It’s my second year at the OWASP AppSec Conference, and this year it is in Washington, DC.  The New York City conference last year proved to be probably the best conference I’ve ever been to.  Based on the agenda and the facilities, this year is looking very promising.  Today’s keynote is by Joe Jarzombek, the Director for Software Assurance at the National Cyber Security Division of the Office of the Assistant Secretary for Cybersecurity and Communications.  Man, is that a mouthful.  My notes on the presentation are below:

DHS NCSD Software Assurance Program

  • A public/private collaboration that promotes security and software resilience throughout the SDLC
  • Reduce exploitable software weaknesses
  • Address the means to improve capabilities that routinely develop, acquire, and deploy resilient software products
  • IT/Software Security risk landscape is a convergence between “defense in depth” and “defense in breadth”
  • Applications now cut through the security perimeter
  • Rather than attempt to break or defeat network or system security, hackers opt to target application software to circumvent security controls
    • 75% of hacks are at the application level
    • Most exploitable software vulnerabilities are attributed to non-secure coding practices
  • Enable software supply chain transparency
    • Acquisition managers and users should factor the risks posed by the software supply chain into the trade space of their risk mitigation efforts
  • DHS Software Assurance program scoped to address:
    • Trustworthiness
    • Dependability
    • Survivability
    • Conformity
  • Standalone Common Body of Knowledge (CBK) drawing upon contributing companies/industries

Build Security In: https://buildsecurityin.us-cert.gov

  • Focus on making software security a normal part of software engineering
  • Process-agnostic lifecycle
  • There was an interesting slide on touchpoints and artifacts that I took a picture of with my phone, and I will try to post it here.

Resources to Check Out

“Software Security Engineering: A Guide for Project Managers”

“Enhancing the Development Lifecycle to Produce Secure Software”

Fundamental Practices for Secure Software Development

http://www.safecode.org/publications/SAFECode_Dev_Practices1008.pdf

The Software Assurance Pocket Guide Series

Software Assurance in Acquisition: Mitigating Risks to the Enterprise

  • Check out Appendix D – Software Due Diligence Questionnaires

“Making the Business Case for Software Assurance”

“Measuring … Assurance”

Common Weakness Enumeration (CWE)

  • If you have this weakness, then it’s not a matter of if, but when you’ll be breached.