The Application Development group in any enterprise is critical to IT's mission. At the same time, the security risks associated with software development are legendary. We see continual examples of successful attacks on production code by intruders exploiting known vulnerabilities such as buffer overflows, use of non-secure code libraries, directory traversal, untested code paths, and more. In addition, development shops often have no security policies covering the development process and lack tools, such as code analyzers, that automate the discovery of security vulnerabilities before code is deployed into production.
Given these security risks and the business risk that follows from them, it is critical for you to understand the issues in a development shop and assess the related business risk.
This session is intended to provide you with the knowledge and tools to critically assess the levels of security and risk inherent in a corporate software development shop.
We will discuss:
- How attackers exploit vulnerabilities due to software defects
- Why network defenses are no longer enough
- Salient differences between secure and non-secure development methodologies
- The software assurance maturity model
- Software security metrics
- Security requirements in the design, secure software architecture, design analysis, code reviews, security testing, and vulnerability management
- Identify application vulnerabilities
- Identify metrics to evaluate secure development
- Apply a maturity model to the evaluation of development security
Overview of software development lifecycle and security
- Why do we need to assess an App Development shop?
- What is the objective of the review?
- Demonstration: How attackers exploit App vulnerabilities
- Why are network defenses no longer enough?
- Why is security different from other requirements?
- Workshop: Take a vocation vacation – be a hacker or a developer for a day
- Results of a security review of an App Development shop
Measuring security maturity in software development lifecycle
- A survey of development methodologies
- A survey of secure development models
- A detailed look into a software assurance maturity model by measuring these security practices:
  - Strategy & Metrics
  - Policy & Compliance
  - Education & Guidance
  - Threat Assessment
  - Security Requirements
  - Secure Architecture
  - Design Analysis
  - Code Review
  - Security Testing
  - Vulnerability Management
  - Environment Hardening
  - Operational Enablement
Setting maturity levels in the software development lifecycle
- How to set a goal for the app development maturity level
- Workshop: Setting the goal for an online retailer and a car rental company
- How to plan a successful path to achieve the maturity goal
- How to estimate the cost of achieving the maturity goal
Who Should Attend
Audit managers and audit staff involved with assessing audit risk associated with a software development shop and conducting an operational audit of that function.
Group-Live & Group Internet-Based
Prerequisite: General understanding of IT development methodologies
Online: Four 3-hour sessions
On Site: 2 days
CPE Credits: 14