Explore the reasons behind dangerous software errors in this 43-minute conference talk from LASCON 2012. Delve into the challenges of secure code development, including implicit security requirements and the limitations of existing standards. Examine technical and operational controls contributing to application security, and consider key questions about technology's current state. Learn about the multidisciplinary nature of software assurance and the importance of validating supplier cybersecurity practices. Discover implementation lessons from successful companies, critical success factors for effective measurement, and the complexities of measuring secure code. Gain insights into relevant standards and frameworks, such as ISO/IEC TR 24772 and NIST IR 7622. Understand the crucial role of accurate and reliable information in business functions and explore future directions in addressing software errors.
Overview
Syllabus
Intro
Requirements for secure code are implicitly and not explicitly stated
"Defacto" security requirements in NIST 800-53 do not explicitly require developers to produce secure code Technical
Technical controls in NIST 800-53 contribute to application security
Operational controls in NIST 800-53 contribute to application security
Key questions
Perspective on technology today
Malicious actors are taking advantage of abundant opportunities to tamper with and sabotage products...
SWA requires multi-disciplinary collaboration
Acquirers of IT products and services trust that suppliers are addressing cyber security without validating
Implementation lessons learned from some of the 1/100 companies that implement SwA successfully
Robust measurement does not happen overnight and requires foundational capabilities in place to be effective
Critical success factor - long-term management commitment, focus, and appropriate expectations
Critical success factor-realistic and well thought out data collection strategy
Critical success factor-effective use of the measures to improve security
Measurement for secure code requires understanding code level attributes...
Measurement for secure code involved understanding the effectiveness of implemented processes
Business functions rely on accurate and reliable information from technology that functions as intended (and only as intended)
SC22 - Programming Languages, ISO/IEC TR 24772, Programming Language Vulnerabilities
ISO/IEC 27036: Information technology - Security techniques - Information Security for Supplier Relationships
NIST IR 7622. Piloting Supply Chain Risk Management for Federal Information Systems
The Open Group Trusted Technology Provider Framework (TTPF) Purpose
What's next?
Why Do Developers Make Dangerous Software Errors?
Taught by
LASCON
