I will be speaking at the Austin OWASP meeting on October 27, 2009 from 11:30 until 1:00. The meeting is at National Instruments on 11500 N Mopac in Building C.
Title: Vulnerability Management in an Application Security World
Abstract:
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
As always, OWASP meetings are open to all and free. Hope to see folks there.
More information can be found on the OWASP Austin website.
–Dan
dan _at_ denimgroup.com
@danielcornell
