SlideShare a Scribd company logo

Industrial Challenges of Secure Software Development

Achim D. Brucker
Achim D. Brucker

This document discusses the challenges of secure software development at an industrial scale. It describes SAP's secure software development lifecycle process, which includes training, threat modeling, security testing, validation, and response. It then discusses some of the key challenges for industrial software development, including scalability issues due to large codebases, maintenance challenges due to modular code, and the difficulty of achieving complete security or automation. The document argues for more research in risk-based and economic approaches to security, as well as techniques for composable, automated security testing of integrated software systems.

Software
1 of 41
Download to read offline
Industrial Challenges of Secure Software Development Achim D. Brucker achim.brucker@sap.com SAP SE Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany CSP Forum Cluster Workshop, Florence, Italy October 8, 2014
Agenda 1 Introduction & Motivation 2 Secure Software Development at SAP 3 Challenges in Industrial Software Development 4 Discussion About Future Research Directions © 2014 SAP SE. All Rights Reserved. Page 4 of 30
Fact Sheet: SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms, e.g., • In-memory database and application server (HANA) • Netweaver for ABAP and Java • More than 25 industries • 63% of the world’s transaction revenue touches an SAP system • More than 67 000 employees worldwide • Headquartered in Walldorf, Germany (close to Heidelberg) © 2014 SAP SE. All Rights Reserved. Page 5 of 30
Costs of Vulnerabilities (Attacks on IT Systems) • TJX Company, Inc. (2007) $ 250 million • Sony (2011) $ 170 million • Heartland Payment Systems (2009) $ 41 million “ A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts. (http://financialedge.investopedia.com/financial-edge/0711/Most-Costly-Computer-Hacks-Of-All-Time.aspx) © 2014 SAP SE. All Rights Reserved. Page 6 of 30
Vulnerability types of CVE reports since 1999 Execute Code 28% Denial of Service 17% Overflow 12% XSS 11% SQL Injection 8% Gain Information 5% Bypass Something 4% Other 15% • Causes for most vulnerabilities are • programming errors • configuration errors • Patching • is expensive • may introduce new bugs How can we ensure that no vulnerable code is shipped? © 2014 SAP SE. All Rights Reserved. Page 7 of 30
Agenda 1 Introduction & Motivation 2 Secure Software Development at SAP 3 Challenges in Industrial Software Development 4 Discussion About Future Research Directions © 2014 SAP SE. All Rights Reserved. Page 8 of 30
Secure Software Development Lifecycle Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response © 2014 SAP SE. All Rights Reserved. Page 9 of 30
Secure Software Development Lifecycle Training Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response • Goals: • Create security awareness across all areas and roles • Role-specific education, e.g., in development (examples): • Threat modeling • Secure Programming: ABAP, Java, C/C++ • Security testing (including static analysis) • Security expert curriculum • one year (part-time) • official job specialization © 2014 SAP SE. All Rights Reserved. Page 10 of 30
Secure Software Development Lifecycle Requirements: SAP Product Standard Security Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response Security and data protection requirements for all products 1 Regulatory Compliance • SAP software shall be able to log security relevant events 2 Data Protection and Privacy • SAP software shall support erasure of personal data 3 Vulnerability Prevention • SAP software shall be free of SQL Injection vulnerabilities 4 Strategy and Attack Surface Reduction • SAP products shall support to be deployed and run securely in segmented networks © 2014 SAP SE. All Rights Reserved. Page 11 of 30
Secure Software Development Lifecycle Requirements and Design: Threat Modeling Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response Workshops with • Threat modeling experts • Security experts • Product owner • Architect • . . . Systematic analysis, e.g., • What data is stored on device? • How is the user authenticated? © 2014 SAP SE. All Rights Reserved. Page 12 of 30
Secure Software Development Lifecycle Implementation: Security Testing Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response • Goal: ensure that security controls are effective • Static analysis since 2010 mandatory for all products Language Tool Vendor ABAP Netweaver CVA SAP C/C++ Coverity Coverity JavaScript, Ruby Checkmarx Checkmarx Others Fortify HP • Additional security testing activities based on requirements and design (IBM AppScan, HP WebInspect, Burp Suite, Fuzzers, own tooling, . . . ) © 2014 SAP SE. All Rights Reserved. Page 13 of 30
