Make more Secure Code! - Overview of Security Development Lifecycle and Static Code Analysis
Tuesday 2:30 p.m.–3 p.m.
Target audience: Developer
It would seem that, despite the exponential growth in security products, security services, security companies, security certifications, and general interest in the security topic; we are still bombarded with a constant parade of security vulnerability disclosures on a seemingly daily basis. It turns out that we in the Open Source community can no longer shake a disapproving finger at the closed-source giants without also pointing to ourselves and asking what we can do better. In this era of increasingly modular code development and reuse of common libraries, we need to be considering the impact of potential flaws in code we assume to be secure due simply to its widespread use and Open Source nature. So, what do we do? Although it’s not a magical solution or panacea to the problem; implementing Security Development Lifecycle best practices and principles for each and every software development endeavor we undertake (whether it is for your job or for an Open Source Project) can go a long way to reducing the potential for common security flaws. In addition, there is no reason that Static Code Analysis should not be part of every development effort. We are still seeing obvious, easy to fix flaws in modern source code. Input sanitization issues, Cross-Site-Scripting, buffer overflows, and many other known issues still represent the bulk of security issues present. Static Code Analysis can help catch many of these unnoticed issues before code makes it out of the developer’s hands. In addition, we can perform our own analysis on libraries that we wish to leverage to help determine risk ourselves. In this talk, we will explore some common best practice Security Development Lifecycle theory and how we can integrate this into modern code development schemes. We will also look at how to integrate Static Code analysis tools into the development process, to include a demo.
Dr. Jason Cohen is a senior technology consultant at Hewlett Packard Enterprise, with over 15 years of industry experience in the area of enterprise information technology for the US public sector with a focus on complex systems integration and security solutions. He has extensive expertise in IT architecture, security, secure application design, distributed systems, trusted computing, and secure cross-domain solutions. Jason has several published research articles related to the application of Trusted Computing technology in distributed systems to combat advanced threats. Jason holds a Doctor of Science in Information Technology from Towson University, a Master’s degree from Towson University in Applied Information Technology, and a Bachelor’s degree in Computer Science from Goucher College.