Getting Started with SDL

The security development lifecycle (SDL) process is the “gold standard” used by large software development organizations to deliver secure software. But what about the rest of us? What if, instead, you work in a small-to-midsized dev shop lacking the resources of larger organizations?

Good news! SDL is for you too -- and it doesn’t have to break the bank.

There are a variety of approaches and free resources that can help smaller organizations create effective SDL programs. With management commitment to SDL fundamentals, and an investment of resources proportional to the size of the development organization and its products, it's possible for smaller organizations to get started and build an effective SDL program that delivers software that customers will find secure.

Learning Objectives:

• Create a plan for rolling out an SDL program in their organization, know what management and stakeholder buy-in they need, and get moving on implementing an SDL.

• Access a variety of free and affordable resources to help create and sustain an SDL program.

• Recognize and address secure development concerns of importance to smaller organizations and ways that they can address those concerns.
Recorded Oct 29 2019 59 mins
Presented by
Steven B. Lipner, CISSP, Executive Director, SAFECode
  • Dangerous Security and Legal Risks Created by the Imperative to Work-From-Home Recorded: May 27 2021 76 mins
    Dr Adriana Sanford, Acting-Director of Executive Education & Senior Fellow at OU CINS, University of Oklahoma
    Amid the coronavirus uncertainty, companies worldwide have been forced to move more of their professional routines online. As employees adapt to working from home using their private devices, sophisticated cyber attackers have ample opportunities to avoid employers' detection tools and exploit the "new normal." Also, among the pandemic-related legal issues is the mitigation of the Force Majeure contract clauses within the global supply chains, as the restrictions on the mobility of people and products continue to mount. Despite privacy restrictions set forth by the EU's General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), the effects of the current pandemic cause corporate boards to reconsider their views on data privacy and senior management to conduct workforce health checks to prevent the further spread of COVID-19. This presentation will outline the dangers and legal risks that have arisen since the coronavirus first forced everyone to pivot to a more virtual workforce.

    Learning objectives:

    1. Understand why confusion from the COVID-19 pandemic created long-term security, legal and privacy risks for businesses.

    2. Learn top tips for ensuring data protection compliance in the age of the COVID-19 pandemic.

    3. Learn what personal information employers may need to collect from employees in order to enforce coronavirus protocols and to best limit their risk of exposure during a health crisis.
  • Digging Into the 2020 (ISC)² Cybersecurity Workforce Study Recorded: May 27 2021 67 mins
    Marinda Hamann, (ISC)²; Sanjana Mehta, (ISC)² EMEA; Chris Green, (ISC)² EMEA; Brian Alberti, (ISC)²
    The (ISC)² Cybersecurity Workforce Study is one of the most highly-anticipated annual research reports each year. Not only has it come to be considered the industry standard for measurement of the global “skills gap” in cybersecurity, but it offers nuanced insights into subjects like job satisfaction rates, salaries, role alignment, the profile of the cybersecurity professional, diversity and how to strengthen teams and improve hiring practices. The 2020 edition of the study was released in early November and also includes data on the cybersecurity community’s response to COVID-19 and the transition to remote work environments. This panel discussion brings together several of the (ISC)² architects behind the research to provide a deeper look beyond the numbers and explore some of the key themes of this year’s findings.

    Learning Objectives:

    - Learn about the cybersecurity community’s response to the COVID-19 pandemic and the shift to remote work

    - Understand the landscape of the current cybersecurity workforce and the shortage that exists today

    - Gain insights on how organizations can find, recruit and train new talent to better protect organizations from security threats
  • Implementing SDL and Surviving Recorded: May 25 2021 74 mins
    Michael F. Angelo, Chief Security Architect, Micro Focus Corporation
    While a secure development lifecycle (SDLC) is centered around education, it goes much beyond the simple ‘how to program securely’ to include:

    - Training, including an overview of the process
    - Threat modeling, including both deployment and functionality
    - Secure coding standards and reviews
    - Testing / analysis such as static, dynamic, fuzz and penetration testing
    - Supply chain security / monitoring that incorporates component tracking and build/development environment security
    - Incident response to improve reaction times

    This session will conclude with a discussion on how to measure your SDLC capability and maturity. As we delve into each of these areas, the attendee will gain insights into what is now required to be successful with an SDLC.

