Centralized Secure Vault with Dimensions CM
1 like•543 views
The document discusses security breaches that occur through third party systems and vendors. It describes how attackers were able to access Target's corporate network by compromising a refrigeration contractor called Fazio Mechanical through a phishing email. This allowed malware called Citadel to be installed on Fazio computers. The document also discusses the importance of implementing a secure software development lifecycle (SDLC) and using tools like Dimensions CM to integrate code reviews, continuous inspection, and maintain a centralized secure vault for source code repositories.
Centralized Secure Vault with Dimensions CM
- 1. 1 FUG2016Copyright © Serena Software 2016 WE OWN IT! Centralized Secure Vault with Dimensions CM Rose M Wellman Sr Mgr, Solutions Architects
- 2. 2 FUG2016 What do these number represent?
- 3. 3 FUG2016 That We Know About
- 4. 4 FUG2016 Security Breaches Change Over Time Open the safe! Amateur!
- 6. 6 FUG2016 Breaches by 3rd Party Systems • The attackers backed their way into Target's corporate network by compromising a third-party vendor. The number of vendors targeted is unknown. However, it only took one. That happened to be Fazio Mechanical, a refrigeration contractor. • A phishing email duped at least one Fazio employee, allowing Citadel, a variant of the Zeus banking trojan, to be installed on Fazio computers. With Citadel in place, the attackers waited until the malware offered what they were looking for -- Fazio Mechanical's login credentials. • At the time of the breach, all major versions of enterprise anti- malware detected the Citadel malware. Unsubstantiated sources mentioned Fazio used the free version of Malwarebytes anti-malware, which offered no real-time protection being an on-demand scanner. (Note: Malwarebytes anti-malware is highly regarded by experts when used in the correct manner.)
- 7. 7 FUG2016 Everyone is a Target
- 8. 8 FUG2016 Ensuring Security in Today’s World
- 12. 12 FUG2016 Requirements • Establish security requirements/stories • Define security tests Development • Peer code reviews • Static Analysis Testing • Vulnerability testing • Penetration testing Release • Software quality review • Release readiness review Secure SDLC
- 13. 13 FUG2016 Serena Dimensions CM - Integrated Peer Code Review Develop with velocity - collaboratively, securely and efficiently Key Capabilities • Collaborative web based architecture • Integrates with Agile stories and requests • Linked to Continuous Inspection • Strengthens audit trail & governance • Configurable for Projects & Teams Value Benefits • Improved code quality • Find 70-90% of all defects earlier • Cost reduction • Save up to 30% of re-work hours • Developer productivity • Up to 25% improvement in coding Peer Reviews in Software - A Practical Guide by Karl E. Wiegers
- 14. 14 FUG2016 Serena Dimensions CM – Continuous Inspection Toolchain Develop with velocity - collaboratively, securely and efficiently Key Capabilities • Extensible plug-in architecture • Schedule & inspect code changes • Report findings & vulnerabilities • Aggregated KPI Metrics • Supports DevOps “Shift-Left” Value Benefits • Display results in code review • Real-time developer feedback • Reduce coding risks & issues • Monitor code health & quality • Speed release readiness "Given enough eyeballs, all bugs are shallow." The Cathedral and the Bazar —Eric Raymond
- 15. 15 FUG2016 • Code Hygiene • Refers to the “cleanliness” of an application – in particular, minimizing vulnerabilities and code complexity. • Good code hygiene requires visibility into all the components used to build the application. • Several activities in the software development lifecycle support good code hygiene, including threat modeling and automated testing (i.e., static and dynamic analysis). • The shortcoming of each of these activities is that they only provide a point-in-time snapshot of code hygiene, and can’t account for a changing threat space. • You have to continuously monitor or continuously apply good hygiene. • More than 4,000 new vulnerabilities were disclosed by the National Vulnerability Database in open- source components in 2014 alone. The fact that your open-source code bases are free from vulnerabilities today doesn’t mean you can ignore them for the next year. • OWASP Dependency-Check Open Source
- 17. 17 FUG2016 Problem – Repository Sprawl • DevOps driving option of Git • Repository Sprawl • Multiple Source Code Repos • Individually Managed/Maintained • Security? • Reliability? • Cross-team collaboration? • Audit trail?
- 18. 18 FUG2016 No Built-in Security and Authorization • Read/Write security on all objects • Group role assignments • Full audit trail of all objects
- 19. 19 FUG2016 Git/SVN Goes into the Dimensions CM Secure Vault Release Control Dev DevOps Ops Dimensions CM Deployment Automation CM Secure Vault ChangeMan ZMF Deployment pipeline Deployment pipeline Deployment pipeline Deployment pipeline
- 20. 20 FUG2016 Better Solution – Git Connector Dimensions CM Vault Dimensions CM Deployment Pipeline Serena Deployment Automation Dimensions CM = Git Master Repository Dimensions CM Pulse DimensionsCM GitConnector
- 21. 21 FUG2016 • The Developers don’t have to change the tools they are using • The Business gets the control it needs – Single source of truth – Enterprise Security – Robust and scalable • With the additional value of Dimensions CM – Continuous Inspection – Enterprise Change Management – Control over path to production – Full audit trail across all components Dimensions CM Git Connector Benefit
- 22. 22 FUG2016 Customer Quotes “ We’re a bank not a startup, and we need to be using appropriate tools to ensure the integrity and security of change, not tools that add to a developers resume. We don’t want to be the next big headline! ” Richard landoli SVP QA Brown Brothers Harriman “ The visibility and insight that Dimensions CM 14 provides, allows us to see if we are converging to quality or diverging from quality in real time. ” Ken Vane IT Change & Configuration Manager, Navy Federal Credit Union