SnowFROC Cornell Dickson Abstract
The Presentation: Vulnerability Management in an Application Security World
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing application vulnerabilities is more challenging than dealing with traditional infrastructure-level vulnerabilities because it typically requires security teams to coordinate with application development teams, and requires security managers to obtain developer time within already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities and outlines strategies security teams can use to communicate with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
The Speakers: Dan Cornell & John Dickson
Dan Cornell has over ten years of experience architecting and developing web-based software systems. He leads Denim Group’s security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.
Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and is currently the San Antonio chapter leader of the Open Web Application Security Project (OWASP). He is a recognized expert in the area of web application security for SearchSoftwareQuality.com and the primary author of Sprajax, OWASP’s open source tool for assessing the security of AJAX-enabled web applications.
John Dickson is a principal at Denim Group, Ltd. and a Certified Information Systems Security Professional (CISSP) whose technical background includes hands-on experience with intrusion detection systems, telephony security and application security. He has consulted with Fortune 500 clients, Department of Defense organizations and numerous Chief Information Officers regarding their organizations’ security programs and has served as Chief Information Security Officer for a major healthcare organization.
John regularly speaks in front of numerous security groups including the Information Systems Security Association (ISSA) and the Information Systems Audit and Control Association (ISACA). He has also presented at several conferences including CSI 2007, the annual Computer Security Institute Conference, the Texas Regional Infrastructure Security Conference (TRISC) and ConSec 2006. He is a founder and chairman of the San Antonio Technology Accelerator Initiative (SATAI), a founder of the Alamo Chapter of ISSA and the Chairman Elect of the North San Antonio Chamber of Commerce.