AppSec Training, Securing the SDLC, WebGoat.NET and the Meaning of Life

Presented at AppSec USA 2012, Oct. 25, 2012, 2 p.m. (45 minutes)

One of the most vital pieces of a secure SDLC is security training - not only for developers, but for architects, QA and anyone else involved in the creation of software. Too frequently, this is minimized, overlooked or completely absent within an organization. In some cases, the very idea of application security is dismissed as unnecessary. This talk starts by making a strong argument for developer education and how it fits into any organization's SDLC. Training will be put into the context of NIST's "Security Considerations in the System Development Life Cycle" document, Microsoft's Simplified SDL, BSIMM3 and OWASP Open SAMM. From there, we discuss other OWASP resources and projects dedicated to developer education, followed by an in-depth discussion of OWASP WebGoat.NET - an ASP.NET-specific re-design of OWASP WebGoat which meets the needs and addresses the challenges of modern application security training programs.

The lecture will be delivered by Jerry Hoff, VP of the Static Code Analysis Division at WhiteHat Security. Jerry is the leader of the OWASP AppSec Tutorial Series, WebGoat.NET and AntiSamy.NET. Jerry is a former developer and author, and has over 10,000 hours delivering technical training. Jerry holds a Master's degree in Computer Science from Washington University in St. Louis.

Key Points:

  • Developers need a better way to be educated in AppSec
  • Equip participants with the tools and evidence they need to make an irrefutable case for developer security training
  • Analysis of tools/documents/videos that OWASP provides for training
  • Introduction of WebGoat.NET: OWASP's latest tool to help educate developers
  • Interactive demonstration of WebGoat.NET with full audience participation

Presenters:

  • Jerry Hoff - VP, Static Code Analysis Division - WhiteHat Security
    Jerry Hoff is the VP of the Static Code Analysis Division at WhiteHat Security. In addition to WhiteHat, he is a co-founder and managing partner at Infrared Security. Jerry has worked at a number of Fortune 10 financial firms, along with years of hands-on security consulting, where he specialized in manual code review, web application penetration testing and architecture reviews. Jerry also has years of development and teaching experience. He taught for over seven years at Washington University's CAIT program and the microcomputer program at the University of Missouri in St. Louis. Jerry is the writer/producer of the popular OWASP AppSec Tutorial Series and the lead developer for the WebGoat.NET project.
