Protect Your Organization With the Certification That Maps to a Master's-level Education in Software Assurance
- Letitia Smith
- 8 years ago
Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute (SEI) at Carnegie Mellon University developed recommendations for a Master of Software Assurance degree program and for college- and community college-level courses specializing in software assurance. By creating course guidelines for teaching software assurance in a university program, SEI aims to meet industry demand for practitioners educated in secure software development practices, who can enter the workforce with the knowledge and skills required to protect software systems from vulnerabilities and attacks.

Software Development for the Cyber World Requires Security Leaders

In today's cybersecurity threat landscape, software applications must not only function correctly; they must have security built in from the start. There is growing demand across corporations, government, and military organizations for software assurance leaders with the knowledge and expertise to build secure, hacker-resistant applications.

Build a Team of CSSLP-Certified Software Professionals

The (ISC)² Certified Secure Software Lifecycle Professional (CSSLP) is the only certification designed to ensure that security is considered throughout the entire software development lifecycle. This industry-leading certification meets the highest standard of education and training and is fully consistent with the graduate-level course curriculum in software assurance recommended by the Software Engineering Institute (SEI) at Carnegie Mellon University. (ISC)² is the global leader in information and application security credentials. Besides CSSLP certification, (ISC)² also offers a real-world training program that maps to the recommendations established by SEI for a master's-level degree in software assurance.
The CSSLP CBK (Common Body of Knowledge) education curriculum developed by (ISC)² contains the largest, most comprehensive collection of best practices, policies, and procedures for ensuring a security initiative across all phases of application development, regardless of methodology. The CSSLP certification provides employers with industry-leading validation of an employee's professional expertise in secure software development practices.

For more information on CSSLP, visit:
For information on the (ISC)² Global Academic Program, visit:
For more information on the SEI Software Assurance Curriculum Project, visit:
Carnegie Mellon SEI Recommendations and Alignment With CSSLP Certification

The following charts detail how the CSSLP certification program aligns with SEI recommendations for a Master of Software Assurance degree program and for undergraduate and community college courses specializing in software assurance.

Master of Software Assurance Course Curriculum

Assured Software Development 1 (ASD1) Course

This course covers the fundamentals of incorporating assurance practices, methods, and technologies into software development and acquisition lifecycle processes and models. With this foundation, the course provides students with rigorous methods for eliciting software and system assurance requirements, using threat identification, characterization, and modeling; assurance risk assessment; and misuse/abuse cases. Students will also learn how to evaluate methods and environments for creating software and systems that meet their functionality and security requirements.

ASD1 Course Syllabus

Week 1: Software process overview: lifecycle processes, including spiral, waterfall, and agile, and their associated activities. Discuss the entire spectrum of lifecycle activities, including evolution.
Week 2: Discuss supply chain, acquisition, and service. Discuss Common Criteria.
Week 3: Introduce processes that are specific to software assurance, such as CLASP and Secure Tropos.
Week 4: Teach BSIMM, SAFECode, and OWASP best practices.
Week 5: Methods for evaluation of environments, languages, and tools.
Week 6: Teach quality factors and quality assessment methods as they relate to early lifecycle activities. Identify the different types of stakeholders and the likely developer roles.
Week 7: Teach practices that improve assurance at each lifecycle phase, including requirements engineering, architecture, and design, as well as coding, test, evolution, acquisition, and retirement. Teach practices such as threat modeling, assurance risk assessment, attack trees, and misuse and abuse cases (carries into the following week).
Week 8: Teach practices such as threat modeling, assurance risk assessment, attack trees, and misuse/abuse cases.
Week 9: Tools that can be used in the early lifecycle phases, either as part of a larger environment such as Rational or as standalone tools such as SQUARE.
Week 10: Teach a variety of elicitation methods, including those that are generic and those that are specific to security requirements.
Week 11: Ways of classifying or categorizing security requirements. How to distinguish requirements from architectural and design features and mechanisms.
Week 12: Requirements prioritization methods, including group methods, formal cost/benefit tradeoff analysis, and factoring risk into the tradeoff analysis process.
Week 13: Requirements peer reviews, inspections, and traceability of requirements to assets and security goals.

