
Finding vulnerabilities in your software before attackers do Supported by Her Majesty’s Government and U.S. Department of Homeland Security, Science &


Slide 1: Finding vulnerabilities in your software before attackers do
Supported by Her Majesty's Government and the U.S. Department of Homeland Security, Science & Technology Directorate
Secure Decisions presents Anita D'Amico, 17 September 2014

Slide 2
- 1.2B user names and passwords stolen via an SQL injection (SQLi) exploit; $3M to clean up and upgrade
- Heartbleed bug: > 600,000 servers, $1B to remedy
- 90% of cyber incidents are traced to software flaws
- Critical infrastructure (financial, power, health) can be disabled via software flaws
- Bug bounties: Google pays "white hat" hackers up to £12,300 ($20k) to find vulnerabilities in its web browser before the attackers do; Microsoft offers as much as £92,600 ($150k)

Slide 3: Why is non-secure software even shipped?
- Ignorance: Most developers don't know how to find and fix vulnerabilities
- Expense: Commercial tools (e.g. HP Fortify, IBM AppScan) that find security flaws during development often cost > $100,000 a year
- Difficulty: "Free" open source tools (FindBugs, cppcheck, Jlint, others) are hard to configure and their results are hard to interpret; thousands of reported vulnerabilities are hard to prioritize
- Incomplete coverage: On average, a single code analysis tool finds only 14% of vulnerabilities; several tools must be run on a single code base to find even half of them
- Inconsistent results: Each tool outputs in a different format, so results are hard to compare

Slide 4: Code Dx solution
1. Combines multiple tools: Imports and correlates results from multiple tools, both commercial and open source
2. Easy to compare results: Normalizes results onto a common severity scale
3. Prioritization: Visual analytics to rapidly triage results and remove false positives
4. Easy to use: Bundles in and automatically runs language-specific open source tools, for use with or without commercial tools
5. Affordable: Standard Edition starts at $2,500; Enterprise Edition $9,700
6. Builds awareness: Free educational version builds a new, educated consumer base and target market
Find, prioritize, and visualize software vulnerabilities – fast and affordably

Slide 5: Who benefits from Code Dx?
- Software developers: Find and fix problems during development
- Security analysts: Assess the security of software as it is developed
- Security auditors: Check for regulatory compliance
- Acquisition authorities: Confirm software is secure
Aggregate Application Security Testing market is projected to be $1B in 2014, with CAGR of 20%.

Slide 6: Regulatory compliance is driving market growth
- Regulatory compliance is a major driver in the growing adoption of application security testing tools
- The next major version of Code Dx will show which vulnerabilities are violations of compliance standards
- Recent pricing requests are for 2,500 users, far exceeding our original estimate of typical adoption patterns by customers

Slide 7: Available now!

Slide 8

Slide 9: Extra slides that may be needed to answer questions

Slide 10: Code Dx competitive advantages
Standard Edition – Leverage open source for those with earthly budgets
- Overcomes the cost barrier of commercial tools: HP Fortify, IBM AppScan, Parasoft, and others are six-figure investments
- Easier to use: automatically configures and runs open source application security testing tools so you don't have to
- Combines tool results in a way that makes sense, giving one clear picture of the data
Enterprise Edition – Extract more value from costly commercial tools
- Improves vulnerability coverage by adding results of several open source tools to those already gathered by commercial tools and manual analysis
- Normalizes results to the same severity scales, making triage less painful
- Correlates results of multiple commercial tools; removes overlapping results
- Allows the consumer to expand beyond a single tool supplier and get unified results

Slide 11: Go-to-market strategy
Operational pilots in state and federal agencies
- Supported by our DHS sponsor
- Experience with operational users refines usability, scalability, and value proposition
Government sales
- Extended pricing model to accommodate price quotes for 2,500 users
- Looking for the right US government reseller
Commercial sales
- "Try before you buy" on Standard Edition
- Affordability attracts a new consumer base
- Users of other commercial tools can buy Code Dx to add value to their current investment at a very low price

Slide 12: Visual analytics for triage, remediation, and communication
- Workflows tailored to each type of user
- Interactive, powerful filtering
- Visualize thousands of weaknesses in a single view
- Quickly and effectively triage large weakness lists

Slide 13: Single interface for correlated results from multiple tools
Screenshot callouts: normalized severities; tool attribution; correlated standards mappings; totals from all 5 tools; overlap detection; correlated source code mappings

