LASCON 2015

I've been building software security programs for nearly a decade, and continue to observe the same challenges. Adding security into the dev process relies heavily on dev's own processes which can make implementing a software security program difficult. This talk will communicate common challenges when building a software security program, tips and tricks for addressing them, and expectations you'll need to improve the security of your company's software.

Watch  the Talk Video

All security professionals commit preventable workplace mistakes: We trust our intuition when impaired by cognitive bias, and we interpret the words and actions of others incorrectly, leading to ineffective communication. These mistakes lead to poor, inconsistent relationships with everyone involved in the development lifecycle. We can address them by understanding the behavior of others and by learning to architect objective decisions.

In the rush to reap the benefits from Big Data projects, organizations frequent forget the importance of securing and protecting their "Crown Jewels". From a security and privacy perspective, Big Data differs from traditional data and requires a different approach. At the same time, it shares many commonalities. Existing methodologies and preferred practices can easily be extended to support Big Data. This talk will describe how and why Big Data is different, the data security and privacy challenges, and a set of best practices and recommended technical controls that will help you to secure and protect your organization's Crown Jewels.

Security is comprised of people, process and technology. As security professionals we are naturally drawn to the new shiny thing. Yet, how important is the culture of security to the overall security posture of an organization. Is your industry a bigger target than others? Lets brainstorm together with a hot cup of java and share nuggets of security stories from our lives to see what works and what does not.

iSEC Partners routinely carry out Attacker Modeled Penetration Tests that use any and all means possible to gain entry to a company. The goal is to test organizations against true-to-life attack and penetration activities that real attackers use in the breaches that make headline News (and the breaches that don't).
Organizations that use Cloud Services to provision an operating environment to support a product, or use Cloud Service Providers to outsource elements of traditional enterprise IT into the Cloud, can find those very aspects used against them in an attack. While the potential attack surface for a breach changes, in many ways the use of Cloud infrastructure can make it easier for an attacker to gain access to critical systems and data. In this session the speaker will describe methods of penetration used during recent tests, illustrating how Cloud Services are viable entry points that lead to significant compromises. The following areas will be discussed:
- Common mistakes in deploying Internet-facing Cloud infrastructure
- Replication and communication paths between Cloud and on-premises infrastructure
- Effective ways for attackers to gain access to the Cloud Service administration console
- How the use of Cloud Services is weakening enterprise IT security
- Methods for securing Cloud Services, closing vulnerabilities and protecting the company

How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - There's an endless feed of Buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments.