Los Angeles/2010 Meetings/September 22

Jump to: navigation, search


Topic: Secure Coding Practices and Procedures

Speaker: Mike O. Villegas, CISA, CISSP, GSEC

Miguel (Mike) O. Villegas is the Director of Information Security at Newegg, Inc. and is responsible for Information Security, Business Continuity Management, and PCI DSS (Payment Card Industry Data Security Standard) compliance. Newegg, Inc. is a PCI Level 1 Merchant and Service Provider. It is one of the fastest growing E-Commerce companies established in 2001 and exceeded revenues of over $2.6 Billion in 2009.

Mike has over 30 years of Information Systems security and IT audit experience. Mike was previously Vice President & Technology Risk Manager for Wells Fargo Services responsible for IT Regulatory Compliance and was previously a partner at Arthur Andersen and Ernst & Young for their information systems security and IS audit groups over a span of nine years. Mike is a CISA, CISSP, and GSEC.

Mike is the current LA ISACA Chapter President and was the SF ISACA Chapter President during 2005-2006. He was the SF Fall Conference Co-Chair from 2002–2007 and also served for two years as Vice President on the Board of Directors for ISACA International.

Abstract: Secure Coding Practices and Procedures

Secure Coding Practices and Procedures: Organizations process information over web applications that can be often classified as sensitive, confidential, or considered intellectual property. Web Application Firewalls (WAF) provide protection for business critical data and web applications with an automated and transparent approach to monitor and protect enterprise data as it is accessed and transacted through applications.

To augment WAF filtering and vulnerability monitoring, many organizations have developed or outsource secure code reviews and development. Information Security at Newegg established their own .NET C# secure coding standard, train and test our developers on secure coding, and do their own secure code reviews with WebInspect and manual code reviews. They started to develop a web application threat modeling approach but it is still in its infancy. This presentation focuses on the secure coding standard, satisfying PCI requirements for such, and training / testing of developers in secure coding practices using OWASP Top 10 Vulnerabilities as its foundation.

Topic: Threat Modeling at Symantec

Speaker: Edward Bonver, CISSP, CSSLP

Edward Bonver is a principal software engineer on the product security team, which is part of Symantec Research Labs under the Office of the CTO at Symantec Corporation. In this capacity, Edward is responsible for working with software developers and quality assurance (QA) professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures and tools for secure coding and security testing. Within Symantec, Edward teaches secure coding and security testing classes for Symantec engineers, and also leads the company’s QA Security Task Force, which he founded. Prior to joining Symantec, Edward held software engineering and QA roles at Digital Equipment Corporation, and small networking companies.

Edward is a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP), and is a professional member of the Institute of Electrical and Electronics Engineers (IEEE) and the Association of Computing Machinery (ACM). He holds a masters degree in computer science from California State University, Northridge, and a bachelors degree in computer science from Rochester Institute of Technology. Edward is a Ph.D. student at NOVA Southeastern University.

Abstract:Threat Modeling at Symantec

Threat Modeling at Symantec: Threat Modeling is one of the most important security activities that a development/QA team needs to perform as part of a Security Development Lifecycle. This activity allows the team to build a complete security profile of the system being built. Threat Modeling is not always easy to get going for a team that has little or no security experience. In this presentation we’ll take a look at why Threat Modeling is so important; we’ll explore the process behind it, and how the process is being implemented and followed across Symantec.