Assured Software Development 2 (ASD2) Course

This course covers rigorous methods for specifying assurance requirements and for architecting and designing software and systems to meet those requirements. Such methods include requirements specification; applying security principles; threat identification, characterization, and modeling; misuse/abuse cases; architectural risk analysis; architectural vulnerability assessment; and technology-specific security guidelines.

ASD2 Course Syllabus

Week 1: Concepts of the assured development lifecycle
Week 2: Assurance issues in the front-end development life cycle (specification, architecture, design)
Week 3: Software development environments supporting specification, architecture, and high-level design
Week 4: Tool support for assured software development
Week 5: Languages review
Week 6: Project constraint aspects: cost, schedule, functionality, and quality factors
Week 7: Formal specification languages and technologies
Week 8: Improvements in technologies to support specification, architecture, and high-level design
Week 9: Architectural models and viewpoints
Week 10: Architectural risk and tradeoff analysis
Week 11: Methods and technologies for developing assured system and software specifications, architectures, and high-level designs
Week 12: Design models and languages
Week 13: Design validation and software inspections

Assured Software Development 3 (ASD3) Course

This course covers rigorous methods, techniques, and tools for developing secure code. Such methods include code analysis for commonly known vulnerabilities, source code review using static analysis tools, and known, language-specific practices for producing secure code. This course also covers rigorous methods and tools for inspecting, testing, verifying, and validating software and systems to demonstrate that they meet functional and security requirements. Students will learn methods of verification and validation for security assurance and how security vulnerabilities can differ from programming errors. Team inspections and correctness verification methods will be covered. Testing techniques will include threat- and attack-based testing, functional testing, risk- and usage-based testing, stress testing, black- and white-box testing, and penetration testing.

ASD3 Course Syllabus

Week 1: Introduction. Overview of vulnerabilities and their costs; properties of secure and resilient software
Week 2: Vulnerabilities. CWE/SANS Top 25 most dangerous programming errors; security concepts
Week 3: General Strategies. Security and resilience throughout the life cycle; attack surfaces and security perimeters; OWASP best practices
Week 4: Development Practices. Best practices for requirements, architecture, and design (e.g., abuse/misuse cases, threat modeling, risk analysis, design reviews, defense in depth)
Week 5: Programming Practices. OWASP Top 10 security risks; OWASP Enterprise Security API; cross-site scripting; injection attacks; authentication and session management
Week 6: Memory Management in C and C++. Common memory management errors (buffer overflow, stack smashing); input validation
Week 7: Strings, Pointers, and Integers. Common string manipulation errors; integer overflow vulnerabilities; pointer subterfuge
Week 8: Other Vulnerabilities in C and C++. Formatted I/O operations; file I/O race conditions (e.g., time-of-check/time-of-use); other file system exploits
Week 9: Inspections, Proofs, and Code Reading. Code-reading techniques; formal code inspections; program verification
Week 10: Static Analysis. Types of static analysis; modern analysis tools (e.g., Coverity, Fortify)
Week 11: Testing. Best practices for unit testing; penetration testing; fuzzing; overview of Common Criteria
Week 12: Insecurities in Java and Other Languages. Runtime environment; coding practices; overview of known vulnerabilities
Week 13: Trends and Resources. Comprehensive, Lightweight Application Security Process (CLASP); certificates and courses in security and software assurance: CSSLP, Associate of (ISC)², Official (ISC)² CSSLP Training Seminar
Undergraduate Course Curriculum

Software Security Engineering

This course covers a range of topics that are relevant and tailored to software security engineering, including properties of secure software, requirements engineering, architecture and design, construction and testing, system integration/assembly, and governance and management. A summary of key practices and guidance on how to get started is provided. These are largely based on and inspired by material from the DHS Build Security In website [DHS 2010a].

Software Security Engineering Syllabus

Why is security a software issue? Understanding the problem (threats, sources, assurance versus security), detecting software defects early, introduction to key practices
What makes software secure? Properties of secure software, defender and attacker perspectives, attack patterns, introduction to assurance evidence
Security of Web applications: consideration of network-level attacks, cross-site scripting, SQL injection
Requirements engineering for secure software: importance of requirements engineering, quality and security requirements engineering, Security Quality Requirements Engineering (SQUARE) introduction, two SQUARE case studies, SQUARE extensions, technology transition
Secure software architecture and design: architectural risk analysis activities (including application of security principles and guidelines)
Considerations for secure coding and testing: introduction to practices (code analysis, code review, coding), software testing versus software security testing, security testing methods/techniques, testing throughout the software development life cycle (SDLC)
Security and complexity: system development challenges, security failures, perspectives for security analysis, complexity
Governing and managing for more secure software: definitions and characteristics, risk management framework, project management, security in the SDLC
Getting started: determining where and how to begin, summary of key practices
Community College Course Curriculum

