Outline:
1. Intro
2. Requirements for secure code are implicitly and not explicitly stated
3. "De facto" security requirements in NIST 800-53 do not explicitly require developers to produce secure code
4. Technical controls in NIST 800-53 contribute to application security
5. Operational controls in NIST 800-53 contribute to application security
6. Key questions
7. Perspective on technology today
8. Malicious actors are taking advantage of abundant opportunities to tamper with and sabotage products...
9. SwA requires multi-disciplinary collaboration
10. Acquirers of IT products and services trust that suppliers are addressing cyber security without validating
11. Implementation lessons learned from some of the 1/100 companies that implement SwA successfully
12. Robust measurement does not happen overnight and requires foundational capabilities in place to be effective
13. Critical success factor - long-term management commitment, focus, and appropriate expectations
14. Critical success factor - realistic and well thought out data collection strategy
15. Critical success factor - effective use of the measures to improve security
16. Measurement for secure code requires understanding code level attributes...
17. Measurement for secure code involves understanding the effectiveness of implemented processes
18. Business functions rely on accurate and reliable information from technology that functions as intended (and only as intended)
19. SC22 - Programming Languages, ISO/IEC TR 24772, Programming Language Vulnerabilities
20. ISO/IEC 27036: Information technology - Security techniques - Information Security for Supplier Relationships
21. NIST IR 7622: Piloting Supply Chain Risk Management for Federal Information Systems
22. The Open Group Trusted Technology Provider Framework (TTPF) Purpose
23. What's next?
24. Why Do Developers Make Dangerous Software Errors?
Description:
Explore the reasons behind dangerous software errors in this 43-minute conference talk from LASCON 2012. Delve into the challenges of secure code development, including implicit security requirements and the limitations of existing standards. Examine technical and operational controls contributing to application security, and consider key questions about technology's current state. Learn about the multidisciplinary nature of software assurance and the importance of validating supplier cybersecurity practices. Discover implementation lessons from successful companies, critical success factors for effective measurement, and the complexities of measuring secure code. Gain insights into relevant standards and frameworks, such as ISO/IEC TR 24772 and NIST IR 7622. Understand the crucial role of accurate and reliable information in business functions and explore future directions in addressing software errors.

Why Do Developers Make Dangerous Software Errors

LASCON