Secure Software Development Lifecycle Validation Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response Before shipment: • Check that products comply to SAP standards • Important part: penetration testing • Executed by independent group within SAP • Validates quality of previous steps in SSDL © 2014 SAP SE. All Rights Reserved. Page 14 of 30
Secure Software Development Lifecycle Response Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response After shipment: • Handle security related bug reports • Monitor external security community • Organize roll-out of security patches © 2014 SAP SE. All Rights Reserved. Page 15 of 30
Secure Software Development Lifecycle Training Requirements Design Implementation Validation Shipment Response Outsourcing Acquisition © 2014 SAP SE. All Rights Reserved. Page 16 of 30
So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. © 2014 SAP SE. All Rights Reserved. Page 17 of 30
So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): © 2014 SAP SE. All Rights Reserved. Page 17 of 30
So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: © 2014 SAP SE. All Rights Reserved. Page 17 of 30
So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: • It supports also a mode that reports no false positives: © 2014 SAP SE. All Rights Reserved. Page 17 of 30
So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: • It supports also a mode that reports no false positives: • Note: • There are sound or complete tools, but only for specific domains • In practice, • requirements are not formal enough to be sound and complete • scalability is very important • modularity is very important © 2014 SAP SE. All Rights Reserved. Page 17 of 30
Agenda 1 Introduction & Motivation 2 Secure Software Development at SAP 3 Challenges in Industrial Software Development 4 Discussion About Future Research Directions © 2014 SAP SE. All Rights Reserved. Page 18 of 30
The Scalability Challenge • Increase in© 2014 SAP SE. All Rights Reserved. Page 19 of 30
The Software Maintenance Challenge (Modularity) © 2014 SAP SE. All Rights Reserved. Page 20 of 30
The Software Maintenance Challenge (Modularity) 0 20.000 40.000 60.000 80.000 100.000 120.000 1998 2004 2012 No. of Systems No. of Customers © 2014 SAP SE. All Rights Reserved. Page 20 of 30
The Software Maintenance Challenge (Modularity) 0 20.000 40.000 60.000 80.000 100.000 120.000 140.000 1998 2004 2012 No. of Systems No. of Customers Example Product Release EOL ext. EOL Windows XP 2001 2009 2014 Windows 8 2012 2018 2023 Red Hat Ent. Linux 2012 2020 2023 © 2014 SAP SE. All Rights Reserved. Page 20 of 30
Agenda 1 Introduction & Motivation 2 Secure Software Development at SAP 3 Challenges in Industrial Software Development 4 Discussion About Future Research Directions © 2014 SAP SE. All Rights Reserved. Page 21 of 30
Security is not a Binary Property “ Systems are either secure or insecure. • Security is only one property out of many: • Usability • New features • Time-to-market • We will never achieve 100% security • Question: Where should I spent my (limited) budget? Or: What is the risk of not fixing an issue and how to balance it with other requirements? • Claim: We need more research in • risk-based security • security economics (cost of fixing vs. costs of not fixing, etc.) © 2014 SAP SE. All Rights Reserved. Page 22 of 30
Soundness is not Binary Either “ Security testing methods should be sound. • Observations: • Proving soundness seems to be a prerequisite for getting an academic paper accepted. • (Nearly) no “real-world” tool is sound (the underlying method/theory might be sound) • Even worse: your sound tool will not report anything, on our frameworks • What I need (from vendors/researchers) to provide the best “blend” to my developers: • A Clear specification what it “in-scope” • A Clear specification what it “out-scope” • Test cases that validate the expected behavior (e.g., similar to qualification kits for DO178C) • Claim: We need more research in • “well-defined” unsound security testing methods • clear specifications of unsoundness • test sets for comparing security testing tools • extension/adaption points for security testing tools • If you want to read more: http://www.soundiness.org © 2014 SAP SE. All Rights Reserved. Page 23 of 30
