Black Hat USA 2009 Weekend Training Session

July 25-26

Black Hat USA 2009 Weekday Training Session

July 27-28

Leading, Planning and Executing
an Application Security Initiative

Aspect Security

Overview

Today, every business function relies on custom software applications. These applications are typically built under tremendous time pressure by internal or contracted developers to fulfill a specific business need. Organizations need to be able to trust that this software has appropriate security mechanisms to thwart attacks and that the code does not contain vulnerabilities. Even software product companies have an extremely difficult time achieving trustworthy code, and experience shows that most custom applications have far more vulnerabilities. Recent market trends show a clear pattern: organizations need an Application Security Initiative in order to achieve this level of trust in their custom-built applications.

This course will provide answers to some of the key questions you may have been challenged with:

• Why is application security so important?
• What are the most critical vulnerability areas to focus on and how?
• What security tools and technologies do software projects need?
• How do I establish an application security initiative in my organization?
• How can I enhance my SDLC to include security activities?
• How do I measure my organization’s progress in application security?
• How can I get my developers to care about application security?
• What teams and roles should I create to address application security?
• How do I get a handle on the security of my entire application portfolio?
• What is the most effective way of securing legacy applications?

Who Should Attend

This is the right course at the right time for any executive or manager who has decided that secure application development is a priority. The analyst community is helping CIOs understand just how critical the problem of insecure programming has become. For example, the Robert Francis Group (a well-known application development analyst group) wrote:

"The lack of application security requirements and associated poor security focus in the development process can cripple business application security leading to significant revenue loss and perhaps liability claims from anyone impacted by this oversight. IT executives should review application development processes and direct development teams to build in security, rather than consider it after the application deployment."

In this two-day management session, you’ll get an industry perspective of application security, understand the key vulnerabilities to applications, be able to analyze root causes, and provide practical and proven techniques in building out an application security initiative. This course gives executives and managers the education and practical guidance they need to ensure that software projects properly address security. It provides a firm understanding of the importance of software security, the critical security activities required within the software development lifecycle, and how to efficiently manage security issues during development and maintenance. This understanding is reinforced through industry awareness, live demonstrations of commonly found application vulnerabilities, and workgroup exercises allowing attendees to conduct capability assessments and recommend improvement plans.

The intended audience for this course is:

• CISOs
• CSOs
• Program Managers
• Account Managers
• Functional/Resource Application Managers
• Technical Program/Project Managers (Chief Engineers)
• Executives
• Directors
• Key/Technical Decision Makers

Learning Objectives

Trainer:

Aspect Security has been working with development teams around the country for years to help them identify, diagnose, and address security issues throughout the application development lifecycle. Through these efforts, they have learned the key practices that development and project managers, and key support personnel must know to achieve secure applications.

Aspect’s instructors are full-time application security specialists that spend the majority of their time working with clients to secure the nation’s most critical applications. Leveraging this practical experience brings the class to life. Students will gain valuable insight into lessons learned from other development organizations. Our instructors also make themselves available to you for application security questions after the course is complete.

Aspect is a founding OWASP Member and supports several OWASP projects. In particular, Aspect conceived the OWASP Top Ten project and led the effort to build the document. We also built WebGoat, ESAPI, Stinger, and CSRFGuard and donated them to the OWASP effort. Aspect personnel assist with the management of the OWASP Foundation and help run the OWASP AppSec conference series.

John Pavone is Aspect Security's Acceleration Services Practice Lead, specializing in the enablement of application security within organizations. John has been an IT professional for over 20 years. In the last 12 years, John has concentrated solely on Information and IT Infrastructure Security.

John held various security related management positions, including the chief security architect for a large financial services firm. In this role, John established an enterprise-wide IT security program utilizing a quantitative risk assessment and mitigation approach with a direct line of sight to the organization's corporate dashboard. Other major accomplishments include the development and mainstreaming of an IT risk management process, the creation of an application vulnerability testing lab, and the security design and implementation of an enterprise single sign-on and authorization system.

John holds dual degrees in Mathematics and Computer Science from West Chester University.

Super Early: Ends Mar 15	Early: Ends May 1	Regular: Ends Jul 1	Late: Ends Jul 22	Onsite:
$1800	$1900	$2100	$2300	$2600