline (t) of continuous deliveries in a cloud/agile development lifecycle.

Secure Agile Development

Figure: S2DL activities in an agile lifecycle: Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response.

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks.)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: products are often offered both in the cloud (SaaS) and on premise

Thank you

http://xkcd.com/327/

Dr. Achim D. Brucker
[email protected]
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

© 2015 SAP SE. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages


© 2015 SAP SE. All Rights Reserved. Page 29 of 28


Combining Multiple Security Testing Methods and Tools

Figure: the software stack (Client Application, Web Browser, Server Application, Runtime Container, Backend Systems) with the tools that cover parts of it: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect, IBM AppScan

• Risks of using only SAST
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations
  • Not all programming languages supported
  • Covers not all layers of the software stack

A Risk-based Test Plan

Figure: inputs (select from a list of predefined application types; implementation details, e.g. programming languages, frameworks; priority of SAP Security Requirements), the Risk Assessment (e.g. SECURIM, Threat Modelling, OWASP ASVS) and the resulting Security Test Plan

• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment
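Added example (not SAP's tooling and not code from the slides): a small test plan generator that applies the two slides above, combining SAST by language with dynamic testing by layer and fuzzing, flagging components whose language no SAST tool supports instead of silently leaving them untested, and re-adjusting priorities after the risk assessment. The tool names are the ones the slides list; which tool covers which language or layer, the application types and the sample project are assumptions made here.

```python
"""Illustrative risk-based test plan generator (added example, not SAP's tooling)."""
from dataclasses import dataclass

# Assumed catalogue: SAST tools by language, following the parentheses on the slide
SAST_TOOLS = {"java": "Fortify", "javascript": "Checkmarx", "c": "Coverity", "c++": "Coverity"}
# Assumed catalogue: dynamic tools by the layer of the stack they exercise
DAST_TOOLS = {"web browser": "DOMinator", "server application": "HP WebInspect / IBM AppScan"}
# Assumed predefined application types and the methods that make sense for each
APPLICATION_TYPES = {
    "web application": ("SAST", "DAST", "fuzzing", "manual penetration test"),
    "library": ("SAST", "fuzzing", "manual penetration test"),
}
# Cheap, automated methods run first when two test cases have the same priority
METHOD_ORDER = {"SAST": 0, "DAST": 1, "fuzzing": 2, "manual penetration test": 3}


@dataclass(frozen=True)
class Component:
    name: str
    layer: str                      # client application, web browser, server application, ...
    languages: tuple                # implementation details, e.g. programming languages
    risk: int                       # priority of the security requirements it implements, 1..5
    parses_untrusted: bool = False  # candidate for fuzzing


@dataclass(frozen=True)
class TestCase:
    component: str
    method: str
    tool: str
    priority: int


def build_plan(app_type, components):
    """Return (test cases ordered by priority, coverage gaps).

    A gap is recorded whenever a component's language has no SAST tool, so the
    plan falls back to a manual test instead of relying on SAST alone."""
    allowed = APPLICATION_TYPES[app_type]
    cases, gaps = [], []
    for c in components:
        for lang in c.languages:
            tool = SAST_TOOLS.get(lang.lower())
            if tool:
                cases.append(TestCase(c.name, "SAST", tool, c.risk))
            else:
                gaps.append(f"{c.name}: no SAST tool for {lang}")
                cases.append(TestCase(c.name, "manual penetration test", "security expert", c.risk))
        dast = DAST_TOOLS.get(c.layer.lower())
        if dast and "DAST" in allowed:
            cases.append(TestCase(c.name, "DAST", dast, c.risk))
        if c.parses_untrusted and "fuzzing" in allowed:
            cases.append(TestCase(c.name, "fuzzing", "fuzzer", c.risk))
    return _ordered(cases), gaps


def reprioritize(cases, identified_risks):
    """Re-adjust priorities after threat modelling or risk assessment changed
    the risk of individual components (component name -> new priority)."""
    adjusted = [TestCase(t.component, t.method, t.tool, identified_risks.get(t.component, t.priority))
                for t in cases]
    return _ordered(adjusted)


def _ordered(cases):
    return sorted(cases, key=lambda t: (-t.priority, METHOD_ORDER[t.method], t.component))


# Constructed sample project: JavaScript front end, Java API server, a C++ parser
# for uploaded files and a Python reporting script no SAST tool in the catalogue covers.
SAMPLE = [
    Component("frontend", "web browser", ("JavaScript",), 3),
    Component("api-server", "server application", ("Java",), 4),
    Component("upload-parser", "server application", ("C++",), 5, parses_untrusted=True),
    Component("report-script", "backend systems", ("Python",), 2),
]

if __name__ == "__main__":
    plan, gaps = build_plan("web application", SAMPLE)
    for t in plan:
        print(f"P{t.priority} {t.method:<24} {t.tool:<28} {t.component}")
    for g in gaps:
        print("GAP:", g)
```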

SAP's Secure Software Development Lifecycle (S2DL)

Figure: SAP SSDL

Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • No issues that can be fixed/detected earlier
    • Only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)

How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability

Figure: reported vulnerabilities grouped into Covered, Not Covered and Newly Covered

Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
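Added example (not SAP's process tooling): the decision tree on this slide as a classification of reported vulnerabilities into covered, covered (older release) and not covered, together with the per-release share of not-covered reports and the reports that become newly covered after a tool was configured or introduced. The record format, the release from which a tool was in place for a language, and the sample reports are constructed for this example.

```python
"""Classifying reported vulnerabilities against the security testing toolchain
(added example; record format, tool catalogue and sample reports are constructed)."""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Report:
    ident: str           # constructed identifier, not a real advisory number
    source: str          # "security validation" or "external researcher"
    vuln_class: str
    language: str
    release: str         # release the vulnerability was found in ("YYYY.N", compares as text)
    tool_detects: bool   # does re-running the current toolchain on the vulnerable code flag it?


# Assumed: language -> first release for which a SAST tool was in place
SAST_SINCE = {"java": "2013.1", "javascript": "2014.1", "c++": "2013.1"}

COVERED, OLDER_RELEASE, NOT_COVERED = "covered", "covered (older release)", "not covered"


def classify(r, sast_since=SAST_SINCE):
    """Return (bucket, follow-up action) for one report, following the slide."""
    if not r.tool_detects:
        # Not covered: a tool exists for the language but misses the class -> tune it;
        # no tool for the language at all -> introduce one.
        action = "improve tool configuration" if r.language in sast_since else "introduce new tool"
        return NOT_COVERED, action
    since = sast_since.get(r.language)
    if since is None or r.release < since:
        # The tool would find it today, but was not in place when the release was built.
        return OLDER_RELEASE, "none: tool was not in place for this release"
    # The tool was in place and finds it: a process miss, not a tooling gap.
    return COVERED, "analyze reason for missing vulnerability"


def not_covered_share(reports, sast_since=SAST_SINCE):
    """Percentage of reports per release that the toolchain does not cover.
    The slide's success criterion is that this percentage increases: the classes
    the tools cover are fixed before shipping, so fewer of them reach reporters."""
    per_release = defaultdict(lambda: [0, 0])
    for r in reports:
        bucket, _ = classify(r, sast_since)
        per_release[r.release][0] += bucket == NOT_COVERED
        per_release[r.release][1] += 1
    return {rel: round(100 * nc / n, 1) for rel, (nc, n) in sorted(per_release.items())}


def newly_covered(reports, old_since, new_since, rescan):
    """Identifiers of reports that were not covered under the old toolchain and are
    detected after the change. `rescan` maps report id -> detection result with the
    new toolchain (constructed here; in practice the output of the re-run)."""
    out = []
    for r in reports:
        before, _ = classify(r, old_since)
        after, _ = classify(replace(r, tool_detects=rescan.get(r.ident, r.tool_detects)), new_since)
        if before == NOT_COVERED and after != NOT_COVERED:
            out.append(r.ident)
    return out


# Constructed sample reports covering each branch of the decision tree
SAMPLE = [
    Report("R-1", "external researcher", "sql injection", "java", "2013.2", True),
    Report("R-2", "security validation", "xss", "javascript", "2013.2", True),
    Report("R-3", "external researcher", "insecure default config", "java", "2014.1", False),
    Report("R-4", "security validation", "command injection", "python", "2014.1", False),
    Report("R-5", "external researcher", "buffer overflow", "c++", "2014.1", True),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.ident, *classify(r), sep=" | ")
    print("not covered per release:", not_covered_share(SAMPLE))
    after_change = {**SAST_SINCE, "python": "2015.1"}
    print("newly covered:", newly_covered(SAMPLE, SAST_SINCE, after_change, {"R-3": True, "R-4": True}))
```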

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important

Listen to Your Developers

We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)

Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the dev env, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"

Collaborate

Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development
• Cloud/agile development lifecycle

Figure: deliveries over time t

Secure Agile Development

Figure (labels): Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: products are often offered in the cloud (SaaS) and on premise

Thank you

http://xkcd.com/327

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

Combining Multiple Security Testing Methods and Tools

[Figure: the software stack as layers, Client Application, Web Browser, Server Application, Runtime Container, Backend Systems, with the tools placed against the layers they cover: Checkmarx (JavaScript), Fortify (Java), Coverity (C/C++), DOMinator, HP WebInspect, IBM AppScan.]

• Risks of using only SAST:
  • Wasting effort that could be used more wisely elsewhere
  • Shipping insecure software
• Examples of SAST limitations:
  • Not all programming languages are supported
  • It does not cover all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28


A Risk-based Test Plan

[Figure: three inputs, the application type (selected from a list of predefined application types), the implementation details (e.g. programming languages, frameworks) and the priority of the SAP Security Requirements, feed the risk assessment (e.g. SECURIM, threat modelling, OWASP ASVS), which produces the Security Test Plan.]

The security test plan
• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts the priorities of test cases based on the risks identified for the project
• Monitors false negative findings in the results of the risk assessment

copy 2015 SAP SE All Rights Reserved Page 14 of 28

SAP's Secure Software Development Lifecycle (S2DL)

[Figure: SAP SSDL]

copy 2015 SAP SE All Rights Reserved Page 15 of 28

Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation checks for "flaws" in the implementation of the S2DL. Ideally, security validation finds
  • no issues that could have been fixed or detected earlier, and
  • only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud hosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28


How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools:
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools:
  • Vulnerability in an older software release?
  • Analyze the reason for missing the vulnerability

[Figure: reported vulnerabilities split into Covered, Not Covered and Newly Covered by the security testing tools.]

Success criterion: the percentage of reported vulnerabilities not covered by our security testing tools increases. Read together with the goal of Security Validation above, this means that whatever the tools can find is found and fixed before release, so the reports that remain are increasingly the issues no tool could have detected.

copy 2015 SAP SE All Rights Reserved Page 17 of 28
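The risk-based test plan (slide 14) and the coverage bookkeeping behind the success criterion (slide 17) can be made concrete in a few functions. The block below is an added example written for this page, not SAP's tooling or the speaker's code: the tool catalogue, its coverage and costs, the project stack, the risk weights and the vulnerability reports are all constructed, and the tool names are placeholders rather than the products shown on slide 13. It picks tools by greedy weighted set cover over the technologies in the stack, reports what nothing in the catalogue covers (the SAST gaps of slide 13), re-orders the plan by risk, and then classifies after-release reports as covered, newly covered or not covered against the plan that was in force and the current one.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example, not SAP's tooling. Tool names, coverage, costs and the
# project data below are constructed for illustration.


@dataclass(frozen=True)
class Tool:
    name: str
    method: str             # SAST, DAST, fuzzing or manual
    covers: frozenset[str]  # languages or stack layers the tool can test
    cost: int               # relative effort of running it in a project


CATALOGUE = [
    Tool("sast-java", "SAST", frozenset({"java"}), 1),
    Tool("sast-js", "SAST", frozenset({"javascript"}), 1),
    Tool("sast-c", "SAST", frozenset({"c", "cpp"}), 1),
    Tool("dast-web", "DAST", frozenset({"web-browser", "server-application"}), 3),
    Tool("fuzz-backend", "fuzzing", frozenset({"backend-systems"}), 4),
    Tool("pentest", "manual",
         frozenset({"server-application", "runtime-container", "backend-systems"}), 8),
]

# Constructed output of a risk assessment: the project's stack and a
# priority (1..5) per technology.
PROJECT_TECH = {"java", "javascript", "web-browser", "server-application", "backend-systems"}
PROJECT_RISK = {"server-application": 5, "java": 4, "javascript": 3,
                "web-browser": 3, "backend-systems": 2}


def build_test_plan(technologies, risk, catalogue=CATALOGUE):
    """Greedy weighted set cover: repeatedly take the tool with the highest
    risk-weighted coverage of still-uncovered technologies per unit of cost.
    Returns the plan and the technologies that no tool in the catalogue covers."""
    uncovered = set(technologies)
    plan = []
    while uncovered:
        best, best_score = None, 0.0
        for tool in catalogue:
            gain = sum(risk.get(t, 1) for t in tool.covers & uncovered)
            if gain / tool.cost > best_score:
                best, best_score = tool, gain / tool.cost
        if best is None:
            break          # catalogue gap, e.g. an unsupported language or layer
        plan.append(best)
        uncovered -= best.covers
    return plan, sorted(uncovered)


def prioritise(plan, technologies, risk):
    """Re-order the plan so the tests addressing the most risk run first."""
    return sorted(plan, key=lambda tool: -sum(risk.get(t, 1) for t in tool.covers & technologies))


@dataclass(frozen=True)
class Reported:
    ident: str
    technology: str   # where the vulnerability lives
    source: str       # "security validation" or "external researcher"


# Constructed vulnerability reports that arrived after release.
REPORTED = [
    Reported("V-1", "java", "security validation"),
    Reported("V-2", "javascript", "external researcher"),
    Reported("V-3", "server-application", "security validation"),
    Reported("V-4", "runtime-container", "external researcher"),
    Reported("V-5", "backend-systems", "security validation"),
]

ACTIONS = {
    "covered": "a tool could have found it: check which release was scanned and the tool configuration",
    "newly covered": "gap closed since the report: a tool was added or reconfigured",
    "not covered": "gap remains: improve tool configuration or introduce a tool",
}


def classify(vuln, plan_then, plan_now):
    """covered: the plan in force when the release was tested had a tool for it;
    newly covered: only the current plan covers it; not covered: neither does."""
    if any(vuln.technology in t.covers for t in plan_then):
        return "covered"
    if any(vuln.technology in t.covers for t in plan_now):
        return "newly covered"
    return "not covered"


def coverage_metric(vulns, plan_then, plan_now):
    """Counts per class and the share of reports outside tool coverage,
    the quantity the slide's success criterion tracks."""
    counts = {k: 0 for k in ACTIONS}
    for v in vulns:
        counts[classify(v, plan_then, plan_now)] += 1
    share = 100.0 * counts["not covered"] / len(vulns) if vulns else 0.0
    return counts, share


if __name__ == "__main__":
    plan, gaps = build_test_plan(PROJECT_TECH, PROJECT_RISK)
    print("plan:", [t.name for t in prioritise(plan, PROJECT_TECH, PROJECT_RISK)], "gaps:", gaps)
    sast_only = [CATALOGUE[0]]        # the "only SAST" situation of slide 13
    for v in REPORTED:
        c = classify(v, sast_only, plan)
        print(f"{v.ident} ({v.technology}, {v.source}): {c}; {ACTIONS[c]}")
    counts, share = coverage_metric(REPORTED, sast_only, plan)
    print(counts, f"{share:.0f}% of reports outside tool coverage")
```

Two points the toy makes visible: a technology nothing in the catalogue covers comes back in `gaps` rather than being silently dropped, which is where manual testing or a new tool has to be scheduled; and a "covered" report is a process escape, not a tool gap, so the first question is whether the affected release was actually scanned with that configuration.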


Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

copy 2015 SAP SE All Rights Reserved Page 18 of 28

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but developer awareness is even more important.

copy 2015 SAP SE All Rights Reserved Page 19 of 28


Listen to Your Developers

We often talk about a lack of security awareness and thereby forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack.
• Do not expect your developers to become penetration testers (or security experts).

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy-to-understand fix recommendations
• Declare their "sweet spots"

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to
• Create easy-to-use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28
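The aside about SSL APIs is the clearest case of the point, and it can be shown rather than asserted. The block below is an added example for this page, not code from the talk or from SAP; it uses CPython's standard `ssl` module. `legacy_client_context` stands in for the hard-to-use API shape (a bare `SSLContext`, which in CPython still defaults to no certificate verification and no hostname check), `hardened_client_context` for the easy-to-use one (`ssl.create_default_context`), and `audit_client_context` is the check a reviewer or a CI unit test can run over every client context a code base constructs, each finding phrased as the fix. The only assumption is that `ssl.PROTOCOL_TLS`, deprecated since Python 3.10, is still present.

```python
from __future__ import annotations

import socket
import ssl
import warnings

# Added example, not code from the talk or from SAP. It contrasts two ways of
# obtaining a TLS client context from CPython's ssl module and audits them.


def legacy_client_context() -> ssl.SSLContext:
    """The hard-to-use API shape: a bare SSLContext. In CPython this still
    defaults to verify_mode=CERT_NONE and check_hostname=False, so a caller
    who forgets to configure verification gets an unauthenticated channel.
    Assumption: ssl.PROTOCOL_TLS is deprecated but still available."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


def hardened_client_context(cafile: str | None = None) -> ssl.SSLContext:
    """The easy-to-use shape: one call yields certificate verification against
    the system (or the given) CA store, hostname checking and a modern minimum
    protocol version. There is nothing for the caller to remember."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # explicit, independent of CPython's defaults
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings a reviewer or a CI unit test can raise against any client
    context the code base constructs; each finding names the fix."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified: set verify_mode = CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the host: set check_hostname = True")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS older than 1.2 is accepted: set minimum_version = TLSVersion.TLSv1_2")
    return findings


def accepts_anonymous_wrap(ctx: ssl.SSLContext) -> bool:
    """Does the context let a caller wrap a socket without naming the peer?
    With check_hostname on, CPython raises ValueError before any I/O, so the
    mistake cannot reach production; the legacy context accepts it silently.
    An unconnected socket is used, so no network traffic is generated."""
    raw = socket.socket()
    try:
        tls = ctx.wrap_socket(raw)          # no server_hostname supplied
    except ValueError:
        raw.close()
        return False
    tls.close()
    return True


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: anonymous wrap accepted = {accepts_anonymous_wrap(ctx)}")
        for finding in audit_client_context(ctx) or ["no findings"]:
            print(f"  - {finding}")
```

The difference that matters is behavioural, not documentary: the hardened context turns a forgotten `server_hostname` into a `ValueError` before a byte is sent, while the legacy one hands back a socket that will happily complete a handshake with anyone. That is what "easy to use securely" means in practice, and the audit function is the kind of automated check slide 21 asks for, usable in CI against every context a product creates.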

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S2DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development?
• Cloud/agile development lifecycle

[Figure: a timeline (t) with a sequence of deliveries.]

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

[Figure: the S2DL activities placed on the agile lifecycle: Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing (Static Testing, Dynamic Testing, Manual Testing, Security Validation), Secure Programming, Security Response.]

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks.)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: products are often offered both in the cloud (SaaS) and on premise.

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

http://xkcd.com/327

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 16: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Combining Multiple Security Testing Methods and Tools

Client Application

Web Browser

Server Application

Runtime Container

Backend Systems

Checkmarx

Fortify (Java)

DO

Min

ato

r

HP

We

bIn

sp

ect

IB

M A

pp

Sca

n

bull Risks of only using only SASTbull Wasting effort that could be used more wisely

elsewherebull Shipping insecure software

bull Examples of SAST limitationsbull Not all programming languages supportedbull Covers not all layers of the software stack

copy 2015 SAP SE All Rights Reserved Page 13 of 28

A Risk-based Test Plan

Select from a list of

predefined application

types

Implementation detaos eg programming languages frameworks

Priority of SAP Security

Requirements

Security Test Plan

RISK ASSESMENT

(eg SECURIM Threat Modelling OWASP ASVS) bull Combines multiple security testing methods eg

code scans dynamic analysis manual penetrationtesting or fuzzing

bull Selects the most efficient test tools and test casesbased on the risks and the technologies used in theproject

bull Re-adjusts priorities of test cases based on identifiedrisks for the project

bull Monitors false negative findings in the results of riskassessment

copy 2015 SAP SE All Rights Reserved Page 14 of 28

SAPrsquo Secure Software Development Lifecycle (S2DL)

Figure SAP SSDL

copy 2015 SAP SE All Rights Reserved Page 15 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

NewlyCovered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 18 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important

but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© 2015 SAP SE. All Rights Reserved. Page 29 of 28


A Risk-based Test Plan

Figure: the risk assessment (e.g. SECURIM, Threat Modelling, OWASP ASVS) takes as input the application type (selected from a list of predefined application types), the implementation details (e.g. programming languages, frameworks) and the priority of the SAP Security Requirements, and produces the Security Test Plan.

• Combines multiple security testing methods, e.g. code scans, dynamic analysis, manual penetration testing or fuzzing
• Selects the most efficient test tools and test cases based on the risks and the technologies used in the project
• Re-adjusts priorities of test cases based on identified risks for the project
• Monitors false negative findings in the results of risk assessment

SAP's Secure Software Development Lifecycle (S2DL)

Figure: SAP SSDL

Security Validation

• Acts as first customer
• Is not a replacement for security testing during development
• Security Validation
  • Checks for "flaws" in the implementation of the S2DL
  • Ideally, security validation finds
    • No issues that can be fixed/detected earlier
    • Only issues that cannot be detected earlier (e.g. insecure default configurations, missing security documentation)

Penetration tests in productive environments are different:
• They test the actual configuration
• They test the productive environment (e.g. cloud/hosting)

How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability

Figure: reported vulnerabilities classified as Covered, Not Covered and Newly Covered.

Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases
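As an added illustration of the measurement loop on this slide (example code written for this page, not SAP's tooling or data), the following Python classifies reported vulnerabilities against a constructed catalogue of the weakness classes the testing tools declare as their "sweet spots" and computes the percentage the slide uses as its success criterion. The catalogue, the ticket records, the follow-up texts and the reading of "newly covered" as "a tool covers the weakness class today, but the affected release shipped before it did" are assumptions made for the example.

```python
"""Classify reported vulnerabilities against tool coverage and compute the
"not covered" percentage. Constructed example: the tool catalogue and the
tickets below are invented for illustration and are not SAP data."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Coverage(Enum):
    COVERED = "covered"              # a tool covered this weakness class when the release shipped
    NEWLY_COVERED = "newly covered"  # a tool covers it today, but the release predates that coverage
    NOT_COVERED = "not covered"      # no tool in the pipeline claims this weakness class


@dataclass(frozen=True)
class ReportedVuln:
    vuln_id: str        # constructed ticket id
    source: str         # "security validation" or "external researcher"
    weakness: str       # weakness class named in the report
    release_year: int   # year the affected release shipped


# Constructed catalogue of the tools' declared "sweet spots":
# weakness class -> first year a tool in the pipeline covered it.
TOOL_COVERAGE_SINCE = {
    "sql-injection": 2010,
    "xss": 2010,
    "path-traversal": 2013,
}

# Follow-up the slide attaches to each outcome (wording is the example's own).
FOLLOW_UP = {
    Coverage.COVERED: "analyze why the tool missed it (configuration, rules, scan scope)",
    Coverage.NEWLY_COVERED: "older release: confirm the current release is scanned and clean",
    Coverage.NOT_COVERED: "improve tool configuration or introduce a new tool",
}

# Constructed sample of reports, as they arrive from validation and researchers.
SAMPLE_REPORTS = [
    ReportedVuln("CONSTRUCTED-1", "external researcher", "sql-injection", 2014),
    ReportedVuln("CONSTRUCTED-2", "security validation", "xss", 2008),
    ReportedVuln("CONSTRUCTED-3", "external researcher", "insecure-default-config", 2014),
    ReportedVuln("CONSTRUCTED-4", "security validation", "missing-security-docs", 2015),
    ReportedVuln("CONSTRUCTED-5", "external researcher", "path-traversal", 2012),
]


def classify(vuln, coverage_since=TOOL_COVERAGE_SINCE):
    """Place one report in the Covered / Newly Covered / Not Covered scheme."""
    since = coverage_since.get(vuln.weakness)
    if since is None:
        return Coverage.NOT_COVERED
    if vuln.release_year < since:
        return Coverage.NEWLY_COVERED
    return Coverage.COVERED


def triage(vulns, coverage_since=TOOL_COVERAGE_SINCE):
    """Return (ticket id, category, follow-up) for each report."""
    rows = []
    for v in vulns:
        category = classify(v, coverage_since)
        rows.append((v.vuln_id, category, FOLLOW_UP[category]))
    return rows


def measure(vulns, coverage_since=TOOL_COVERAGE_SINCE):
    """Counts per category and the slide's metric: share of reports no tool covers."""
    counts = Counter(classify(v, coverage_since) for v in vulns)
    total = sum(counts.values())
    pct = 100.0 * counts[Coverage.NOT_COVERED] / total if total else 0.0
    return {
        "counts": {c.value: counts[c] for c in Coverage},
        "pct_not_covered": round(pct, 1),
    }


def improved(previous, current):
    """The slide's success criterion: the not-covered share went up between two periods."""
    return current["pct_not_covered"] > previous["pct_not_covered"]


if __name__ == "__main__":
    for vuln_id, category, action in triage(SAMPLE_REPORTS):
        print(f"{vuln_id}: {category.value} -> {action}")
    print(measure(SAMPLE_REPORTS))
```

The split into three categories is what makes the metric usable: a "covered" report points at the tool configuration or scan scope, a "newly covered" one only confirms that the old release predates the tool, and the "not covered" share is the number the slide watches over time.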

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAP's S2DL

4 Lessons Learned

5 How Does This Resonate With Agile Development

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but

Developer awareness is even more important

Listen to Your Developers

We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack
• Do not expect your developers to become penetration testers (or security experts)

Security Testing for Developers

Security testing tools for developers need to
• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the dev env, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy to understand fix recommendations
• Declare their "sweet spots"

Collaborate

Security experts need to collaborate with development experts to
• Create easy to use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely
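To make the parenthetical about SSL APIs concrete, here is an added Python example (written for this page, not code from the talk or from SAP): the client context a developer commonly ends up with after silencing a certificate error, next to a hardened one, plus an audit function that a code review or a CI job can run against a context before any connection is made. It uses only the standard library's ssl module; the function names are the example's own.

```python
"""Contrast an insecure Python TLS client context with a hardened one and
audit either. Added example for this page; uses only the standard library."""
import ssl


def insecure_client_context():
    """The context a developer often ends up with after 'fixing' a certificate error.

    Both attributes are real ssl.SSLContext settings; the order matters, because
    verify_mode cannot be set to CERT_NONE while check_hostname is still enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # host name no longer matched against the certificate
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, or none at all, is accepted
    return ctx


def hardened_client_context():
    """A client context with the defaults an easy-to-use security API should have."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # pin the floor explicitly; refuse TLS 1.0/1.1
    return ctx


def audit_tls_context(ctx):
    """Return findings for a client context; an empty list means it verifies its peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: the certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version admits TLS 1.1 or older")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["ok"])
```

The audit is a property check on the context object, so it runs in a unit test without a network, which is the kind of instant feedback the previous slide asks of developer tooling; the two-line "fix" in the insecure variant is exactly what an API with safe defaults should make hard to write.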

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAP's S2DL

4 Lessons Learned

5 How Does This Resonate With Agile Development

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development
• Cloud/agile development lifecycle

Figure: timeline (t) of deliveries in a cloud/agile development lifecycle.

Secure Agile Development

Figure: secure agile development lifecycle with the elements Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming and Security Response.

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks.)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: Products are often offered in the cloud (SaaS) and on premise

Thank you

http://xkcd.com/327

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

© 2015 SAP SE. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 18: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

SAPrsquo Secure Software Development Lifecycle (S2DL)

Figure SAP SSDL

copy 2015 SAP SE All Rights Reserved Page 15 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

NewlyCovered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 18 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important

but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 19: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28

Security Validation

bull Acts as first customer

bull Is not a replacement for security testing during development

bull Security Validationbull Check for ldquoflawsrdquo in the implementation of the S2DLbull Ideally security validation findsbull No issues that can be fixeddetected earlierbull Only issues that cannot be detect earlier

(eg insecure default configurations missing security documentation)

Penetration tests in productive environments are different

bull They test the actual configuration

bull They test the productive environment (eg cloudhosting)

copy 2015 SAP SE All Rights Reserved Page 16 of 28


How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers

• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools

• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability

[Diagram: the reported vulnerabilities split into three groups: Covered, Not Covered, and Newly Covered by the security testing tools]

Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases

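As an added illustration (not from the talk, and not SAP data), the classification and the success metric of this slide worked through in Python on constructed findings: each reported vulnerability is placed into one of the three groups of the diagram, the per-release share of "not covered" findings is computed, and the slide's criterion is checked against it. The bug classes, release numbers and the coverage map are assumptions.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Bucket(Enum):
    """The three labels of the slide's diagram."""
    NOT_COVERED = "not covered"      # no tool in the pipeline targets this bug class
    COVERED = "covered"              # a tool targeted the class at the time and still missed it
    NEWLY_COVERED = "newly covered"  # a tool targets the class now, but only since a later release


# Follow-up action per bucket, as listed on the slide.
ACTION = {
    Bucket.NOT_COVERED: "improve tool configuration or introduce a new tool",
    Bucket.COVERED: "analyze the reason for missing the vulnerability",
    Bucket.NEWLY_COVERED: "vulnerability in an older software release; coverage was added later",
}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    reported_by: str   # "security validation" or "external researcher"
    bug_class: str     # e.g. "sqli" or "insecure default config"
    release: int       # release in which the vulnerability was found


# Constructed coverage map (an assumption, not SAP data): bug class -> first
# release whose pipeline ran a tool configured for that class; None = no tool.
TOOL_COVERAGE_SINCE: dict[str, Optional[int]] = {
    "sqli": 1,
    "xss": 1,
    "path traversal": 3,
    "insecure default config": None,
    "missing security documentation": None,
}


def classify(finding: Finding, coverage: dict[str, Optional[int]]) -> Bucket:
    """Place one reported vulnerability into a bucket of the diagram."""
    since = coverage.get(finding.bug_class)
    if since is None:
        return Bucket.NOT_COVERED
    if since > finding.release:
        return Bucket.NEWLY_COVERED
    return Bucket.COVERED


def bucket_counts(findings: Iterable[Finding], coverage: dict[str, Optional[int]]) -> Counter:
    """How many findings fall into each bucket."""
    return Counter(classify(f, coverage) for f in findings)


def not_covered_share(findings: Iterable[Finding],
                      coverage: dict[str, Optional[int]]) -> dict[int, float]:
    """Per release: percentage of reported vulnerabilities that no tool covers."""
    total: Counter = Counter()
    not_covered: Counter = Counter()
    for f in findings:
        total[f.release] += 1
        if classify(f, coverage) is Bucket.NOT_COVERED:
            not_covered[f.release] += 1
    return {r: round(100.0 * not_covered[r] / total[r], 1) for r in sorted(total)}


def meets_success_criterion(shares: dict[int, float]) -> bool:
    """The slide's criterion: the not-covered share rises release over release,
    i.e. what still reaches validation and researchers is increasingly outside
    the tools' reach rather than something they should have caught."""
    values = [shares[r] for r in sorted(shares)]
    return len(values) > 1 and all(b > a for a, b in zip(values, values[1:]))


# Constructed sample of reports, as they might arrive from validation and researchers.
SAMPLE_FINDINGS = [
    Finding("V-1", "security validation", "sqli", 1),
    Finding("V-2", "external researcher", "xss", 1),
    Finding("V-3", "external researcher", "path traversal", 1),  # tool only added in release 3
    Finding("V-4", "security validation", "insecure default config", 1),
    Finding("V-5", "external researcher", "sqli", 2),
    Finding("V-6", "security validation", "insecure default config", 2),
    Finding("V-7", "security validation", "missing security documentation", 2),
    Finding("V-8", "external researcher", "path traversal", 3),  # tool in place, still missed
    Finding("V-9", "security validation", "insecure default config", 3),
    Finding("V-10", "security validation", "missing security documentation", 3),
    Finding("V-11", "external researcher", "insecure default config", 3),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        b = classify(f, TOOL_COVERAGE_SINCE)
        print(f"{f.finding_id:5} {b.value:14} -> {ACTION[b]}")
    shares = not_covered_share(SAMPLE_FINDINGS, TOOL_COVERAGE_SINCE)
    print("not-covered share per release:", shares)
    print("success criterion met:", meets_success_criterion(shares))
```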

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAP's S2DL

4 Lessons Learned

5 How Does This Resonate With Agile Development?


Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers

• Yes, security awareness is important, but:

Developer awareness is even more important



Listen to Your Developers

We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack

• Do not expect your developers to become penetration testers (or security experts)


Security Testing for Developers

Security testing tools for developers need to

• Be applicable from the start of development

• Automate the security knowledge

• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration

• Provide easy-to-understand fix recommendations

• Declare their "sweet spots"


Collaborate

Security experts need to collaborate with development experts to

• Create easy-to-use security APIs (ever tried to use an SSL API securely?)

• Create languages and frameworks that make it hard to implement insecure systems

• Explain how to program securely

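An added example for the "easy to use security APIs" point (not part of the talk): with Python's standard `ssl` module, a hypothetical API shape that is easy to misuse is placed beside a hypothetical wrapper whose only code path is the verified one, plus a check that a code review or CI gate can run over every context an application builds. The function names `context_easy_to_misuse`, `secure_client_context`, `tls_connect` and `audit_context` are assumptions.

```python
import socket
import ssl
from typing import Optional


def context_easy_to_misuse(verify: bool = True) -> ssl.SSLContext:
    """The API shape the slide warns about (hypothetical): a single boolean
    silently switches off both certificate validation and hostname checking,
    and nothing stops a caller from passing verify=False to silence an error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verification is on by default ...
    if verify:
        ctx.load_default_certs()
    else:                                            # ... until one flag turns it off
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context(extra_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """An 'easy to use securely' wrapper (hypothetical): there is no switch to
    disable verification. The only extension point adds a trust anchor, such as
    an internal CA, which keeps validation on."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if extra_ca_file:
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


def tls_connect(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect through the wrapper; server_hostname is always supplied, so the
    hostname check cannot be skipped by accident."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return secure_client_context().wrap_socket(raw, server_hostname=host)


def audit_context(ctx: ssl.SSLContext) -> list:
    """A check a code review or CI gate can apply to every context the code
    base constructs; an empty list means the context verifies its peer."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname check disabled")
    return problems


if __name__ == "__main__":
    print("misusable API, verify=False:", audit_context(context_easy_to_misuse(verify=False)))
    print("misusable API, default     :", audit_context(context_easy_to_misuse()))
    print("secure wrapper             :", audit_context(secure_client_context()))
```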

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAP's S2DL

4 Lessons Learned

5 How Does This Resonate With Agile Development?


Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development

• Cloud/agile development lifecycle

[Figure: timeline t of the cloud/agile development lifecycle with the deliveries marked on it]


Secure Agile Development

[Figure: Secure Agile Development. Labels: Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response]


Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness?
    (Developers and their managers are also responsible for operational risks)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?

• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?

• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?

• The big challenge in practice: products are often offered in the cloud (SaaS) and on premise


Thank you

http://xkcd.com/327/

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker.
Developing secure software: A holistic approach to security testing.
Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014.
http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff.
Formal firewall conformance testing: An application of test and proof techniques.
Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015.
http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan.
Deploying static application security testing on a large scale.
In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0.
http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff.
On theorem prover-based testing.
Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043.
http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012


© 2015 SAP SE. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.



How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

NewlyCovered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 18 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important

but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAP's S²DL
  • Lessons Learned
  • How Does This Resonate With Agile Development?

How to Measure Success

• Analyze the vulnerabilities reported by
  • Security Validation
  • External security researchers
• Vulnerability not detected by our security testing tools
  • Improve tool configuration
  • Introduce new tools
• Vulnerability detected by our security testing tools
  • Vulnerability in older software release
  • Analyze reason for missing vulnerability

(Diagram labels: Covered, Not Covered, Newly Covered)

Success criteria: Percentage of vulnerabilities not covered by our security testing tools increases.

© 2015 SAP SE. All Rights Reserved. Page 17 of 28
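The classification flow on this slide, worked through in code as an added example that is not part of the keynote: constructed vulnerability reports are walked through the covered / not covered / newly covered decision and the stated success criterion is evaluated across two reporting periods. The field names, the tool baseline release and all sample reports are assumptions made for this example, not SAP's data or schema.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Coverage(Enum):
    """Labels from the slide's flow chart."""
    COVERED = "covered"              # a deployed tool finds this vulnerability
    NOT_COVERED = "not_covered"      # no deployed tool finds it
    NEWLY_COVERED = "newly_covered"  # found only after a config change / new tool


# Follow-up actions prescribed by the slide (wording constructed for this example).
ACTION_OLD_RELEASE = "vulnerability in older software release"
ACTION_ANALYZE_MISS = "analyze reason for missing vulnerability"
ACTION_IMPROVE_TOOLS = "improve tool configuration / introduce new tools"
ACTION_NONE = "no further action"


@dataclass(frozen=True)
class Report:
    """One vulnerability reported by Security Validation or an external researcher.

    Field names are constructed for this example; they are not SAP's schema.
    """
    vuln_id: str
    source: str                       # "security_validation" or "external_researcher"
    release: int                      # release in which the vulnerability was found
    tool_detects: bool                # does a currently deployed tool flag it?
    detected_after_improvement: bool = False  # flagged after tooling was improved?


# Constructed assumption: tools became mandatory from release 5 on; older
# releases were never scanned, so a report against them is expected.
TOOL_BASELINE_RELEASE = 5


def classify(report: Report, baseline: int = TOOL_BASELINE_RELEASE) -> tuple[Coverage, str]:
    """Walk the slide's decision flow and return (coverage class, follow-up action)."""
    if report.tool_detects:
        # Covered branch: the tool can find it, so why was it still reported?
        if report.release < baseline:
            return Coverage.COVERED, ACTION_OLD_RELEASE
        return Coverage.COVERED, ACTION_ANALYZE_MISS
    if report.detected_after_improvement:
        return Coverage.NEWLY_COVERED, ACTION_NONE
    # Not covered: the tooling itself has a gap.
    return Coverage.NOT_COVERED, ACTION_IMPROVE_TOOLS


def coverage_shares(reports: list[Report]) -> dict[Coverage, float]:
    """Fraction of reports per coverage class (0.0 for classes not present)."""
    counts = Counter(classify(r)[0] for r in reports)
    total = sum(counts.values())
    if total == 0:
        return {c: 0.0 for c in Coverage}
    return {c: counts[c] / total for c in Coverage}


def success_criterion_met(previous: list[Report], current: list[Report]) -> bool:
    """The slide's success criterion: the percentage of reported vulnerabilities
    that the tools do not cover increases from one period to the next.  Read as:
    the tools catch their own vulnerability classes before release, so what still
    gets reported is increasingly outside their scope."""
    return (coverage_shares(current)[Coverage.NOT_COVERED]
            > coverage_shares(previous)[Coverage.NOT_COVERED])


# Constructed sample data for two reporting periods.
PERIOD_1 = [
    Report("V-1", "security_validation", release=6, tool_detects=True),
    Report("V-2", "external_researcher", release=3, tool_detects=True),
    Report("V-3", "external_researcher", release=6, tool_detects=False),
    Report("V-4", "security_validation", release=6, tool_detects=True),
    Report("V-5", "external_researcher", release=6, tool_detects=False,
           detected_after_improvement=True),
]
PERIOD_2 = [
    Report("V-6", "external_researcher", release=7, tool_detects=False),
    Report("V-7", "external_researcher", release=7, tool_detects=False),
    Report("V-8", "security_validation", release=7, tool_detects=True),
    Report("V-9", "external_researcher", release=2, tool_detects=True),
]

if __name__ == "__main__":
    for r in PERIOD_1 + PERIOD_2:
        cov, action = classify(r)
        print(f"{r.vuln_id}: {cov.value:14} -> {action}")
    print("period 1 shares:", coverage_shares(PERIOD_1))
    print("period 2 shares:", coverage_shares(PERIOD_2))
    print("success criterion met:", success_criterion_met(PERIOD_1, PERIOD_2))
```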

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S²DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

© 2015 SAP SE. All Rights Reserved. Page 18 of 28

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers
• Yes, security awareness is important, but
  developer awareness is even more important.

© 2015 SAP SE. All Rights Reserved. Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack.
• Do not expect your developers to become penetration testers (or security experts).

© 2015 SAP SE. All Rights Reserved. Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

• Be applicable from the start of development
• Automate the security knowledge
• Be deeply integrated into the dev env, e.g.
  • IDE (instant feedback)
  • Continuous integration
• Provide easy-to-understand fix recommendations
• Declare their "sweet spots"

© 2015 SAP SE. All Rights Reserved. Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

• Create easy-to-use security APIs (ever tried to use an SSL API securely?)
• Create languages and frameworks that make it hard to implement insecure systems
• Explain how to program securely

© 2015 SAP SE. All Rights Reserved. Page 22 of 28

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S²DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

© 2015 SAP SE. All Rights Reserved. Page 23 of 28

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development
• Cloud/agile development lifecycle

(Figure: development timeline t with deliveries)

© 2015 SAP SE. All Rights Reserved. Page 24 of 28

Secure Agile Development

(Figure: secure agile development lifecycle, with the labels Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response)

© 2015 SAP SE. All Rights Reserved. Page 25 of 28

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks.)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: Products are often offered in the cloud (SaaS) and on premise.

© 2015 SAP SE. All Rights Reserved. Page 26 of 28

Thank you

http://xkcd.com/327

Dr. Achim D. Brucker, achim.brucker@sap.com, http://www.brucker.ch/


copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 23: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

NewlyCovered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 18 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important

but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 24: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

How to Measure Success

bull Analyze the vulnerabilities reported bybull Security Validationbull External security researchers

bull Vulnerability not detected by our security testingtools

bull Improve tool configurationbull Introduce new tools

bull Vulnerability detected by our security testing toolsbull Vulnerability in older software releasebull Analyze reason for missing vulnerability

Covered

Not Covered

NewlyCovered

Success criteriaPercentage of vulnerabilities not covered by our security testing tools increases

copy 2015 SAP SE All Rights Reserved Page 17 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 18 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important

but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

© 2015 SAP SE. All Rights Reserved. Page 28 of 28



Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S²DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

© 2015 SAP SE. All Rights Reserved. Page 18 of 28

Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers

• Yes, security awareness is important, but

Developer awareness is even more important

© 2015 SAP SE. All Rights Reserved. Page 19 of 28


Listen to Your Developers

We often talk about a lack of security awareness and, by doing so, forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack.

• Do not expect your developers to become penetration testers (or security experts).

© 2015 SAP SE. All Rights Reserved. Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

• Be applicable from the start of development

• Automate the security knowledge

• Be deeply integrated into the development environment, e.g.
  • IDE (instant feedback)
  • Continuous integration

• Provide easy-to-understand fix recommendations

• Declare their “sweet spots”

© 2015 SAP SE. All Rights Reserved. Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

• Create easy-to-use security APIs (ever tried to use an SSL API securely?)

• Create languages and frameworks that make it hard to implement insecure systems

• Explain how to program securely
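The two points above, that developer tools should automate security knowledge and give fix recommendations, and that an SSL API is easy to misuse, as an added example that is not from the slides: the common "quick fix" of switching certificate verification off beside a hardened setup, and a small check over Python's standard ssl module that reports such misconfigurations together with a recommendation. The ca_bundle path and the finding names are assumptions.

```python
"""Added example (not from the slides): why an SSL API is hard to use securely,
and what a developer-facing check with fix recommendations could look like.
Only Python's standard `ssl` module is used; everything runs offline."""
from __future__ import annotations

import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    check: str            # short identifier of the weakness found (assumed names)
    recommendation: str   # the "easy to understand fix recommendation"


def context_after_quick_fix() -> ssl.SSLContext:
    """Constructed weak configuration: a developer hit a certificate error in a
    test environment and 'fixed' it by switching verification off. Every
    connection made with this context now accepts any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain is no longer verified
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Secure configuration: verification stays on, the minimum protocol version
    is pinned, and a private CA bundle (hypothetical path) is loaded instead of
    disabling verification."""
    ctx = ssl.create_default_context()
    if ca_bundle is not None:
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[Finding]:
    """Inspect a context the way an IDE or CI check would and return findings
    with fix recommendations. An empty list means no issue was found."""
    findings: list[Finding] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(Finding(
            "certificate-verification-disabled",
            "Keep verify_mode=CERT_REQUIRED; for a private CA call "
            "load_verify_locations() instead of disabling verification."))
    if not ctx.check_hostname:
        findings.append(Finding(
            "hostname-check-disabled",
            "Set check_hostname=True so the certificate is tied to the host "
            "you intended to talk to."))
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(Finding(
            "legacy-tls-allowed",
            "Set minimum_version=TLSVersion.TLSv1_2 (or higher)."))
    return findings


if __name__ == "__main__":
    for name, ctx in (("quick fix", context_after_quick_fix()),
                      ("hardened", hardened_context())):
        print(name, [f.check for f in audit_context(ctx)])
```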

© 2015 SAP SE. All Rights Reserved. Page 22 of 28

Agenda

1. Background
2. Motivation
3. Risk-based Security Testing as Part of SAP's S²DL
4. Lessons Learned
5. How Does This Resonate With Agile Development?

© 2015 SAP SE. All Rights Reserved. Page 23 of 28

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, SCRUM, Cloud development

• Cloud/agile development lifecycle

[Figure: cloud/agile development lifecycle, drawn as a timeline t with deliveries]

© 2015 SAP SE. All Rights Reserved. Page 24 of 28

Secure Agile Development

[Figure: the secure agile development cycle. Labels: Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response]

© 2015 SAP SE. All Rights Reserved. Page 25 of 28

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28


Key Success Factors

• A holistic security awareness program for
  • Developers
  • Managers

• Yes, security awareness is important, but:

Developer awareness is even more important.


Listen to Your Developers

We are often talking about a lack of security awareness and, by that, forget the problem of lacking development awareness.

• Building a secure system is more difficult than finding a successful attack.

• Do not expect your developers to become penetration testers (or security experts).

Security Testing for Developers

Security testing tools for developers need to:

• Be applicable from the start of development

• Automate the security knowledge

• Be deeply integrated into the dev env, e.g.
  • IDE (instant feedback)
  • Continuous integration

• Provide easy to understand fix recommendations

• Declare their “sweet spots”

Collaborate

Security experts need to collaborate with development experts to:

• Create easy to use security APIs (ever tried to use an SSL API securely?)

• Create languages and frameworks that make it hard to implement insecure systems

• Explain how to program securely
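As an added illustration of the tool requirements listed under “Security Testing for Developers” and of the SSL-API point above (example code written for this page, not the talk's or SAP's own tooling): a small AST-based check for Python code that switches off TLS certificate validation, which works on source from the first commit, returns a CI exit code, attaches a fix recommendation pointing to the easy-to-use `ssl.create_default_context()` API, and declares its own sweet spot. The rule names TLS001 to TLS004, the fix texts and the sample input are constructed for this example; only the standard library is used.

```python
"""Developer-facing TLS-misuse check: constructed example, not SAP's tooling."""
import ast
import sys
from dataclasses import dataclass

# The check declares its sweet spot up front, so a clean run is never over-read.
SWEET_SPOT = (
    "Finds literal disabling of certificate validation: verify=False on any call, "
    "check_hostname = False, verify_mode = ssl.CERT_NONE, ssl._create_unverified_context(). "
    "It does not follow values through variables, config or environment."
)

@dataclass
class Finding:
    line: int
    rule: str
    message: str
    fix: str  # an actionable recommendation, not just a warning

def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False

class TlsMisuseChecker(ast.NodeVisitor):
    """Walks the AST and records each literal misuse together with its fix."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _report(self, node: ast.AST, rule: str, message: str, fix: str) -> None:
        self.findings.append(Finding(node.lineno, rule, message, fix))

    def visit_Call(self, node: ast.Call) -> None:
        # requests.get(url, verify=False) and friends: validation switched off per call.
        for kw in node.keywords:
            if kw.arg == "verify" and _is_false(kw.value):
                self._report(node, "TLS001", "certificate verification disabled with verify=False",
                             "remove verify=False; for a private CA pass verify='/path/to/ca-bundle.pem'")
        # ssl._create_unverified_context(): a context that trusts any certificate.
        if isinstance(node.func, ast.Attribute) and node.func.attr == "_create_unverified_context":
            self._report(node, "TLS002", "ssl._create_unverified_context() skips chain and hostname checks",
                         "use ssl.create_default_context(); load a private CA with load_verify_locations()")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # ctx.check_hostname = False / ctx.verify_mode = ssl.CERT_NONE weaken a good context.
        for target in node.targets:
            if not isinstance(target, ast.Attribute):
                continue
            if target.attr == "check_hostname" and _is_false(node.value):
                self._report(node, "TLS003", "hostname verification disabled",
                             "keep check_hostname=True; connect to the name on the certificate instead")
            if (target.attr == "verify_mode" and isinstance(node.value, ast.Attribute)
                    and node.value.attr == "CERT_NONE"):
                self._report(node, "TLS004", "verify_mode=CERT_NONE accepts any certificate",
                             "keep verify_mode=ssl.CERT_REQUIRED, the default of create_default_context()")
        self.generic_visit(node)

def check_source(source: str) -> list[Finding]:
    """Parses one Python source file and returns its findings sorted by line."""
    checker = TlsMisuseChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: (f.line, f.rule))

def run(source: str) -> int:
    """CI entry point: prints findings plus the sweet spot; exit code 1 if anything was found."""
    findings = check_source(source)
    for f in findings:
        print(f"line {f.line}: {f.rule} {f.message}\n    fix: {f.fix}")
    print(f"sweet spot of this check: {SWEET_SPOT}")
    return 1 if findings else 0

# Constructed sample input: the kind of code this check is meant to catch on day one.
SAMPLE = """\
import ssl
import requests

def fetch(url):
    return requests.get(url, verify=False)

def legacy_context():
    return ssl._create_unverified_context()

def tuned_context():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def out_of_scope(url):
    insecure = False  # flows through a variable: outside the declared sweet spot
    return requests.get(url, verify=insecure)
"""

if __name__ == "__main__":
    sys.exit(run(SAMPLE))
```

The last function in the sample is deliberately missed: it shows why the declared sweet spot matters when a developer reads a clean result.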

Agenda

1. Background

2. Motivation

3. Risk-based Security Testing as Part of SAP’s S²DL

4. Lessons Learned

5. How Does This Resonate With Agile Development?

Agile Development

• What is agile for you? SCRUM, Continuous Delivery, DevOps, Cloud development

• Cloud/agile development lifecycle

[Figure: timeline (t) showing deliveries over the cloud/agile development lifecycle]

Secure Agile Development

[Figure: secure agile development. Activities shown: Level of Trust, Risk Identification, Threat Modelling, Security Measures, Security Testing, PSC Security, Risk Mitigation & Testing, Static Testing, Dynamic Testing, Manual Testing, Security Validation, Secure Programming, Security Response]

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks.)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?

• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?

• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?

• The big challenge in practice: products are often offered in the cloud (SaaS) and on premise.

Thank you

http://xkcd.com/327/

Dr. Achim D. Brucker, achim.brucker@sap.com, http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 29: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Key Success Factors

bull A holistic security awareness program forbull Developersbull Managers

bull Yes security awareness is important but

Developer awareness is even more important

copy 2015 SAP SE All Rights Reserved Page 19 of 28

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 30: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Listen to Your Developers

We are often talking about a lack of security awareness and by thatforget the problem of lacking development awareness

bull Building a secure system more difficult than finding a successful attack

bull Do not expect your developers to become penetration testers (or security experts)

copy 2015 SAP SE All Rights Reserved Page 20 of 28

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 31: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Security Testing for Developers

Security testing tools for developers need to

bull Be applicable from the start ofdevelopment

bull Automate the security knowledge

bull Be deeply integrated into the dev enveg

bull IDE (instant feedback)bull Continuous integration

bull Provide easy to understand fixrecommendations

bull Declare their ldquosweet spotsrdquo

copy 2015 SAP SE All Rights Reserved Page 21 of 28

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

[Figure: Secure Agile Development process diagram; labels recovered from the figure]

• Level of Trust
• Risk Identification
• Threat Modelling
• Security Measures
• Security Testing
• PSC Security
• Risk Mitigation & Testing
  • Static Testing
  • Dynamic Testing
  • Manual Testing
• Security Validation
• Secure Programming
• Security Response

Open (Research) Questions

• Social aspects
  • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks.)
  • Does this impact the willingness to take (security) risks and/or the risk assessment?
• Process and organisational aspects
  • What services should be offered centrally?
  • How to ensure a certain level of security across all products?
  • How to ensure a certain level of security across the end-to-end supply chain?
• Technical and fundamental aspects
  • How do we need to adapt development support?
  • How do we need to adapt threat modelling or risk assessment methods?
  • How do we need to adapt security testing techniques?
• The big challenge in practice: products are often offered in the cloud (SaaS) and on premise

Thank you

http://xkcd.com/327

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff. Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff. On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 32: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Collaborate

Security experts need to collaborate with development experts to

bull Create easy to use security APIs (ever tried to use an SSL API securely)

bull Create languages and frameworks that make it hard to implement insecure systems

bull Explain how to program securely

copy 2015 SAP SE All Rights Reserved Page 22 of 28

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 33: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Agenda

1 Background

2 Motivation

3 Risk-based Security Testing as Part of SAPrsquos S2DL

4 Lessonrsquos Learned

5 How Does This Resonate With Agile Development

copy 2015 SAP SE All Rights Reserved Page 23 of 28

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 34: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Agile Development

bull What is agile for youSCRUM Continuous Delivery DevOps SCRUM Cloud development

bull Cloudagile development lifecycle

t

Deliveries

copy 2015 SAP SE All Rights Reserved Page 24 of 28

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

bull Social aspectsbull Does the SecDevOps model increase security awareness

(Developers and their managers are also responsible for operational risks)bull Does this impact the willingness to take (security) risks andor the risk assessment

bull Process and organisational aspectsbull What services should be offered centrallybull How to ensure a certain level of security across all productsbull How to ensure a certain level of security across the end-to-end supply chain

bull Technical and fundamental aspectsbull How do we need to adapt development supportbull How do we need to adapt threat modelling or risk assessment methodsbull How do we need to adapt security testing techniques

bull The big challenge in practiceProducts are often offered in the cloud (SaaS) and on premise

copy 2015 SAP SE All Rights Reserved Page 26 of 28

Thank you

httpxkcdcom327

Dr Achim D Bruckerachimbruckersapcomhttpwwwbruckerch

Related Publications

Ruediger Bachmann and Achim D Brucker

Developing secure software A holistic approach to security testingDatenschutz und Datensicherheit (DuD) 38(4)257ndash261 April 2014httpwwwbruckerchbibliographyabstractbachmannea-security-testing-2014

Achim D Brucker Lukas Bruumlgger and Burkhart Wolff

Formal firewall conformance testing An application of test and proof techniquesSoftware Testing Verification amp Reliability (STVR) 25(1)34ndash71 2015httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

Achim D Brucker and Uwe Sodan

Deploying static application security testing on a large scaleIn Stefan Katzenbeisser Volkmar Lotz and Edgar Weippl editors gi Sicherheit 2014 volume 228 of Lecture Notes in Informatics pages 91ndash101 gi March 2014ISBN 978-3-88579-622-0httpwwwbruckerchbibliographyabstractbruckerea-sast-expierences-2014

Achim D Brucker and Burkhart Wolff

On theorem prover-based testingFormal Aspects of Computing (FAC) 25(5)683ndash721 2013ISSN 0934-5043httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

copy 2015 SAP SE All Rights Reserved Page 28 of 28

copy 2015 SAP SE All rights reserved

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries

Business Objects and the Business Objects logo BusinessObjects Crystal Reports Crystal DecisionsWeb Intelligence Xcelsius and other Business Objects products and services mentioned herein as wellas their respective logos are trademarks or registered trademarks of Business Objects Software LtdBusiness Objects is an SAP companySybase and Adaptive Server iAnywhere Sybase 365 SQL Anywhere and other Sybase products andservices mentioned herein as well as their respective logos are trademarks or registered trademarks ofSybase Inc Sybase is an SAP companyAll other product and service names mentioned are the trademarks of their respective companies Datacontained in this document serves informational purposes only National product specifications mayvaryThe information in this document is proprietary to SAP No part of this document may be reproducedcopied or transmitted in any form or for any purpose without the express prior written permission ofSAP SEThis document is a preliminary version and not subject to your license agreement or any otheragreement with SAP This document contains only intended strategies developments andfunctionalities of the SAPreg product and is not intended to be binding upon SAP to any particular courseof business product strategy andor development Please note that this document is subject to changeand may be changed by SAP at any time without noticeSAP assumes no responsibility for errors or omissions in this document SAP does not warrant theaccuracy or completeness of the information text graphics links or other items contained within thismaterial This document is provided without a warranty of any kind either express or implied includingbut not limited to the implied warranties of merchantability fitness for a particular purpose ornon-infringementSAP shall have no liability for damages of any kind including without limitation direct special indirector consequential damages that may result from the use of these materials This limitation shall 
notapply in cases of intent or gross negligenceThe statutory liability for personal injury and defective products is not affected SAP has no control overthe information that you may access through the use of hot links contained in these materials and doesnot endorse your use of third-party Web pages nor provide any warranty whatsoever relating tothird-party Web pages

copy 2015 SAP SE All Rights Reserved Page 29 of 28

  • Background
  • Motivation
  • Risk-based Security Testing as Part of SAPs Smath text inlined[fg]math text inlinedfgmath text inlined[fg]math text inlinedfg2DL
  • Lessons Learned
  • How Does This Resonate With Agile Development
Page 35: ASSD Keynote First International Workshop on Agile Secure ... · SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms,

Secure Agile Development

Level of TrustLevel of Trust Risk IdentificationRisk Identification

Threat ModellingThreat Modelling

Security MeasuresSecurity

Measures

Security Testing

Security Testing

PSC SecurityPSC Security

Risk Mitigation amp TestingRisk Mitigation amp Testing

Static TestingStatic Testing

Dynamic TestingDynamic Testing

Manual TestingManual Testing

Security ValidationSecurity Validation

Secure ProgrammingSecure Programming

Security ResponseSecurity

Response

copy 2015 SAP SE All Rights Reserved Page 25 of 28

Open (Research) Questions

  • Social aspects
    • Does the SecDevOps model increase security awareness? (Developers and their managers are also responsible for operational risks.)
    • Does this impact the willingness to take (security) risks and/or the risk assessment?
  • Process and organisational aspects
    • What services should be offered centrally?
    • How to ensure a certain level of security across all products?
    • How to ensure a certain level of security across the end-to-end supply chain?
  • Technical and fundamental aspects
    • How do we need to adapt development support?
    • How do we need to adapt threat modelling or risk assessment methods?
    • How do we need to adapt security testing techniques?
  • The big challenge in practice: products are often offered in the cloud (SaaS) and on premise.

© 2015 SAP SE. All Rights Reserved. Page 26 of 28

Thank you

http://xkcd.com/327

Dr. Achim D. Brucker
achim.brucker@sap.com
http://www.brucker.ch/

Related Publications

Ruediger Bachmann and Achim D. Brucker.
Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. http://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014

Achim D. Brucker, Lukas Brügger, and Burkhart Wolff.
Formal firewall conformance testing: An application of test and proof techniques. Software Testing, Verification & Reliability (STVR), 25(1):34–71, 2015. http://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014

Achim D. Brucker and Uwe Sodan.
Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics, pages 91–101. GI, March 2014. ISBN 978-3-88579-622-0. http://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014

Achim D. Brucker and Burkhart Wolff.
On theorem prover-based testing. Formal Aspects of Computing (FAC), 25(5):683–721, 2013. ISSN 0934-5043. http://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012

© 2015 SAP SE. All Rights Reserved. Page 28 of 28

© 2015 SAP SE. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purposewithout the express permission of SAP SE The information contained herein may be changedwithout prior noticeSome software products marketed by SAP SE and its distributors contain proprietary softwarecomponents of other software vendorsMicrosoft Windows Excel Outlook and PowerPoint are registered trademarks of MicrosoftCorporationIBM DB2 DB2 Universal Database System i System i5 System p System p5 System xSystem z System z10 System z9 z10 z9 iSeries pSeries xSeries zSeries eServer zVMzOS i5OS S390 OS390 OS400 AS400 S390 Parallel Enterprise Server PowerVM PowerArchitecture POWER6+ POWER6 POWER5+ POWER5 POWER OpenPower PowerPCBatchPipes BladeCenter System Storage GPFS HACMP RETAIN DB2 Connect RACFRedbooks OS2 Parallel Sysplex MVSESA AIX Intelligent Miner WebSphere Netfinity Tivoliand Informix are trademarks or registered trademarks of IBM CorporationLinux is the registered trademark of Linus Torvalds in the US and other countriesAdobe the Adobe logo Acrobat PostScript and Reader are either trademarks or registeredtrademarks of Adobe Systems Incorporated in the United States andor other countriesOracle is a registered trademark of Oracle CorporationUNIX XOpen OSF1 and Motif are registered trademarks of the Open GroupCitrix ICA Program Neighborhood MetaFrame WinFrame VideoFrame and MultiWin aretrademarks or registered trademarks of Citrix Systems IncHTML XML XHTML and W3C are trademarks or registered trademarks of W3Creg World WideWeb Consortium Massachusetts Institute of TechnologyJava is a registered trademark of Sun Microsystems IncJavaScript is a registered trademark of Sun Microsystems Inc used under license fortechnology invented and implemented by NetscapeSAP R3 SAP NetWeaver Duet PartnerEdge ByDesign SAP BusinessObjects ExplorerStreamWork and other SAP products and services mentioned herein as well as theirrespective logos are trademarks or registered trademarks of SAP SE 
in Germany and othercountries
