Here is some information regarding this week’s Thursday OWASP – VA Local Chapter infosec meetup event. If you plan on attending, RSVP to Jeremy Epstein (email available in their post – linked below) so they can get your badge processing started.

• Who: Nadya Bartol, Booz Allen Hamilton & Paco Hope, Cigital
• What:
  • Bartol – Framework for Software Assurance: Nadya’s presentation will provide an update on the Software Assurance Forum efforts to establish a comprehensive framework for software assurance (SwA) and security measurement. The Framework addresses measuring achievement of SwA goals and objectives within the context of individual projects, programs, or enterprises. It targets a variety of audiences including executives, developers, vendors, suppliers, and buyers. The Framework leverages existing measurement methodologies, including Practical Software and System Measurement (PSM); CMMI Goal, Question, Indicator, Measure (GQ(I)M); NIST SP 800-55 Rev1; and ISO/IEC 27004 and identifies commonalities among the methodologies to help organizations integrate SwA measurement in their overall measurement efforts cost-effectively and as seamlessly as possible, rather than establish a standalone SwA measurement effort within an organization. The presentation will provide an update on the SwA Forum Measurement Working Group work, present the current version of the Framework and underlying measures development and implementation processes, and propose example SwA measures applicable to a variety of SwA stakeholders. The presentation will update the group on the latest NIST and ISO standards on information security measurement that are being integrated into the Framework as the standards are being developed.
  • Hope – The Web Security Testing Cookbook: The Web Security Testing Cookbook (O’Reilly & Associates, October 2008) gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. Its recipe style approach covers manual, exploratory testing as well automated techniques that you can make part of your unit tests or regression cycle. The recipes cover the basics like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book complements many of the security texts in the market that tell you what a vulnerability is, but not how to systematically test it day in and day out. Leverage the recipes in this book to add significant security coverage to your testing without adding significant time and cost to your effort.
• When: 11/13, 6:00 – 8:30 PM EST
• Where: Booz Allen, One Dulles Facility (13200 Woodland Park Road; Herndon, VA 20171)

For more information on the OWASP – VA Local Chapter, see its description in our NoVA Meetups section. View our Calendar for a complete list of infosec events in and around the NoVA area. Here is a link to the page with information on this meetup.

The OWASP – VA Local Chapter infosec meetup event last week featured a showing of the “The New Face of CyberCrime” documentary and a presentation titled “Integrating Security into the QA Group.” The video featured many prominent security luminaries and was very informative for the general audience that Fortify was marketing it to.It focused on the recent barrage of personal data losses from large companies (e.g., think TJX and others). One interesting note was that a featured company ended up having a data breach soon after Fortify released the documentary. During the movie a company executive continually stated how important privacy of customer data was to them. Of course, up to that point they did have a clean record. After the video, the group discussed various themes, likes, and dislikes.

Next, Robert Rachwald presented his talk “Integrating Security into QA.” Trying to get QA to do security is very similar to the more recent trend to integrating security into the development lifecycle by teaching developers how to design and code securely. Pushing security into QA has many of the same challenges so we can use what we learned to better succeed. The ultimate conclusion was that we need to incorporate security tests into the existing QA infrastructure/tools versus getting QA personnel to use security tools. Additionally, QA must start earlier in the development process to focus on root causes (i.e., scanning code) versus later effects (i.e., pen tests). Of course this is where the Fortify software fits in being geared for QAers and scanning code early in the development process.

See our original post for more information about the talks. Overall, this infosec meetup was another great success for the organizers of the OWASP – VA Local Chapter. Thanks to them for organizing it, Booz Allen for the facilities, and Fortify for dinner.

Here is some information regarding this week’s Thursday OWASP – VA Local Chapter infosec meetup event. Pizza is being provided by Fortify this month. If you need/want to provide a contribution, you can. If you plan on attending, RSVP so they can get you badge processing started.

• Who: Fredric Golding / Robert Rachwald
• What:
  • The New Face of CyberCrime Viewing: Attend a private viewing of the film, “The New Face of CyberCrime,” by Academy Award-nominated Filmmaker Fredric Golding. This revealing documentary features candid interviews with criminal hackers and those industry executives taking steps against their persistent attacks. The film is 20 minutes in length and we will follow up with discussion.
  • Integrating Security into the QA Group: Until recently, Web Application Testing was left to security teams and ethical hackers who used advanced tools, such as Web application scanners, to analyze running Web applications. However, security groups are becoming overburdened by product releases, and many organizations are attempting to move security testing earlier in the development cycle. The QA group is a natural candidate, since it generally has the infrastructure in place to test applications for quality issues. However, for many organizations, integrating security into the QA group has been incredibly difficult. The process of running a security test is a learned skill, and not something one can teach a QA tester in a matter of days. On top of that, most security testing tools were designed for penetration testers (since they require an in-depth knowledge of application security theory) and are not generally usable by QA professionals. As a result, very few QA groups have successfully adopted security testing.
• When: 5/8, 6:00 – 9:00 PM EST
• Where: Booz Allen, One Dulles Facility (13200 Woodland Park Road; Herndon, VA 20171)

For more information on OWASP – VA Local Chapter, see its description in our NoVA Meetups section. Here are links to the post about this meetup.