Automation is Too important to Lie “ My tool is fully automated • No, it is (usually) not. And, btw, calling it interactive does not help either • Again, clearly specify • what is automated • what needs to be configured “one-time” • what needs to be done manually/interactively “on each use” • Claim: We need more research in • “automating” the knowledge of security experts • automation of “learning new frameworks and policies” • closing the gap between security (non-functional) and functional testing • need to be integrated into development and built environments • instant feedback (could be imprecise) • on each check-in • nightly/weekly (high quality, should generate compliance reports) © 2014 SAP SE. All Rights Reserved. Page 24 of 30
Software is Not Developed on The “Greenfield” “ Security testing is done by the developer of a software component • Observations: • Software evolves over time (both, on-premise and Cloud): small changes are the norm • Software is build using • Free and Open Source Software • third party libraries (closed source) • assets of acquired companies As vendor, you are responsible for all code you ship to customers • Claim: We need more research in • composable security testing techniques, e.g., • impact/change analysis for selecting (security) test cases • automated inference of security specifications of software components • in pushing security testing across the whole software supply chain • techniques that generate “security certificates” • formats and guidelines for exchanging “security test tool configurations” © 2014 SAP SE. All Rights Reserved. Page 25 of 30
Thank you! http://xkcd.com/327/
Bibliography I Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics (LNI), pages 91–101. GI, March 2014. © 2014 SAP SE. All Rights Reserved. Page 27 of 30
Part II Appendix
A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for selecting all users with “userName” from table “user” © 2014 SAP SE. All Rights Reserved. Page 29 of 30
A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" © 2014 SAP SE. All Rights Reserved. Page 29 of 30
A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" © 2014 SAP SE. All Rights Reserved. Page 29 of 30
A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" • Resulting in the following statement: stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’’ or ’1’=’1’;" © 2014 SAP SE. All Rights Reserved. Page 29 of 30
A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" • Resulting in the following statement: stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’’ or ’1’=’1’;" • Which is equivalent to stmt = "SELECT * FROM ‘users‘;" selecting the information of all users stored in the table ‘users’! © 2014 SAP SE. All Rights Reserved. Page 29 of 30
A Bluffers Guide to SQL Injection (2/2) void selectUser(HttpServletRequest req, HttpServletResponse resp) throws IOException { String userName = req.getParameter("fName"); // source String stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName +"’;" SQL.exec(stmt); //sink } • Many vulnerabilities have similar causes: • cross-site-scripting (XSS), code-injection, buffer-overflows, . . . • Root cause of a wide range of vulnerabilities • “bad” programming • mis-configuration • Warning: • for preventing SQL injections, consider the use of prepared statements • do whitelisting (specify what is allowed) and do not blacklisting © 2014 SAP SE. All Rights Reserved. Page 30 of 30
A Bluffers Guide to SQL Injection (2/2) void selectUser(HttpServletRequest req, HttpServletResponse resp) throws IOException { String userName = req.getParameter("fName"); // source String stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName +"’;" SQL.exec(stmt); //sink } • Many vulnerabilities have similar causes: • cross-site-scripting (XSS), code-injection, buffer-overflows, . . . • Root cause of a wide range of vulnerabilities • “bad” programming • mis-configuration • Warning: • for preventing SQL injections, consider the use of prepared statements • do whitelisting (specify what is allowed) and do not blacklisting © 2014 SAP SE. All Rights Reserved. Page 30 of 30
A Bluffers Guide to SQL Injection (2/2) void selectUser(HttpServletRequest req, HttpServletResponse resp) throws IOException { String userName = req.getParameter("fName"); // source userName = Security.whitelistOnlyLetter(userName); // sanitation String stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName +"’;" SQL.exec(stmt); //sink } • Many vulnerabilities have similar causes: • cross-site-scripting (XSS), code-injection, buffer-overflows, . . . • Root cause of a wide range of vulnerabilities • “bad” programming • mis-configuration • Warning: • for preventing SQL injections, consider the use of prepared statements • do whitelisting (specify what is allowed) and do not blacklisting © 2014 SAP SE. All Rights Reserved. Page 30 of 30
© 2014 SAP SE. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2014 SAP SE. All Rights Reserved. Page 31 of 30

