8:30am - Welcoming Remarks
Marci McCarthy
CEO and President of T.E.N.
CEO and Chairman of ISE® Talent
Biography
8:40am - SSA Insights & Trends
Kelly Collins
President, Public Sector
Fortify
Biography
Download the Presentation (pdf)
9:15am - Understanding Software Security in Support of Federal Compliance
Rob Roy
Federal CTO
Fortify
Biography
Download the Presentation (pdf)
The software layer has increasingly become the attack vector for the Advanced Persistent Threat - organized nation state players who employ "armies" to penetrate mission critical systems by exploiting the vulnerabilities in software systems. This year's National Defense Authorization Act NDAA, signed into law on January 7th, 2011, includes a section focused on software security titled, "Strategy on Computer Software Assurance." This new DOD law is designed to protect and defend the software layer by addressing the imbalance between the historical focus and emphasis on hardware and network security to the exclusion of the software layer. Rob Roy will discuss the details of this new law and other federal compliance regulations; and whether or not this will be the critical turning point for software security.
10:00am - Mastering SSA: A Case Study of the US Air Force Software Assurance Center of Excellence
Shakeel Tufail
Managing Consultant
Fortify
Biography
Download the Presentation (pdf)
Over the last three years, Shakeel Tufail has worked extensively in the Air Force Application Software Assurance Center of Excellence (ASACoE) as a subject matter expert aiding in their mission to incorporate software security into the development lifecycles of Air Force applications. During this session Shakeel will share the tips and techniques, challenges, standards as well as best practices associated with setting up and running a Software Assurance Center of Excellence. John Sykes, Program Manager for the US Air Force Software Assurance Center of Excellence, will join Shakeel to field questions from attendees regarding his lessons learned while running the ASACoE.
11:15am - Hot Topic Panel Discussion: The Realities and Secrets of Building Software Security Assurance into your SDLC
Building an SSA Program at an government agency encompasses comprehensive planning to include training, communication, monitoring activities as well as integrating security testing throughout the delivery lifecycle. In this hot-topic panel discussion, experienced SSA practitioners and experts will share their insights, best practices and real-world experiences of how they successful created, built, delivered and managed an SSA Program.
Robert Lentz
Former Deputy Assistant Secretary of Defense
for Information and Identity Assurance
U.S. Department of Defense
ISE® North America Government Executive Award Winner 2008
Biography
Benjamin McGee
Cyber Security Lead
SAIC
Biography
Michael Lyman
Information Security Engineer
SAIC
Biography
Shakeel Tufail
Managing Consultant
Fortify
Biography
12:30pm - Luncheon Discussion: Accelerating Your Software Security Programs
Rob Roy
Federal CTO
Fortify
Biography
Enjoy a delicious lunch while learning more about Fortify’s vision and roadmap in 2011.
Download the Presentation (pdf) Fortify SSA ROI whitepaper (pdf) HR 6523 Software Assurance (pdf)
Executive Roundtables
Shakeel Tufail
Managing Consultant
Fortify
Biography
Best Practices and Practical Applications of Software Security Models
Robert Lentz
Former Deputy Assistant Secretary of Defense
for Information and Identity Assurance
U.S. Department of Defense
ISE® North America Government Executive Award Winner 2008
Biography
Making Application Security an Integral Part of Your Operations
Benjamin McGee
Cyber Security Lead
SAIC
Biography
From Security Assessment to Vulnerability Remediation: The Realities of Deploying a Cloud-Based Application Risk Management Solution
3:15pm - Keynote: WikiLeaks, Stuxnet & Other Cyber Weapons – Trust, Treason or Terrorism?
Dr. Eugene Schultz
CTO
Emagined Security
Biography
Download the Presentation (pdf)
Few events have crystallized U.S. fears over a cyber catastrophe, or brought on calls for a strategic response, more than the recent attacks against Google, the controversy and consequences of WikiLeaks and now the public demonstration of a cyber weapon’s capabilities via Stuxnet.
While these threats are well short of cyberwar, damage has already been done by a slew of cyber attacks that have resulted in the theft of terabytes of intellectual property data, trade secrets and classified military and government information. That information is now believed to be in the hands of overseas groups, many of which are thought to be state-sponsored. And many believe that we are seeing the beginning of a new era of highly sophisticated deployment and arsenal of cyber weaponry to exploit an extensive range of circumstances to include compromise of confidentiality / theft of secrets, identity theft, web-defacements, extortion, system hijacking and service blockading
In this keynote presentation, Dr. Eugene Schultz will explore the following:
- Why the victims of cybersecurity lapses and attacks include many civilian systems, and for this reason the value of a purely military approach to cybersecurity defense is limited. The U.S. Military has a role in protecting their own systems and in developing potential offensive capabilities.
- The circumstances in which the world and individual nations face cybersecurity risks with substantial long term physical effects are likely to be dwarfed by other global threats in which information infrastructures play an apparently subordinate but nevertheless critical role.
- During many conventional catastrophes there is significant danger when supportive information infrastructure becomes overloaded, crashes and inhibits recovery. Counter-Measures need to be considered within an Information Assurance engineering framework, in which preventative and detective technologies are deployed alongside human-centered managerial policies and controls.
- Why government agencies need to proceed cautiously and incorporate a comprehensive Software Security Assurance(SSA) plan when implementing citizen-to-government and business- to-government services which will become available solely via the web.
- Limit spread of a sophisticated attack through careful analysis at the point of system design by proactively having mitigation measures for legacy applications in place.