The security development lifecycle (SDL) process is the “gold standard” used by large software development organizations to deliver secure software. But what about the rest of us? What if, instead, you work in a small-to-midsized dev shop lacking the resources of larger organizations?
Good news! SDL is for you too -- and it doesn’t have to break the bank.
There are a variety of approaches and free resources that can help smaller organizations create effective SDL programs. With management commitment to SDL fundamentals, and an investment of resources proportional to the size of the development organization and its products, it's possible for smaller organizations to get started and build an effective SDL program that delivers software that customers will find secure.
• Create a plan for rolling out an SDL program in their organization, know what management and stakeholder buy-in they need, and get moving on implementing an SDL.
• Access a variety of free and affordable resources to help create and sustain an SDL program.
• Recognize secure development concerns of importance to smaller organizations and ways that they can address those concerns.
Recorded Oct 29 2019, 59 mins
Dr Adriana Sanford, Acting-Director of Executive Education & Senior Fellow at OU CINS, University of Oklahoma
Amid the coronavirus uncertainty, companies worldwide have been forced to move more of their professional routines online. As employees adapt to working from home using their private devices, sophisticated cyber attackers have ample opportunities to avoid employers' detection tools and exploit the "new normal." Also, among the pandemic-related legal issues is the mitigation of the Force Majeure contract clauses within the global supply chains, as the restrictions on the mobility of people and products continue to mount. Despite privacy restrictions set forth by the EU's General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), the effects of the current pandemic cause corporate boards to reconsider their views on data privacy and senior management to conduct workforce health checks to prevent the further spread of COVID-19. This presentation will outline the dangers and legal risks that have arisen since the coronavirus first forced everyone to pivot to a more virtual workforce.
1. Understand why confusion from the COVID-19 pandemic created long-term security, legal and privacy risks for businesses.
2. Learn top tips for ensuring data protection compliance in the age of the COVID-19 pandemic.
3. Learn what personal information employers may need to collect from employees in order to enforce coronavirus protocols and to best limit their risk of exposure during a health crisis.
Marinda Hamann, (ISC)²; Sanjana Mehta, (ISC)² EMEA; Chris Green, (ISC)² EMEA; Brian Alberti, (ISC)²
The (ISC)² Cybersecurity Workforce Study is one of the most highly-anticipated annual research reports each year. Not only has it come to be considered the industry standard for measurement of the global “skills gap” in cybersecurity, but it offers nuanced insights into subjects like job satisfaction rates, salaries, role alignment, the profile of the cybersecurity professional, diversity and how to strengthen teams and improve hiring practices. The 2020 edition of the study was released in early November and also includes data on the cybersecurity community’s response to COVID-19 and the transition to remote work environments. This panel discussion brings together several of the (ISC)² architects behind the research to provide a deeper look beyond the numbers and explore some of the key themes of this year’s findings.
- Learn about the cybersecurity community’s response to the COVID-19 pandemic and the shift to remote work
- Understand the landscape of the current cybersecurity workforce and the shortage that exists today
- Gain insights on how organizations can find, recruit and train new talent to better protect organizations from security threats
Michael F. Angelo, Chief Security Architect, Micro Focus Corporation
While a secure development lifecycle (SDLC) is centered around education, it goes much beyond the simple ‘how to program securely’ to include:
- Training, including an overview of the process
- Threat modeling, including both deployment and functionality
- Secure coding standards and reviews
- Testing / analysis such as static, dynamic, fuzz and penetration testing
- Supply chain security / monitoring that incorporates component tracking and build/development environment security
- Incident response to improve reaction times
This session will conclude with a discussion on how to measure your SDLC capability and maturity. As we delve into each of these areas, the attendee will gain insights into what is now required to be successful with an SDLC.
1. Discover the elements and definitions of the currently evolved secure development lifecycle (SDLC) you need to succeed.
2. Understand how to track the evolving SDLC, since a static one often spells doom.
3. Be introduced to usage and deployment models to determine threats and mitigate them appropriately during the development process.
