News from the ‘Events’ Category

Safelight COO to Speak With Silicon Valley ISSA On Engaging Developers in the Process of Security

Software Security Assurance is gaining attention and momentum at some of the most security-conscious firms in the world. Development teams build the systems that hold the most sensitive corporate data, yet in many cases there is an alarming lack of security awareness. Testing and scanning have become increasingly popular methods for finding vulnerabilities, but more needs to be done to improve the quality of system design and code before it reaches production. In an upcoming presentation for the Silicon Valley Chapter of Information Systems Security Association (ISSA), Safelight Security COO, Mike Maziarz, will discuss the role that development teams play in building secure systems and methods for engaging these teams in the process of security.

You can learn more about this event here: Silicon Valley ISSA

Rob Cheyne Demonstrates Application Architecture Security Assessment

Overview

Date – Wednesday December 1
Time – 6:30 p.m.
Location – Microsoft Offices in Waltham, MA
Topic – Application Architecture Security Assessment – First Session

Presenter – Rob Cheyne, Safelight Security

In the December 1st session, Rob will conduct a sample architecture assessment against a real-world system and, in the process, teach participants how to conduct an architecture assessment of their own. Brave volunteers will be welcome to share their own architectures and have them reviewed. This is an opportunity to get free consulting that typically costs thousands of dollars. Time is limited, so not everyone will be chosen. If you are interested, please contact Rob Cheyne (rcheyne@safelightsecurity.com) directly.

Additional information:

Penetration testing is a common way to evaluate an application’s security. Yet a comprehensive architecture and design assessment can uncover critical security issues that often cost far less to resolve early on in a project. Many companies overlook this element of system design.

Rob was one of a select few at security consulting company @stake who regularly led and conducted full-blown enterprise-level architecture assessments for Fortune 500 companies. Drawing from his experience with dozens of real-world architecture assessments over the past 12 years, and his 20 years as a software developer, architect, and consultant, Rob teaches students to challenge assumptions that frequently lead to long-term security and reliability problems.

Location and Directions

Microsoft offices at the Waltham Weston Corporate Center, 201 Jones Rd., Sixth Floor Waltham, MA

John Carmichael and Rob Cheyne Featured at BASC 2010

John Carmichael and Rob Cheyne presented to over 150 attendees of the 2010 OWASP Boston Application Security Conference.

Coffee Shop Warfare: Protecting Yourself in Dark Territory

Presented by: John Carmichael
Time: 13:00-13:50
Track: 2

A lighthearted look at the real threats that people face in personal computing, specifically when connected to unknown networks at coffee shops and airports. John will cover many of these threats and discuss the tools and best practices everyone can adopt to protect their machine and information from these risks.

OWASP Basics 1 and 2

Presented by: Robert Cheyne
Time: 10:00-11:50
Track: 2

Rob presents a number of scenarios that walk participants through the basics of SQL injection, XSS and CSRF, along with a few other tricks he has up his sleeve. Participants will come away with a foundation for further security learning. Those already knowledgeable on application security issues will learn some new techniques for presenting and teaching this information in a clear, concise and effective manner.

Rob Cheyne presenting at OWASP Boston, October 6th

Next meeting – Wed. Oct 6, Microsoft Waltham. This is the first of a two-part session. The second part will be Wed. Dec. 1.

Overview:

In this highly interactive two-part workshop, Rob Cheyne of Safelight Security will show you the basics of conducting a real-world architecture & design review. This workshop draws from Safelight’s Security Architecture Fundamentals training course, a two-day course frequently used to teach Fortune 500 companies how to look at their system architectures from both the hacker’s and the designer’s point of view.

First session:

In the first session on October 6, Rob discusses a practical approach to architecture review and threat modeling using real-world examples. This session lays the foundation for participants to take part in a real-world architecture review in the December session.

Attendees will learn:

  • How to holistically examine a system architecture for security issues from both the designer’s and the hacker’s point of view
  • To identify frequently overlooked areas where security vulnerabilities commonly occur
  • Tips for assessing a system at the host-level, network level, and application level
  • Practical ways to apply threat modeling to help manage risk

Second session:

In the December 1st session, Rob will conduct a sample architecture assessment against a real-world system and, in the process, teach participants how to conduct an architecture assessment of their own. Brave volunteers will be welcome to share their own architectures and have them reviewed. This is an opportunity to get free consulting that typically costs thousands of dollars. Time is limited, so not everyone will be chosen. If you are interested, please contact Rob Cheyne (rcheyne@safelightsecurity.com) directly.

Who should attend?

Anyone can participate and learn from the discussion in this accessible and dynamic workshop. Whether you are an architect, a developer, or a manager, there will be something here for you. Come learn to challenge your assumptions.

Additional information:

Penetration testing is a common way to evaluate an application’s security. Yet a comprehensive architecture and design assessment can uncover critical security issues that often cost far less to resolve early on in a project. Many companies overlook this element of system design. Rob was one of a select few at security consulting company @stake who regularly led and conducted full-blown enterprise-level architecture assessments for Fortune 500 companies. Drawing from his experience with dozens of real-world architecture assessments over the past 12 years, and his 20 years as a software developer, architect, and consultant, Rob teaches students to challenge assumptions that frequently lead to long-term security and reliability problems.

http://www.owasp.org/index.php/Boston

We will still have a November meeting, featuring Pravir Chandra, project leader for OWASP Open SAMM. http://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model#tab=Main

OWASP Boston Lightning Talk: Cross Site Scripting, Reflected and Persistent

In the second installment of Safelight’s Lightning Talk series, Rob Cheyne will present the basics of cross-site scripting (XSS) at OWASP Boston.

