SANS What Works in Application Security Summit 2011 (SANS AppSec 2011)
Event Date/Time: Mar 07, 2011 | End Date/Time: Mar 14, 2011
- How Real World Software Security Programs Work - Panel
Security in the SDLC involves a lot of stakeholders and consists of activities like code reviews, threat modeling, risk analysis, penetration testing, and training, to name just a few. Navigating the people, processes, and technology that are required to create secure software is a lot of work. Panelists will discuss how they made their software security programs successful.
- Software Experts on Security - Expert Panel
Developers don't attend security conferences. Additionally, most software development conferences don't have a focus on software security. Often, developers are focused on learning new tools and only have time to meet deadlines. How can we bridge the gap between security and software development? Panelists, who are experts in software secure software.
- Software Security Architecture in Practice - Panel
The earlier you find a defect the cheaper it is to fix. Why then aren't more resources allocated to finding issues during design and architecture? Panelists from security architecture teams at large companies discuss their approaches to reducing application security risk.
- What Enterprises Should be Doing but Aren't - Panel
Many organizations recognize the value of software security and are proactively working on reducing critical software vulnerabilities. But, what's not being done? Panelists discuss what needs to be done now so that future.
- How to Scale Your AppSec Program - Panel
Imagine that you have hundreds of applications and thousands of developers in your organization. Now you need to apply secure development practices to all projects in your company. What do you do? Panelists from large enterprises discuss how they scaled their application security programs agrow their security capabilities.
- Meaningful Software Security Metrics - Expert Panel
How can we make software security metrics meaningful to business and technical application owners? Panelists will discuss metrics that are working today and metrics that we should and will be using in the future to measure the success of software security efforts.
- How to Detect Application Fraud - Panel
When attackers utilize legitimate functionality to abuse your application and defraud your organization, how do you detect it? Panelists will discuss the challenges that their companies face in analyzing attacks and preventing application fraud.
- The Future of Application Security Tools - Vendor Panel
Panelists from application security vendors will share their vision for the future of software security tools and discuss how commonly used tools (static analysis, black box testing, WAF, etc.) can be best leveraged and integrated to provide the most value for customers.
Post-Summit Courses:
Security 542: Web App Penetration Testing and Ethical Hacking
Developer 522: Defending Web Applications Security Essentials
Developer 541: Secure Coding in Java/JEE: Developing Defensible Applications
Developer 544: Secure Coding in .NET: Developing Defensible Applications
Developer 543: Secure Coding in C
Developer 304: Software Security Awareness
Summit Overview: Questions to Be Answered
1. What are the primary attack vectors criminals are using to compromise applications and which programming errors account for the vast majority of those attacks?
2. What attacks will do the most damage during 2011?
3. Which application security tools work best and what kind of challenges have users found in implementing them?
4. What is the most effective way to meet the PCI requirement for application security?
5. How can you gain confidence in the security of outsourced application development and how do you verify the skills of the outsourced programmers?
6. How do you embed application security testing into the outsourcer's process?
7. How do you ensure the outsourcer has adequate but tightly limited access to your own networks?
8. What are the essentials of a comprehensive website security program?
9. What are the most prevalent website vulnerabilities?
10. What do the hackers hack, how, and what is the end result?
11. What strategies work best to identify application vulnerabilities?
12. How can you gauge the strengths and weaknesses of your development team?
13. How will application security and application development environments evolve over time?
14. When will colleges ensure their computer sciences and information technology graduates know secure coding techniques?
What Will You Learn at the Web Application Security Summit?
1. The essentials of a comprehensive Web site security program and how to secure an insecure Web site.
2. The most current info on Web hacking techniques and how you can guard against them.
3. What the most prevalent Web vulnerabilities are and how hackers take advantage of them to hack into your Web site.
4. Unique procurement practices that will help you manage your application security outsourcing and improve application security.
5. The confessions of a professional Web app hacker.
6. What your peers are doing to secure their Web applications and what the best practices are in application security.
7. What tools are available and how do they compare? Which tools should you have in your security toolbox to ensure your applications are locked up tight.
Who Should Attend?
1. Application security managers and their teams who want to ensure their Web applications are secure
2. CIOs and CTOs who need to understand the myriad legal and PCI issues around Web apps
3. Web security consultants needing to be aware of the latest issues in the secure apps area
4. Development managers who want to be able to help their coders develop secure code
5. Software architects and developers tasked with building secure apps from the ground up
6. PCI or other compliance auditors
7. Test/QA professionals wanting to understand and be aware of the latest tools available
8. PCI project managers
Coming to the Summit will save you months of time in product evaluation, project planning, and just avoiding errors other companies have made. There's no better way to find out what others have tried and what works.
The National Secure Coding Assessment for Programmers
Invite your programmers to take the new GIAC Certified Secure Programmer examination. For more data on the certifications and exams, see GIAC Secure Software Programmer Certification Exam
How Good Are SANS Summits?
Hear from people who attended the last Summit:
"Great Summit! It gave the Who, the What, the Haws and the Knots from real-life experiences." - Rollo Guzman, Hess
"This Summit provides an excellent means to stay informed on what is available today; and what the current and emerging issues are." - Yong Chloe, SAIC
"Excellent presentations of practical experiences." - Rich Lansing, Bloomberg