SANS AppSec 2013 will be held from April 22nd through April 27th in Austin, TX. On Monday, April 22nd, John Dickson will be moderating a panel titled “AppSec 2.0: Strategies for Moving the Needle on Application Security”. The panel abstract is:
Thousands of applications, millions of lines of code, numerous development teams spread across the planet. You thought your application security program had it bad! The participants in this panel discussion have been tackling the issue of software security in their large corporate environments for years, helping thousands of software developers improve how they build software and helping identify software vulnerabilities before attackers do. They will discuss how they have built large-scale vulnerability scanning programs, how they interact with their respective business units and how they get executive buy-in to further the cause of application security. Come join this interactive session with application security industry leaders who will discuss practical approaches to securing software.
Panel participants include:
- John Dickson, CISSP, Principal, Denim Group (Moderator)
- Chris Haggard, Manager of eCommerce/Application Security, FedEx
- John Heimann, Senior Director-Security Programs, Oracle
- Jim Apple, Senior Manager, Applications, Bank of America
Tuesday I will be giving a lunchtime presentation titled “Do You Have a Scanner or a Scanning Program?” and the abstract is:
By this point, most organizations have purchased at least one code or application scanning technology to incorporate into their software security program. Unfortunately, for many organizations the scanner represents the entirety of that so-called “program” and often the scanners are not used correctly or on a consistent basis.
This presentation looks at the components of a comprehensive software security program and the role that automation plays in these programs. It also looks at common pitfalls organizations encounter when trying to deploy scanning technologies, as well as ways to address these issues. Finally, it walks through metrics organizations can use to keep tabs on their scanning progress so they can identify and address issues such as portfolio and scanner coverage. Demonstrations using freely available tools are provided, as well as discussion of how these approaches can be applied to both commercial and free static and dynamic scanning technologies.
We are looking forward to catching up with folks at SANS AppSec in Austin. Contact us if you would like a special discount code for the event.
dan _at_ denimgroup.com