2 Day Pre-Conference Training: Running A Software Security Program On Open Source Tools presented at AppSec USA 2013

by Dan Cornell

Abstract:
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools, with an emphasis on integrating tool results into the overall software security program. Featured tools include ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), and ThreadFix, as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program, as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Outline:
• So You Want To Roll Out A Software Security Program?
• The Software Assurance Maturity Model (OpenSAMM)
• ThreadFix: Overview
• Governance: Strategy and Metrics
  • ThreadFix: Reporting
• Governance: Policy and Compliance
• Governance: Education and Guidance
  • OWASP Development Guide
  • OWASP Cheat Sheets
  • OWASP Secure Coding Practices
• Construction: Threat Assessment
• Construction: Security Requirements
• Construction: Secure Architecture
  • ESAPI overview
  • Microsoft Web Protection Library (Anti-XSS) overview
• Verification: Design Review
  • Microsoft Threat Analysis and Modeling Tool
• Verification: Code Review
  • FindBugs
  • Brakeman
  • Agnitio
• Verification: Security Testing
  • w3af
  • OWASP Zed Attack Proxy (ZAP)
• Deployment: Vulnerability Management
  • ThreadFix: Defect Tracker Integration
• Deployment: Environment Hardening
  • Microsoft Baseline Security Analyzer (MBSA)
• Deployment: Operational Enablement
  • mod_security