Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-3

Leading, Planning, and Executing an Application Security Initiative

Aspect Security

Overview

Today, every business function relies on custom software applications. These applications are typically built under tremendous time pressure by internal or contracted developers to fulfill a specific business need. Organizations need to be able to trust that this software has appropriate security mechanisms to thwart attacks and that the code does not contain vulnerabilities. Even software product companies have an extremely difficult time achieving trustworthy code, and experience shows that most custom applications have far more vulnerabilities. Recent market trends show a clear pattern: organizations need an Application Security Initiative in order to achieve this level of trust in their custom-built applications.

This course will provide answers to some of the key questions you may have been challenged with:

Why is application security so important?
What are the most critical vulnerability areas to focus on and how?
What security tools and technologies do software projects need?
How do I establish an application security initiative in my organization?
How can I enhance my SDLC to include security activities?
How do I measure my organization’s progress in application security?
How can I get my developers to care about application security?
What teams and roles should I create to address application security?
How do I get a handle on the security of my entire application portfolio?
What is the most effective way of securing legacy applications?

Who Should Attend

This is the right course at the right time for any executive or manager who has decided that secure application development is a priority. The analyst community is helping CIOs understand just how critical the problem of insecure programming has become. For example, the Robert Francis Group (a well-known application development analyst group) wrote:

"The lack of application security requirements and associated poor security focus in the development process can cripple business application security leading to significant revenue loss and perhaps liability claims from anyone impacted by this oversight. IT executives should review application development processes and direct development teams to build in security, rather than consider it after the application deployment."

In this two-day management session, you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root causes, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. It provides a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities, and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.

The intended audience for this course is:

CISOs
CSOs
Program Managers
Account Managers
Functional/Resource Application Managers
Technical Program/Project Managers (Chief Engineers)
Executives
Directors
Key/Technical Decision Makers

Learning Objectives

Importance of Application Security - Be aware of secure application development and the value it brings

State of the Industry - Be able to compare your project with other comparable companies efforts in application security

Identifying Risks - Understand that application security risks and their associated business risks need to be identified for all applications

Security Areas - Be aware of the key security areas and understand the major threats to each

Managing Application Security - Understand application security root causes, analyze an organization’s capability and utilize proven techniques in planning and managing an effective application security initiative.

Process - Understand how to successfully integrate secure coding activities and techniques across the application development lifecycle

People - Be able to determine whether their team has the appropriate skills to build a secure application, and how to build teams with the required skills.

Application Security Technologies - Be familiar with common application security tools and technologies for building secure web applications and what security capabilities they provide

Trainer:

Aspect Security has been working with development teams around the country for years to help them identify, diagnose, and address security issues throughout the application development lifecycle. Through these efforts, they have learned the key practices that development and project managers, and key support personnel must know to achieve secure applications.

Aspect’s instructors are full-time application security specialists that spend the majority of their time working with clients to secure the nation’s most critical applications. Leveraging this practical experience brings the class to life. Students will gain valuable insight into lessons learned from other development organizations. Our instructors also make themselves available to you for application security questions after the course is complete.

Aspect is a founding OWASP Member and supports several OWASP projects. In particular, Aspect conceived the OWASP Top Ten project and led the effort to build the document. We also built WebGoat, ESAPI, Stinger, and CSRFGuard and donated them to the OWASP effort. Aspect personnel assist with the management of the OWASP Foundation and help run the OWASP AppSec conference series.

Eric Sheridan is an Application Security Consultant at Aspect Security, a consulting services company specializing in application security. At Aspect Security, Eric specializes in execution of security verification assessments and the establishment of security activities throughout the development lifecycle. In addition, Eric is an instructor in Aspect's portfolio of Application Security Courses. Eric is also an active participant in the non-profit Open Web Application Security Project (OWASP), whose contributions include Stinger, CSRFGuard, and SASAP. Eric was also a featured speaker at the 2007 OWASP/WASC San Jose conference.

John Pavone is Aspect Security's Acceleration Services Practice Lead, specializing in the enablement of application security within organizations. John has been an IT professional for over 20 years. In the last 12 years, John has concentrated solely on Information and IT Infrastructure Security.

John held various security related management positions, including the chief security architect for a large financial services firm. In this role, John established an enterprise-wide IT security program utilizing a quantitative risk assessment and mitigation approach with a direct line of sight to the organization's corporate dashboard. Other major accomplishments include the development and mainstreaming of an IT risk management process, the creation of an application vulnerability testing lab, and the security design and implementation of an enterprise single sign-on and authorization system.

John holds dual degrees in Mathematics and Computer Science from West Chester University.

Early: Ends May 1	Regular: Ends July 1	Late: Ends July 31	Late/Onsite: Begins August 1
USD 1800	USD 2000	USD 2200	USD 2500