Every week brings new stories of data breaches, service disruptions caused by attackers, ransomware extortion, government surveillance, and sabotage by disgruntled employees.
And yet most start-up software and mobile applications are rushed to market using the "Code, Release, and Hope" approach, which leaves them exposed both to attackers and to legal action over inadequate protection of personal, financial, and health information.
This session will provide an overview of the Secure Software Development Life Cycle (SSDLC) process, along with some simple tools and techniques that can help improve application hardening and data protection.
Bio
From Fortune 100 companies to start-ups, Robert Grupe is an international professional with practitioner, leader, and consultant experience in information security, market strategy, development, and support for global leaders in information technology, health care, and high-tech industries.
Robert holds the Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and Project Management Professional (PMP) certifications.
Source: 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute
Source: Verizon 2013 Data Breach Investigations Report
Source: Praetorian study of attack techniques, reported 2016-08-22 - http://www.theregister.co.uk/2016/08/22/hacker_playbook/
Source: NIST 2002 study on the cost of software bugs - http://www.abeacha.com/NIST_press_release_bugs_cost.htm
Source: IBM Global Business Services industry standards
Broken Auth and Session Management moved up, we believe, because more consulting organizations were included in this data set, and they can find this better than automated tools can. We don’t believe the actual prevalence of this issue increased, just the measured prevalence.
CSRF dropped, we believe, because organizations are getting a handle on this new issue that was first added to the Top 10 in 2007. The awareness the Top 10 raised has helped reduce the prevalence of this issue (we believe).
Policy (objectives): principles to guide decisions and achieve acceptable outcomes; minimizing profit loss (government fines, customer trust, etc.)
SSDLC (Secure Software Development Life Cycle): protocol/procedure for implementing policy
Standards (ways of doing things): governments, industry organizations
Requirements (acceptance criteria: what and why): compliance with policy and standards
Training (how, what, why)
Check lists (reminders)
Auditor: government (HIPAA), industry (PCI), customer (DoD), legal (lawsuit discovery), internal (quality improvement)