
ISE® SOUTHEAST EXECUTIVE FORUM Nominee Showcase Presentation

Cox Automotive, Inc. – Rugged DevOps
Tony Spurlin, Chief Officer

Company Overview

• Number of Employees: 35,000 Globally
• Annual Revenue: $11B
• Global Enterprise
• James Cox, founder of Cox Enterprises, ran against Franklin D. Roosevelt for the Democratic party ticket for the office of the US President. FDR won the Presidency and Mr. Cox and his heirs went on to build a global enterprise.

Transforming the way the world buys, sells and owns cars.

ISE® Southeast Executive Forum #ISEawards

Presentation Overview

• Paradigm Shift
  § Development Lifecycles
• Rugged DevOps Overview
  § 3 Pillars
  § Integration and Process
  § Capabilities
• Results & Trends
• Lessons Learned

Paradigm Shift – Application Security

• Unsecured application code is the result of code defects, a.k.a. bugs or software flaws
• A software bug is an error, flaw, failure or fault in a program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways
• Developers' MBOs align to producing high-quality, error-free or bug-free application code

Application Security at Cox Automotive is a Quality Program!

Paradigm Shift – Development Lifecycles

Rugged DevOps – Program Overview

Integration and process flow (diagram): Build Systems → HP Fortify On Demand → (daily) newly opened issues and closed issues → ERS Defect Tracking Aggregation Systems (MiddleWare) → (daily) Defect Tracking Systems → Defects Report

Rugged DevOps – Program Overview

Ø Secure Development Training
  § Basic secure development principles
  § Language specific training: .Net, Java, Mobile
Ø Secure application development standards
  § Language specific
Ø Static Code Analysis – Integrated into build lifecycles and developer bug tracking systems
  § Next Steps: Integration with ITIL ticketing system (ServiceNow)
Ø Dynamic Code Analysis
  § Test critically categorized compiled applications periodically
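The daily issue feed on the program-overview diagram (scan results flowing through the aggregation middleware into defect tracking, with newly opened and closed issues computed each day) is sketched here as an added example in Python; it is not Cox Automotive's middleware, and the finding fields, the fingerprint scheme and the two days of sample scan data are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str      # analyzer rule, e.g. "SQL Injection"
    path: str      # source file the finding was reported in
    func: str      # enclosing function (more stable than a line number)
    severity: str  # Critical / High / Medium / Low

    def fingerprint(self) -> str:
        # Stable key so the same defect is not reopened on every build
        key = "|".join((self.rule, self.path, self.func))
        return hashlib.sha256(key.encode()).hexdigest()[:16]

def reconcile(open_defects: dict, scan: list):
    """Diff one day's scan against the tracker's open defects (keyed by
    fingerprint). Returns (new open-defect state, newly opened, closed)."""
    today = {f.fingerprint(): f for f in scan}
    opened = [f for fp, f in today.items() if fp not in open_defects]
    closed = [f for fp, f in open_defects.items() if fp not in today]
    return today, opened, closed

def defects_report(open_defects: dict) -> dict:
    """Open defects by severity: the number the monthly report tracks."""
    counts = {}
    for f in open_defects.values():
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

# Constructed two-day scan history (not real Cox Automotive findings)
DAY1 = [
    Finding("SQL Injection", "src/search.cs", "FindVehicle", "Critical"),
    Finding("Cross-Site Scripting", "src/listing.cs", "RenderTitle", "High"),
    Finding("Hardcoded Password", "src/db.cs", "Connect", "High"),
]
DAY2 = [  # XSS remediated, one new finding introduced
    Finding("SQL Injection", "src/search.cs", "FindVehicle", "Critical"),
    Finding("Hardcoded Password", "src/db.cs", "Connect", "High"),
    Finding("Path Manipulation", "src/export.cs", "WriteReport", "Medium"),
]

def run_two_days():
    """Simulate the daily feed: first scan opens everything, second only the delta."""
    state, opened1, _ = reconcile({}, DAY1)
    state, opened2, closed2 = reconcile(state, DAY2)
    return (len(opened1), [f.rule for f in opened2],
            [f.rule for f in closed2], defects_report(state))
```

Keying tickets on the fingerprint rather than on line numbers is what keeps an unrelated edit higher in the file from closing one defect and opening a duplicate.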

Lessons Learned/Best Practices

Ø Align your application security program with Quality Assurance
  § Software Flaws
  § Software Bugs = Security Vulnerabilities
Ø Integrate with common organizational tools and processes to simplify and facilitate adoption:
  § Build servers
  § Bug Tracking
  § Ticketing
  § Development Reporting
  § SDLC, Agile & Change Management
Ø Leverage 3 Pillars: Education, Standards and Testing
Ø What gets measured, gets done!
  § Report monthly on progress of program adoption and code remediation

Thank you and Questions

Questions?

Contact Info:
• Phone: 404-568-5228
• [email protected]
