Application Security Principles (First Edition)











Ted Demopoulos


Program Track:
Technical Briefings

Program Duration:
36 Minutes  




Value Category: Navigation
Key Issues: Why does security need to be part of the system design? What are the principles for developing reliable and secure software? Is application security more involved than simply writing good code? What are the security issues in development? What threats, vulnerabilities, and risks are most pressing for an organization? Are there discussions on modeling techniques as well as secure programming concepts and implementation issues? How important are security testing and code reviews?
Application Development
Architecture and Infrastructure
Business Applications
Security and Privacy
 
    
Businesses depend on robust, reliable, and secure software to ensure their continued operation. But with a lot of software, security is cobbled on as an afterthought. According to consultant Ted Demopoulos, security needs to be part of the system design, because adding it later can be difficult, if not impossible. In this program, he explains the principles for developing reliable and secure software, noting that they don’t depend on the underlying operating system, networking, or development language. Demopoulos opens the program with an introduction to application security principles, explaining that there is a lot more involved than simply writing good code. Next, he looks at security issues in development, focusing on balancing security requirements and practical considerations. Demopoulos continues by exploring threats, vulnerabilities, and risks, paying special attention to threat modeling techniques. He also examines secure programming concepts and implementation issues. Demopoulos concludes with a look at security testing and code reviews.

After watching this program, you will:
~ Have an understanding of application security principles that apply to applications developed for any platform and in any language;
~ Have the necessary background to help determine how much effort should be spent on security; and
~ Know the importance of security testing and code reviews.

Viewers of the online and CD versions of the program have easy access to Web links that include: ‘Security and the Application Development Process’ and ‘The 80/20 Rule for Web Application Security.’ White papers include: ‘Web Application Security Consortium: Threat Classification’ and ‘Building Web Application Security Into Your Development Process.’

PROGRAM TOPICS:

  • INTRODUCTION
  • AGENDA
  • INTRODUCTION TO APPLICATION SECURITY PRINCIPLES
  • SECURITY ISSUES IN DEVELOPMENT
  • THREATS, VULNERABILITIES AND RISKS
  • Four Ways to Handle Risks
  • THREAT MODELING
  • Threat Modeling: Four Steps
  • Decomposing the Application
  • Determining the Threats
  • Ranking the Threats by Importance or Risk
  • Mitigating the Threats
  • SECURE PROGRAMMING CONCEPTS
  • Identify Assumptions and Document Them
  • Ask Questions
  • Think Like an Attacker
  • Keep Software Simple
  • Write Modular Code
  • Reuse Secure Code
  • Beware of Prototype Code
  • Use Defense in Depth
  • Applications Should Execute With the Least Privilege Necessary
  • Plan for Failure
  • Secure by Default
  • Security Through Obscurity
  • Users Must Be Accountable for Their Actions
  • Don’t Have Programmers Develop Cryptographic Algorithms
  • Audit Your System
  • IMPLEMENTATION ISSUES
  • Buffer Overflows
  • Never Trust Input Until It’s Validated
  • Race Conditions
  • SECURITY TESTING AND CODE REVIEWS
  • SUMMARY

    AVAILABLE ON:

    Videotape, CD-ROM, Internet, Intranet

    Presenter:

    Ted Demopoulos

    ©2003-2010 WatchIT.com. All rights reserved.