Sunday, September 16, 2012

2012 (ISC)2 Security Congress/ASIS

I just got back from Philadelphia, PA, where I gave my poster session about creating a foundation for secure coding.

Here are my abstract and introduction...


Teaching secure coding in the Enterprise requires more than giving lectures to programmers about SQL injection, XSS and string vulnerabilities. It requires a new foundation and culture to be put in place for the IT Enterprise. This paper describes what foundation and culture changes need to take place before teaching secure coding.

Despite technological advancements, software vulnerabilities have continued to grow at an alarming rate, and the cost of data breaches has become more significant to all stakeholders, regardless of whether they are public or private, large or small. Because of the increased cost this situation has placed on the enterprise, security has expanded beyond firewalls, IPS, IDC, et al., to include enterprise programmers, who must create more secure code. There are many sources, both online and in print, that offer coding guidelines, best practices, suggestions and tips for writing secure code; however, as good as this information is, it is worthless if secure coding practices are not integrated into the framework of the enterprise. Failing to integrate these practices into the framework of the enterprise could result in loss of data, compromise of the system, loss of productivity, and financial loss.

The purpose of this paper is not to present another secure coding guideline for developers or another methodology such as Microsoft Trust Computing SDLC or ALM, but rather to show how a layered approach is necessary so that the complete infrastructure is firmly in place before the enterprise moves to secure coding. Part of this layered approach is emphasizing the need to create a culture that places emphasis on secure coding in the first place. I am well aware that what I am proposing is not new; it has been suggested many times before. However, what is being taught today in the field of secure coding does not include the attendant infrastructure that an engineer would encounter in the real world; in short, secure coding is being taught in a vacuum, devoid of the complexities of the environment in which it will operate. My objective for this paper is to bring the teaching of secure coding and the practice of writing secure code out of the classroom and to show how to integrate it into the software development lifecycle (SDLC) of the enterprise. Software development is no longer an individual task; it is now a very large and complex process involving several teams and team members. Understanding these basic principles and applying them to the best practices of secure coding is the aim of my paper.

Download entire paper at