Overview
Syllabus
Intro
Requirements for secure code are implicitly and not explicitly stated
"Defacto" security requirements in NIST 800-53 do not explicitly require developers to produce secure code Technical
Technical controls in NIST 800-53 contribute to application security
Operational controls in NIST 800-53 contribute to application security
Key questions
Perspective on technology today
Malicious actors are taking advantage of abundant opportunities to tamper with and sabotage products...
SWA requires multi-disciplinary collaboration
Acquirers of IT products and services trust that suppliers are addressing cyber security without validating
Implementation lessons learned from some of the 1/100 companies that implement SwA successfully
Robust measurement does not happen overnight and requires foundational capabilities in place to be effective
Critical success factor - long-term management commitment, focus, and appropriate expectations
Critical success factor-realistic and well thought out data collection strategy
Critical success factor-effective use of the measures to improve security
Measurement for secure code requires understanding code level attributes...
Measurement for secure code involved understanding the effectiveness of implemented processes
Business functions rely on accurate and reliable information from technology that functions as intended (and only as intended)
SC22 - Programming Languages, ISO/IEC TR 24772, Programming Language Vulnerabilities
ISO/IEC 27036: Information technology - Security techniques - Information Security for Supplier Relationships
NIST IR 7622. Piloting Supply Chain Risk Management for Federal Information Systems
The Open Group Trusted Technology Provider Framework (TTPF) Purpose
What's next?
Why Do Developers Make Dangerous Software Errors?
Taught by
LASCON