Jedi mind tricks for building application security programs


Presented at BSidesLondon 2010 by David Rook and Chris Wysopal

Software is the fabric of how the world communicates and fuels 21st-century business. Software infrastructure runs an organisation's critical financial processes and the transactions between customers, partners and employees. Software is also the primary target of criminal hackers, who steal information assets and sell them on the black market. With 75% of new attacks (CERT) and 80% of attacks (SANS Top 20) targeting applications, combined with regulatory requirements, it is unsurprising that application security has risen to the top of security professionals' agendas. Unfortunately, despite the risks and the elevated awareness, application security programmes are usually underfunded or, sadly, nonexistent. From the perspectives of an employee of a financial transaction provider and of a security vendor, this presentation focuses on how to effectively sell the business value of application security to executives, middle management and development groups. David Rook and Chris Wysopal will share how they have successfully obtained the resources necessary for an effective application security programme where others have failed. Their experience reveals key real-world techniques that help unify an organisation around application security, and the common pitfalls every security professional should know to avoid. These techniques involve engaging key business resources and convincing developers of the need for application security using real-world examples.