Application Security – Room #201
9:35 – 10:25
Web Application Firewall
by Ryan Barnett, Director of Application Security Research, Breach Security
The Web Hacking Incident Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. This presentation will highlight the statistics gathered from Jan – June of 2009 and provide insight into categories such as: 1) Top Attack Methods, 2) Top Compromise Outcomes, 3) Top Target Geographic Region, 4) Top Vertical Markets Hit. The presenter will also provide some in-depth analysis of specific WHID entries.
10:40 – 11:30
Delivering Security Services in the Cloud – Panacea or Propaganda?
by Michael Sutton, VP of Security Research, Zscaler Labs
‘Cloud’ has become the favored buzzword among IT vendors rushing to deliver more for less in a tight economic environment. Security vendors have certainly not missed this opportunity, and a variety of security solutions once available only as products are now being delivered as services in the cloud. From securing email and web traffic to anti-virus engines and vulnerability scanning, numerous security functions can now be obtained in a service model, delivered by third parties.
Tough economic times are a selling point for such services, as they enable managers to convert capex to opex at a time when budgets are being slashed. Costs can also be made more predictable: services are priced on head count, whereas software and hardware purchases are made whenever traffic levels exceed certain thresholds or additional office space is acquired. But what is the true cost? Are short-term cost savings outweighed by the hidden costs associated with outsourcing security?
Although cloud services have recently been hyped in virtually all areas of IT thanks to over-eager marketing departments, cloud-based security services are at differing levels of maturity. Services such as email security and vulnerability scanning emerged as service-based offerings before the term ‘cloud security’ was coined. In other areas, such as web security and anti-virus/anti-spyware solutions, vendors are only now deploying solutions. As such, we’ll consider the challenges inherent in delivering cloud offerings across the different segments of the security industry.
Cloud-based security services are a relatively new phenomenon, and as such, enterprises typically have a variety of concerns that need to be addressed prior to committing to such an approach. In this talk we’ll consider the following common concerns from the buyer’s perspective:
• Privacy – Can corporate data be adequately secured in a multi-tenant environment?
• Functionality – Can third-party services deliver functionality equivalent to in-house solutions?
• Reliability – What if the service goes offline?
• Compliance – Can I meet compliance objectives if functionality is outsourced?
In order to address these issues, we’ll investigate the various categories of security offerings now being delivered ‘in the cloud’. We’ll consider the various architectural approaches taken by vendors and debate the merits of each. We’ll also consider guidance provided by industry organizations such as the Cloud Security Alliance and the Jericho Forum to identify best practices. Attendees can expect to understand the pros and cons of cloud security services and to leave with the questions that every enterprise considering such offerings needs to answer upfront.
2:00 – 2:50
Application Security Threat Modeling
by Dirk Maxwell, Director of Security & Compliance, Kroll
When it comes to application security, many organizations have established security requirements as part of their development lifecycle, adopted secure coding practices, implemented code review, regularly perform security scans of applications prior to release, and sometimes spend a lot of money on independent penetration testing of their applications. A few organizations also utilize static source code analysis tools and other methods to help ensure secure software. Yet, outside of some large organizations and forward-thinking software development houses, relatively few organizations have implemented what is arguably one of the most cost-effective and far-reaching practices in secure software development. In this talk, I will address Application Security Threat Modeling, how it can be used to inform virtually every other application security practice, and why I believe it is foundational to achieving an effective software security program.
3:00 – 3:50
Building Security In Maturity Model (BSIMM)
by Dean Saxe, Managing Consultant, Foundstone Professional Services (A Division of McAfee)
Software insecurity affects organizations of all sizes that develop software. No organization is immune from the ever-present threat of attacks seeking to gain access to personally identifiable information (PII), protected health information, credit card data and more. The costs associated with information loss, directly from fines and lawsuits and indirectly from lost customers and market share, are significant. Implementing a secure software development lifecycle (S-SDLC) has been touted as the way to improve the security of software; however, guidance for such efforts has been difficult to obtain. The Building Security In Maturity Model provides a framework for designing and implementing an S-SDLC based upon the practices observed in nine large-scale, successful software security initiatives. In this talk, we’ll explore the basis of BSIMM, the drivers for implementing an S-SDLC, and examine a handful of the 110 activities defined in BSIMM that may be used as part of a comprehensive S-SDLC initiative.
Related pages (Nashville Technology Council):
• InfoSec 2009 Breakout Session Abstracts - Layer “8” The Softer Side of Security (August 12, 2009)
• InfoSec 2009 Breakout Session Abstracts - Enterprise Security (August 12, 2009)
• Sept. 17 - InfoSec Nashville Security Conference (August 12, 2009)
• InfoSec 2009 Breakout Session Abstracts - Innovations in Security (August 27, 2009)