Security BSides Las Vegas organizers have reached the point of no return, in the best sense of the term: the Calls for Presenters, volunteers, and Proving Ground mentors are all closed, the logo contest is over, and all that’s left is to find a few more sponsors.
BSides supporters, now is the time to get your wallets out and help ensure this show is one-hundred percent funded; see the Sponsorship Kit to learn how.
With the pitch out of the way, time to get back to our series highlighting a few of the conference’s sessions. We have covered a session about a Windows web server tool called OMENS, a review of Fun with WebSockets Using Socket Puppet and a session on open source penetration testing and forensics.
We also took a look at a session on Vulnerabilities in Application Whitelisting and a session titled Never Mind Your Diet, Cut the Crap From Your Vocabulary, which outlined how security professionals can more clearly articulate their ideas with brevity.
This week we are reviewing a session called The Goodness is Baked In: Baking Assurance into Software, which is being presented by first-time speaker Ebony Pierce (@ESP_09) and takes on the subject of Software Assurance.
“In a world of Big Data, data mining, network breaches and the cloud, what is the first line of defense for your important, personal, private info?” Ebony asked in her session abstract, the answer of course being Software Assurance.
The talk will examine several definitions of Software Assurance, and will include information about the recently passed National Defense Authorization Act of 2013 (NDAA) and what it means for software assurance and career developers. The session will also cover some common vulnerabilities in software and suggestions for incorporating Software Assurance into the coding and testing of applications.
Ebony is a Senior Software Engineer who began her career working on a website that initiated a C&A process and inspired her deep interest in information security.
While she describes herself as being a “mediocre developer who uses common sense rather than expert technical skill to attack problems,” she holds a B.S. in Computer Science, an M.S.M. in Information Systems Security, and several certifications including Certified Ethical Hacker, Security+, as well as being a Certified Information Systems Auditor.
Software Assurance is of the utmost importance today because of the level of engagement between companies and their customers by way of applications, and companies need to take the necessary steps, including secure coding practices, to ensure the security of the information they collect.
“It’s also important from a developer/tester/business analyst standpoint: it isn’t enough to just understand the process, know the requirements or complete the coding according to syntax,” Ebony says. “We have to start incorporating security at all levels.”
Software Assurance today is essential to everyone: users of systems need to understand how their information can be exposed; developers need to understand that secure coding consists of more than just programming syntax; and management needs to focus on hiring well-rounded developers who will improve their products’ security and not just maintain the status quo.
“I recently had to conduct interviews for developers, and one of the first questions that I ask is if the applicant is familiar with SQL injection and cross-site scripting attacks. Some had heard of it, some knew it was a threat, but few could explain how to incorporate protections into the code,” Ebony said.
“This is a major problem for developers, businesses and users because attackers have all the time they need to try to break your application, and if they do your customers lose their info, your company may lose business, and you could lose your job.”
Ebony is hoping that BSidesLV attendees will come away with a better understanding of the importance of building robust and secure systems, and of how Software Assurance affects everyone in ways that may not be readily apparent.
“We do a great deal of business over the Internet. We date, we bank, we buy, we sell, we job hunt, we job post,” Ebony said. “Most of our lives revolve around some type of information being stored or passed over the Internet, and most people don’t consider how that information is being saved, maintained, or protected until something bad happens like at Monster.com in 2009, at Gawker in 2010, at Strategic Forecasting in 2011, at Sony in 2012, and now American Express in 2013.”
Ideally, the software development life-cycle (SDLC) will continue to adapt and better incorporate security into the processes of creating and updating software, schools will start to teach built-in security as a baseline for software development, and companies will start to require developers to have secure coding knowledge and experience.
Unfortunately, businesses continue to come up with ingenious ideas that pull people in, and there are no regulations for security in software releases, so this topic will continue to be of interest, Ebony believes.
“With the expansive use of e-readers, smartphones and tablets, we’ve made information more mobile, widespread and easier to attack. If we could start at an educational level, we have a much better chance of narrowing the gap between progress, innovation, accessibility and security,” Ebony said.
She says that one of the reasons she decided to submit for a speaker’s slot at BSidesLV this year was the disproportionate number of women presenters at information security events, and her desire to be a catalyst for more female participation.
“I want to see more women in tech, I want more women to try their hand and take a gamble. I want women to know that it’s OK, it’s not a boys’ club, and that the change I’m looking for and the message that I want to spread can only get out if it starts with someone,” Ebony said.
“Someone like me…”