[HGI-news-int] HackPra Talk: Jeremiah Grossman

English Newsletter of the Horst Goertz Institute of IT Security in Bochum hgi-news-international at lists.ruhr-uni-bochum.de
Wed Jun 26 12:15:49 CEST 2013


HACKPRA TALK: JEREMIAH GROSSMAN
*Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Building
ID, Room 04/459*

*July 3, 2013 at 4pm*

Jeremiah Grossman, founder and chief technology officer of WhiteHat
Security, is a world-renowned expert in web application security and a
founding member of the Web Application Security Consortium (WASC). He is a
frequent speaker at industry events including the BlackHat Briefings,
ISACA's Networks Security Conference, NASA, ISSA and Defcon. The Horst Görtz
Institute for IT-Security proudly presents his talk during HackPra on July
3, 2013 at 4pm.

*Abstract:*

What’s needed is more secure software, NOT more security software.

Understanding this subtle distinction is key. Organizations must demand that
software be designed in a way that makes it resilient against attack and
does not require additional security products to protect it.

The question that organizations should be asking themselves is: how do we
integrate security throughout the software development life-cycle (SDLC)?
As simple as these questions sound, the answers have proven elusive.

Most responses by the so-called experts are based purely on personal
anecdote and devoid of any statistically compelling evidence. Many of these
experts will cite various “best-practices,” such as software security
training for developers, security testing during QA, static code analysis,
centralized controls, Web Application Firewalls, penetration-testing, and
more. The reality, though, is that just because a certain practice works
well for one organization does not mean it will work at another.
Unfortunately, this hasn’t prevented many from boisterously and carelessly
advocating a litany of best-practices with little regard for true efficacy
and important operational considerations.
The net result: websites no less hackable today than they were yesterday. To
move in this direction we asked WhiteHat Security customers to assist us by
answering roughly a dozen very specific survey questions about their SDLC
and application security program. Questions such as: how often do you
perform security tests on your code during QA? What is your typical rate of
production code change? Do you perform static code analysis? Have you
deployed a Web Application Firewall? Who in your organization is
accountable in the event of a breach? We even asked: has your website been
breached?
We received responses to this survey from 76 organizations, and then
correlated those responses with WhiteHat Sentinel website vulnerability
data. The results were both stunning and deeply head-scratching. The
connections from various software security controls and SDLC behaviors to
vulnerability outcomes and breaches are far more complicated than we ever
imagined.
G Data Software AG offers an evening program accompanying the "HackPra"
at the Horst Görtz Institute for IT-Security. Every participant is welcome
to meet the speakers and the HackPra's organizing crew in the G Data
Academy. Further information on G Data and the HackPra can be found here:

http://www.nds.ruhr-uni-bochum.de/teaching/hackpra/

https://www.gdata.de/offensive-security-course
*Participation is free of charge*