Global OWASP AppSec LatAm 2011 videos are now available on YouTube! I had the pleasure of acting as the host from beginning to end. Here are some of my favorite presentations:
After almost 10 years at Symantec leading the company’s global application security initiative, I decided it was time for a change. Today I’m thrilled to announce that I joined Intuit’s Corporate Information Security Team as a security Business Partner working with Intuit Financial Services (IFS) and Intuit’s Payment Solutions Division (PSD).
Why Intuit? To answer this question, I'd like to borrow the quote attributed to Willie Sutton, the prolific bank robber: “because that's where the money is”. Intuit owns 79% of the retail tax preparation software market. If all customers that use Intuit Financial Services (IFS) solutions were added up, Intuit would be the 5th largest bank in the nation. Securing such solutions is fundamental to the company's success. Defending small businesses against targeted attacks is a task we don’t take lightly.
Sounds like a good deal? Come join me at Intuit! Click here for a list of open positions on my team and my extended team. Send me an email if you’d like to chat about it.
The Great Cypher, Mightier than the Sword
David Ladd (Principal Security Program Manager, Microsoft Corporation), Gary McGraw (Chief Technology Officer, Cigital, Inc.), Kyle Randolph (Senior Manager, Security & Privacy, Adobe) and I will be serving on an RSA panel titled "Making Sense of Software Security Advice: Best vs. Practiced Practices". Reeny Sondhi (Director, Product Security, EMC Corporation) will be the moderator.
Join me from February 27 to March 2 in San Francisco for five days of learning, sharing and networking. I’ve seen the agenda and the week promises to be a busy one! As a selected speaker for 2012, I’m pleased to be able to extend a discount of $200 off the current registration rate when you use my personal discount registration code. Simply enter the following code when you register online:
My personal discount registration code: ZSPDdJaIoqK
This offer cannot be combined with any other discounts and is valid for new registrations from December 6, 2011 through January 27, 2012. The code cannot be used retroactively. To find out more about RSA Conference and the packed agenda, visit: http://www.rsaconference.com/events/2012/usa/index.htm. Be sure to register using the discount registration code above to receive the $200 savings.
Saturday, December 3, 2011
Secure Software Programming: One of the Three Best Security Career Bets
SC Magazine published a really nice article about the need for security last month. According to the latest edition of Foote Partners, developers who possess security certifications can earn pay premiums averaging eight to 12 percent of base pay, and even more with additional experience.
Secure coding (and security testing) are hard to do, and market demand far exceeds the available talent supply. It takes years of hands-on practice, as well as training, to develop the skills.
Sunday, November 13, 2011
The right tool for the right job (SAFECode and BSIMM)
After listening to a number of talks at different conferences around the world, I’m convinced that even experts are confused about the various security initiatives, particularly SAFECode and BSIMM. As a consequence, organizations are confusing prevalent practices with effective ones. Some of the results of this misunderstanding are organizations trying to choose the most popular BSIMM practices and use them as criteria for suppliers, or adopting BSIMM as a Secure Development Lifecycle framework.
This week SAFECode released “A SAFECode Perspective on Leveraging Descriptive Software Security Initiatives“. This brief paper addresses common questions on the differences between BSIMM’s descriptive model and SAFECode’s prescriptive guidance. If you are responsible for a large software security initiative, I highly recommend reading this paper.
Thursday, October 20, 2011
The Gold Standard
Software development has changed considerably from a decade or two ago. While writing secure code (secure programming) is still a critical component of the secure software lifecycle, there is a great deal more to consider. A formal and structured software development methodology has become a necessity for any organization that develops code.
Despite their known flaws, certifications are a great way to attest that outsourced development can build solutions with the same level of quality practiced in large and well established enterprises. Certifications are a good way to verify that a certain level of expertise has been reached among team members and to provide a meaningful measurement to customers. Engineers, especially in developing countries, should ponder the recognition a credible certification can bring to their work. I recently provided a quote to (ISC)2 about the value of CSSLP. The certification reached the 1,000 certified professionals milestone this year and I wonder if it will eventually replace CISSP, known by many as the industry gold standard.
