REPLAY: Fast-Tracking Software Assurance

Principle-based approaches have long been at the core of “traditional” engineering disciplines. However, when it comes to building software and IT systems, best practices around encryption, access control, and authorization are often lackluster. The ability to understand and apply security concepts is essential to protecting today’s digital business.

Join host Ed Adams, a Ponemon Institute research fellow, for a panel discussion with security professionals whose collective experience spans Fortune 500 technology, financial services, and medical device industries.

JOSHUA CORMAN
Founder of I Am the Cavalry (dot org). His approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security.

UMA CHANDRASHEKHAR
Leader of the Global Information Product Security function at Alcon. She holds several patents in information security, privacy, and reliability and was an invited council member of the U.S. Federal Communications Commission’s Security, Reliability, and Interoperability Council (CSRIC).

MARK MERKOW
CISSP, CISM, CSSLP. A prolific author and advocate for building security into the SDLC with software-quality and security activities, tools, processes, and education.

Topics to be discussed:

* Why and for whom are security principles important?
* Have principles become a lost art form, or did they never really take off?
* What is the most underutilized principle? Does it vary based on tech stack and deployment?

FREE GIVEAWAY
We'll also be raffling off three copies of Mark Merkow's latest book "Secure, Resilient, and Agile Software Development" during the webinar.

The cloud offers near-instant scale and numerous security features that organizations can leverage; however, it’s not that way by default. Despite wide adoption of cloud services, many organizations remain unprepared and unknowingly expand their attack surface. Gartner predicts that by 2025, 99% of cloud security issues will be the customer’s fault.

Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.

Attend this webcast to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.

Topics include:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling

Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).

Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.

Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.

Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder

Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.

This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:

* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry accepted "best practices”

Today, a significant percentage of all software is assembled from open-source software and COTS. Akin to a baker who didn’t grow their ingredients, how well do development teams know their ingredients and the inherent risk they carry?

This webinar provides an understanding of how to “shift left” in a DevOps SDLC by conducting early stage scrutiny to better manage software risk. Topics include:

•Choosing components wisely to reduce attack surface
•Ongoing threat modeling
•Cloud configuration and deployment review
•Procurement strategies and contracting tools
•Mitigating weaknesses in supply chain elements

High-performing InfoSec programs are critical to protecting sensitive data, securing systems, and maintaining compliance. However, organizations continuously struggle with the “how are we doing?” question.

Attend our next Ed Talk to learn how to identify key metrics and implement measurement vehicles to understand your real security posture.

* Benchmarking: What do you measure? And against what?

* Analysis Paralysis: What to do with the results and avoiding misleading and distracting data

* Metric Traps: Red flags versus red herrings

Software runs today’s business; however, security implications are often misunderstood, creating significant organizational risk. Poorly configured servers, 3rd-party software, and continuous release cycles put additional pressure on already stressed teams.

Hackers no longer just exploit vulnerabilities in code -- faulty cloud deployments, weak database structures, and business logic problems are also easy targets for attackers. To reduce risk, you’ve got to audit your system in the same way an attacker would.

This presentation demonstrates how attackers compromise the modern enterprise. For each attack demonstrated, mitigation practices will be discussed. WARNING: software will be harmed during this presentation. Viewer discretion advised.

Topics include:

- The modern technology stack
- Easy pickings – hacking demonstrations!!
- Auditing software-based systems:
o Standards and policies
o System updates and patching
o Data leakage/exfiltration
o Identity & access management
o System logs and tracking
o Tamper protections and detection
o Authentication and access controls

As organizations shift control of their infrastructure and data to the cloud, it is critical that they rethink their application security efforts. This can be accomplished by ensuring applications are designed to take advantage of built-in cloud security controls and configured properly in deployment.

Attend this webcast to gain insight into the security nuances of the cloud platform and risk mitigation techniques. Topics include:
• Common cloud threats and vulnerabilities
• Exposing data with insufficient Authorization and Authentication
• The danger of relying on untrusted components
• Distributed Denial of Service (DDoS) and other application attacks
• Securing APIs and other defensive measures

A replay of one of our most-viewed webinars from 2019.

Welcome to the lighter side of the software security world!

We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and your bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh).

Topics covered include:
- Injection Flaws
- XSS
- SQL Injection
- Broken Authentication
- Privilege Escalation
- Information Disclosure
- Parameter Tampering
- Configuration Errors

This webinar is ideal for anyone who wants to understand core Application Security concepts so they can apply risk mitigation strategies with better context.