Introduction to Assured Software Engineering

This course covers the basic principles and concepts of assured software engineering; system requirements; secure programming in the large; modeling and testing; object-oriented analysis and design using the UML; design patterns; frameworks and APIs; client-server architecture; user interface technology; and the analysis, design, and programming of extensible software systems.

Introduction to Assured Software Engineering Syllabus

Introduction to software project management: project planning, estimation, configuration management, risk management; and software security process models: Building Security In Maturity Model (BSIMM), OWASP Software Assurance Maturity Model (SAMM), Microsoft Security Development Lifecycle (SDL)
Role of assured software engineering: software engineering for assurance and its place as an engineering discipline
Requirements analysis: requirements analysis for functional and quality requirements
Introduction to software architecture: architectural patterns (pipe & filter, MVC), client-server computing
Use and misuse cases: use cases, misuse cases, and user-centered design
Design patterns: abstraction-occurrence, composite, player-role, singleton, observer, delegation, facade, adapter, etc.
UML: review of object-oriented principles, UML class diagrams, and object-oriented analysis
Domain modeling: examples of building class diagrams to model various domains
Reusable technologies: review of reusable technologies as a basis for software engineering, risks associated with reuse (e.g., Ariane)
Software behavior: representing software behavior with sequence diagrams, state machines, and activity diagrams; correctness under all conditions of use
Verification and validation: inspections and reviews; integration, system, and acceptance testing
The cybersecurity workforce needs software assurance professionals with security expertise. Become a CSSLP and earn the only certification that validates your application security competency throughout the software development lifecycle. CSSLP training programs are conveniently delivered online and at training locations worldwide.

