Software Assurance Forum for Excellence in Code



Similar documents
SAFECode Security Development Lifecycle (SDL)

DEVELOPING SECURE SOFTWARE

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

The Software Supply Chain Integrity Framework. Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

elearning for Secure Application Development

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

The Seven Deadly Myths of Software Security Busting the Myths

Developing Secure Software in the Age of Advanced Persistent Threats

Principles for Software Assurance Assessment. A Framework for Examining the Secure Development Processes of Commercial Technology Providers

Enterprise Application Security Program

Software Assurance: An Overview of Current Industry Best Practices

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Development Processes (Lecture outline)

G- Cloud Specialist Cloud Services. Security and Penetration Testing. Overview

Network Threats and Vulnerabilities. Ed Crowley

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Editor Stacy Simpson, SAFECode. Contributors

ISSECO Syllabus Public Version v1.0

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Application Security Testing

Software Development: The Next Security Frontier

EC-Council E C S P.NET. EC-Council. EC-Council Certified Secure Programmer (.NET)

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

Passing PCI Compliance How to Address the Application Security Mandates

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

The Security Development Lifecycle

Integrating Tools Into the SDLC

Application Code Development Standards

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

Mastering Continuous Integration with Jenkins

Security Innovation Application Security Education Curriculum. Courses to Help Build and Deploy more Secure Software and Information Systems

Black Box versus White Box: Different App Testing Strategies John B. Dickson, CISSP

White Paper. Understanding NIST FISMA Requirements

Software security specification and verification

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Testing for Security

Software Integrity Controls. An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain. June 14, Contributors.

Information Security. Training

How To Perform An External Security Vulnerability Assessment Of An External Computer System

SECURITY EDUCATION CATALOGUE

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Transforming Software Quality Assurance &Testing

November 12 th 13 th London: Mastering Continuous Integration with Jenkins

Secure Software Development Lifecycle. Security... Not getting better

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Security Testing & Load Testing for Online Document Management system

Rapid Security Framework (RSF) Taxonomie, Bewertungsparameter und Marktanalyse zur Auswahl von Fuzzing-Tools

CompTIA Security+ (Exam SY0-410)

Penetration Testing in Romania

Web Application Security Considerations

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

ensuring security the way how we do it

Strategic Information Security. Attacking and Defending Web Services

Microsoft Security Development Lifecycle for IT. Rob Labbé Application Consulting and Engineering Services

Developing secure software A practical approach

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT

Integrigy Corporate Overview

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

OUTSOURCING YOUR GUARD SERVICE

Attack Vector Detail Report Atlassian

Production Security and the SDLC. Mark Kraynak Sr. Dir. Strategic Marketing Imperva

Building & Measuring Security in Web Applications. Fabio Cerullo Cycubix Limited 30 May Belfast

Dean C. Garfield President & CEO, Information Technology Industry Council (ITI) Committee on Energy and Commerce

Columbia University Web Security Standards and Practices. Objective and Scope

Cenzic Product Guide. Cloud, Mobile and Web Application Security

Learning objectives for today s session

Mobile Testing in a Fast Paced World

Software Security Touchpoint: Architectural Risk Analysis

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Transcription:

Software Assurance Forum for Excellence in Code Security Engineering Training: Building the Foundation for Software Security Success March 2012

About SAFECode The Software Assurance Forum for Excellence in Code (SAFECode) is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services

Fundamental to our success: The people who are designing, developing, testing and delivering software must understand the fundamentals of secure software engineering that lead to secure practices and products

How We Get There Today s reality: Every SAFECode member software assurance program is supported by an internally developed training program It is the only way to build specialized skills and knowledge to support their own organization s unique development environment This does not mean there is not value in university programs and professional certification/external training programs

Define Goals Content should create an understanding of basic security such as: Secure Design Principles Secure Coding Principles The Most Common Errors that Lead to Security Vulnerabilities Threat Modeling How to Find / Test Security-related Issues in Code How to Fix Security Issues etc. Security in the company s Software Development Lifecycle A conceptual understanding of security issues should include buffer overflows, data validation, SQL injection, cross site scripting, format string vulnerabilities and use of unsafe functions or behaviors, etc.

Define Audience Target a Broad Internal Audience Spread awareness of software security Develop security-aware culture & mindset Develop advocates in Engineering Target all who touch products!!! SAFECode member companies believe that the basics of security engineering need to be understood by everyone involved with software development including Product Managers, Product Architects/ Designers, Program/ Project Managers, Development Engineers and Quality Assurance (QA) Engineers.

Foundational Basic understanding of the current threat environment and the important role of secure development practices in attack prevention Overview of business risks/rationale, internal standards and policies, basics of secure coding and testing Overview of a company s approach to security in the development lifecycle Intended for all employees involved in product development and management.

Advanced Language & OS specific techniques to prevent and fix software vulnerabilities Secure design principles Secure testing methodologies Secure coding techniques Find and fix security flaws against common definitions (e.g. CWE,CVE) Threat modeling techniques Intended for all employees involved in product development and testing

Specialized Role-based Directly tied to job functions Security tools (e.g., specific static code analysis tool) Specific technology implementations and their associated security concerns Cryptography Intended for engineers seeking to improve their security knowledge in specialized areas.

Training as an Ongoing Effort While some of the skills / knowledge required are static; others need constant education It is important to develop an understanding of the ever-changing, dynamic threat Many SAFECode members supplement their internal training programs with informal approaches to keep product teams updated on security developments podcasts, newsletters, in-house conferences, webinars, guest speakers, etc.

Program Implementation Must be relevant to work at hand Sensitive to corporate culture Mandated vs. professional development Must reward people; develop incentives Keep direct link between content and performance

Implementation Obstacles Time is most the precious commodity Customized and adaptable Applying the techniques lead to less time to fix errors Tailor to product development cycles

Program Implementation Computer Based Training vs. Instructor Led Training debate Depends on: company s unique attributes, size, culture, distribution SAFECode members: Adopt Hybrid Computer Based Flexible Schedule Cost Effective Suited for global orgs Can intermix COTS content Instructor Led Get direct answers May accommodate labs In-house mentoring Build peer resources

Measurement Tie training measurement to corporate goals (and individual performance) Direct and in-direct measurements How many team members have been training? How is training being received by learners? Has it affected quality of output i.e. teams with more trained engineers produce code with fewer vulnerabilities than those teams with less

What s Next Though not a replacement for formal education on secure development principles and practices at the university level, in-house training is essential to success Industry must drive its own improvements; can t afford to wait for someone else to train workforce This is not without challenges SAFECode working to help address some of these challenges

For More: Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development - http://www.safecode.org/publications/safecode_training0 409.pdf All SAFECode Papers available at www.safecode.org at no cost For more: Stacy Simpson SAFECode Policy Director stacy@safecode.org

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information