Speaking of (ISC)2, Caleb Sima, Tony UcedaVelez, Mikhael Felker, Stuart Schwartz and I will be speaking at the (ISC)² SecureSDLC 2011 – SoCal on November 1st in Anaheim, CA. This should be a great one-day event.
Monday, October 10, 2011
OWASP AppSec LatAm 2011
It took more than a year to organize OWASP AppSec LatAm 2011, but the results were worth the effort. Equipped with numerous auditoriums that can accommodate up to 800 participants, PUC-RS provides a world class infrastructure. The variety and quality of PUC-RS’s main restaurant is comparable to some buffets in Las Vegas. In addition, many professors supported the event and were actively engaged in conversations on how to include application security education in the curriculum.
Bryan Sullivan and Michael Craigue, our two keynote speakers, delivered more than security knowledge in their presentations; they delivered wisdom. Bryan delivered a polished presentation that mixed big picture concepts with hard core technical demos. Bryan’s unique mixture of skills makes his presentations interesting to all sorts of audiences. Michael Craigue's conversational style and candidness made his presentation a must see for everyone who wants to jump start a security initiative at an enterprise. I highly recommend both.
The local organization worked incredibly hard to deliver a solid conference and great entertainment! Kudos to Alexandre Balestrin Correa (aka ABC), Jerônimo Zucco, L. Gustavo C. Barbato, Lucas C. Ferreira, Rafael Dreher, Gustavo Simon, Leonardo Goldim, Luiz Gava, Sarah Baso, Carolina Nogueira, Mauricio Pegoraro, Luciano Madeira, Adriene Barbato, Maximiliano Soler, Luis Otavio (aka LOD) and Ricardo Makino for a job well done! Argentina now has big shoes to fill for OWASP AppSec LatAm 2012!
Thursday, September 29, 2011
BSIMM 3 is out
Every craftsman needs a set of tools to perform their duties, and security practitioners are no different. Released this past Tuesday, the Building Security In Maturity Model (BSIMM, pronounced “bee simm”) is one of the essential tools security professionals need to know about. BSIMM is an inventory of existing security practices from over forty large-scale, IT-dependent organizations across seven business verticals.
Reviewing BSIMM data over the years is a great way to compare and contrast how the industry is evolving. In addition, BSIMM provides a considerable list of activities that organizations with an established security initiative should consider adopting next.
Thursday, September 22, 2011
A Pleasant Surprise!
The (ISC)² Americas Information Security Leadership Awards 2011 took place yesterday. To my complete surprise, I received a special recognition award for community service! Wow, have you ever had the feeling you realized something about yourself just because someone told you?
There is nothing more enjoyable in life than being surrounded by highly motivated and passionate individuals. Performing community service is fulfilling and important: we all know there is a lot to do in application security, and I believe we, the practitioners, have a social responsibility to help our communities.
Unfortunately, sometimes I see people leaving not-for-profit organizations because their bosses actively discourage this type of “distraction”. My personal experience as a manager and a practitioner is that community service and work for an enterprise are symbiotic. In fact, all my staff at Symantec are encouraged to engage in this type of activity. This is a great way to retain, train and acquire talented employees. It’s good for the individual, the business and the community. I hope other companies start to see things this way.
Symantec released Norton Internet Security 2012 (NIS 2012) this week. According to independent research, the product is both the fastest antivirus solution and the product with the highest detection rate on the market.
Be sure to check out the new product advertising campaign titled "Protect The Stuff That Matters". In my opinion this is hands down the best marketing campaign the company ever did.
Tuesday, September 6, 2011
An Interview with Cassio Goldschmidt
The Pontifícia Universidade Católica do Rio Grande do Sul's (Pontifical Catholic University of Rio Grande do Sul, often abbreviated as PUCRS) magazine featured an interview with me this month. I'm an alumnus of the school of Informatica and a big fan of the university.
As of 2009 the university had 10 courses with 5 stars, computer science being one of them. There are also 21 courses with 4 stars according to the Guia do Estudante: Computing and Mathematical Sciences, and Engineering and Production.
The magazine is in Portuguese. Click on the picture to download and read the article on page 40.
Monday, August 22, 2011
Registrations for OWASP Global AppSec Latin America are now open!
