Building an Effective SDLC Program: Case Study
Guy Bejerano, CSO, LivePerson; Ofer Maor, CTO, Seeker Security


Page 1: Building an Effective SDLC Program: Case Study

Building an Effective SDLC Program: Case Study

Guy Bejerano, CSO, LivePerson
Ofer Maor, CTO, Seeker Security

Page 2

The Next 45 Min

• SDLC – Why Do We Bother?
• Vendor Heaven – Sell All You Can Sell
• Finding Your Path in The Jungle - Assembling The Puzzle to Build a Robust SDLC Program

Data & Insights based on our experience @ LivePerson

Page 3

Seeker Security

• Formerly Hacktics® (Acquired by EY)
• New Generation of Application Security Testing (IAST)
• Recognized as Top 10 Most Innovative Companies at RSA® 2010
• Recognized as “Cool Vendor” by Gartner

Identify, Demonstrate & Mitigate Critical Application Business Risk

Page 4

LivePerson

• Monitor web visitor’s behavior (Over 1.2 B visits each month)
• Providing Engagement platform (Over 10 M chats each month)
• Deploying code on customers’ websites
• SAAS in a full Multi-tenancy environment
• Process and Store customers’ data on our systems

Page 5

Providing Service to Some of the Biggest

Page 6

Cloud Motivation for Building Secure Code

• Reputation in a social era
• Risk Characteristics
  • Cyber Crime – Financial motivation
  • Systems are more accessible and Perimeter protection is not enough
• Legal liability and cost of non-compliance
• Customers (over 15 application pen-tests in the past year)

Page 7

The Impact of Security Bugs in Production

• Highly expensive to fix (4X the cost of fixing during the dev process)
• We are not focusing on the upside
• Creates friction – Externally and Internally

Page 8

Back in the Waterfall Days

Phases: Design, Development, QA, Rollout

• Security Requirements
• 3rd party Pen-Testing
• Bug Fixing
• Customer Testing

Challenges
• Accuracy of Testing
• Same Findings Repeating
• Internal Friction Still Exists

Page 9

And Then We Moved to Agile

Sprint: Plan, Sprint & Regression, Rollout

• Security Requirements
• In Production: Customer Testing, 3rd party Pen-Testing

Challenges
• Shorter Cycle (Design, Bug Fixing)
• Greater Friction

Page 10

The Solution Matrix

Vendor Heaven – Infinite Services, Products, Solutions & Combinations

• In House / Outsourced
• Services / Product / SaaS
• Manual / Automated
• Blackbox / Whitebox
• Penetration Test / Code Review
• DAST / SAST / IAST

Page 11

The Solution Matrix - Considerations

In-House / Outsourced
• Skills
• Availability
• Cost
• Repeatability
• SDLC Integration

Service / Product / SaaS (Manual / Automated)
• Accuracy (False Positives, False Negatives)
• Skills / Quality
• Repeatability
• Ease of Use
• SDLC Integration
• Intellectual Property
• Coverage

DAST / SAST / IAST (PT / CR, Black / White Box)
• Accuracy (False Positives, False Negatives)
• Quality of Results
• Pinpointing Code
• Data Handling / Validation
• Ease of Operation
• 3rd Party Code
• Scale

Page 12

How to Assemble All the Pieces?

Define Your Playground
• Risk – Web, Data, Multi-Tenancy
• Customers – SLA, Standards

Choose a Framework

Who Leads This Program
• Highly Technical Organization (System Owners, Scrum Masters, Tech Leaders)

Knowledge – Who & How
• Hands-On… QA First
• On-going sessions

Page 13

How to Assemble All the Pieces?

Fitting Tools to Platform and Development Process
• Java – Multi-Tier
• Agile Methodology
• JIRA (For bug tracking)

Define Operational cycle
• Key Performance Indicators
• Operational Review (by system owners)

Pen-Test Strategy
• 3rd Party
• Blackbox
• Pre-defined flows to check

Page 14

SDLC Take #2

Sprint: Plan, Sprint & Regression, Rollout

• Security Design
• In Production: Customer Testing, 3rd party Pen-Testing

Program elements
• Budgeted “Certification” Program
• R&D / QA Ownership (Tech Leaders & System Owners)
• Knowledge (Hands-On Training + On-Going Sessions)
• Embedded Bug Tracking in Dev Tools
• Static Code Analysis
• Runtime/Dynamic Code Analysis

Page 15

Thank You!

Q&A