August 16, 2016 at 6:30 PM
ISSA National Capital Chapter August meeting topic:
Enumerating software security design flaws throughout the SSDLC
by John Willis
PLEASE NOTE CHANGE OF VENUE
The security challenges we face today are numerous. Yet, we just can’t seem to produce software without including countless security vulnerabilities. About one-third (1/3rd) of all software security vulnerabilities are due to design errors. To further compound the problem, nonfunctional security requirements often do not get translated to real technical security design features, or controls. To make matters worse, security design features have their own dependencies. Bundle this with design errors that may or may not be uncovered through threat modeling, and it is no surprise that we have the perfect storm. Worse yet, any security functionality implemented to address nonfunctional requirements is unlikely to receive attention during testing. Unfortunately, if we don’t address these security design flaws the testers may never notice anyway!
A methodology and evolving mock-up/prototype is introduced to address these problems. A graphical tool that is SysML compatible is the ultimate goal. The hypothesis is that by employing the above methodology/tool we should be able to establish order where there is currently chaos regarding the identification and satisfaction of security requirements, not only in the solution space—but throughout the SSDLC as well.
About the Speaker
John M. Willis is a Senior Information Security Architect with a history of electronics engineering, programming, and configuration management. John’s first computer was a wire-wrap Z80 board he programmed in assembly.
John has been a consultant to commercial and government clients for over 30 years. He holds a number of professional certifications, including CISSP-Information Systems Security Architecture Professional (CISSP-ISSAP), Certified Secure Software Lifecycle Professional (CSSLP), and Certified Ethical Hacker (CEH). In addition, John completed the Advanced Computer Security Professional Certificate program at Stanford University in 2015. Nowadays, John seeks to build security in by coming up with new and different ways of looking at things.
Please RSVP if you plan to attend.
Non-members are welcome without charge! Light refreshments will be served.
Tuesday, August 16, 2016 6:30 PM