We are excited to announce that the July presenter for the Cincinnati ISSA meeting will be Marco M. Morana. Marco serves as one of the leaders of the OWASP (Open Web Application Security Project) organization, where he is actively involved in evangelizing web application security through presentations at local chapter meetings in the USA as well as internationally. Besides contributing to OWASP, Marco works as Sr. TISO (Technology Information Security Officer) for a large financial organization in North America, with responsibilities in the definition of the organization's web application security standards, management of application security assessments during the SDLC, threat and fraud analysis, and training of software developers, project managers and architects on different topics related to application security.
Marco's research work on application and software security is widely published in several magazines such as In-secure magazine, Secure Enterprise, ISSA Journal and the C/C++ Users Journal. Marco is currently writing a book on application threat modeling under contract with Wiley Publishing. Marco's ideas and strategies for writing secure software are posted on his blog: http://securesoftware.blogspot.com.
The aim of this presentation is first to introduce information security practitioners to the basic ingredients for starting a software security assurance program within their organization. These ingredients are pre-conditions that organizations need to establish, such as hiring a team of secure software technologists and managers, assessing the organization's software security maturity using a maturity model (e.g. SAMM or BSIMM), and securing the commitment of senior company management and/or sponsors.
The next step would be to extend the information security domain from applications to software, so as to address any potential security issues introduced during coding and implementation using source code analysis. From an information security perspective, software security assessments represent an opportunity for security to drive compliance during the development of source code and to identify and remediate vulnerabilities earlier in the project life-cycle, when they are cheaper to fix.
Such a roadmap envisions a software security initiative pushed by the information security teams (e.g. Chief Information Security Officers and managers) but requiring engagement with development teams (e.g. developers, architects, project managers, technical directors) throughout the SDLC. Reaching the goals of a software security initiative, however, must take into account the level of software security maturity the organization has reached in different domains, including for example the quality of its software security engineering processes, the level of software security awareness and training for developers, and the adoption of software security technology and tools.
Since the business case for a software security initiative needs to take into account both information security and software engineering stakeholders, it is important to build these cases with data that appeals to both: this includes both vulnerability and defect management metrics. The presentation will provide example metrics and use them later to assess process improvement and to provide evidence of increased software security assurance, as well as effective process management and reduced engineering and defect management costs.