The use of cloud services and infrastructure continues to skyrocket. Meanwhile, the proliferation of turn-key SaaS solutions makes it compelling for enterprises to use cloud-based software. Organizations are spinning up servers and databases in minutes, moving their applications to take advantage of CSP scalability, and mistakenly assuming they are immediately more secure.

There’s no doubt the cloud can deliver on the promises of improved scalability, availability, and security; however, consumers need to do their part. Come listen to 3 experts debate data and software security in the cloud. Topics include:
• Key considerations - new skills, migration challenges, compliance implications
• Unwanted surprises - misconfigurations, application rewrites, open data buckets
• Attack vectors - how they impact data flow and storage models
• Sunnier days - must-do’s for securing cloud software

Welcome to the first episode of The Security Series: Simplify, Secure, Strategise!

Employee productivity is at the heart of LastPass’ security measures. Having to manually remember passwords and credentials can cause lockouts and resets, causing distractions and reducing working time. According to LastPass, 80% of data breaches can be traced to weak, reused and stolen credentials. Data breaches and poor password management can be detrimental to employee productivity, and is another example of how effective security measures can enhance the work of your employees.

However, this is not to say that all security measures improve productivity. For example, adding overly complex security solutions can get in the way of employee productivity, and lots of security measures fail to meet user experience demands. Further, it is vital that security efforts are complementary across your organization, providing you with better insights into user behavior.

How can you implement security strategies that aid employee productivity, rather than hindering it?

In this session, we will discuss:
- Securing VPNs, and keeping productivity up amongst remote employees
- The benefits of an all in one authentication system, as well as a multi factor authentication system
- How to implement flexible authentication, and what this can do for your security and productivity

Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.

This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:

* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry accepted "best practices”

Edna Conway (Microsoft) & Octavia Howell (Equifax) join us for an exclusive panel on avoiding supply chain burns. Supply chain risk is not going away, especially not software updates that fuels the IT-dependent enterprise. The SolarWinds hack has sowed doubts about the fidelity and security of 3rd-party tech. Despite significant damage, some organizations successfully thwarted the attacks despite using the vulnerable SolarWinds Orion appliance – how did they do it and what can we learn from it.

This Ed TALK brings respected cybersecurity and supply chain experts together to discuss what companies that build and use technology can do to protect themselves in this increasingly partner dependent world.

Topics include:
Knowing your ingredients – SBOMs (software bill of materials)
I spy – can we detect or prevent “tainted” software updates
Walking the walk – let’s talk effective defense-in-depth, incidence response, network segmentation, and “zero-trust”
Avoiding the recency trap – risk rating threats to avoid knee-jerk reactions
Robots to the rescue – can AI be the solution to real-time threat intelligence?

A replay of one of our most popular talks from the fall of 2020.

This talk will help you, as a decision maker or architect, to understand the risks of migrating a thick client or traditional web application to the modern web. In this talk I’ll give you tools and techniques to make the migration to the modern web painless and secure so you can mitigate common pitfalls without having to make the mistakes first. I’ll be doing demos, and telling lots of stories throughout.

Making some good architectural decisions up front can help you:

- Minimize the risk of data breach
- Protect your user’s privacy
- Make security choices easy the easy default for your developers
- Understand the cloud security model
- Create defaults, policies, wrappers, and guidance for developers
- Detect when developers have bypassed security controls

Software teams regularly deal with rapid release cycles, dozens of technologies, and relentless threats. They generally want to incorporate security ways but are often unsure how (or why.)

Regardless of the development process, there are common security activities and tools that need to be assimilated. In this edition of Ed TALKS, a panel of three industry experts provide practical tips on improving maturity and making security a natural part of software development.

Topics include:
- Practical automation throughout development and delivery
- How to motivate your team to care about security
- Assessing and benchmarking your SDLC maturity
- Not so fast: Activities to automate or skip at your own risk

Our panelists include:
Sasha Rosenbaum: Product Manager, GitHub
Throughout her career, Sasha has worked in development, operations, consulting, and cloud architecture. Sasha is an organizer of DevOpsDays Chicago, a chair of DeliveryConf, and a published author.

Sebastien Deleersnyder: Founder, Toren
Sebastien is the project leader for the OWASP SAMM maturity framework. He is a well-known instructor and threat modeling advocate. Earlier in his career, he served as a security architect for large telcos, banks, and logistics firms.

Dinis Cruz: CTO and CISO, Glasswall
Dinis is a well-known software security leader. He served on the OWASP board of directors for six years, has trained thousands of people globally, and has written books on cybersecurity and modern software development.