One of the core difficulties in ensuring that your organisation's software development process (whether in-house or outsourced) builds in an appropriate level of security is the lack of research, standards and accepted practice in this area. A multitude of approaches have been put forward by visionaries in the field; however, these lack the body of empirical study needed to weed out the approaches that don't work in real practice.
All is not lost though - this session discusses the emergence of two new standards in this area, OpenSAMM (Software Assurance Maturity Model) and BSI-MM (Building Security In Maturity Model), and how these can be used as a framework for evaluating the current state of an organisation's development process, for planning a future state, and as sources of leading practice. Examples will be drawn from work Justin has performed in this area at several large UK financial services organisations, and the lessons learnt in applying these approaches.
Justin Clarke is an information security consultant with years of experience in assessing the security of networks, web applications, and wireless infrastructures for large financial, retail, technology and government clients in the United Kingdom, the United States and New Zealand.
Justin is the technical editor and lead author of "SQL Injection Attacks and Defense" (Syngress 2009), co-author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools" (O'Reilly 2005), a contributing author to "Network Security Assessment: Know Your Network, 2nd Edition" (O'Reilly 2007), and a speaker at a number of conferences and events on security topics, including Black Hat USA, EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society. He is the author of the open source SQLBrute blind SQL injection testing tool, and is the Chapter Leader for the London chapter of OWASP as well as a member of the OWASP Global Connections Committee.