For more information on CSSLP, visit:
For information on the (ISC)² Global Academic Program, visit:
Follow us on Twitter ( and Facebook (
CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration
More informationRising to the Challenge
CYBERSECURITY: Rising to the Challenge Dialogues with Subject Matter Experts Advanced persistent threats. Zero-day attacks. Insider threats. Cybersecurity experts say that if IT leaders are not concerned
More informationDFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)
Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage
More informationAccess FedVTE online at: fedvte.usalearning.gov
FALL 2015 Access FedVTE online at: fedvte.usalearning.gov If you need any assistance please contact the FedVTE Help Desk her e or email the Help Desk at support@usalearning.net. To speak with a Help Desk
More informationFedVTE Training Catalog SUMMER 2015. advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov
FedVTE Training Catalog SUMMER 2015 advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov Access FedVTE online at: fedvte.usalearning.gov If you need any assistance please
More informationVOLUME 3. State of Software Security Report. The Intractable Problem of Insecure Software
VOLUME 3 State of Software Security Report The Intractable Problem of Insecure Software Executive Summary April 19, 2011 Executive Summary The following are some of the most significant findings in the
More informationHP Application Security Center
HP Application Security Center Web application security across the application lifecycle Solution brief HP Application Security Center helps security professionals, quality assurance (QA) specialists and
More informationWeighted Total Mark. Weighted Exam Mark
CMP2101 Software Engineering Period per Week Contact Hour per Semester Total Mark Exam Mark Continuous Assessment Mark Credit Units LH PH TH CH WTM WEM WCM CU 45 00 30 60 100 40 100 4 Rationale Software
More informationDeveloping secure software A practical approach
Developing secure software A practical approach Juan Marcelo da Cruz Pinto Security Architect Legal notice Intel Active Management Technology requires the computer system to have an Intel(R) AMT-enabled
More informationKnow your enemy. Class Objectives Threat Model Express. and know yourself and you can fight a hundred battles without disaster.
Know your enemy and know yourself and you can fight a hundred battles without disaster. Sun Tzu Class Objectives Threat Model Express Create quick, informal threat models 2012 Security Compass inc. 2 1
More informationSTS Federal Government Consulting Practice IV&V Offering
STS Federal Government Consulting Practice IV&V Offering WBE Certified GSA Contract GS-35F-0108T For information Please contact: gsa70@stsv.com 2007 by STS, Inc. Outline Background on STS What is IV&V?
More informationLearning objectives for today s session
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand what a black box and white box assessment is and how they differ Identify
More informationIoT & SCADA Cyber Security Services
IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087, Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 4, 60 Edward St, Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationUpdate on the CSSLP And its Impact on the SDLC Profession. Hart Rossman, CSSLP Member, (ISC) 2 Application Security Advisory Board
Update on the CSSLP And its Impact on the SDLC Profession Hart Rossman, CSSLP Member, (ISC) 2 Application Security Advisory Board (ISC)² Built the largest, most comprehensive Software Security Body of
More informationIs your business prepared for Cyber Risks in 2016
Is your business prepared for Cyber Risks in 2016 The 2016 GSS Find out Security with the Assessment Excellus BCBS customers hurt by security breach Hackers Access 80 Mn Medical Records At Anthem Hackers
More informationMicrosoft SDL: Agile Development
Microsoft SDL: Agile Development June 24, 2010 Nick Coblentz, CISSP Senior Security Consultant AT&T Consulting Nick.Coblentz@gmail.com http://nickcoblentz.blogspot.com http://www.twitter.com/sekhmetn Copyright
More informationContents. Introduction and System Engineering 1. Introduction 2. Software Process and Methodology 16. System Engineering 53
Preface xvi Part I Introduction and System Engineering 1 Chapter 1 Introduction 2 1.1 What Is Software Engineering? 2 1.2 Why Software Engineering? 3 1.3 Software Life-Cycle Activities 4 1.3.1 Software
More informationSecuring Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group
Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability
More informationPanel: SwA Practices - Getting to Effectiveness in Implementation
Panel: SwA Practices - Getting to Effectiveness in Implementation (EMC s Evolution of Product Security Assurance) Dan Reddy, CISSP, CSSLP EMC Product Security Office Software Assurance Forum Gaithersburg,
More informationYour Web and Applications
Governance and Risk Management Your Web and Applications The Hacker s New Target Anthony Lim MBA CISSP CSSLP FCITIL Director, Security, Asia Pacific Rational Software Social Engineering in the Business
More informationAgile and Secure: OWASP AppSec Seattle Oct 2006. The OWASP Foundation http://www.owasp.org/
Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Dan Cornell, OWASP San Antonio Leader Principal, Denim Group Ltd. dan@denimgroup.com (210) 572-4400 Copyright 2006 - The OWASP Foundation
More informationSoftware Development Life Cycle (SDLC)
Software Development Life Cycle (SDLC) Supriyo Bhattacharjee MOF Capability Maturity Model (CMM) A bench-mark for measuring the maturity of an organization s software process CMM defines 5 levels of process
More informationBlack Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP
Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP Learning objectives for today s session Understand different types of application assessments and how they differ Be
More informationA Systems Engineering Approach to Developing Cyber Security Professionals
A Systems Engineering Approach to Developing Cyber Security Professionals D r. J e r r y H i l l Approved for Public Release; Distribution Unlimited. 13-3793 2013 The MITRE Corporation. All rights reserved.
More informationHP Fortify application security
HP Fortify application security Erik Costlow Enterprise Security The problem Cyber attackers are targeting applications Networks Hardware Applications Intellectual Property Security Measures Switch/Router
More informationHP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security
HP Fortify Application Security Lucas v. Stockhausen PreSales Manager HP Fortify EMEA lvonstockhausen@hp.com +49 1520 1898430 Enterprise Security The problem Cyber attackers are targeting applications
More informationRapid Security Framework (RSF) Taxonomie, Bewertungsparameter und Marktanalyse zur Auswahl von Fuzzing-Tools
Rapid Security Framework (RSF) Taxonomie, Bewertungsparameter und Marktanalyse zur Auswahl von Fuzzing-Tools Prof. Dr. Hartmut Pohl Peter Sakal, B.Sc. M.Sc. Motivation Attacks Industrial espionage Sabotage
More informationAdobe Systems Incorporated
Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...
More informationContinuous???? Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
???? 1 Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Application Delivery is Accelerating Surge in # of releases per app
More informationTesting for Security
Testing for Security Kenneth Ingham September 29, 2009 1 Course overview The threat that security breaches present to your products and ultimately your customer base can be significant. This course is
More information