Recommended

Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Thierry Zoller
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
Create code confidence for better application security
Create code confidence for better application securityCreate code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
DevOps Indonesia
 

Recommended

Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Thierry Zoller
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 
Create code confidence for better application security
Create code confidence for better application securityCreate code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on DataAppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data
Denim Group
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
OWASP AppSec EU 2016 - Security Project Management - How to be Agile in Secu...
Simone Onofri
 
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous CultureContinuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
Continuous Delivery to Continuous Operations, DevOps & SRE = Continuous Culture
DevOps Indonesia
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Phil Agcaoili
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Agile security
Agile securityAgile security
Agile security
Arthur Donkers
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
Rogue Wave Software
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter Meeting
Phil Agcaoili
 
Keynote: Inflectra Company Vision - InflectraCon 2019
Keynote: Inflectra Company Vision - InflectraCon 2019Keynote: Inflectra Company Vision - InflectraCon 2019
Keynote: Inflectra Company Vision - InflectraCon 2019
Inflectra
 
Team MESA - Make Elderly Safe Again
Team MESA - Make Elderly Safe AgainTeam MESA - Make Elderly Safe Again
Team MESA - Make Elderly Safe Again
James Neo
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb
 
Owasp summit slides day 2
Owasp summit slides day 2Owasp summit slides day 2
Owasp summit slides day 2
Dinis Cruz
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiOWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav Breslavskyi
Nazar Tymoshyk, CEH, Ph.D.
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017
Dinis Cruz
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
Nadira Bajrei
 
Methodologies 1: Managing Agile Projects
Methodologies 1: Managing Agile ProjectsMethodologies 1: Managing Agile Projects
Methodologies 1: Managing Agile Projects
Inflectra
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
Nazar Tymoshyk, CEH, Ph.D.
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
Priyanka Aash
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changer
Jaap Karan Singh
 
Noip2 stack buffer overflow
Noip2 stack buffer overflowNoip2 stack buffer overflow
Noip2 stack buffer overflow
b0920075
 
就差這味!讓你的APP亮點突圍
就差這味!讓你的APP亮點突圍就差這味!讓你的APP亮點突圍
就差這味!讓你的APP亮點突圍
Aidan Wu
 

More Related Content

What's hot

Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Phil Agcaoili
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
Kevin Fealey
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
Rogue Wave Software
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
Nadira Bajrei
 

What's hot (20)

Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...Good Security Starts with Software Assurance - Software Assurance Market Plac...
Good Security Starts with Software Assurance - Software Assurance Market Plac...
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...What Good is this Tool? A Guide to Choosing the Right Application Security Te...
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
 
Agile security
Agile securityAgile security
Agile security
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
 
OWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter MeetingOWASP Knoxville Inaugural Chapter Meeting
OWASP Knoxville Inaugural Chapter Meeting
 
Keynote: Inflectra Company Vision - InflectraCon 2019
Keynote: Inflectra Company Vision - InflectraCon 2019Keynote: Inflectra Company Vision - InflectraCon 2019
Keynote: Inflectra Company Vision - InflectraCon 2019
 
Team MESA - Make Elderly Safe Again
Team MESA - Make Elderly Safe AgainTeam MESA - Make Elderly Safe Again
Team MESA - Make Elderly Safe Again
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Owasp summit slides day 2
Owasp summit slides day 2Owasp summit slides day 2
Owasp summit slides day 2
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
OWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav BreslavskyiOWASP Top 10 practice workshop by Stanislav Breslavskyi
OWASP Top 10 practice workshop by Stanislav Breslavskyi
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017
 
Dev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien HarisenDev secops indonesia-devsecops as a service-Amien Harisen
Dev secops indonesia-devsecops as a service-Amien Harisen
 
Methodologies 1: Managing Agile Projects
Methodologies 1: Managing Agile ProjectsMethodologies 1: Managing Agile Projects
Methodologies 1: Managing Agile Projects
 
Security as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development LifecycleSecurity as a new metric for Business, Product and Development Lifecycle
Security as a new metric for Business, Product and Development Lifecycle
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
 
Why 'positive security' is a software security game changer
Why 'positive security' is a software security game changerWhy 'positive security' is a software security game changer
Why 'positive security' is a software security game changer
 

Viewers also liked

就差這味!讓你的APP亮點突圍
就差這味!讓你的APP亮點突圍就差這味!讓你的APP亮點突圍
就差這味!讓你的APP亮點突圍
Aidan Wu
 

Viewers also liked (12)

Noip2 stack buffer overflow
Noip2 stack buffer overflowNoip2 stack buffer overflow
Noip2 stack buffer overflow
 
就差這味!讓你的APP亮點突圍
就差這味!讓你的APP亮點突圍就差這味!讓你的APP亮點突圍
就差這味!讓你的APP亮點突圍
 
成長駭客 Growth Hacker
成長駭客 Growth Hacker成長駭客 Growth Hacker
成長駭客 Growth Hacker
 
從學步到起飛,談Lean Startup和PMF
從學步到起飛,談Lean Startup和PMF從學步到起飛,談Lean Startup和PMF
從學步到起飛,談Lean Startup和PMF
 
實用分析工具 Amplitude / 分析工具hub - Segment
實用分析工具 Amplitude / 分析工具hub - Segment實用分析工具 Amplitude / 分析工具hub - Segment
實用分析工具 Amplitude / 分析工具hub - Segment
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitation
 
