Security

Conference Presentations

Penetration Testing Demystified

Penetration testing is a method of evaluating the security of a system by maliciously attacking it and analyzing its possible weaknesses. Penetration testing uses a suite of tests, generally performed in a gray-box fashion, to attack the system as real attackers would: approaching the system with an attacker's eyes, knowledge, skills, and tools. Edward Bonver explains why and how penetration testing should be done on any mission-critical system as part of a comprehensive security testing strategy. He describes the factors that influence the success of penetration testing, including testing environment readiness, technical information, and the availability of the product teams' key contacts. You'll learn the details behind penetration testing, common approaches, testing options, and best practices.

Edward Bonver, Symantec Corporation
Security Testing: Thinking Like an Attacker

Compared to traditional functional testing, security testing requires testers to develop the mindset of real attackers and proactively look for security vulnerabilities throughout the software development lifecycle. Using live demos, Frank Kim shows you how to think, and act, like a hacker. Rather than just talking about issues such as Cross Site Scripting (XSS), SQL Injection, and Cross Site Request Forgery (CSRF), Frank shows, live and in color, how hackers abuse potentially devastating defects by finding and exploiting vulnerabilities in a live web application. Find out how attackers approach the problem of gaining unauthorized access to systems. Discover the tools hackers have that you don't even know exist and how you can find critical security defects in your production apps. In this revealing session, you'll learn how to become a better tester and find serious security vulnerabilities in your systems before the bad guys do.

Frank Kim, ThinkSec
Is Open Source Too Open? Tips for Implementing a Governance Program

By next year, 90 percent of large enterprises will include open-source software as business critical elements of their IT portfolios. However, most software development organizations have limited capability to govern the process of selecting, managing, and distributing open-source components, leaving them exposed to unforeseen technical and compliance risks. Larry Roshfeld examines how open-source components (and their dependencies) may expose your company to unforeseen and unnecessary vulnerabilities. He outlines the significant threats to software quality, stability, performance, security, and intellectual property that have occurred through the use of such components. Then, Larry shares an action plan for balancing the risk/reward trade-offs of open-source software in the enterprise. Find out how to ensure that your organization uses only the highest quality open-source components and avoids the common vulnerabilities.

Larry Roshfeld, Sonatype
Testing Application Security: The Hacker Psyche Exposed

Computer hacking isn’t a new thing, but the threat is real and growing even today. It is always the attacker’s advantage and the defender’s dilemma. How do you keep your secrets safe and your data protected? In today’s ever-changing technology landscape, the fundamentals of producing...

Mike Benkovich, Imagine Technologies, Inc.
Security Testing: The Foundations and More

Your organization is doing well with functional, usability, and performance testing. However, you know that software security is a key part of your assurance and compliance strategy for protecting applications and critical data. Left undiscovered, security-related defects can wreak havoc in a system when malicious invaders attack. If you don’t know where to start with security testing and don’t know what you are looking for, this session is for you. Alan Crouch describes how to get started with security testing, introducing foundational security testing concepts and showing you how to apply those security testing concepts with free and commercial tools and resources. Offering a practical risk-based approach, Alan discusses why security testing is important, how to use security risk information to improve your test strategy, and how to add security testing into your software development lifecycle.

Alan Crouch, Coveros, Inc.
Building Secure Applications

The Internet is full of insecure applications that cost organizations money and time, while damaging their reputations when their systems are compromised. We need to build secure applications as never before, but most developers are not now, and never will be, security specialists. By incorporating security controls into the frameworks used to create applications, Tom Stiehm asserts that any organization can imbue security into its applications. Building security into a framework allows highly specialized security experts to create components that maximize your application security profile while reducing the need for your development teams to have specialized application security knowledge. Learn to pick the right places in your framework to insert security controls and then enforce their use. Join Tom to explore real-world security controls he's applied to commonly used application frameworks.

Thomas Stiehm, Coveros, Inc.
Mobile Applications Security

Mobile applications enable millions of users to have more fun, be more productive, and interact with their world in more ways than ever before. Mobile architectures run the gamut from simple web-based applications optimized for mobile displays to custom-built handset-specific applications that can interact directly with the mobile operating system. This diversity of architectures presents a huge challenge to ensure that applications meet security requirements, such as confidentiality and integrity. Targeted at beginners in the mobile development space, Scott Matsumoto introduces the basics of mobile applications (deployment, digital rights management, and the cellular network) and then addresses popular security attack vectors that hackers exploit. Scott explores the mobile threat model you must consider when developing mobile business applications.

Scott Matsumoto, Cigital
Can You Hear Me Now? Yes...and Everyone Else Can Too

Mobile devices, connected to the world through the Internet, web, networks, and messaging, are everywhere and expanding rapidly in numbers, functionality, and, unfortunately, security threats. Not too many years ago, little attention was paid to mobile device security. Now, we hear reports almost daily of phone email and messages being hacked, apps with worms, phishing via smart devices, and smart device fraud. People often have their records, personal data, and financial records on or accessible by the mobile device. In addition, organizations are using these devices to conduct critical business. Jon Hagar shares and analyzes case histories and examples of mobile application security failures. Based on this analysis, Jon summarizes these attacks and describes how to expose security bugs within these devices.

Jon Hagar, Consultant
Implementing a Security-focused Development Lifecycle

Assaults against digital assets are unquestionably on the rise. If you create applications that handle valuable assets, your code WILL be attacked. In addition to lost revenue and productivity, the consequences of compromised systems can include loss of trust, a tarnished reputation, and legal problems. Much like quality assurance, it’s important to have a holistic approach to security that unifies people, process, and technology. Cassio Goldschmidt introduces defense techniques that measurably reduce the number and severity of software vulnerabilities. These include secure coding techniques, minimizing the use of unsafe functions, use of compiler and linker security options, and specialized static analysis tools. Enrich your development lifecycle with threat modeling, security code review, penetration testing, and vulnerability management.

Cassio Goldschmidt, Symantec Corporation
Risk Identification, Analysis, and Mitigation in Agile Environments

Although risk identification, analysis, and mitigation are critically important parts of any software project effort, agile projects require non-traditional techniques that are much quicker and easier to use than classical risk techniques. James McCaffrey focuses not on theory but on realistic risk analysis methods agile teams can readily implement with lightweight tools. James explains and demonstrates how you can employ taxonomy and storyboarding methods to recognize project meta-risks and identify product risks throughout the development lifecycle. Using "central moment" and "PERIL" techniques, you'll learn to analyze these risks and develop management and mitigation strategies dynamically, while the project is underway.

James McCaffrey, Volt VTE
