David Coffey & John Viega: Building an Effective Application Security Practice on a Shoestring Budget


Manage episode 152211979 series 1053194
Player FM과 저희 커뮤니티의 Black Hat Briefings, USA 2007 [Video] Presentations from the security conference. 콘텐츠는 모두 원 저작자에게 속하며 Player FM이 아닌 작가가 저작권을 갖습니다. 오디오는 해당 서버에서 직접 스트리밍 됩니다. 구독 버튼을 눌러 Player FM에서 업데이트 현황을 확인하세요. 혹은 다른 팟캐스트 앱에서 URL을 불러오세요.
Software companies inevitably produce insecure code. In 2006 alone, CERT has recognized over 8,000 published vulnerabilities in applications. Attackers were previously occupied by the weaker operating systems and have moved on to easier targets: applications. What makes this situation worse, is the weaponization of these exploits and the business drivers behind them. Some organizations struggle to deal with this trend to try to protect their products and customers. Other organizations have nothing in place, and need to create measures as soon as possible.
This talk will raise several issues that global enterprise organizations currently face with application security and how to overcome them in a cost-effective manner. Some of the issues that will be discussed are software development lifecycle integration, global policy and compliance issues, necessary developer awareness and automated tools, and accurate metrics collection and tracking to measure the progress. Attendees will be introduced to best practices which have worked for McAfee and other large scale global enterprises, and be shown which practices to avoid. If you're only going to invest in a single activity to start, this talk will help you figure out what it should be, and how to measure its success.
David Coffey is the manager of product security at McAfee. At McAfee, David is responsible for assessing the current state of security of the products, development process, and architecture. David is also responsible for leading a geographically distributed team to provide guidance and education to McAfee employees on security measures, process, integration as well as industry best practices.
David has been a professional in the technology field for over a decade, providing for strong computer fundamentals and is proficient in both NIX and Windows environments. Prior to joining McAfee, David spent several years working as either an employee or a consultant in financial institutions around the New York area. David later concentrated on architecting, developing and securing multi-tiered, high traffic, dynamic websites, with the largest one doing 92 million hits per day. David served as the sole Application Security Engineer in the 4th largest cable company in the US, performing duties ranging from code audits to architecting IDS deployments to assisting in the securing of network architectures. Most recently, David had the role of Principle Consultant at a security consulting company, managing the security process integration and adoption for a large financial institution which handles a little over 1 quadrillion dollars a year.
John Viega is Vice President and Chief Security Architect at McAfee, Inc. In this role he is responsible for McAfee Avert Labs' engineering efforts, including the anti-virus engine. In addition to Viega is also in charge of product security strategy, leading security audits of code, and helping to shape the technical directions for the product lines at McAfee. Viega is a well known security expert and cryptographer and has co-authored several books, including Building Secure Software, Secure Programming Cookbook, Network Security with OpenSSL and The 19 Deadly Sins of Software Security. Prior to joining McAfee, Viega was founder and chief technology officer at Secure Software.

89 에피소드