    Learning objectives:
    1. Discover the elements and definitions of the currently evolved secure development lifecycle (SDLC) you need to succeed.
    2. Understand how to track the evolving SDLC, since a static one often spells doom.
    3. Be introduced to usage and deployment models to determine threats and mitigate them appropriately during the development process.
  • IoT Use Cases - Security Solution Based on Passive Monitoring Technologies Recorded: May 25 2021 62 mins
    Koji Nakao – Distinguished Researcher, National Institute of Information and Communications Technology (NICT)
    Recently observed cyber-attacks have often been triggered by “malware” that has been maliciously evolving and is sometimes hidden from our monitoring countermeasures (FW, IDS/IPS). To achieve an advanced security solution, utilizing passive monitoring technologies should be considered. In this presentation, passive monitoring technologies such as darknet and honeypot/sandbox are explained with practical use-cases to accurately observe and monitor ongoing threats (cyber-attacks). The use-cases may include detection of malware-infected IoT devices by means of darknet and honeypot monitoring. Furthermore, detection of cyber-attacks by passive monitoring can be utilized for proactive cyber security response as a practical solution.
  • The Hack and the Hacker Recorded: May 25 2021 78 mins
    Catherine Chapman, Security Journalist and Saskia Coplans, Digital Interruption
    Anyone working in information security understands that communication is a crucial part to an incident response plan. But this conversation is missing collaboration from a key player: the media.

    The mainstream media's role to inform audiences and sway public opinion has yet to be leveraged by the information security community to produce consistent and informed articles on topics of security. Infosec remains in a bubble, with the public stuck in an information loop of data breaches and outdated security patches. As the industry grows, how should these channels of communication develop?

    This talk will explore the relationship between press and information security, presenting case studies of how technical topics are represented in the media. An analysis of "security" representations in both print and online media will be also included.

    Learning objectives:
    1. Understand the channels in which consumers learn about security.
    2. Understand how security gets misconstrued in the media.
    3. Get your research picked up, or covered, by a journalist.
  • The DevSecOps Sandwich: How to Ensure the 'Sec' Element Has Real Bite! Recorded: May 25 2021 76 mins
    Andrew Boyle, Director and Distinguished Cyber Technologist, Booz Allen Hamilton
    We've migrated from Waterfall to Agile to DevOps and now, DevSecOps. Now that security is equally represented with development and operations, is everything good? Not at all! Broadly speaking, the Sec element has not (yet!) been fully embraced and is not on par with Dev and Ops. In fact, in many cases the Sec element amounts to a check in the security box.

    Testing went through a similar struggle but emerged victorious with test-driven design and embedded testers. The inclusion of the Sec element in DevSecOps gives all cybersecurity practitioners an opportunity to elevate the impact and relevance to equal the Dev and Ops elements. We, as leaders in the cybersecurity industry, must understand how Sec engagement in DevSecOps works and what indicators predict failures.

    Learning objectives:
    1. Describe the critical role that security plays during DevSecOps and understand the critical nature of security to successful DevSecOps environments.
    2. Conduct assessments of past/current/future DevSecOps environments to ensure that the 'Sec' element is of equal influence and impact.
    3. Quantify and prioritize the attributes of the 'Sec' element of DevSecOps that are applicable to their organization, and recognize the Sec-specific signals related to successful and unsuccessful DevSecOps environments.
  • Ten Things I Wish Every Developer Knew About Security Recorded: May 25 2021 83 mins
    Christopher Romeo, CEO, Security Journey
    Do your developers understand enough about security to secure your applications properly? How do they fare against the OWASP Top 10? A large number of security problems bury developers. Do you know best how to help them?

    Developers must gain security knowledge about how to secure everything they work on. Explore the ten things every developer must know about security and learn how to properly expose them to your developers, including the realms of security culture, hacking, OWASP, third-party software, GitHub, DevSecOps and Docker/Kubernetes.