Execution
ExecutionExecution
Execution
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
百人團隊敏捷轉型暨持續性整合與交付實踐
百人團隊敏捷轉型暨持續性整合與交付實踐百人團隊敏捷轉型暨持續性整合與交付實踐
百人團隊敏捷轉型暨持續性整合與交付實踐
 

Similar to Industrial Challenges of Secure Software Development

Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Achim D. Brucker
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
Achim D. Brucker
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
Achim D. Brucker
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
Dinis Cruz
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
pvanwoud
 

Similar to Industrial Challenges of Secure Software Development (20)

Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ...
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Protect Your Customers Data from Cyberattacks
Protect Your Customers Data from CyberattacksProtect Your Customers Data from Cyberattacks
Protect Your Customers Data from Cyberattacks
 
Integrating Application Security into a Software Development Process
Integrating Application Security into a Software Development ProcessIntegrating Application Security into a Software Development Process
Integrating Application Security into a Software Development Process
 
SCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOpsSCS DevSecOps Seminar - State of DevSecOps
SCS DevSecOps Seminar - State of DevSecOps
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018SAP Inside Track Frankfurt 2018 #Sitfra 2018
SAP Inside Track Frankfurt 2018 #Sitfra 2018
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis OverviewSAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
SAP NetWeaver Application Server Add-On for Code Vulnerability Analysis Overview
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?
 
The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)The importance of applying SAP patches (Joris van de Vis)
The importance of applying SAP patches (Joris van de Vis)
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 

More from Achim D. Brucker

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
Achim D. Brucker
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
Achim D. Brucker
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
Achim D. Brucker
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
Achim D. Brucker
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
Achim D. Brucker
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
Achim D. Brucker
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
Achim D. Brucker
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
Achim D. Brucker
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Achim D. Brucker
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
Achim D. Brucker
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
Achim D. Brucker
 

More from Achim D. Brucker (18)

Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Formalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and ProofFormalizing (Web) Standards: An Application of Test and Proof
Formalizing (Web) Standards: An Application of Test and Proof
 
Your (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the InternetYour (not so) smart TV is currently busy with taking down the Internet
Your (not so) smart TV is currently busy with taking down the Internet
 
Combining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid AppsCombining the Security Risks of Native and Web Development: Hybrid Apps
Combining the Security Risks of Native and Web Development: Hybrid Apps
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
 
How to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure CodeHow to Enable Developers to Deliver Secure Code
How to Enable Developers to Deliver Secure Code
 
Developing Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software VendorDeveloping Secure Software: Experiences From an International Software Vendor
Developing Secure Software: Experiences From an International Software Vendor
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache...
 
Isabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof AssistantIsabelle: Not Only a Proof Assistant
Isabelle: Not Only a Proof Assistant
 
SAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial ToolsSAST for JavaScript: A Brief Overview of Commercial Tools
SAST for JavaScript: A Brief Overview of Commercial Tools
 
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
A Collection of Real World (JavaScript) Security Problems: Examples from 2 1/...
 
Model-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security PropertiesModel-based Conformance Testing of Security Properties
Model-based Conformance Testing of Security Properties
 
Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?Service Compositions: Curse or Blessing for Security?
Service Compositions: Curse or Blessing for Security?
 
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records RevisitedEncoding Object-oriented Datatypes in HOL: Extensible Records Revisited
Encoding Object-oriented Datatypes in HOL: Extensible Records Revisited
 
A Framework for Secure Service Composition
A Framework for Secure Service CompositionA Framework for Secure Service Composition
A Framework for Secure Service Composition
 
Extending Access Control Models with Break-glass
Extending Access Control Models with Break-glassExtending Access Control Models with Break-glass
Extending Access Control Models with Break-glass
 
Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...Security in the Context of Business Processes: Thoughts from a System Vendor'...
Security in the Context of Business Processes: Thoughts from a System Vendor'...
 

