I’m giving two talks at the Better Software Conference in Las Vegas in June 2007.
My all day tutorial is:
The key to proactive, effective computer system security is getting a risk management handle on the problem of security inside the software. Created by the experts who literally wrote the book on software security, this interactive session encompasses the software security awareness and best practices you need to achieve a secure and trustworthy environment. Everyone involved in software development requires baseline knowledge of software security problems and risks, along with an overall understanding of approaches for producing secure software. Join me as I define the software security problem and then describe a set of software security principles, touch points, and key concepts that can be integrated into any software development lifecycle. I describe how and why software is exploited and present an overview of architectural risk analysis, security testing, and advanced tools for code review. Learn why software security is everyone’s job, and take back an overview of next steps for adopting a comprehensive software security program.
On Wednesday I’m doing a brief talk:
Security threats are becoming increasingly more dangerous to consumers and to your organization. I’ll provide the latest on static analysis techniques for finding vulnerabilities and the tools you need for performing white-box secure code reviews. I’ll provide guidance on selecting and using source code static analysis and navigation tools. You’ll learn why secure code reviews are imperative and how to implement a secure code review process in terms of tasks, tools, and artifacts. In addition to describing the steps in the static analysis process, I’ll explain methods for examining threat boundaries, error handling, and other “hot spots” in software. You’ll find out about the analysis techniques of Attack Resistance Analysis, Ambiguity Analysis, and Underlying Framework Analysis as ways to expose risk and prioritize remediation of insecure code.
- Why secure code reviews are the right approach for finding security defects
- How to prioritize critical software components for a deep security analysis
- Techniques for source code analysis on high-risk components