    Gain a perspective on security from the eyes of your developers. Realize a greater awareness of your application security risk, knowledge of the ten things, and perspective on how to assess and build application security culture in a programmatic fashion.

    Learning objectives:
    1. Gain a perspective on security from the eyes of your developers.
    2. Realize a greater awareness of the application security risk you face.
    3. Assess and build application security culture.
  • Lights Out: Inside the Mind of a Utility Hacker Recorded: May 25 2021 77 mins
    Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic
    Imagine a nationwide blackout. The reality hit Ukrainian residents when their energy sector was hit by a massive cyber attack that caused a power outage for more than 86,000 homes. This session dives into the real-world hack of a power station that explains the planning, perimeter security, engines and SCADA controls behind the attack.

    Learning objectives:
    1. Gain a full understanding of the anatomy of a privileged account hack.
    2. Learn the challenges of reporting to the board and lessons learned.
    3. Develop a strategy to reduce your risk and prevent abuse of your critical information assets.
  • From the Front Lines – Incident Response at Scale Recorded: May 25 2021 79 mins
    James Perry, Senior Director and Head of Incident Response, CrowdStrike Services
    Stories of CrowdStrike incident response engagements and how we have changed the model for how companies respond to a breach. Learn the methods CrowdStrike uses to disrupt and ultimately remove bad actors from networks.
  • Agile Data Protection in a GDPR Mandated World Recorded: May 25 2021 66 mins
    Daniel Kim, CISSP, CCSP, Chief Privacy Officer and Scott Hollar, CISO, Extended Stay America
    A company can find it hard to survive if it loses the faith of the loyal guests or business partners that drive new customers. This billion-dollar hospitality company could see that the new data privacy regulations were beginning to create obstacles to business-as-usual and they needed to prepare accordingly. Their strategic mindset compelled them to assume that CCPA and GDPR were only just the beginning, with more regulations to follow. They wanted to implement a strategy of excellence that would focus on proactive data privacy and prevent the high cost of chasing each successive regulation.

    Their CISO joins us to talk about their journey and discuss:
    • The building blocks for successful automation
    • Integrations for enterprise support and successful business integration
    • GDPR and CCPA drivers for rapid response and resolution
    • What success looks like going forward

    Learning Objectives:
    • Gain an understanding of how success is highly influenced by the time spent planning.
    • Learn alternative approaches to meet compliance and gain business buy-in.
    • Define success and strategies to ensure a sustainable program.
  • Burning the Candle with a Blowtorch - Helping Keep Burnout at Bay Recorded: May 24 2021 75 mins
    Rob Ayoub, FireEye; Sharon Smith, Verizon; John Esparza, Schneider-Electric; Deidre Diamond, CyberSN & Erik Von Geldern, FXCM
    It is well known that malware outbreaks, security breaches and other security-related incidents can cause times of extreme anxiety and pressure. Anecdotal evidence indicates that stress and mental health issues within the information security profession are not limited to incident responders. Join panelists from a wide variety of security career areas of focus as they discuss burnout in general and how it has affected them as individuals. These professionals will offer insights and perspective on how they perceived burnout in their career and among coworkers. They'll also talk about how to recognize the signs and maintain mental health in a challenging career field.

    Learning objectives:
    1. Recognize potential stressors and mental health triggers in the course of information security work.
    2. Gain insights into managing stressful situations, work environments and careers.
    3. Reflect on the need for changes in schedule, balance, hobbies or other activities to manage stress throughout the course of an information security career.
  • What Attorneys Can Do For Your InfoSec Team Recorded: May 24 2021 75 mins
    Scott M. Giordano, Spirion; John G. Bates, DocuSign; John Bandler, Bandler Law Firm PLLC
    What qualifies as a breach vs. an incident? When does an investigation need attorney-client privilege? Do I need to make a bitstream copy, or is an image enough? If these questions have ever come up in your department, you likely had to call someone in Legal, or even outside counsel. Over the past five years, the need for legal insight in information security has gone from a nice-to-have to a must-have. Just some of the areas where attorneys can assist you include incident response/breach notification, contract negotiations, policy writing and review, and working with insurance carriers. In this presentation, information security legal veterans will explain what attorneys can do for your team and how they can advance your department’s mission.

