Better Software Conference 2006 Conference Proceedings 

            
Better Software Conference & EXPO 2006 Concurrent Sessions


Security
W4
Wednesday, June 28, 2006 11:30 AM
Operational Security in Software Development
Carol Woody, Software Engineering Institute

Research conducted by CERT, the computer security incident response team based at the Software Engineering Institute (SEI), indicates that writing quality code is not enough to ensure system security. Operating platforms, supported user devices, interface designs, linkages with legacy systems, source code management, data exchange protocols, and controls for authentication data among system modules all affect operational security. Incomplete security requirements and poorly planned implementations further add to security risk. Drawing on both research and a follow-up case study, Carol Woody describes what you can do in your development and test organizations to improve operational security. She introduces an analysis technique for evaluating operational risks within the development process and offers guidelines for clearly defining testable security requirements. Discover an approach to coordinating security risks among stakeholders to reduce, and possibly eliminate, high-impact operational security failures.

• The attributes of good operational security
• Incorporate verifiable security requirements into software development
• Steps for a security risk analysis of your current and future systems
W10
Wednesday, June 28, 2006 1:45 PM
Building Secure Software with New Web Technologies
Ivan Krstic, Harvard University

The latest generation of Web technologies (AJAX, improved client-side scripting, support for extensive DOM manipulation in browsers, content syndication, Web service APIs, and simple interchange formats such as JSON) are all driving new, powerful Web applications. Based on his work on real-world "Web 2.0" applications, Ivan Krstic discusses the security implications of these new technologies. Ivan describes specific attacks such as Web-based worms, XSS, CSRF, and HTTP response splitting and offers advice on mitigating security risks during the engineering process. Learn how standard security guidelines such as the Confidentiality-Integrity-Availability (CIA) model apply to the modern Web and about the role of cryptography and crypto-engineering in Web security. Take back concrete recommendations for security specifications during initial software design, guidelines for implementation, and security tracking requirements after deployment.

• New Web technologies that fuel new security threats
• The most successful security strategy for developers
• Harden software from attacks at each stage of development
W16
Wednesday, June 28, 2006 3:00 PM
Integrating Security into the Development Lifecycle
Ryan English, SPI Dynamics Inc

Software security is neither a development problem nor an IT operations problem. Rather, it is a paramount business problem requiring a multidisciplinary approach that minimizes organizational risk when delivering software products. By making a program-level commitment to security, IT organizations will be in the best position to defend their businesses from growing threats. Ryan English explores business management and the process components of defining, designing, instituting, and verifying secure development practices. He describes a broad set of principles that leading companies are adopting to improve the security of their software and outlines an application security program your company can implement. This approach requires a commitment to application security at all levels of management and offers the promise of a mature level of security without undue effect on the overall development process and delivery schedules.

• Standards, processes, tools, and educational needs for delivering secure systems
• Examples of clear, concise development standards for secure software
• How to create an Application Security Assurance Program (ASAP)



Better Software Conference & EXPO 2006 is a Software Quality Engineering Production


Software Quality Engineering   •   330 Corporate Way, Suite 300   •   Orange Park, FL 32073

Phone: 904-278-0524   •   Toll Free: 800-423-8378   •   Fax: 904-278-4380   •   Email: [email protected]

© 2006 Software Quality Engineering. All rights reserved.