Friday, 4 May 2012

TeamMentor Demo Script

Below is a document that Jason (from SecurityInnovation) wrote about how to present TeamMentor for potential customers.

It is a really nice overview of how TeamMentor works and how to present it.

Note that this was written from SecurityInnovation's point of view. If you want to reuse this to present TeamMentor, you probably want to add your own magic sauce into it :).

--------------------------------

Introduction

Start by explaining how TeamMentor fits into the three pillars of success:

  1. Our goal is to help you reduce your application security risk
  2. The best way to reduce application security risk is to use a secure software development lifecycle
  3. The three pillars of success are:
    • Standards. These are the architecture, coding and deployment standards that allow your teams to comply with your corporate security policies.
    • Training. This is how you set the foundation of knowledge that your team needs in order to succeed.
    • Assessment. Use assessments to check your team's compliance with your security policies. Based on the gaps you find, you can update your standards and your training.
  4. TeamMentor is our solution for distributing secure development standards to your team and linking them to your security policies
  5. TeamProfessor is our solution for education
  6. We provide a set of assessment services to help you find and fix vulnerabilities in your code and gaps in your development processes.

Demo

Browse to http://teammentor.net

Log in:

  • Username: Admin
  • Password: ******

Explain what TeamMentor is, and then flow the demo by the use cases first:
  • TeamMentor consists of a web application, back end and source content.
  • The application allows you to use the content as is, customize it, or create your own.
  • Customers use TeamMentor in several ways. The key use cases are:
    • A central place that allows easy access to the standards we talked about, in a way that the information needed for a given task is easily accessible, from the policy information to the technical information needed to implement the policy. Customers put their policies in TM and can link them to SI-provided technical information, also customized for the environment.
    • A reference for the technical information needed to remediate software vulnerabilities found by scanners and assessments. TM allows easy searching and filtering to find the specific information needed in the language being used.
    • A general reference for all SDLC secure application development best practices for all phases, from design and architecture, through development, testing and deployment.

Explain some TeamMentor facts:

  • TeamMentor contains over 3000 articles covering a wide range of technologies and best practices
  • We’ve broken them into a set of libraries based on technology areas such as .NET, Java, PHP, C++, etc.
  • Show the libraries UI and expand the .NET 3.5 library:
  • Explain how the libraries are organized into a library, folder, view structure
    • Libraries contain folders to focus on various important areas
    • Folders organize views
    • Views organize articles
  • Explain how the above structure makes it easy to organize policies and standards for easy access to what is needed at the time of use
  • Show some examples
    • Expand fundamentals of security and show how it collects articles for areas of security where mistakes are most often made
    • Expand OWASP Top 10 and show how it organizes articles by the Top 10 most pervasive threats for web applications. Talk about how this includes best practice and remediation advice in detail
    • Expand PCI DSS Compliance and show how it gives guidance on how to comply with each PCI requirement. Talk about how this can be integrated with corporate policies to ensure PCI compliance as part of practices OR can be used as is as the basis of a PCI app dev compliance.
    • Expand Security Engineering and show how we have process guidance for each phase of the software development lifecycle
    • Explain that we included top 5 vulnerabilities for thick client and web services to complement the more well known OWASP Top 10
  • Security Engineering should still be expanded, so click on Test Activities and show the two guidance items in this view.
  • Explain that guidelines represent prescriptive guidance: a standard you can use to guide you to do the right thing when trying to accomplish a task, which can be linked to from policy or vulnerability reports.
  • Checklists are created for every guideline and they explain how to assess that the standard has been followed. We are strong believers in a checklist-based approach to assessments, so we’ve created checklists in every area to help with code review, pen test, process review, etc. Explain how checklists can be used to help ensure compliance to internal policies and external requirements.
  • Open the guideline and explain how the structure always shows What to do, why it matters, when to do it and then how to get it right.
  • Explain that this is how we take policies to the next level. Policies explain only what to do; our guidance explains how to do it right for the specific technology and environment that is relevant for the developer.
  • Open the checklist item and explain how the structure always shows what to check for, why it matters, how to check and then if a problem is found, how to fix.
  • Open the article in a new window by either double clicking the title in the list view or by clicking the expand icon in the preview panel
  • Explain that articles can be edited by anyone with the proper permissions.
  • Click the edit guidance item
  • Show the editor and explain that you can modify the article title, attributes or content itself

  • Close the window and return to the main UI.
  • Mention that the entire library can be edited, click on the edit mode link to reveal this functionality
  • Right click on the .NET 3.5 library and show the menu that allows you to add views, folders, new items, or add and delete libraries themselves.

Frequently Asked Questions

Q: What are the install requirements?
A: TeamMentor is typically run on IIS, though you can run it locally on Cassini as well. You don’t need a database server or any other services; IIS alone is enough. The articles are all stored on the file system in XML files. We did this not only for ease of deployment but also for performance reasons. SQL was used in TeamMentor v1 and v2 but it was overkill.

Q: What are the performance constraints of TeamMentor?
A: We’ve used TeamMentor with 5,000 articles in a library and it ran fine. We found that it works best, however, if you have 3,000 or fewer articles in a library; this is one reason we broke our articles into multiple technology libraries. All of our processing is done on the client, so that is why searching, filtering and viewing articles is so fast. On a slow connection you may see a delay when you first load TeamMentor. This is caused by the fact that we pre-fetch the TeamMentor libraries when you first open the application.

Q: How do we handle updates if we make changes to the libraries?
A: We will create a GitHub fork for you and you can use that source control for all of your articles. When we have an update ready for you, we will perform a merge for you so that your changes are retained and you get the newest updates from us. If you cannot use GitHub, we will work with you on another solution.

Q: When will you have X technology covered in your libraries?
A: We base our roadmap on customer feedback such as yours. If you purchase and have a technology area that you want included in a future release, please let us know and we’ll make it a priority. We update TeamMentor every quarter with new content and application improvements.