2 Day Pre-Conference Training: Running A Software Security Program On Open Source Tools

Presented at AppSec USA 2013, Nov. 19, 2013, 9 a.m. (480 minutes)

2 Day Class running Monday Nov 18 and Tuesday Nov 19

Abstract:

Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), and ThreadFix, as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.

Outline:

  • So You Want To Roll Out A Software Security Program?
  • The Software Assurance Maturity Model (OpenSAMM)
  • ThreadFix: Overview
  • Governance: Strategy and Metrics
  • ThreadFix: Reporting
  • Governance: Policy and Compliance
  • Governance: Education and Guidance
  • OWASP Development Guide
  • OWASP Cheat Sheets
  • OWASP Secure Coding Practices
  • Construction: Threat Assessment
  • Construction: Security Requirements
  • Construction: Secure Architecture
  • ESAPI overview
  • Microsoft Web Protection Library (Anti-XSS) overview
  • Verification: Design Review
  • Microsoft Threat Analysis and Modeling Tool
  • Verification: Code Review
  • FindBugs
  • Brakeman
  • Agnitio
  • Verification: Security Testing
  • w3af
  • OWASP Zed Attack Proxy (ZAP)
  • Deployment: Vulnerability Management
  • ThreadFix: Defect Tracker Integration
  • Deployment: Environment Hardening
  • Microsoft Baseline Security Analyzer (MBSA)
  • Deployment: Operational Enablement
  • mod_security

Presenters:

  • Dan Cornell - CTO - Denim Group
    Entrepreneur, software developer and security professional. CTO at Denim Group. CrossFitty and Paleo-ish.