Difference between revisions of "OWASP AppSec DC 2012/Risk Analysis and Measurement with CWRAF"

Revision as of 19:44, 12 March 2012


The Presentation

To better enable software stakeholders to reduce risks attributable to the most significant exploitable software weaknesses relevant to specific business/mission domains and technologies, the DHS NCSD SwA program sponsored the development of the Common Weakness Risk Analysis Framework (CWRAF). CWRAF uses the Common Weakness Scoring System (CWSS) scoring criteria with CWE to provide consistent measures for prioritizing risk mitigation efforts and focusing secure coding practices, enabling better informed decision-making and the acquisition of more resilient software products and services. CWRAF enables targeted "Top-N" CWE lists that are relevant to the technologies used within specific business domains. Past Top 25 CWE lists have represented community collaboration efforts to prioritize the most exploitable constructs that make software vulnerable to attack or failure. Now, with CWRAF, business domains can use the scoring criteria with CWE to identify the exploitable weaknesses that are most significant to them, given what their software does for their business.
The Common Weakness Enumeration (CWE) defines a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that detect weaknesses in software. To encourage and recognize use of CWEs, MITRE has established the CWE Compatibility and Effectiveness Program. Phases 1 and 2 of the program establish that tool warnings accurately map to CWEs. Phase 3 establishes which CWEs a tool (or capability) can identify and locate via testing. In this session, we propose (1) ideas on what constitutes acceptable fundamental and broad test sets for Phase 3, and (2) that the SAMATE Reference Dataset (SRD) be the repository and access point for such test sets.
The CWE Coverage Claims Representation (CCR) is a lightweight schema that allows a software analysis tool and/or service provider to state claims as to those CWEs that their technology or process can discover. This session is targeted at tool/service vendors and tool/service consumers, with the goal of refining the CCR model for public release. Issues to be addressed include the specificity of claims, "anti-claims," and key use-cases for CCR.
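The abstract describes CWRAF as combining CWSS scoring criteria with CWE so that a business domain gets its own "Top-N" list. The following is an added illustration written for this page; it is not code from the OWASP site, MITRE, or the CWRAF/CWSS projects. It ranks three constructed CWE entries for two hypothetical business-domain vignettes (online banking and a real-time control system). The three CWSS subscore formulas are reproduced from the author's reading of the CWSS 1.0.1 specification, which the page itself does not state, so verify them against the spec; every factor value, technical-impact assignment and vignette weighting is constructed sample data, and the field names are the author's own.

```python
"""CWRAF-style Top-N ranking over CWSS scores (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class CwssFactors:
    """CWSS factor values on their 0..1 scales; Technical Impact (TI) and
    Business Impact (BI) are supplied by the vignette, not stored here."""
    acquired_privilege: float        # AP  (Base Finding group)
    acquired_privilege_layer: float  # AL
    internal_control: float          # IC
    finding_confidence: float        # FC
    required_privilege: float        # RP  (Attack Surface group)
    required_privilege_layer: float  # RL
    access_vector: float             # AV
    authentication_strength: float   # AS
    level_of_interaction: float      # IN
    deployment_scope: float          # SC
    likelihood_of_discovery: float   # DI  (Environmental group)
    likelihood_of_exploit: float     # EX
    external_control: float          # EC
    prevalence: float                # P


@dataclass
class Weakness:
    cwe_id: str
    name: str
    technical_impacts: list   # CWRAF Technical Impact names this CWE can cause
    factors: CwssFactors


def technical_impact_factor(weakness, impact_weights):
    """CWRAF idea: a vignette's Technical Impact Scorecard weights each impact
    0..10 for that business domain. Use the strongest applicable impact,
    scaled to the 0..1 range CWSS expects for TI."""
    weights = [impact_weights.get(ti, 0) for ti in weakness.technical_impacts]
    return max(weights, default=0) / 10.0


def cwss_score(ti, bi, f):
    """CWSS 1.0.1 as recalled by the author (assumption, verify against spec):
    Total = BaseFinding(0..100) * AttackSurface(0..1) * Environmental(0..1)."""
    base = ((10 * ti + 5 * (f.acquired_privilege + f.acquired_privilege_layer)
             + 5 * f.finding_confidence)
            * (1 if ti > 0 else 0) * f.internal_control * 4.0)
    surface = ((20 * (f.required_privilege + f.required_privilege_layer + f.access_vector)
                + 20 * f.deployment_scope + 15 * f.level_of_interaction
                + 5 * f.authentication_strength) / 100.0)
    env = ((10 * bi + 3 * f.likelihood_of_discovery + 4 * f.likelihood_of_exploit
            + 3 * f.prevalence) * (1 if bi > 0 else 0) * f.external_control / 20.0)
    return round(base * surface * env, 2)


def top_n(weaknesses, vignette, n=3):
    """Score every weakness under one vignette and return the N highest."""
    scored = []
    for w in weaknesses:
        ti = technical_impact_factor(w, vignette["impact_weights"])
        scored.append((w.cwe_id, cwss_score(ti, vignette["business_impact"], w.factors)))
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored[:n]


# Constructed sample data: a fully exposed attack surface and environment for
# all three entries so the ranking is driven by technical impact and privilege.
_EXPOSED = dict(required_privilege=1.0, required_privilege_layer=1.0, access_vector=1.0,
                authentication_strength=1.0, level_of_interaction=1.0, deployment_scope=1.0,
                likelihood_of_discovery=1.0, likelihood_of_exploit=1.0,
                external_control=1.0, prevalence=1.0)

WEAKNESSES = [
    Weakness("CWE-89", "SQL Injection", ["Read Data", "Modify Data"],
             CwssFactors(acquired_privilege=1.0, acquired_privilege_layer=1.0,
                         internal_control=1.0, finding_confidence=1.0, **_EXPOSED)),
    Weakness("CWE-287", "Improper Authentication", ["Bypass Protection Mechanism"],
             CwssFactors(acquired_privilege=1.0, acquired_privilege_layer=1.0,
                         internal_control=1.0, finding_confidence=0.8, **_EXPOSED)),
    Weakness("CWE-400", "Uncontrolled Resource Consumption", ["DoS: Resource Consumption"],
             CwssFactors(acquired_privilege=0.5, acquired_privilege_layer=0.5,
                         internal_control=1.0, finding_confidence=1.0, **_EXPOSED)),
]

# Two hypothetical vignettes: what each domain cares about most.
BANKING = {"business_impact": 1.0,
           "impact_weights": {"Read Data": 10, "Modify Data": 10,
                              "Bypass Protection Mechanism": 9,
                              "DoS: Resource Consumption": 4}}
CONTROL_SYSTEM = {"business_impact": 0.9,
                  "impact_weights": {"DoS: Resource Consumption": 10,
                                     "Bypass Protection Mechanism": 8,
                                     "Modify Data": 3, "Read Data": 0}}

if __name__ == "__main__":
    for name, vignette in (("banking", BANKING), ("control system", CONTROL_SYSTEM)):
        print(name, top_n(WEAKNESSES, vignette))
```

The same three weaknesses come out in a different order for the two vignettes: the data-exposure weakness leads the banking list, while the control-system list promotes the availability and authentication weaknesses above it. That domain-dependent reordering is the point of a targeted Top-N list, as opposed to a single community-wide Top 25.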

The Speakers

Tom Brennan

Tom's colossal cave adventure started the same year as WarGames, armed with a Televideo 802H, Commodore and Atari 8-bit machines, and a set of lock-picks. The hobby moved quickly from handles to mainstream. Tom took a front row seat on the architecture, development, administration and security of computer-controlled systems, with experiences ranging from the financial trading floor of Wall Street to the United States Marine Corps.

- OWASP Foundation, 2007-Current: International Board of Directors / Chapter Leader / Project Leader
- FBI InfraGard, 2002-2004: Board of Directors, New Jersey; Secure Member
- American Bar Association: Science & Technology Law Committee
- ISO CS1 Ad Hoc Meeting Participant
- Marine Corps League: Member
- American Legion: Member
- IEEE: Member

Tom is the Director of Strategic Initiatives at Trustwave SpiderLabs, which offers clients the largest red team in the world focused on response and investigation, analysis and testing, and research and development. Trustwave, with over 700 employees, is headquartered in Chicago, Ill., with offices throughout Africa, Asia, Australia, Europe, North America and South America. A father of four children, Tom is a frequent and entertaining speaker at information security conferences on the convergence of physical and software security risks, threats, and suggestions for a better approach.

Joe Jarzombek

Joe Jarzombek is the Director for Software Assurance within the National Cyber Security Division of the Department of Homeland Security. In this role he leads government interagency efforts with industry, academia, and standards organizations in addressing security needs in workforce education and training, more comprehensive diagnostic capabilities, and security-enhanced development and acquisition practices. Joe served in the U.S. Air Force as a Lieutenant Colonel in program management. After retiring from the Air Force, he worked in the cyber security industry as vice president for product and process engineering. Joe also served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position. He is a Project Management Professional (PMP) and a Certified Secure Software Lifecycle Professional (CSSLP). As an active member of Toastmasters International, Joe Jarzombek has served as International Director, and he is currently serving as Region Advisor Marketing.

Bob Martin

Robert A. Martin is a Principal Engineer at MITRE, a company that works in partnership with the government to address issues of critical national importance. For the past 18 years, Robert's efforts have focused on the interplay of risk management, cyber security, and quality assessment. The majority of this time has been spent working on the CVE, OVAL, MAEC, CAPEC and CWE security standards initiatives, in addition to basic quality measurement and management. Robert is a frequent speaker on the various security and quality issues surrounding information technology systems and has published numerous papers on these topics. Robert joined MITRE in 1981 with a BS and MS in EE from RPI; later he earned an MBA from Babson College. He is a member of the ACM, AFCEA, IEEE, and the IEEE Computer Society.
