Continuous Quality, Continuous Security - PowerPoint PPT Presentation

Slide 1: Continuous Quality, Continuous Security
  • Rob Cheng, Director of DI Solutions, Borland
  • Scott Parcel, VP of Engineering, Cenzic

March 15, 2007
Slide 2: High-Level CBIs: Cost and Risk of SW Delivery
  • Cost: Lack of early defect detection
  • Risk: Development black box limits ALM visibility

Are we on schedule? How confident are we about readiness?
How effective are our teams?
Slide 3: Improve Quality, Visibility, and Confidence
  • Traditional Development
    • Large defect backlog
    • Expensive rework
    • Poor metrics and visibility
  • Continuous Test
    • Small defect backlog
    • Inexpensive rework
    • Good metrics and visibility

(Chart axis label: Release)
Slide 4: What is Gauntlet?
  • Continuous build and test automation system
  • Integrates quality control and measurement into
    the existing version control process to improve
    quality and visibility

[Architecture diagram; only the labels survive in the transcript]
Flow labels: Developer, Submit Changes, Gauntlet, Monitor Changes,
Build / Test / Audit, Generate Metrics, Datamart, Web Dashboard
  • Stability Metrics: Activity trends, Build results, Large changes
  • Quality Metrics: Test results, Test coverage trends
  • Per-developer Metrics; Correlation Analysis
Slide 5: Wide Range of Quality Controls and Policies
  • Open Source and Custom Tools
  • Commercial Plug-in Integrations
Slide 6: Gauntlet Screenshots
  • Are my teams working on what they should be working on?
  • Large changes. What is this developer doing?
  • How stable is the software? How often do builds fail? Should QA start testing yet?
  • Clean build but low code coverage. Need more testing here.
Slide 7: Gauntlet Screenshots
  • Where are the gaps in our testing efforts?
  • Is our test coverage improving?
  • How effective are our tests? Are our tests testing what we think they're testing?
  • Who is adding lots of untested code? Who is fixing it?
Slide 8: Gauntlet Screenshots
  • A build or test has just failed. What was the source of the problem?
  • What specific source code changes caused the regression?
Slide 9: Whitepapers and Trial Downloads
http://www.borland.com/us/rc/lifecycle-quality-management/continuous-build-and-test-automation.html
Borland Website: http://www.borland.com
Slide 10: Cenzic Hailstorm / Borland Gauntlet Product Integration
  • March 15, 2007
  • Scott Parcel
  • VP Engineering
Slide 11: Who is Cenzic, Inc.?
  • Trusted by major F500 companies
  • Supported by Analysts: Gartner, IDC, Forrester and Yankee Group
  • Lauded by (the awarding publications are not preserved in the transcript):
    • Editors' Choice Award
    • Rated #1 product in app security
    • Best of Show
    • Voted Top 100 Software Company
Slide 12: Why Focus on Application Security
  • Web front ends are everywhere
  • Number of attacks is increasing
  • Regulatory compliance issues (e.g. GLBA, Sarbanes-Oxley, SB1386, HIPAA)

"The last mile in terms of security is the application. The best network, host, and data security can't effectively protect a weak application" - Gartner Group, December, 2005
Slide 13: Application development life-cycle
Phases: Design, Build, Deploy, Operate, Dispose

Security activities listed across the phases (the transcript does not preserve which activity sits under which phase; order and repetitions are as extracted):
  • Perform a risk analysis
  • Automated test for vulnerabilities in Q.A.
  • Benchmark against requirements
  • Security training
  • Automated test for vulnerabilities
  • Ongoing updates
  • Identify security issues up front
  • Security training
  • Identify security resources: people and tools
  • Continued testing for new vulnerabilities
  • Test new code
  • Ongoing updates
  • Ensure that the disposed application doesn't have any links or backdoors into active applications

Vulnerabilities get injected at the design and build phases. Today, most security efforts start and end at the operation phase.
Slide 14: Today's Solution - Cenzic Hailstorm
  • Automated product emulating a hacker/manual tester ("penetration tester in a box")
  • High accuracy in discovering vulnerabilities
  • Hours of assessment time vs. weeks for manual testing
  • Lower cost and improved productivity per application
  • Assesses compliance requirements
    • Internal policy compliance (privacy, password, others)
    • Regulatory compliance (GLBA, PCI, SB1386, others)
  • Safeguards against ongoing attacks
  • Regular updates to SmartAttacks
Slide 15: Borland / Cenzic Partnership
  • Borland Gauntlet role: improve web application functionality
    • Quality
    • Visibility
    • Confidence
  • Cenzic Hailstorm role: improve web application security
    • Reduce risk
    • Decrease cost
    • Eliminate liability

Fits in with the customer's SDLC process and development environment
Slide 16: Customer Impact and Value
  • Addresses the urgent need for application security
  • Saves development and operational costs by identifying and fixing vulnerabilities earlier
  • Provides a baseline for further use-case security testing by the QA team
  • Delivers quantitative metrics for risk assessment

(Chart label: Application Security Risk)
Slide 17: Using Hailstorm with Gauntlet
  • Install Hailstorm
  • Add Hailstorm as a plug-in within Gauntlet
  • Modify the Gauntlet build file to perform a Hailstorm security assessment
  • Check in the module
  • View results
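The build-file step is where a scan result turns into a build result that the dashboard can show alongside test and coverage data. The following is an added example, not Cenzic's or Borland's code: a Python build-step script that reads a scanner report and exits non-zero when the number of unique findings at or above a chosen severity exceeds a policy threshold. The JSON report format, the sample findings and the `SEVERITY_RANK` policy are all constructed here as assumptions, since the slides show neither the Gauntlet build-file syntax nor the Hailstorm report format.

```python
"""Hypothetical build-step gate for a web application security assessment.

Added example, not Cenzic's or Borland's code. It assumes a scanner
plug-in that writes a JSON report (format constructed here) and a build
file that runs this script as one step after the assessment finishes.
"""
import json
import sys
from collections import Counter

# Severity ordering used by the gate policy (assumption, not a vendor scale).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report standing in for what a scanner step might write.
SAMPLE_REPORT = json.dumps({
    "target": "http://build-stage.example.invalid/app",
    "findings": [
        {"id": "F-1", "severity": "high", "category": "sql-injection",
         "url": "/account/search", "parameter": "q"},
        {"id": "F-2", "severity": "medium", "category": "xss",
         "url": "/comments", "parameter": "body"},
        {"id": "F-3", "severity": "low", "category": "missing-header",
         "url": "/", "parameter": None},
        # Same injection point as F-1 reported a second time.
        {"id": "F-4", "severity": "high", "category": "sql-injection",
         "url": "/account/search", "parameter": "q"},
    ],
})


def load_report(text):
    """Parse the scanner's JSON report and validate each finding's severity."""
    data = json.loads(text)
    findings = data.get("findings", [])
    for f in findings:
        if f.get("severity") not in SEVERITY_RANK:
            raise ValueError(f"unknown severity in finding {f.get('id')}")
    return findings


def dedupe(findings):
    """Collapse repeated findings (same category, URL and parameter) so that
    one injection point reported several times counts once in the verdict."""
    seen = {}
    for f in findings:
        key = (f["category"], f["url"], f.get("parameter"))
        seen.setdefault(key, f)  # first report of an issue wins
    return list(seen.values())


def evaluate(findings, fail_at="high", max_allowed=0):
    """Return (passed, summary).

    The build fails when the count of unique findings whose severity is at or
    above `fail_at` is greater than `max_allowed`.
    """
    unique = dedupe(findings)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in unique if SEVERITY_RANK[f["severity"]] >= threshold]
    summary = {
        "total": len(findings),
        "unique": len(unique),
        "blocking": len(blocking),
        "by_severity": dict(Counter(f["severity"] for f in unique)),
        "blocking_ids": sorted(f["id"] for f in blocking),
    }
    return len(blocking) <= max_allowed, summary


def main(argv):
    """Usage: gate.py [report.json]; without an argument the sample report runs."""
    path = argv[1] if len(argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    passed, summary = evaluate(load_report(text))
    print(json.dumps(summary, indent=2))
    # A non-zero exit status is what makes the build step show up as failed.
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Deduplication matters for the metrics side of the slide: without it, a scanner that reports the same injection point on every crawl path inflates the "blocking" count and the per-build trend line, and a single fix then looks like a large drop. Keeping the threshold (`fail_at`, `max_allowed`) in the build step rather than in the scanner lets the policy be checked in and versioned with the module.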

Slide 18: Upgrade Path: Hailstorm Enterprise ARC
[Architecture diagram; only the component labels survive in the transcript]
  • Hailstorm Desktop
  • Web server
  • Job execution engine
  • Database Server
  • Job execution engine
  • Borland Gauntlet
Slide 19: How to get started
  • Hailstorm Core Demo: http://www.borland.com/us/products/silk/gauntlet/plugins.html
  • Hailstorm Core Trial: http://www.borland.com/us/products/silk/gauntlet/plugins.html
  • Cenzic web site: http://www.cenzic.com