SOFTWARE SECURITY SUMMIT

April 16-17, 2007
San Mateo, Calif.


TUESDAY, APRIL 17
FULL-DAY TUTORIALS


Tuesday, April 17, 9:00 am - 5:00 pm
T-1. Building Security In: Implementing a Software Security Improvement Program
By Roger Thornton

Business applications are increasingly being opened up to the outside world, bypassing the firewalls designed to protect them and the valuable data they contain. These exposed applications face an ever-growing volume and variety of attacks as hackers exploit vulnerabilities within the software.

These vulnerabilities are created during development, so they must be addressed within the software development process. Yet the people best at building applications are often the least knowledgeable about how those applications can be compromised. Why? Developers are not intimately involved with the operational side of the software, nor are they expert hackers. They are largely oblivious to this shift and the dangers it brings. In fact, every trick and technique a hacker employs depends on a gap in the developer's knowledge, which the hacker exploits. Essentially, the developer becomes the hacker's unwitting accomplice.

In this tutorial you will learn how to assess the technical, procedural and organizational issues behind your own team's software security problems, and then leverage your internal resources to build a successful security improvement program. We'll look at the common traps and pitfalls, covering not only internal development and outsourcing but the entire application development life cycle. You'll come away with approaches that get results, and with security you can measure.

Tuesday, April 17, 9:00 am - 5:00 pm
T-2. Creating Enterprise Software Security Standards
By John Steven

How secure is “secure enough”? That’s defined by an organization’s security policy. What should a security policy contain? Who writes it? Who approves it? This tutorial will teach you how to create software security policies that really work for your organization.

We will begin with the fundamentals of security policies and show how to capture software security principles to ensure that application developers and managers know what they’re responsible for. From here, we will define what good and bad security standards look like. Should you list technologies, ciphers, algorithms, vendor products? What is most likely to direct architects and developers without constraining their solutions unduly?

In the second half of the tutorial, we'll examine technical standards and learn how your organization can define technology-specific standards around the tool, platform and framework stacks your development teams are adopting. You'll learn what accessible technical standards look like and how to ensure they are expressed as specific, testable requirements and mirrored in testing. You'll walk away with state-of-the-art guidance you can give developers, including design patterns, code samples and other development aids that ease standards compliance. Finally, you'll learn how to plan the move toward a secure reference architecture and application frameworks.

Tuesday, April 17, 9:00 am - 5:00 pm
T-3. How to Break Software Security
By Herbert H. Thompson

Learn how to recognize potential security holes before attackers do! This tutorial gives testers and developers the tools and techniques they need to help find security problems before their application is released. The course content is based on the first book to be published on the topic of application security testing, “How to Break Software Security,” and lays the foundation you need to effectively recognize and expose security flaws in software.

You’ll learn about a fault model that helps testers conceptualize these types of bugs, and will explore a set of software attacks that have proven effective at exposing security bugs. You’ll walk away with a full arsenal of software attacks to uncover security vulnerabilities in your software before hackers discover them for you.

In this practical course, you will learn:
• How security bugs are different from functional bugs and how to quickly identify symptoms of security vulnerabilities.
• How to recognize the range of vulnerabilities and threats to which an organization’s information assets may be exposed.
• 19 focused security testing techniques that will allow you to expose vulnerabilities in your own software.
• How to effectively apply the attacks to a broad range of applications, through real-world and interactive examples.


Software Security Summit™ and S-3 ™ are trademarks of BZ Media LLC.
This site's content copyright © 2004-2007 by BZ Media LLC. All rights reserved.