What do you get when you have renowned authors, engineers, a product manager, and a CTO in one room together? You get an expert-filled four hour software security workshop—and that is exactly what we had on September 29.
In the heart of Silicon Valley, we hosted the event in partnership with our sponsors Polarion Software and Security Innovation, bringing together experts from Intel Security and Qualcomm Technologies to share their knowledge of software security with our audience.
Intel – becoming security champions
Hosted by Rich Nass, executive VP of OpenSystems Media, the event started off on a great note with a lot of active audience participation, so our presenters focused on addressing those burning questions and concerns.
Some questions from our audience included:
• How do you prioritize vulnerabilities when you develop code?
• How do you prepare the proper documentation for security?
• Fixing vulnerabilities is expensive; how do you decrease the cost of finding and fixing vulnerabilities without slowing down development and release to market?
Brook Schoenfield, director of product security architecture at Intel and author of “Securing Systems: Applied Security Architecture and Threat Models” along with Dr. James Ransome, senior director, Product Security at Intel and author of “Core Software Security: Security at the Source” launched into their presentation, revved and ready to share their knowledge of creating an established product security architecture. Whether or not you have a security plan now—it is vital to understand that “software security is a complex puzzle,” Schoenfield shared, “that must be pieced together.” Three main actions that people need to take are:
• Simplify and optimize the process of engagement so that complexities can be addressed by experts.
• Make the SDLC relevant to the stakeholders.
• Build trust with and empower developers.
One part of Ransome’s role at Intel is to mentor others to become product security champions. He says that “creating a plan to mentor people in security is essential in passing the knowledge along to others in the company so that all people in the company are like-minded in focusing on security to protect their company.”
Ransome and Schoenfield continued on with their presentation, focusing on secure Agile development, threat modeling, and organizational management. They provided their methods, tips, and tricks to developing a system at their organization that functions to protect all parties involved in the software development lifecycle.
Qualcomm – hunting for actual security bugs
Our Qualcomm experts stepped up to launch their code-based presentation. Brian Rosenberg, director of security engineering, and Murali Somanchy, staff engineer, delved into their presentation, “Product security activities: From cradle to grave,” focusing on the complications and difficulties of building a security program that addresses a variety of software development efforts. Rosenberg set the stage with an overview of each phase of the software development lifecycle and discussed the activities involved in each stage. He made a poignant statement that resonated with the audience: “effective product security must interact with all phases of development.”
Somanchy took a deeper dive into actual code and showed some buggy examples—allowing the audience time to hunt for the bug. He showed how static analysis and fuzzing dominate bug finding in code development. The presentation emphasized how earlier activities such as risk analysis can provide valuable guidance to static analysis and fuzzing.
Will Heartbleed happen again?
With all of that knowledge in mind, we launched into the final and most interactive activity of the workshop. The Intel and Qualcomm experts were joined by Rod Cope, our very own CTO, Paul Albee, security engineer at Security Innovation, and Mike Borse, product manager at Polarion Software. The most popular questions coming from the audience for our expert panel were focused around open source software (OSS), vulnerabilities, and product security:
• How do you deal with open source bugs?
Schoenfield spoke about open source in his presentation, specifically referencing one of the biggest open source bugs of this time, saying “Heartbleed was a big, big fire drill.” The other experts chimed in on how open source software can be useful in development because it allows developers to reuse code that already exists, but Rod Cope said “developers need to use OSS safely, ensuring they have the proper tools to scan the code and ensure it is in compliance before dropping it in their codebase for development.”
With two savvy technologists from Qualcomm, two renowned book authors from Intel, Polarion Software, Security Innovation, and our own CTO, Rod Cope, this made for an educational and insightful afternoon in Palo Alto.
We look forward to seeing you at our next expert workshop!