Tutorial T7 – Multi-perspective Application Security Risk Analysis: A Toolbox Approach

Mr. Sean Barnum, Cigital, Inc (Coordinator)

Jacob West, Fortify Software
Ray Lintner, IBM/Rational/Watchfire
Anthony Vicinelly, Application Security Inc.
Maj Michael Kleffman, USAF

Tuesday, December 9th, Half Day

NOTE: This session is tightly focused on the concept and execution of the approach discussed here rather than on specific products or services, and will avoid marketing language from any of the participants. Examples may be drawn from individual tools, but the focus will be on the example content, not on selling the tool.

Today, most people no longer need to be convinced of the criticality of application software security. The focus has moved from simple awareness to the identification and deployment of effective methods and tools to assess and mitigate application software security risk. Much has been said recently about the limitations of individual tools and the importance of a toolbox approach. Unfortunately, that discussion has almost exclusively concerned the use of multiple tools within a single perspective, such as static code analysis. This tutorial introduces a true toolbox approach, in which sets of tools supporting differing perspectives of analysis are used together in an integrated fashion to yield a more comprehensive and actionable assessment of application security risk. Specifically, the tutorial will present a recommended baseline for multi-perspective analysis using static source code analysis, application scanning & penetration testing, and application data security analysis tools, along with a real-world case study where this baseline is in use today.
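The integration mechanism the abstract alludes to is, in practice, a correlation step: findings from the static, dynamic and data perspectives are normalized to a common key and joined, so that each perspective confirms, locates or re-weights what the others report. The sketch below is added here as an illustration and is not code from the tutorial or from any of the participating vendors' products. The three finding lists are constructed sample data; the record fields (cwe, route, param, sink, evidence, db_object) are an assumed normalized form rather than any tool's report format, and the example assumes the static tool reports the HTTP route and parameter at which a taint path starts, which is what allows it to be joined with the scanner's entry point. In real engagements that mapping (framework routing to source handler) is the hard part of the integration.

```python
"""Correlating findings from three analysis perspectives into one prioritized list.

Added illustration, not code from the tutorial or from any vendor's product.
The three finding lists are CONSTRUCTED sample data and the record fields
(cwe, route, param, sink, evidence, db_object) are an assumed normalized form,
not any tool's report format.
"""
from collections import defaultdict

# Static analysis: a taint path from an HTTP request parameter to a sink.
STATIC = [
    {"cwe": 89, "route": "/search", "param": "q", "sink": "OrderDao.find:42"},
    {"cwe": 79, "route": "/profile", "param": "name", "sink": "profile.jsp:17"},
    {"cwe": 89, "route": "/admin/report", "param": "id", "sink": "ReportDao.load:88"},
]
# Dynamic scanning / penetration test: behaviour observed at an entry point.
DYNAMIC = [
    {"cwe": 89, "route": "/search", "param": "q", "evidence": "SQL syntax error echoed"},
    {"cwe": 79, "route": "/profile", "param": "name", "evidence": "payload reflected unencoded"},
    {"cwe": 352, "route": "/account/delete", "param": None, "evidence": "no anti-CSRF token"},
]
# Data security analysis: configuration of the database behind the application.
DATA = [
    {"cwe": 250, "db_object": "login/app_user", "detail": "application login holds db_owner"},
    {"cwe": 311, "db_object": "table/orders.card_number", "detail": "stored in cleartext"},
]

DB_REACHING_CWES = {89}   # injection classes whose impact depends on DB privileges
OVERPRIVILEGED_CWE = 250  # "execution with unnecessary privileges"


def correlate(static, dynamic, data):
    """Join static and dynamic findings on (cwe, route, param), then let the
    data perspective adjust the impact of anything that reaches the database.

    Priority 0 is most urgent.  A static+dynamic pair is 'confirmed'
    (reachable from outside and located in code).  Static-only may be
    unreachable or outside scanner coverage; dynamic-only still needs its
    root cause located.  An over-privileged DB login raises every injection
    finding by one level, a link neither application-side tool can see alone.
    """
    by_key = defaultdict(dict)
    for f in static:
        by_key[(f["cwe"], f["route"], f["param"])]["static"] = f
    for f in dynamic:
        by_key[(f["cwe"], f["route"], f["param"])]["dynamic"] = f
    overprivileged = [d for d in data if d["cwe"] == OVERPRIVILEGED_CWE]

    merged = []
    for (cwe, route, param), sides in by_key.items():
        where = "%s?%s" % (route, param) if param else route
        if "static" in sides and "dynamic" in sides:
            status, priority = "confirmed", 1
            action = "fix at " + sides["static"]["sink"]
        elif "static" in sides:
            status, priority = "unconfirmed", 2
            action = "verify reachability; confirm scanner covered " + route
        else:
            status, priority = "root cause unknown", 2
            action = "locate handler for %s in source" % route
        impact = []
        if cwe in DB_REACHING_CWES and overprivileged:
            impact = ["injection reaches %s (%s)" % (d["db_object"], d["detail"])
                      for d in overprivileged]
            priority = max(0, priority - 1)
        merged.append({"cwe": cwe, "where": where, "status": status,
                       "priority": priority, "action": action, "impact": impact})

    # Database-side findings are reported in their own right as well.
    for d in data:
        merged.append({"cwe": d["cwe"], "where": d["db_object"], "status": "data-only",
                       "priority": 2, "action": d["detail"], "impact": []})

    merged.sort(key=lambda m: (m["priority"], m["cwe"], m["where"]))
    return merged


if __name__ == "__main__":
    for m in correlate(STATIC, DYNAMIC, DATA):
        print("P%d CWE-%-3d %-28s %-18s %s"
              % (m["priority"], m["cwe"], m["where"], m["status"], m["action"]))
        for note in m["impact"]:
            print("      impact: " + note)
```

Run stand-alone, the script lists the confirmed SQL injection on /search first, escalated because the data perspective shows the application login is db_owner; the static-only finding on /admin/report is kept but flagged for a reachability check (the scanner may simply not have been given admin credentials), and the CSRF finding the scanner saw is kept with a note that its handler still has to be found in source.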

This session offers attendees an opportunity to learn about a best-practice approach to application security risk analysis from a unified team of the industry's leading practitioners in software security professional services (Cigital), static source code analysis (Fortify Software), web application scanning and penetration testing (IBM/Rational/Watchfire) and application data security analysis (Application Security, Inc.). In addition, they will hear from a representative of the USAF Application Software Assurance Center of Excellence (ASACoE) regarding the current use of this approach to assess Air Force software applications.

What will attendees gain from this session?

  • An understanding of the various potential perspectives of application security risk analysis
  • An understanding and appreciation of the value of integrated multi-perspective application security risk analysis
  • An understanding of the challenges and mechanisms for integrating multiple perspectives of application security risk analysis
  • An understanding of an actionable baseline approach for pursuing multi-perspective application security risk analysis
  • Confidence that multi-perspective application security risk analysis is real, practical and something they should consider today

Outline

  1. Overview of Multi-perspective Application Security Risk Analysis: Cigital
  2. Role of static code analysis as an element of integrated multi-perspective risk analysis: Fortify Software
  3. Role of application scanning and penetration testing as an element of integrated multi-perspective risk analysis: IBM/Rational/Watchfire
  4. Role of application data security analysis as an element of integrated multi-perspective risk analysis: Application Security Inc.
  5. Real-world case study - Air Force Application Software Assurance Center of Excellence (ASACoE) Triage Risk Assessments: AF ASACoE
  6. Integrated example: Cigital
  7. Summary and Conclusion: Cigital

Prerequisites

Knowledge of software development technologies and processes; familiarity with software risk analysis (including one or more of static code analysis, application scanning & penetration testing, or application data security analysis) would be useful.

About the Instructors

Mr. Sean Barnum is a Principal Consultant at Cigital and is technical lead for their federal services practice. He has over 23 years of experience in the software industry in the areas of development, software quality assurance, quality management, process architecture & improvement, knowledge management and security. He is a frequent contributor, speaker and trainer for regional and national software security and software quality publications, conferences & events. He is very active in the software assurance community and is involved in numerous knowledge standards-defining efforts including the Common Weakness Enumeration (CWE), the Common Attack Pattern Enumeration and Classification (CAPEC), and other elements of the Software Assurance Programs of the Department of Homeland Security and the Department of Defense. He is coauthor of the book "Software Security Engineering: A Guide for Project Managers", recently published by Addison-Wesley. He is also the lead technical subject matter expert for the Air Force Application Software Assurance Center of Excellence.

Mr. Jacob West manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. Jacob brings expertise in numerous programming languages, frameworks and styles together with knowledge about how real-world systems can fail. In addition, he recently co-authored a book, "Secure Programming with Static Analysis," which was published in June 2007. Before joining Fortify, Jacob worked with Professor David Wagner, at the University of California at Berkeley, to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.

Mr. Ray Lintner is a senior technical resource for IBM/Rational/Watchfire in the field of application scanning and penetration testing.

Mr. Anthony Vicinelly is the Federal Systems Engineer for Application Security Inc, with responsibility for assisting with product evaluation, implementation, and integration of DbProtect, the company's database security suite. He is also the technical resource for customers within the federal government, helping them achieve their individual database compliance and security goals. He brings with him experience as a Software Engineer for Raytheon Company, where he was responsible for the development, deployment, integration, and training of database and web-based applications. Mr. Vicinelly holds a B.S. in Computer Science from Westminster College.

Maj. Michael D. Kleffman is the Chief Technical Officer (CTO) for the Application Software Assurance Center of Excellence (ASACoE), 754 ELSG at Maxwell AFB-Gunter Annex, AL. As CTO, he integrates software assurance tools and processes into Air Force software development and new acquisitions. Maj. Kleffman has also managed the Air Force Incident Response Team, which handled an average of 100 network intrusions per year. In addition, as a captain he led a team of 20 analysts who monitored over 1000 real-time incidents per day. Maj. Kleffman has a BS from McMurry University and an MS in Information Assurance from the Air Force Institute of Technology.