Koji Nakao – Distinguished Researcher, National Institute of Information and Communications Technology (NICT)
Recently, observed cyber-attacks have often been triggered by "malware" that evolves maliciously and is sometimes hidden from our monitoring countermeasures (FW, IDS/IPS). To achieve advanced security solutions, passive monitoring technologies should be considered. In this presentation, passive monitoring technologies such as darknet and honeypot/sandbox are explained with practical use cases for accurately observing and monitoring ongoing threats (cyber-attacks). The use cases include detection of malware-infected IoT devices by means of darknet and honeypot monitoring. Furthermore, detection of cyber-attacks by passive monitoring can be utilized for proactive cyber security response as a practical solution.
Catherine Chapman, Security Journalist and Saskia Coplans, Digital Interruption
Anyone working in information security understands that communication is a crucial part of an incident response plan. But this conversation is missing collaboration from a key player: the media.
The mainstream media's role to inform audiences and sway public opinion has yet to be leveraged by the information security community to produce consistent and informed articles on topics of security. Infosec remains in a bubble, with the public stuck in an information loop of data breaches and outdated security patches. As the industry grows, how should these channels of communication develop?
This talk will explore the relationship between press and information security, presenting case studies of how technical topics are represented in the media. An analysis of "security" representations in both print and online media will also be included.
1. Understand the channels in which consumers learn about security.
2. Understand how security gets misconstrued in the media.
3. Get your research picked up, or covered, by a journalist.
Andrew Boyle, Director and Distinguished Cyber Technologist, Booz Allen Hamilton
We've migrated from Waterfall to Agile to DevOps and now, DevSecOps. Now that security is equally represented with development and operations, is everything good? Not at all! Broadly speaking, the Sec element has not (yet!) been fully embraced and is not on par with Dev and Ops. In fact, in many cases the Sec element amounts to a check in the security box.
Testing went through a similar struggle but emerged victorious with test-driven design and embedded testers. The inclusion of the Sec element in DevSecOps gives all cybersecurity practitioners an opportunity to elevate the impact and relevance to equal the Dev and Ops elements. We, as leaders in the cybersecurity industry, must understand how Sec engagement in DevSecOps works and what indicators predict failures.
1. Describe the critical role that security plays during DevSecOps and understand the critical nature of security to successful DevSecOps environments.
2. Conduct assessments of past/current/future DevSecOps environments to ensure that the 'Sec' element is of equal influence and impact.
3. Quantify and prioritize the attributes of the 'Sec' element of DevSecOps that are applicable to their organization, and recognize the Sec-specific signals related to successful and unsuccessful DevSecOps environments.
Do your developers understand enough about security to secure your applications properly? How do they fare against the OWASP Top 10? A large number of security problems bury developers. Do you know best how to help them?
Developers must gain security knowledge about how to secure everything they work on. Explore the ten things every developer must know about security and learn how to properly expose them to your developers, including the realms of security culture, hacking, OWASP, third-party software, GitHub, DevSecOps and Docker/Kubernetes.
Gain a perspective on security from the eyes of your developers. Realize a greater awareness of your application security risk, knowledge of the ten things, and perspective on how to assess and build application security culture in a programmatic fashion.
1. Gain a perspective on security from the eyes of your developers.
2. Realize a greater awareness of the application security risk you face.
3. Assess and build application security culture.
Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic
Imagine a nationwide blackout. The reality hit Ukrainian residents when their energy sector was hit by a massive cyber attack that caused a power outage for more than 86,000 homes. This session dives into the real-world hack of a power station that explains the planning, perimeter security, engines and SCADA controls behind the attack.
1. Gain a full understanding of the anatomy of a privileged account hack.
2. Learn the challenges of reporting to the board and lessons learned.
3. Develop a strategy to reduce your risk and prevent abuse of your critical information assets.
James Perry, Senior Director and Head of Incident Response, CrowdStrike Services
Stories of CrowdStrike incident response engagements and how we have changed the model for how companies respond to a breach. Learn the methods CrowdStrike uses to disrupt and ultimately remove bad actors from networks.
Daniel Kim, CISSP, CCSP, Chief Privacy Officer and Scott Hollar, CISO, Extended Stay America
A company can find it hard to survive if it loses the faith of the loyal guests or business partners that drive new customers. This billion-dollar hospitality company could see that the new data privacy regulations were beginning to create obstacles to business-as-usual and they needed to prepare accordingly. Their strategic mindset compelled them to assume that CCPA and GDPR were only just the beginning, with more regulations to follow. They wanted to implement a strategy of excellence that would focus on proactive data privacy and prevent the high cost of chasing each successive regulation.
