20 May 2011

Feedback on ISSD 2011 - Designing Security In

On Wednesday and Thursday 18th & 19th May 2011, I attended the 2nd International Secure Systems Development (ISSD) Conference in London. I had mentioned this previously in March.

Peter Wood presenting Security Testing in Critical Systems at the 2nd International Secure Systems Development (ISSD) Conference in London

Conference organiser Sarb Sembi (Enabled Security) had created an excellent programme, although it is a pity the track on SCADA and embedded systems had to be dropped due to lack of sponsorship. The remaining management and technical/coding tracks benefited from the high-quality chairmanships of Peter Wood (First Base Technologies) and Raj Samani (McAfee), and the strong keynote speakers Carlos Solari (CSC) and Merlin Hay, Earl of Erroll.

Panel session on getting board buy-in with Justin Clarke, Mat Bartoldus, Carlos Solari and Peter Wood

I particularly enjoyed the talks by Sebastian Schinzel (Virtual Forge) on "Secure SAP Coding" and "Making Best Use of Static Code Analysis", and by Peter Wood on "Security Testing in Critical Systems" and "Configuration Management Problems and Solutions". They provided practical guidance and advice from working in the field.

Carlos Solari, who authored the EURIM Security by Design Subgroup's paper "Can society afford to rely on security by afterthought not design?", provided a well thought-out, yet entertaining, description of the problems being faced. He outlined a four-layer model, called the security stack, to illustrate the need for action at multiple levels, up to national cyber response at layer 4.

Nigel Stanley presenting the risks and attacks against smart phones

Justin Clarke (Gotham Digital Science) presented a talk about application security metrics on behalf of OWASP, while in the parallel track I gave a presentation on building active defences into software using OWASP AppSensor. David Harper (HP Fortify) had preceded me and got everyone up to speed on the secure development lifecycle using OpenSAMM.

Photograph of delegates in the conference's break-out area

Raj Samani also presented on the concept and current status of the Common Assurance Maturity Model, an initiative I support and have contributed to by writing the security objectives and controls for the Acquisition and Development sub-domain.

As with the best of conferences, some of the most productive time is spent with other delegates in-between the formal sessions. The attendees were knowledgeable and I had a number of useful discussions on issues around designing security in. Keep an eye open for this one again next year.

Posted on: 20 May 2011 at 10:55 hrs

Permalink: http://www.clerkendweller.com/2011/5/20/Feedback-on-ISSD-2011-Designing-Security-In