Part of my new role as the Information Security Program Owner at NI is taking care of our regulatory compliance concerns which means I spend quite a bit of time dealing with auditors. Now auditors are nice people and I want to preface what I’ll say next by saying that I think auditors do perform […]
This presentation was by Boaz Belboard, the Executive Director of Information Security for Wireless Generation and the Project Leader for the OWASP Security Spending Benchmarks Project. My notes are below: It does cost more to produce a secure product than an insecure product. Most people will still shop somewhere, go to a hospital, or enroll […]
This presentation was by Keith Turpin from The Boeing Company. About three years ago, all of Boeing’s assessments were coming from outsourced service providers. They realized that they were unable to have control over the people and process and had difficulties integrating the controls into the SDLC and decided to bring these functions in house. […]
This presentation was by Dave WIchers, COO of Aspect Security and an OWASP Board Member. My notes are below: What’s Changed? It’s about Risks, not just vulnerabilities New title is: “The Top 10 Most Critical Web Application Security Risks” OWASP Top 10 Risk Rating Methodology Based on the OWASP Risk Rating Methodology, used to prioritize […]
This presentation was by Chris Wysopal, the CTO of Veracode. My notes are below: “To measure is to know.” – James Clerk Maxwell “Measurement motivates.” – John Kenneth Galbraith Metrics do Matter Metrics quantify the otherwise unquantifiable Metrics can show trends and trends matter more than measurements do Metrics can show if we are doing […]
This presentation was by Rohit Sethi, the Project Leader for the Secure Pattern Analysis Project at OWASP and he works at Security Compass, a security analysis and training company. My notes from the session are below: Before anyone starts building complex systems, they need to design. We create threat models on completed designs. What about […]
This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, & JavaScript Hijacking AJAX Best Security Practices Demo Q&A […]
The first presentation of the day that I went to was by GE’s Darren Challey and was about GE’s application security program and how he took a holistic approach to securing the enterprise. My notes on this presentation are below: Why is AppSec so hard? AppSec changes rapidly (look at difference between 2004, 2007, and […]
The last presentation of the day was by Rich Mogull on “Everything you need to know about cloud security in 30 minutes or less”. It all started with all of the presentations and diagrams having pictures of clouds so some guy decides to sell that. Makes security practitioners sad. Why the cloud is a problem […]
The next session during the ISSA half-day seminar on Virtualization and Cloud Computing Security was on security best practices from a customer and vendor perspective. It featured Brian Engle, CIO of Temple Inland, and Rob Randell, CISSP and Senior Security Specialist at VMware, Inc. My notes from the presentation are below: Temple Inland Implementation – […]