Recently uploaded

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
ayushiqss
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 

Recently uploaded (20)

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 

Industrial Challenges of Secure Software Development

  • 1. Industrial Challenges of Secure Software Development Achim D. Brucker achim.brucker@sap.com SAP SE Vincenz-Priessnitz-Str. 1, 76131 Karlsruhe, Germany CSP Forum Cluster Workshop, Florence, Italy October 8, 2014
  • 2. Agenda 1 Introduction & Motivation 2 Secure Software Development at SAP 3 Challenges in Industrial Software Development 4 Discussion About Future Research Directions © 2014 SAP SE. All Rights Reserved. Page 4 of 30
  • 3. Fact Sheet: SAP SE • Leader in Business Software • Cloud • Mobile • On premise • Many different technologies and platforms, e.g., • In-memory database and application server (HANA) • Netweaver for ABAP and Java • More than 25 industries • 63% of the world’s transaction revenue touches an SAP system • More than 67 000 employees worldwide • Headquartered in Walldorf, Germany (close to Heidelberg) © 2014 SAP SE. All Rights Reserved. Page 5 of 30
  • 4. Costs of Vulnerabilities (Attacks on IT Systems) • TJX Company, Inc. (2007) $ 250 million • Sony (2011) $ 170 million • Heartland Payment Systems (2009) $ 41 million “ A hack not only costs a company money, but also its reputation and the trust of its customers. It can take years and millions of dollars to repair the damage that a single computer hack inflicts. (http://financialedge.investopedia.com/financial-edge/0711/Most-Costly-Computer-Hacks-Of-All-Time.aspx) © 2014 SAP SE. All Rights Reserved. Page 6 of 30
  • 5. Vulnerability types of CVE reports since 1999 Execute Code 28% Denial of Service 17% Overflow 12% XSS 11% SQL Injection 8% Gain Information 5% Bypass Something 4% Other 15% • Causes for most vulnerabilities are • programming errors • configuration errors • Patching • is expensive • may introduce new bugs How can we ensure that no vulnerable code is shipped? © 2014 SAP SE. All Rights Reserved. Page 7 of 30
  • 6. Agenda 1 Introduction & Motivation 2 Secure Software Development at SAP 3 Challenges in Industrial Software Development 4 Discussion About Future Research Directions © 2014 SAP SE. All Rights Reserved. Page 8 of 30
  • 7. Secure Software Development Lifecycle Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response © 2014 SAP SE. All Rights Reserved. Page 9 of 30
  • 8. Secure Software Development Lifecycle Training Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response • Goals: • Create security awareness across all areas and roles • Role-specific education, e.g., in development (examples): • Threat modeling • Secure Programming: ABAP, Java, C/C++ • Security testing (including static analysis) • Security expert curriculum • one year (part-time) • official job specialization © 2014 SAP SE. All Rights Reserved. Page 10 of 30
  • 9. Secure Software Development Lifecycle Requirements: SAP Product Standard Security Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response Security and data protection requirements for all products 1 Regulatory Compliance • SAP software shall be able to log security relevant events 2 Data Protection and Privacy • SAP software shall support erasure of personal data 3 Vulnerability Prevention • SAP software shall be free of SQL Injection vulnerabilities 4 Strategy and Attack Surface Reduction • SAP products shall support to be deployed and run securely in segmented networks © 2014 SAP SE. All Rights Reserved. Page 11 of 30
  • 10. Secure Software Development Lifecycle Requirements and Design: Threat Modeling Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response Workshops with • Threat modeling experts • Security experts • Product owner • Architect • . . . Systematic analysis, e.g., • What data is stored on device? • How is the user authenticated? © 2014 SAP SE. All Rights Reserved. Page 12 of 30
  • 11. Secure Software Development Lifecycle Implementation: Security Testing Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response • Goal: ensure that security controls are effective • Static analysis since 2010 mandatory for all products Language Tool Vendor ABAP Netweaver CVA SAP C/C++ Coverity Coverity JavaScript, Ruby Checkmarx Checkmarx Others Fortify HP • Additional security testing activities based on requirements and design (IBM AppScan, HP WebInspect, Burp Suite, Fuzzers, own tooling, . . . ) © 2014 SAP SE. All Rights Reserved. Page 13 of 30
  • 12. Secure Software Development Lifecycle Validation Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response Before shipment: • Check that products comply to SAP standards • Important part: penetration testing • Executed by independent group within SAP • Validates quality of previous steps in SSDL © 2014 SAP SE. All Rights Reserved. Page 14 of 30
