Software Security Assurance Summit



8:30am - Welcoming Remarks

Marci McCarthy

Marci McCarthy
CEO and President of T.E.N.
CEO and Chairman of ISE® Talent
Biography

8:40am - SSA Insights & Trends

Kelly Collins

Kelly Collins
President, Public Sector
Fortify
Biography

Download the Presentation (ppt)

9:15am - WikiLeaks, Stuxnet & Other Cyber Weapons – Trust, Treason or Terrorism?

name

Dr. Eugene Schultz
CTO
Emagined Security
Biography

Download the Presentation
Few events have crystallized U.S. fears over a cyber catastrophe, or brought on calls for a strategic response, more than the recent attacks against Google, the controversy and consequences of WikiLeaks and now the public demonstration of a cyber weapon’s capabilities via Stuxnet.

While these threats are well short of cyberwar, damage has already been done by a slew of cyber attacks that have resulted in the theft of terabytes of intellectual property data, trade secrets and classified military and government information. That information is now believed to be in the hands of overseas groups, many of which are thought to be state-sponsored.  And many believe that we are seeing the beginning of a new era of highly sophisticated deployment and arsenal of cyber weaponry to exploit an extensive range of circumstances to include compromise of confidentiality / theft of secrets, identity theft, web-defacements, extortion, system hijacking and service blockading.

10:30am - The Next Generation of Software Assurance Testing: The Marriage of Static and Dynamic Analysis

name

Matt Fisher
Security Consultant
Fortify, an HP Company
Biography

Download the Presentation
Static Application Security Testing (SAST) is one of the technology markets aimed at securing applications.  However, the evolution in the SAST market to incorporate Dynamic Application Security Testing (DAST) augments the ability to detect software vulnerabilities across all phases of the software development life cycle. The interaction and correlation of the two technologies provide a hybrid static-and dynamic solution that offers significant advantages.

11:00am - Mastering SSA: A Case Study of the US Air Force WarFighter's Edge Application

Lt. Col. Andy Berry
Director of Warfighter's Edge
U.S. Air Force
Biography

The WarFighter’s Edge (WEdge) team is dedicated to developing software applications that improve the mission effectiveness and daily operations of the warfighter.   Lt. Col. Andy Berry and his team of developers will discuss how they applied a rigorous set of application security standards to develop the WEdge application. WEdge, is designed to automate mission briefings for aircrews.  By using the mission planning central site on the Air Force Portal, users are able to retrieve the most current information about their specific mission such as routes, fuel requirements and integrate with Google Maps.  During this session, Lt. Col. Berry will share tips and techniques, challenges, standards as well as best practices.  He and his team will also field questions from attendees on lessons learned regarding his experience in developing the WarFighter’s Edge application. 

12:00pm - Luncheon Discussion: Cheating Required

Russell Spitler
Principal Product Manager
Fortify

Download the Presentation
Black-box analysis (DAST) solutions are reaching their technical limitations, too often providing false negatives and false positives. DAST results are also increasingly difficult to use as inputs to remediation.

"Real-Time Security Testing" (RAST), which correlates SAST and DAST issues, is extremely valuable in rooting out server-side injection bugs. Take a deep dive into how RAST works.

Users of DAST solutions will learn why black-box tools are reaching their technical limitations. The audience will learn about previous approaches to addressing these limitations and why they have met with limited success. Attendees will learn how DAST findings can be dramatically improved by adding a RAST component in the cycle.

1:00pm - Hot Topic Panel Discussion: The Realities and Secrets of Building Software Security Assurance into your SDLC

Building an SSA Program at a government agency encompasses comprehensive planning to include training, communication, monitoring activities as well as  integrating security testing throughout the delivery lifecycle.  In this hot-topic panel discussion, experienced SSA practitioners and experts will share their insights, best practices and real-world experiences of how they successful created, built, delivered and managed an SSA Program.

Robert Lentz

Robert Lentz
Former Deputy Assistant Secretary of Defense
for Information and Identity Assurance
U.S. Department of Defense
ISE® North America Government Executive Award Winner 2008
Biography

Lt. Col. Andy Berry
Director of Warfighter's Edge
U.S. Air Force
Biography

name

Steve Winterfield
Cyber Tech Lead
TASC
Biography

name

Shakeel Tufail
Managing Consultant
Fortify
Biography

Executive Roundtables

name

Shakeel Tufail
Managing Consultant
Fortify
Biography

From Security Assessment to Vulnerability Remediation: The Realities of Deploying a Cloud-Based Application Risk Management Solution

Robert Lentz

Robert Lentz
Former Deputy Assistant Secretary of Defense
for Information and Identity Assurance
U.S. Department of Defense
ISE® North America Government Executive Award Winner 2008
Biography

Making Application Security an Integral Part of Your Operations

name

Lora Woodworth
Research and Development Network Manager
TASC
Biography

Maintaining Trust in Mobile Platforms

3:45pm - Keynote: Software Security Matters - New Attacks Require Rethinking Software Assurance

name

Richard Stiennon
Security Expert and Analyst
IT-Harvest
Biography

Download the Presentation
Richard Stiennon, author of Surviving Cyberwar, recounts the deep and dark threatscape and how software vulnerabilities are the primary cracks in our defenses that are targeted by our adversaries. He defines those adversaries as well as the difference between cyber war and cyber espionage. Incorporating good software development practices into a cyber defense are key to defending critical infrastructure as well as IT business applications.