
Implementation Lessons Learned Application Security Summit 2007




1 Implementation Lessons Learned Application Security Summit 2007
SANS August 15, 2007

2 Three Things
No Silver Bullet
Too Many Experts, Not Enough Coders
Grassroots Works If…(no wait)…It Doesn’t

3 No Silver Bullet: No Single Solution
(Diagram: Tools + Experts. Columns: Directory Browsing, Insecure Function, Secure Design. Rows: Dynamic Tool, Static Tool, Expert Testing. An X marks where a single approach does not cover an issue.)
To borrow from Fred Brooks’ concept: the complexity of application security is similar to that of software engineering because it possesses certain elements of essential complexity. There are problems that can’t be solved with “simple solutions”, because those don’t address all problems adequately. A lot of people go out into the market and look for a tool or a vendor that will solve their application security problem. This is the wrong approach; unfortunately, it’s not that easy.

4 No Silver Bullet: Use Experts, Use Tools
Use Experts: Experts == $Expensive. Smart & Accurate.
Use Tools: Tools == Spell Checkers. Fast & Cheap. Use Multiple Tools.
What can tools do for you? LHF (low-hanging fruit). They make you a better speller, NOT a better writer. Tools will help you catch the basic security issues; they aren’t intelligent enough to catch anything beyond that. It requires manual review to identify issues in design and business logic.

5 Too Many Experts: Overtraining Developers
The problem of improperly applying resources.

6 Not Enough Coders
You can’t architect SQL injection out of your code.
You can’t code directory browsing out of your server.
You can’t configure a bad password out of your server.
Use the right people with the right tools at the right time.
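As an added illustration of the “tools are spell checkers” point from slide 4 and the “you can’t architect SQL injection out of your code” point above (my own example, not from the presentation): a toy pattern-based scanner run over constructed code snippets. It flags the concatenated query, passes the parameterized one, and says nothing about the transfer function, whose missing ownership check is a business-logic flaw that only manual review finds.

```python
import re

# Constructed sample snippets (not from the presentation) that the toy
# scanner is run over. Each value is the source text of one line of code.
SNIPPETS = {
    # Basic coding defect: SQL statement built by string concatenation.
    "lookup_user": 'cur.execute("SELECT * FROM users WHERE name = \'" + name + "\'")',
    # Same query written correctly with a bound parameter.
    "lookup_user_safe": 'cur.execute("SELECT * FROM users WHERE name = %s", (name,))',
    # Business-logic defect: moves money without checking that the caller
    # owns the source account. No textual pattern reveals this.
    "transfer": "debit(src, amount); credit(dst, amount); return True",
}

# "Spell checker" rules: textual patterns for low-hanging fruit only.
# This one matches execute(" ... " + ...), i.e. a literal glued to data.
RULES = {
    "sql-concat": re.compile(r'execute\(\s*"[^"]*"\s*\+'),
}


def scan(snippets):
    """Return {snippet_name: [rule_ids]} for every snippet a rule matches."""
    findings = {}
    for name, code in snippets.items():
        hits = [rule_id for rule_id, pattern in RULES.items() if pattern.search(code)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in scan(SNIPPETS).items():
        print(f"{name}: {', '.join(hits)}")
    # "transfer" is never listed: whether an ownership check is required is
    # a design and business-logic question, not a spelling mistake.
```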

7 Grassroots Doesn’t Work
You need money, you need time, and you need resources.
Find a Compelling Reason: Assessments (shock & awe), Incident, Compliance.
Find a Sponsor: Executive Support.
Developers won’t give you any of these. Don’t waste your time.

8 Three Things
No Silver Bullet: It takes Tools and Experts.
Too Many Experts, Not Enough Coders: Use a Balanced Approach.
Grassroots Works If…(no wait)…It Doesn’t: Get Executive Support.

9 Q & A Thank you for your time. Questions?

10 Additional Slide These are not the slides you are looking for…