  • 13. Secure Software Development Lifecycle Response Training Requirements Design Implementation Validation Shipment ResponseTraining Requirements Design Implementation Validation Shipment Response After shipment: • Handle security related bug reports • Monitor external security community • Organize roll-out of security patches © 2014 SAP SE. All Rights Reserved. Page 15 of 30
  • 14. Secure Software Development Lifecycle Training Requirements Design Implementation Validation Shipment Response Outsourcing Acquisition © 2014 SAP SE. All Rights Reserved. Page 16 of 30
  • 15. So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. © 2014 SAP SE. All Rights Reserved. Page 17 of 30
  • 16. So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): © 2014 SAP SE. All Rights Reserved. Page 17 of 30
  • 17. So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: © 2014 SAP SE. All Rights Reserved. Page 17 of 30
  • 18. So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: • It supports also a mode that reports no false positives: © 2014 SAP SE. All Rights Reserved. Page 17 of 30
  • 19. So Everything is Secure Now, Right? “ Our tool reports all vulnerabilities in your software – you only need to fix them and you are secure. Undisclosed sales engineer from a SAST tool vendor. Yes, this tools exists! It is called Code Assurance Tool (cat): • The cat tool reports each line, that might contain a vulnerability: • It supports also a mode that reports no false positives: • Note: • There are sound or complete tools, but only for specific domains • In practice, • requirements are not formal enough to be sound and complete • scalability is very important • modularity is very important © 2014 SAP SE. All Rights Reserved. Page 17 of 30
  • 20. Agenda 1 Introduction & Motivation 2 Secure Software Development at SAP 3 Challenges in Industrial Software Development 4 Discussion About Future Research Directions © 2014 SAP SE. All Rights Reserved. Page 18 of 30
  • 21. The Scalability Challenge • Increase in© 2014 SAP SE. All Rights Reserved. Page 19 of 30
  • 22. The Software Maintenance Challenge (Modularity) © 2014 SAP SE. All Rights Reserved. Page 20 of 30
  • 23. The Software Maintenance Challenge (Modularity) 0 20.000 40.000 60.000 80.000 100.000 120.000 1998 2004 2012 No. of Systems No. of Customers © 2014 SAP SE. All Rights Reserved. Page 20 of 30
  • 24. The Software Maintenance Challenge (Modularity) 0 20.000 40.000 60.000 80.000 100.000 120.000 140.000 1998 2004 2012 No. of Systems No. of Customers Example Product Release EOL ext. EOL Windows XP 2001 2009 2014 Windows 8 2012 2018 2023 Red Hat Ent. Linux 2012 2020 2023 © 2014 SAP SE. All Rights Reserved. Page 20 of 30
  • 25. Agenda 1 Introduction & Motivation 2 Secure Software Development at SAP 3 Challenges in Industrial Software Development 4 Discussion About Future Research Directions © 2014 SAP SE. All Rights Reserved. Page 21 of 30
  • 26. Security is not a Binary Property “ Systems are either secure or insecure. • Security is only one property out of many: • Usability • New features • Time-to-market • We will never achieve 100% security • Question: Where should I spent my (limited) budget? Or: What is the risk of not fixing an issue and how to balance it with other requirements? • Claim: We need more research in • risk-based security • security economics (cost of fixing vs. costs of not fixing, etc.) © 2014 SAP SE. All Rights Reserved. Page 22 of 30
  • 27. Soundness is not Binary Either “ Security testing methods should be sound. • Observations: • Proving soundness seems to be a prerequisite for getting an academic paper accepted. • (Nearly) no “real-world” tool is sound (the underlying method/theory might be sound) • Even worse: your sound tool will not report anything, on our frameworks • What I need (from vendors/researchers) to provide the best “blend” to my developers: • A Clear specification what it “in-scope” • A Clear specification what it “out-scope” • Test cases that validate the expected behavior (e.g., similar to qualification kits for DO178C) • Claim: We need more research in • “well-defined” unsound security testing methods • clear specifications of unsoundness • test sets for comparing security testing tools • extension/adaption points for security testing tools • If you want to read more: http://www.soundiness.org © 2014 SAP SE. All Rights Reserved. Page 23 of 30
  • 28. Automation is Too important to Lie “ My tool is fully automated • No, it is (usually) not. And, btw, calling it interactive does not help either • Again, clearly specify • what is automated • what needs to be configured “one-time” • what needs to be done manually/interactively “on each use” • Claim: We need more research in • “automating” the knowledge of security experts • automation of “learning new frameworks and policies” • closing the gap between security (non-functional) and functional testing • need to be integrated into development and built environments • instant feedback (could be imprecise) • on each check-in • nightly/weekly (high quality, should generate compliance reports) © 2014 SAP SE. All Rights Reserved. Page 24 of 30
