Virginia

Next Meeting
Due to holidays, etc., the December meeting is canceled. See you in January!

Directions
To Booz Allen's One Dulles facility:

13200 Woodland Park Road Herndon, VA 20171

From Tyson's Corner:


 * 1) Take LEESBURG PIKE / VA-7 WEST
 * 2) Merge onto VA-267 WEST / DULLES TOLL ROAD (Portions Toll)
 * 3) Take the VA-657 Exit (Exit Number 10 towards Herndon / Chantilly)
 * 4) Take the ramp toward CHANTILLY
 * 5) Turn Left onto CENTERVILLE ROAD (at end of ramp)
 * 6) Turn Left onto WOODLAND PARK ROAD (less than 1⁄2 mile)
 * 7) End at 13200 WOODLAND PARK ROAD

Past Meetings
To kick off 2009, our January meeting featured a discussion of the relationship between application security and CMMI, and an overview of the OWASP ASVS project.

Michele Moss, Booz Allen Hamilton: Evolutions In The Relationship Between Application Security And The CMMI Addressing new and complex threats and IT security challenges requires repeatable, reliable, rapid, and cost effective solutions. To implement these solutions, organizations have begun to align their security improvement efforts with their system and software development practices. During a “Birds of a Feather” at the March 2007 SEPG, a group of industry representatives initiated an effort which led to the definition of assurance practices that can be applied in the context of the CMMI. This presentation will provide an understanding how applying the assurance practices in the context of security contribute to the overall increased quality of products and services, illustrate how the a focus on assurance in the context of CMMI practices is related to application security practices, and present and approach to evaluate and improve the repeatability and reliability of assurance practices. Michele Moss, CISSP, is a security engineer with more than 12 years of experience in process improvement. She specializes in integrating assurance processes and practices into project lifecycles. Michele is the Co-Chair of the DHS Software Assurance Working Group on Processes & Practices. She has assisted numerous organizations with maturing their information technology, information assurance, project management, and support practices through the use of the capability maturity models including the CMMI, and the SSE-CMM. She is one of the key contributors in an effort to apply an assurance focus to CMMI.

Slides available: []

Mike Boberski, Booz Allen Hamilton: About OWASP ASVS

The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially-workable open standards that are tailored to specific web-based technologies.

Mike Boberski works at Booz Allen Hamilton. He has a background in application security and the use of cryptography by applications. He is experienced in trusted product evaluation, security-related software development and integration, and cryptomodule testing. For OWASP, he is the project lead and a co-author of the OWASP Application Security Verification Standard, the first OWASP standard.

Slides available: []

For our November 2008 meeting, we had two great presentations on software assurance and security testing.

Nadya Bartol, Booz Allen Hamilton: Framework for Software Assurance

Nadya's presentation will provide an update on the Software Assurance Forum efforts to establish a comprehensive framework for software assurance (SwA) and security measurement. The Framework addresses measuring achievement of SwA goals and objectives within the context of individual projects, programs, or enterprises. It targets a variety of audiences including executives, developers, vendors, suppliers, and buyers. The Framework leverages existing measurement methodologies, including Practical Software and System Measurement (PSM); CMMI Goal, Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC 27004 and identifies commonalities among the methodologies to help organizations integrate SwA measurement in their overall measurement efforts cost-effectively and as seamlessly as possible, rather than establish a standalone SwA measurement effort within an organization. The presentation will provide an update on the SwA Forum Measurement Working Group work, present the current version of the Framework and underlying measures development and implementation processes, and propose example SwA measures applicable to a variety of SwA stakeholders. The presentation will update the group on the latest NIST and ISO standards on information security measurement that are being integrated into the Framework as the standards are being developed.

Slides available: []

Paco Hope, Cigital: The Web Security Testing Cookbook

The Web Security Testing Cookbook (O'Reilly & Associates, October 2008) gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. Its recipe style approach covers manual, exploratory testing as well automated techniques that you can make part of your unit tests or regression cycle. The recipes cover the basics like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book complements many of the security texts in the market that tell you what a vulnerability is, but not how to systematically test it day in and day out. Leverage the recipes in this book to add significant security coverage to your testing without adding significant time and cost to your effort.

Congratulations to Tim Bond who won an autographed copy of Paco's book. Get your copy here []

Slides available: []

For our October 2008 meeting, we had two fascinating talks relating to forensics.

Dave Merkel, Mandiant: Enterprise Grade Incident Management - Responding to Persistent Threats

Dave Merkel is Vice President of Products at Mandiant, a leading provider of information security services, education and products. Mr. Merkel has worked in the information security and incident response industry for over 10 years. His background includes service as a federal agent in the US Air Force and over 7 years experience directing security operations at America Online. He currently oversees the product business at Mandiant, and is in charge of building Mandiant Intelligent Response - an enterprise incident response solution. But no, he won't be selling you anything today.

Slides available: []

Inno Eroraha, NetSecurity: [Responding to the Digital Crime Scene: Gathering Volatile Data

Inno Eroraha is the founder and chief strategist of NetSecurity Corporation, a company that provides digital forensics, hands-on security consulting, and Hands-on How-To® training solutions that are high-quality, timely, and customer-focused. In this role, Mr. Eroraha helps clients plan, formulate, and execute the best security and forensics strategy that aligns with their business goals and priorities. He has consulted with Fortune 500 companies, IRS, DHS, VA, DoD, and other entities.

Slides available: [ ]