
Ken van Wyk

Ken van Wyk is a CERT® Certified Computer Security Incident Handler, an internationally recognized information security expert and author of two popular O'Reilly books, Incident Response: Planning & Management and Secure Coding: Principles and Practices, as well as a monthly columnist for eSecurityPlanet. Ken is a Visiting Scientist at the Software Engineering Institute at Carnegie Mellon University, where he is a course instructor and consultant to the CERT® Coordination Center.

Ken has previously held senior information security technologist roles at Tekmark's Technology Risk Management practice, Para-Protect Services, Inc., and Science Applications International Corporation (SAIC). Ken was also the Operations Chief for the U.S. Defense Information Systems Agency's DoD-CERT incident response team, as well as a founding employee of the CERT® Coordination Center at Carnegie Mellon University's Software Engineering Institute.

Ken has previously served as Chairman of the Forum of Incident Response and Security Teams (FIRST), a non-profit professional organization supporting the incident response community, and as a member of its Steering Committee. He currently sits on FIRST's Steering Committee and Board of Directors.


Description

Secure development lifecycles compared

Objectives

  • Understanding of several available secure development methodologies (Microsoft's Security Development Lifecycle (SDL), Cigital's "Touchpoints", and OWASP's Comprehensive, Lightweight Application Security Process (CLASP))
  • Understanding of the strengths and weaknesses of each of these lifecycle models
  • Awareness of how to combine the best of each and put together one's own hybrid process that best suits each individual development organization
  • Awareness of pitfalls to avoid in trying to implement a secure development process in a development organization

Overview

Several secure software development processes have been published in the past few years. These include Microsoft's Security Development Lifecycle (SDL), Cigital's "Touchpoints", and OWASP's own CLASP project. Which one is right for your organization, or would your needs be better served by taking the best of each and assembling "your own" process? In this talk, we'll compare and contrast each of these approaches and discuss the practical aspects of putting them to maximum use, including pitfalls to avoid.

Partners:

  • Solvay Brussels School of Economics and Management
  • Katholieke Universiteit Leuven

Affiliated organizations:

  • ISSA
  • OWASP

Contents of the secappdev.org website are licensed under a Creative Commons Attribution-NonCommercial 3.0 License.