  • 29. Software is Not Developed on The “Greenfield” “ Security testing is done by the developer of a software component • Observations: • Software evolves over time (both, on-premise and Cloud): small changes are the norm • Software is build using • Free and Open Source Software • third party libraries (closed source) • assets of acquired companies As vendor, you are responsible for all code you ship to customers • Claim: We need more research in • composable security testing techniques, e.g., • impact/change analysis for selecting (security) test cases • automated inference of security specifications of software components • in pushing security testing across the whole software supply chain • techniques that generate “security certificates” • formats and guidelines for exchanging “security test tool configurations” © 2014 SAP SE. All Rights Reserved. Page 25 of 30
  • 31. Bibliography I Ruediger Bachmann and Achim D. Brucker. Developing secure software: A holistic approach to security testing. Datenschutz und Datensicherheit (DuD), 38(4):257–261, April 2014. Achim D. Brucker and Uwe Sodan. Deploying static application security testing on a large scale. In Stefan Katzenbeisser, Volkmar Lotz, and Edgar Weippl, editors, GI Sicherheit 2014, volume 228 of Lecture Notes in Informatics (LNI), pages 91–101. GI, March 2014. © 2014 SAP SE. All Rights Reserved. Page 27 of 30
  • 33. A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for selecting all users with “userName” from table “user” © 2014 SAP SE. All Rights Reserved. Page 29 of 30
  • 34. A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" © 2014 SAP SE. All Rights Reserved. Page 29 of 30
  • 35. A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" © 2014 SAP SE. All Rights Reserved. Page 29 of 30
  • 36. A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" • Resulting in the following statement: stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’’ or ’1’=’1’;" © 2014 SAP SE. All Rights Reserved. Page 29 of 30
  • 37. A Bluffers Guide to SQL Injection (1/2) • Assume an SQL Statement for stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName + "’;" • What happens if we choose the following userName: userName = "’ or ’1’=’1" • Resulting in the following statement: stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’’ or ’1’=’1’;" • Which is equivalent to stmt = "SELECT * FROM ‘users‘;" selecting the information of all users stored in the table ‘users’! © 2014 SAP SE. All Rights Reserved. Page 29 of 30
  • 38. A Bluffers Guide to SQL Injection (2/2) void selectUser(HttpServletRequest req, HttpServletResponse resp) throws IOException { String userName = req.getParameter("fName"); // source String stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName +"’;" SQL.exec(stmt); //sink } • Many vulnerabilities have similar causes: • cross-site-scripting (XSS), code-injection, buffer-overflows, . . . • Root cause of a wide range of vulnerabilities • “bad” programming • mis-configuration • Warning: • for preventing SQL injections, consider the use of prepared statements • do whitelisting (specify what is allowed) and do not blacklisting © 2014 SAP SE. All Rights Reserved. Page 30 of 30
  • 39. A Bluffers Guide to SQL Injection (2/2) void selectUser(HttpServletRequest req, HttpServletResponse resp) throws IOException { String userName = req.getParameter("fName"); // source String stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName +"’;" SQL.exec(stmt); //sink } • Many vulnerabilities have similar causes: • cross-site-scripting (XSS), code-injection, buffer-overflows, . . . • Root cause of a wide range of vulnerabilities • “bad” programming • mis-configuration • Warning: • for preventing SQL injections, consider the use of prepared statements • do whitelisting (specify what is allowed) and do not blacklisting © 2014 SAP SE. All Rights Reserved. Page 30 of 30
  • 40. A Bluffers Guide to SQL Injection (2/2) void selectUser(HttpServletRequest req, HttpServletResponse resp) throws IOException { String userName = req.getParameter("fName"); // source userName = Security.whitelistOnlyLetter(userName); // sanitation String stmt = "SELECT * FROM ‘users‘ WHERE ‘name‘ = ’" + userName +"’;" SQL.exec(stmt); //sink } • Many vulnerabilities have similar causes: • cross-site-scripting (XSS), code-injection, buffer-overflows, . . . • Root cause of a wide range of vulnerabilities • “bad” programming • mis-configuration • Warning: • for preventing SQL injections, consider the use of prepared statements • do whitelisting (specify what is allowed) and do not blacklisting © 2014 SAP SE. All Rights Reserved. Page 30 of 30
  • 41. © 2014 SAP SE. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP SE. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. © 2014 SAP SE. All Rights Reserved. Page 31 of 30