Their CISO joins us to talk about their journey and discuss:
• The building blocks for successful automation
• Integrations for enterprise support and successful business integration
• GDPR and CCPA drivers for rapid response and resolution
• What success looks like going forward
Learning Objectives:
• Gain an understanding how success is highly influenced by the time spent planning.
• Learn alternative approaches to meet compliance and gain business buy in.
• Define success and strategies to ensure a sustainable program.
Rob Ayoub, FireEye; Sharon Smith, Verizon; John Esparza, Schneider-Electric; Deidre Diamond, CyberSN & Erik Von Geldern, FXCM
It is well known that malware outbreaks, security breaches and other security-related incidents can cause times of extreme anxiety and pressure. Anecdotal evidence indicates that stress and mental health issues within the information security profession are not limited to incident responders. Join panelists from a wide variety of security career areas of focus as they discuss burnout in general and how it has affected them as individuals. These professionals will offer insights and perspective on how they perceived burnout in their career and among coworkers. They'll also talk about how to recognize the signs and maintain mental health in a challenging career field.
Learning objectives:
1. Recognize potential stressors and mental health triggers in the course of information security work.
2. Gain insights into managing stressful situations, work environments and careers.
3. Reflect on the need for changes in schedule, balance, hobbies or other activities to manage stress throughout the course of an information security career.
Scott M. Giordano, Spirion; John G. Bates, DocuSign; John Bandler, Bandler Law Firm PLLC
What qualifies as a breach vs. an incident? When does an investigation need attorney-client privilege? Do I need to make a bitstream copy, or is an image enough? If these questions have ever come up in your department, you likely had to call someone in Legal, or even outside counsel. Over the past five years, the need for legal insight in information security has gone from a nice-to-have to a must-have. Just some of the areas where attorneys can assist you include incident response/breach notification, contract negotiations, policy writing and review, and working with insurance carriers. In this presentation, information security legal veterans will explain what attorneys can do for your team and how they can advance your department’s mission.
1. Discern which information security and privacy problems require legal involvement.
2. Learn the latest trends in information security that have legal implications.
3. Understand how to work with counsel to achieve the best results.
Andrew Neal, VP - Research, Gartner and Jenifer Sosa, Director, Information Security & Compliance Services, TransPerfect
The business world is full of data privacy regulations and obligations. The legal community is full of lawyers with lots of advice about compliance. The information security world is full of techies who must operationalize data privacy regulations. What lies at the intersection of these three things? Is it chaos? Or could it be that success in the ever-changing world of data privacy regulations is best achieved by combining the viewpoints of the legal and technical experts? This presentation will explore the contrasting, but not necessarily conflicting, viewpoints of two experienced data privacy and governance professionals from very different backgrounds. An attorney and a technology professional, each with decades of experience, will present attendees the differing viewpoints necessary for a successful data privacy and governance program.
Learning objectives:
1. Describe the perspectives of the various stakeholders in the data privacy and governance process.
2. Compare and contrast the focus and emphasis of legal and IT when addressing data privacy concerns.
3. Discuss the necessary cooperation between legal and IT, and the benefits that such a team confers on compliance efforts.
Shawn A. Harris, Director, Starbucks Coffee Company; Jim Turchek, Manager, Progressive Casualty Insurance
Aligning the Modern Cybersecurity Strategy with the Business Priorities
We're currently living through a time of great change that requires security teams to adapt to an ever-shifting landscape of business prioritization. This talk will focus on the migration of our respective teams to align our goals with business priorities to create greater engagement that helps fulfill larger organizational goals. Security traditionally has a mandate to limit risk; however, we must transform to enabling business agility. Both speakers have a history of making such security transformations within their teams. Financial services and retail have different regulatory requirements and business models, and their juxtaposition here will illustrate that each organization's approach could work in other industries too.
Learning objectives:
1. Use the business alignment methods to invoke real-world change and migrate their teams to enablers of business agility.
2. Understand a new people-centric approach to risk mitigation using business consultation techniques.
3. Take real-world architectural foundations back to their own organizations and align cybersecurity strategy with business goals and vision.