The organizing committee truly went out of its way to keep prices down and provide great deals for people who really want to take advantage of this event. One example of the great discounts the organization is giving away is the conference full package deal: for R$1,000 (approximately US$625) you can attend two classes and the conference. The deadline for early bird registration discounts is August 31st.
Check out the videos about Brazil and Porto Alegre in the conference visitor's guide.
If you attend the conference, don't miss Richard Tychansky, Hart Rossman and Symantec's Edward Bonver presenting case studies of large enterprises that have successfully integrated security engineering best practices into their Software Development Life Cycle (SDLC) to reduce defects and increase software resiliency and reliability. You can read more about this session here.
Saturday, July 16, 2011
OWASP Global AppSec Asia 2011
Sebastien Deleersnyder, Mano Paul and I will be the keynote speakers at OWASP Global AppSec Asia 2011. Last year the conference had more than 500 attendees, and this year the organization expects over 800 people coming from various verticals including government, information technology, services and consulting, telecommunications, finance, e-commerce, Internet, universities and research institutes. Major news media will be covering the event.
There is a very high demand today for application security professionals in Asia. I have the privilege of working with many individuals in the People’s Republic of China whose technical knowledge, work ethic and humility I respect so much that I could only wish we were fewer time zones apart! I hope to meet a lot more people like them in November. Please don’t be shy to come and chat if you see me around the conference floor.
SANS and MITRE released today the "Top 25 Most Dangerous Software Errors". This list ranks the most widespread and critical errors that can lead to serious vulnerabilities in software, and it is a great educational tool to help programmers prevent the kinds of vulnerabilities that plague the software industry.
I've been a contributor to this list since the first release in 2009. It amazes me to see vulnerabilities such as CWE-120 ('Classic Buffer Overflow') still at the top of the list, for the following reasons:
Programmers really have to go out of their way to create classic buffer overflows in modern languages such as C# and Java. These languages, not C/C++, are the languages of choice for many developers creating new systems nowadays.
Static code analysis tools do an excellent job finding instances of buffer overflows.
Modern compilers offer several ways to prevent exploitation of this type of flaw without changing a single line of code.
Some companies did an outstanding job bringing awareness to this issue and providing great security training to their development teams, including QA.
Without necessarily producing better software, the industry in general found a way to innovate itself out of a widespread problem. Buffer overflow flaws are still prevalent out there because we use a lot of legacy systems. I just don't find a lot of new instances being discovered, at least in our tests. If anything, this type of flaw is identified and fixed during the development phase using static source code analysis tools that are integrated into build systems.
I just came back from the ISSA speaker dinner and I'm really excited about tomorrow's event! ISSA clearly outgrew UCLA and the organization will need to deal with the growing pains of what is without a doubt going to be an outstanding conference. I’ll be serving on a panel with Steve Lipner (Microsoft), Gary McGraw (Cigital) and Jeremiah Grossman (WhiteHat). John Dickson (Denim Group) will be the moderator.
Other speakers include Marc Maiffret (eEye), Robert Brown (Western Bridge Corporate Federal Credit Union), Dan Cornell (Denim Group), Barbara Danzi (Garda Cash Logistics), Ariel Silverstone (Expedia), John Steven (Cigital), Mike Villegas (NewEgg, Inc.) and Tin Zaw (AT&T).
As much as I love to manage a global team that is as passionate about software security as Symantec's Product Security, I'm still a software developer at heart. Needless to say, I had a real blast presenting at Better Software. "Cosmic Truths about Software Quality" by Karl Wiegers was a very insightful presentation about the real meaning of quality and how to achieve it. Backed by facts and research, Michael Mah made a very persuasive presentation on the real cost of offshoring and why geography matters.
According to the official conference numbers, my presentation about secure coding had one of the top ratings of all the 65+ speakers. Who said developers don't care about security?
Monday, February 14, 2011
Valentine's day
Valentine's this year will be a bit different... I'm returning to Berkeley to present a talk about my book, this time to the NetEcon group. Next, I'll head to RSA Conference and finally end the day at a business dinner with my boss and a Symantec business partner.
Thursday, January 20, 2011
Black Hat
One of the best things about being one of the first speakers to present at a conference is that it's possible to actually pay attention to the other talks. ;-)