    Learning objectives:
    1. Discern which information security and privacy problems require legal involvement.
    2. Learn the latest trends in information security that have legal implications.
    3. Understand how to work with counsel to achieve the best results.
  • You Say 'Eether' and I Say 'Eyether': Privacy Regulations from 2 Points of View Recorded: May 24 2021 69 mins
    Andrew Neal, VP - Research, Gartner and Jenifer Sosa, Director, Information Security & Compliance Services, TransPerfect
    The business world is full of data privacy regulations and obligations. The legal community is full of lawyers with lots of advice about compliance. The information security world is full of techies who must operationalize data privacy regulations. What lies at the intersection of these three things? Is it chaos? Or could it be that success in the ever-changing world of data privacy regulations is best achieved by combining the viewpoints of the legal and technical experts? This presentation will explore the contrasting, but not necessarily conflicting, viewpoints of two experienced data privacy and governance professionals from very different backgrounds. An attorney and a technology professional, each with decades of experience, will present attendees with the differing viewpoints necessary for a successful data privacy and governance program.

    Learning objectives:
    1. Describe the perspectives of the various stakeholders in the data privacy and governance process.
    2. Compare and contrast the focus and emphasis of legal and IT when addressing data privacy concerns.
    3. Discuss the necessary cooperation between legal and IT, and the benefits that such a team confers on compliance efforts.
  • Aligning the Modern Cybersecurity Strategy with the Business Priorities Recorded: May 24 2021 72 mins
    Shawn A. Harris, Director, Starbucks Coffee Company; Jim Turchek, Manager, Progressive Casualty Insurance
    We're currently living through a time of great change that requires security teams to adapt to an ever-shifting landscape of business prioritization. This talk will focus on the migration of our respective teams to align our goals with business priorities to create greater engagement that helps fulfill larger organizational goals. Security traditionally has a mandate to limit risk; however, we must transform to enabling business agility. Both speakers have a history of making such security transformations within their teams. Financial services and retail have different regulatory requirements and business models, and their juxtaposition here will illustrate that each organization's approach could work in other industries too.

    Learning objectives:
    1. Use the business alignment methods to invoke real-world change and migrate their teams to enablers of business agility.
    2. Understand a new people-centric approach to risk mitigation using business consultation techniques.
    3. Take real-world architectural foundations back to their own organizations and align cybersecurity strategy with business goals and vision.
  • Town Hall Recorded: May 24 2021 90 mins
    Dr. Kevin Charest, CISSP; Zachary Tudor, CISSP; Clar Rosso, (ISC)²; Dr. Casey Marks, (ISC)²; Wes Simpson, (ISC)²
    The panel will consist of members from (ISC)² Management and (ISC)² Board of Directors who will be ready to answer any questions that you may have regarding membership, certifications, information security, etc. This meeting is open to both members and non-members.

    Panelists:
    - Dr. Kevin Charest, CISSP - Board of Directors Chairperson
    - Zachary Tudor, CISSP - Board of Directors Vice Chairperson
    - Clar Rosso - CEO, (ISC)²
    - Dr. Casey Marks - Chief Products Officer and Vice President, (ISC)²
    Moderated by Wes Simpson - COO, (ISC)²
  • How I Am Surviving the Apocalypse - Information Security In The Time of a Virus Recorded: May 24 2021 74 mins
    Michael D. Weisberg, Caroline E. Saxon, James Packer, Brandon Dunlap
    As the COVID-19 pandemic continues its hold on societies around the world, will business as we know it ever return? Should it? Which of our new ways of working will stick? Let’s get together, 6 feet (2m) apart, wear a mask, and discuss how the pandemic has not only changed our relationship to work and how we get things done, but also how it has affected the demands on information security. What strategies did you and your organizations use to function through the COVID-19 crisis? We will discuss what went well, badly, and sideways as we tried to maintain security and normalcy in challenging times. Will security return to the old way of doing things, or have employers' and employees' expectations changed forever?
  • Hiring and Being Hired: How To Be And Get the Right People in Infosec Recorded: May 21 2021 75 mins
    Brandon Dunlap, Managing Director, Brightfly, Inc and John Carnes, Executive Adviser, Anthem, Inc
    In this discussion we will be talking about how we, as professionals, both give and get interviews that focus on getting the right mindset of people into information security. Are we focusing on the right factors? Are we looking toward the right level of skills? We will discuss what questions work, which are a waste of time, and what we are potentially doing wrong as an industry. If you're looking to be interviewed, we'll talk about what skills you need to focus on and what skills you should be both working on and showing.

