Difference between revisions of "OWASP AppSec DC 2012/Teaching an Old Dog New Tricks Securing Development withPMD"


Latest revision as of 13:34, 25 March 2012

The Presentation

With the recent rise in high-profile corporate web application attacks, many organizations have made it a priority to build security into their internal software development lifecycle. Using static analysis to identify software security bugs is a common element in virtually all software security programs. While there are numerous commercial static analysis products that focus on security, they often involve high price tags, complex/unreasonable licensing models, steep learning curves, and can be cumbersome to integrate with existing processes.
Luckily, using static analysis to identify software bugs is not a new paradigm. For years, developers have used static analysis tools to identify code quality issues. While these tools may not be specifically designed for identifying security bugs, in many cases their underlying analysis engine can be adapted to do so with custom rules.
This presentation will discuss how custom security rules can be added to existing code quality tools to identify potential software security bugs. In many cases, developers are already familiar with these tools and run them during development on a regular basis. Armed with security rulesets, the tools can also be valuable to security code auditors and penetration testers. Writing custom software security rules for the popular Java code scanning tool PMD will be the focus of the presentation.
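
The following ruleset is an added example of the kind of custom rule the abstract describes; it is not material from the presentation or from the PMD project. It assumes the PMD 6 ruleset schema and PMD 6 Java AST node names (PrimaryExpression, PrimaryPrefix, PrimarySuffix, Literal), which differ in PMD 7. The rule names, messages, and the two patterns chosen (a direct Runtime.getRuntime().exec(...) call and a MessageDigest.getInstance(...) call with an MD5 or SHA-1 literal) are this editor's choices for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example ruleset: security-oriented XPath rules layered onto PMD's
     Java analysis engine. Assumes the PMD 6 ruleset schema and AST. -->
<ruleset name="Custom Security Rules"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

  <description>
    Example security rules written as XPath queries over PMD's Java AST.
  </description>

  <!-- Rule 1: flag direct OS command execution so it gets a security review.
       Matches the AST shape of Runtime.getRuntime().exec(...):
       a PrimaryExpression whose prefix is the qualified name
       Runtime.getRuntime and which carries a method suffix named exec. -->
  <rule name="ReviewRuntimeExec"
        language="java"
        message="Runtime.exec() launches an OS command; verify the argument cannot be influenced by untrusted input and prefer the String[] form."
        class="net.sourceforge.pmd.lang.rule.XPathRule">
    <description>Flags Runtime.getRuntime().exec(...) calls for manual security review.</description>
    <priority>1</priority>
    <properties>
      <property name="xpath">
        <value><![CDATA[
//PrimaryExpression
  [PrimaryPrefix/Name[@Image='Runtime.getRuntime']]
  [PrimarySuffix[@Image='exec']]
        ]]></value>
      </property>
    </properties>
  </rule>

  <!-- Rule 2: flag weak hash algorithm selection.
       Matches MessageDigest.getInstance("MD5") and MessageDigest.getInstance("SHA-1");
       PMD keeps the quotes in a string Literal's @Image, hence the nested quoting. -->
  <rule name="WeakMessageDigestAlgorithm"
        language="java"
        message="MD5 and SHA-1 are not collision resistant; use SHA-256 or stronger for integrity or signature purposes."
        class="net.sourceforge.pmd.lang.rule.XPathRule">
    <description>Flags MessageDigest.getInstance() calls that name MD5 or SHA-1 via a string literal.</description>
    <priority>2</priority>
    <properties>
      <property name="xpath">
        <value><![CDATA[
//PrimaryExpression
  [PrimaryPrefix/Name[@Image='MessageDigest.getInstance']]
  /PrimarySuffix/Arguments/ArgumentList/Expression
  /PrimaryExpression/PrimaryPrefix
  /Literal[@Image='"MD5"' or @Image='"SHA-1"']
        ]]></value>
      </property>
    </properties>
  </rule>

</ruleset>
```

Save the file as, for example, security-rules.xml and pass it to the PMD command line with -R security-rules.xml together with the usual -d source directory and -f report format; the violations then appear in the same report developers already read for code quality findings. Because the rules query the parsed AST rather than the source text, formatting and line breaks do not matter, but both XPath expressions match only the literal qualified prefixes Runtime.getRuntime and MessageDigest.getInstance. A call through a local variable (for example rt.exec(cmd) after Runtime rt = Runtime.getRuntime()) or an algorithm name held in a constant is not matched and needs an additional rule, which is the usual trade-off of pattern rules on a code quality engine.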

The Speakers

Joe Hemler

Joseph Hemler is a Co-Founder and Lead Security Engineer at Gotham Digital Science (GDS), an information security consulting firm that works with clients to identify, prevent, and manage security risks. Mr. Hemler has over 11 years of experience working in the security industry performing penetration testing, security code review, and a variety of other secure development services. Prior to founding GDS in 2005, Mr. Hemler was a senior security engineer at Ernst & Young's Advanced Security Center.

Mr. Hemler has authored source code analysis tools and written numerous scripts for identifying and exploiting network and web application vulnerabilities. He is a contributing author to Network Security Tools (O'Reilly 2005) and SQL Injection Attacks and Defense (Syngress March 2009), frequently blogs on the GDS Security Blog, and often speaks at various information security conferences and training seminars. Mr. Hemler graduated with a Bachelor of Business Administration from the University of Notre Dame.