Dr. Kevin Charest, CISSP; Zachary Tudor, CISSP; Clar Rosso, (ISC)²; Dr. Casey Marks, (ISC)²; Wes Simpson, (ISC)²
The panel will consist of members from (ISC)² Management and the (ISC)² Board of Directors who will be ready to answer any questions that you may have regarding membership, certifications, information security, etc. This meeting is open to both members and non-members.
Dr. Kevin Charest, CISSP - Board of Directors Chairperson
Zachary Tudor, CISSP - Board of Directors Vice Chairperson
Clar Rosso - CEO, (ISC)²
Dr. Casey Marks - Chief Products Officer and Vice President, (ISC)²
Moderated by Wes Simpson - COO, (ISC)²
Michael D. Weisberg, Caroline E. Saxon, James Packer, Brandon Dunlap
As the COVID-19 pandemic continues its hold on societies around the world, will business as we know it ever return? Should it? Which of our new ways of working will stick? Let's get together, 6 feet (2m) apart, wear a mask, and discuss how the pandemic has not only changed our relationship to work and how we get things done, but also how it has affected the demands on information security. What strategies did you and your organizations use to function through the COVID-19 crisis? We will discuss what went well, badly, and sideways as we tried to maintain security and normalcy in challenging times. Will security return to the old way of doing things, or have employers' and employees' expectations changed forever?
Brandon Dunlap, Managing Director, Brightfly, Inc and John Carnes, Executive Adviser, Anthem, Inc
In this discussion we will be talking about how we, as professionals, both give and get interviews that focus on finding people with the right mindset for information security. Are we focusing on the right factors? Are we looking toward the right level of skills? We will discuss what questions work, which are a waste of time, and what we are potentially doing wrong as an industry. If you're looking to be interviewed, we'll talk about what skills you need to focus on and what skills you should be both working on and showing.
1. Learn what questions work for interviews and what questions are potentially going to mislead you into hiring the wrong people.
2. Learn the factors of thinking that make for a successful information security professional.
3. Learn how to grow at a personal level to be the best professional you can be.
In this presentation, we review malicious activity that involved SCADAfence's incident response team, which assists companies during industrial cybersecurity emergencies. Attendees will learn how ransomware infected the victim organization's network and how the incident response team gathered evidence, including where to look first. Then, we'll explain how the evidence was analyzed; what the initial findings were; and how the attackers were caught. Finally, we'll discuss additional attack methods used by the cyber criminals so everyone can take appropriate steps to prevent such attacks within their organizations.
1. Learn how industrial networks get infected with targeted ransomware.
2. Discover where to look for evidence; how to analyze it; and how to find attackers hiding in the network.
3. Understand additional types of attack methods used by cyber criminals in industrial networks, as well as best practices to protect those and all other networks.
Dr. Keri Pearlson - MIT and Robbie Meitler - Liberty Mutual Insurance Company
Product developers design for manufacturability, ease of use, quality and a host of other design criteria. Rarely, though, do we hear that something is "designed for cybersecurity." Why is that? We know that it's much more costly to bolt on security after a product is released; however, rarely does an MVP include the necessary cybersecurity. With supply chain cybersecurity increasingly urgent, your customers are already concerned about how secure your products and services are. Recent research at MIT has focused on this problem. In this session, we will share the latest thinking on building a culture of cybersecurity for product and service development teams. We will then discuss Liberty Mutual's experiences in secure development by extending cybersecurity values, beliefs and attitudes to its product developers.
Alan Rynarzewski, Undergraduate Faculty, Purdue Global University
We have all seen the numbers when asked about the cybersecurity skills gap. The gap continues to widen, and our reliance on digital networks is not showing any signs of slowing down. Cybersecurity vacancies are often left open for months, or closed and the headcount utilized elsewhere in the company. Some companies have shifted to automation; however, it's time for companies to realize the skills gap is not going to decrease on a timely business schedule. Companies need to start adopting Security Orchestration, Automation and Response (SOAR) to augment their senior-level employees.
1. Define SOAR and how it differs from other solutions.
2. Describe how this solution could benefit companies, or what specific business items would prevent them from utilizing this technology.
3. Demonstrate to management how SOAR works and where it can be beneficial to businesses.