    Learning objectives:
    1. Learn what questions work for interviews and what questions are potentially going to mislead you into hiring the wrong people.
    2. Learn the factors of thinking that make for a successful information security professional.
    3. Learn how to grow at a personal level to be the best professional you can be.
  • Anatomy Of A Targeted Industrial Ransomware Attack Recorded: May 21 2021 66 mins
    Elad Ben-Meir, BA, CEO, SCADAfence
    In this presentation, we review malicious activity that involved SCADAfence's incident response team, which assists companies during industrial cybersecurity emergencies. Attendees will learn how ransomware infected the victim organization's network and how the incident response team gathered evidence, including where to look first. Then, we'll explain how the evidence was analyzed; what the initial findings were; and how the attackers were caught. Finally, we'll discuss additional attack methods used by the cyber criminals so everyone can take appropriate steps to prevent such attacks within their organizations.

    Learning objectives:
    1. Learn how industrial networks get infected with targeted ransomware.
    2. Discover where to look for evidence; how to analyze it; and how to find attackers hiding in the network.
    3. Understand additional types of attack methods used by cyber criminals in industrial networks, as well as best practices to protect those and all other networks.
  • Build for Cybersecurity: Creating a Culture of Cybersecurity Recorded: May 21 2021 64 mins
    Dr. Keri Pearlson - MIT and Robbie Meitler - Liberty Mutual Insurance Company
    Product developers design for manufacturability, ease of use, quality and a host of other design criteria. Rarely, though, do we hear that something is "designed for cybersecurity." Why is that? We know that it’s much more costly to bolt on security after a product is released; however, rarely does an MVP include the necessary cybersecurity. With supply chain cybersecurity increasingly urgent, your customers are already concerned about how secure your products and services are. Recent research at MIT has focused on this problem. In this session, we will share the latest thinking on building a culture of cybersecurity for product and service development teams. We will then discuss Liberty Mutual’s experiences in secure development by extending cybersecurity values, beliefs and attitudes to its product developers.
  • It Is Time to Allow Your Security Solutions to SOAR Recorded: May 21 2021 47 mins
    Alan Rynarzewski, Undergraduate Faculty, Purdue Global University
    We have all seen the numbers when asked about the cybersecurity skills gap. The gap continues to widen, and our reliance on digital networks is not showing any signs of slowing down. Cybersecurity vacancies are often left open for months, or closed and utilized elsewhere in the company. Some companies have shifted to automation; however, it's time for companies to realize the skills gap is not going to decrease in a timely business manner. Companies need to start adopting Security Orchestration, Automation and Response to augment their senior-level employees.

    Learning objectives:
    1. Define SOAR and how it differs from other solutions.
    2. Describe how this solution could benefit companies, or what specific business items would prevent them from utilizing this technology.
    3. Demonstrate to management how SOAR works and where it can be beneficial to businesses.
(ISC)² Security Congress sessions, locations and sponsors.
(ISC)² Security Congress channel contains digital content of activities at (ISC)²'s flagship conference event. You'll find keynotes, sessions and related items.

  • Title: Getting Started with SDL
  • Live at: Oct 29 2019 5:35 pm
  • Presented by: Steven B. Lipner, CISSP, Executive Director, SAFECode