ISE® SOUTHEAST EXECUTIVE FORUM Nominee Showcase Presentation
Cox Automotive, Inc. – Rugged DevOps
Tony Spurlin, Chief Information Security Officer

Company Overview
• Number of Employees: 35,000 Globally
• Annual Revenue: $11B
• Global Enterprise
Transforming the way the world buys, sells and owns cars.
• James Cox, founder of Cox Enterprises, ran against Franklin D. Roosevelt for the Democratic party ticket for the office of the US President. FDR won the Presidency and Mr. Cox and his heirs went on to build a global enterprise.
ISE® Southeast Executive Forum #ISEawards Presentation Overview
• Paradigm Shift
• Application Security
• Development Lifecycles
• Rugged DevOps Overview
• 3 Pillars
• Integration and Process
• Capabilities
• Results & Trends
• Lessons Learned
Paradigm Shift – Application Security
• Unsecured application code is the result of code defects, a.k.a. software bugs or software flaws
• A software bug is an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways
• Developers' MBOs align to producing high-quality, error-free or bug-free application code
Application Security at Cox Automotive is a Quality Program!
Paradigm Shift – Development Lifecycles
Rugged DevOps – Program Overview
[Diagram: integration flow, components as labelled] Build Systems; HP Fortify On Demand (daily); newly opened issues and closed issues exchanged through the ERS Defect Tracking Aggregation System (middleware); Defect Tracking Systems (daily); Defects Report.
Rugged DevOps – Program Overview
Ø Secure Development Training
    Ø Basic secure development principles
    Ø Language specific training: .Net, Java, Mobile
Ø Secure application development standards
    Ø Language specific
Ø Static Code Analysis – Integrated into build lifecycles and developer bug tracking systems
    Ø Next Steps: Integration with ITIL ticketing system (ServiceNow)
Ø Dynamic Code Analysis
    Ø Test critically categorized compiled applications periodically
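The daily exchange shown in the program diagram (scanner findings in, newly opened and closed issues out to the developers' defect tracker) and the build-integrated static analysis above, modelled as an added example; this is not Cox Automotive's middleware and does not use HP Fortify's API. Fingerprints, severities and tracker records are constructed sample data; a deployment would read findings from the scanner and defects from the tracker.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:            # one scanner result
    fingerprint: str      # stable scanner id that survives line shifts
    category: str
    severity: str         # "Critical" | "High" | "Medium" | "Low"

@dataclass(frozen=True)
class Defect:             # one record in the developers' defect tracker
    fingerprint: str
    status: str           # "Open" | "Closed"
    severity: str

SCAN_TODAY = [  # constructed sample findings from today's scan
    Finding("f-001", "SQL Injection", "Critical"),
    Finding("f-002", "Cross-Site Scripting", "High"),
    Finding("f-003", "Path Manipulation", "Medium"),
    Finding("f-004", "Hardcoded Password", "High"),
]
TRACKER = [  # constructed tracker state left by the previous sync
    Defect("f-001", "Open", "Critical"),
    Defect("f-004", "Closed", "High"),  # fixed earlier, reported again: regression
    Defect("f-009", "Open", "High"),    # no longer reported: remediated
]

def reconcile(scan, tracker, tracked=("Critical", "High")):
    """Daily sync: (findings to open as defects, defects to close). Only `tracked`
    severities create defects; a defect closes only once its fingerprint vanishes."""
    scanned = {f.fingerprint: f for f in scan}
    known = {d.fingerprint: d for d in tracker}
    to_open = [f for fp, f in scanned.items() if f.severity in tracked
               and (fp not in known or known[fp].status == "Closed")]
    to_close = [d for fp, d in known.items()
                if d.status == "Open" and fp not in scanned]
    return to_open, to_close

def apply_sync(tracker, to_open, to_close):
    """Tracker state after the sync: close stale defects, (re)open new ones."""
    closing = {d.fingerprint for d in to_close}
    opening = {f.fingerprint: f.severity for f in to_open}
    kept = [Defect(d.fingerprint, "Closed" if d.fingerprint in closing else d.status,
                   d.severity) for d in tracker if d.fingerprint not in opening]
    return kept + [Defect(fp, "Open", sev) for fp, sev in opening.items()]

def open_by_severity(tracker):
    """Monthly figure for the program report: open defects per severity."""
    return dict(Counter(d.severity for d in tracker if d.status == "Open"))
```

Running `reconcile(SCAN_TODAY, TRACKER)` opens f-002 and reopens f-004, closes f-009, and leaves the Medium finding f-003 for the periodic report rather than the tracker.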
Lessons Learned/Best Practices
Ø Align your application security program with Quality Assurance
    § Software Flaws
    § Software Bugs = Security Vulnerabilities
Ø Integrate with common organizational tools and processes to simplify and facilitate adoption:
    § Build servers
    § Bug Tracking
    § Ticketing
    § Development Reporting
    § SDLC, Agile & Change Management
Ø Leverage 3 Pillars: Education, Standards and Testing
Ø What gets measured, gets done!
    § Report monthly on progress of program adoption and code remediation
Thank you and Questions
Questions?
Contact Info: • Phone: 404-568-5228 • [email protected]