He will cover the two primary methods of XSS attack, reflected and persistent, as well as provide detailed demonstrations that show how an attacker would use these methods in the real world.
As part of the demo, Rob will go beyond proof of concept and present an example of a “weaponized” JavaScript that could be used to steal another user’s session information.
Rob will also offer practical tips for defending against cross-site scripting flaws in your own applications.
When: June 2, 2010

Time: 6:30 p.m.

Where: Microsoft offices at the Waltham Weston Corporate Center, 201 Jones Rd., Sixth Floor Waltham, MA

Safelight Headlines OWASP Boston with Monthly Lightning Talk Series

IT Security Education Key to Defending Against OWASP Top 10 Most Critical Web Application Vulnerabilities

In the first of the Safelight Security Advisors Lightning Talk Series, CEO Rob Cheyne will discuss “An Introduction to SQL Injection,” at the Open Web Application Security Project (OWASP) Boston chapter meeting, Monday, May 3.

Rob will cover the methodology used by professional attackers, along with detailed demonstrations of one of the most common and dangerous OWASP Top 10 issues.

After demonstrating how SQL injection can be used to run system commands and gain root access on a database server, Rob will provide practical tips for defending against SQL injection flaws.

Safelight’s Lightning Talks are designed for members newer to OWASP who are interested in understanding the basics of web application security, although everyone should feel free to attend.

When: May 3, 2010, with subsequent meetings typically the first Wednesday of the month

6:30 – 7:00 p.m. Networking
7:00 – 9:00 p.m. Main Presentations
Join the Boston mailing list.

Join Us at the RSA 2010 Conference

RSA 2010 Conference

March 1-3

Moscone Center

San Francisco, CA

Join Safelight at Booth #2058 to see the latest in information security training, including our newest online learning programs. Attend our customer presentation, Banking on Security Education, with State Street Bank’s Vice President Jeff Richard, and a cocktail reception from 6:00 – 8:00 p.m. at The St. Regis Hotel to hear how this leading financial institution rolled out a comprehensive security training program for thousands of developers worldwide. You must register for this event in advance in order to attend.

Webcast: “New Technology Wearing Hand-Me-Down Vulns”

Safelight’s CEO Rob Cheyne will present a webcast for the Microsoft SDL Pro Network community on “New Technology Wearing Hand-Me-Down Vulns,” February 25, 2010 from 1:00-1:30 p.m. EDT.

Using a web service as an example, Rob will demonstrate how classic vulnerabilities can crop up in new technologies and how applying SDL principles can help build secure systems. Register for the Webcast.

Safelight Named Member of Microsoft SDL Pro Network

At BlackHat DC 2010, Safelight Security Advisors today became a training member of Microsoft’s Security Development Lifecycle (SDL) Pro Network. Microsoft created the SDL Pro Network to help development organizations adopt the SDL and address the challenges of embedding security and privacy into their software and development culture. As one of seven new members and the only training company selected among the latest group, Safelight joins a select network of industry leaders specializing in application security with significant experience in secure development lifecycle methodologies.

“Microsoft is happy to have SafeLight join the SDL Pro Network. We believe training is a cornerstone to the SDL and SafeLight can help train developers on secure coding practices,” said David Ladd, Principal Security Program Manager, Microsoft’s Trustworthy Computing Group.

As part of the SDL Pro Network, Safelight looks forward to continuing its mission of training students in a disciplined process that is proven to reduce vulnerabilities and lower the total cost of development. Safelight’s instructor-led and online learning programs help companies incorporate security best practices into their development initiatives, offering security education courses that cover all phases of the SDL:

  • Introduction to the Microsoft Development Lifecycle
  • Application Security Fundamentals
  • Architecting Secure Systems
  • Language-Specific & Language-Agnostic Secure Coding
  • Testing for Secure Systems
  • Managing a SDL (for project managers and team leaders)
  • Risks of Insecure Applications (for business owners and executives)

Visit Safelight’s SDL Pro Network page at http://securityadvisors.com/sdl to learn more about our offerings.

Read Microsoft’s announcement on the new SDL Pro Network members in their press room.

Rob Cheyne Presenting at CSI 2009

Safelight’s CEO Rob Cheyne will present, “Banking on Education: A Case Study on Developer Security” at CSI 2009 on Tuesday, October 27, 2009 from 9:45-10:45 a.m.

Learn how Safelight Security Advisors helped a major U.S. bank create security training for its internal developers: both employees and contractors located in multiple countries. Attendees will learn ways to shift the mindset of this critical audience, leaving with ideas they can start to implement themselves.

CSI 2009 features a comprehensive program, covering 18 main topic areas, to provide the security knowledge needed to succeed in today’s environment. To attend, visit http://csiannual.com.