Description: https://deepsec.net/docs/Slides/DeepSec_2010_Developers_are_from_Mars_Compliance_Auditors_are_from_Venus.pdf
Neelay S. Shah, Rudolph Araujo, Foundstone Inc., A Division of McAfee

In this day and age multitudes of regulations exist, and many of them have a direct impact on the applications developed and used within organizations. These regulations are often written by lawyers and people with not a whole lot of software development experience. What's perhaps worse is that often the people who assess compliance have little to no such experience either. Unfortunately all of this leads to a difficult situation wherein the expectations placed on software development teams are often vague and unclear. In working with numerous developers over the years we have found that, in spite of spending countless hours trying to comprehend the regulations, developers still end up misinterpreting them and designing and developing their applications in a non-compliant manner. And while the requirements may be ambiguous, the consequences of failing to comply, ranging from fines to public relations disasters and even jail time, are crystal clear. No developer wants to be in a position where their code is responsible for the company being out of compliance.

In this talk, the primary focus is to provide developers, testers, project managers and software security personnel with a best-practice-based framework for thinking about compliance with major regulations such as PCI-DSS, HIPAA, SOX and GLBA. We focus on key considerations both from a longer-term strategic software engineering perspective and from a more tactical day-to-day basis. Our goal is to enable a development team to quickly understand when specific regulations are applicable, the underlying intent of each regulatory requirement, and what processes and technologies the developers can leverage to ensure that their applications are in compliance. While we will provide examples based on the current regulatory environment, the lessons we include are intended to help the development community apply the same analysis framework to any regulations that might come in the future as well.

Neelay is a Senior Software Security Consultant and a lead instructor at Foundstone, where he specializes in performing threat modeling and security code reviews for a variety of enterprise products ranging from user-mode applications to complex hardware virtualization software, file system device drivers and custom kernels. Neelay developed the Writing Secure Code - C++ class and is responsible for delivering the class as well as maintaining current content for it. Neelay is the author of multiple software and network security tools and whitepapers such as Foundstone Socket Security Auditor, DIRE, CredDigger and HacmeTravel. Neelay was awarded the Microsoft Most Valuable Professional (MVP) - Developer Security Award in 2009 in recognition of his technical leadership and significant contributions to the developer community. Neelay also holds the Payment Card Industry - Data Security Standard (PCI-DSS) Qualified Security Assessor (QSA) certification.

Rudolph serves as a Technical Director responsible for leading the software and application security service lines. He also leads the content creation and training delivery for Foundstone's software security classes. Rudolph's experience at Foundstone is varied and includes helping secure custom operating system kernels, hardware virtualization layers, device drivers as well as user-mode standalone, client/server and web applications. Rudolph is an experienced C/C++ and C#/.NET developer and the author of a number of Foundstone's free tools. He is also a contributor to MSDN's webcast series and to multiple industry journals such as Software Magazine, where he writes a column on secure software engineering. Rudolph has been honored for the last five years in a row with the Microsoft Visual Developer - Security MVP Award in recognition of his thought leadership and contributions to the security and developer communities. He has also written the foreword for the Microsoft Patterns and Practices Group's Web Services Security Guide and is a contributing author to the book Developing More-Secure Microsoft ASP.NET 2.0 Applications. Rudolph is a speaker at security and developer conferences such as OWASP, Microsoft Tech-Ed, SD West and SD Best Practices.
Tags: securitytube , Confidence , hacking , hackers , information security , convention , computer security , deepsec-10 , deepsec-2010 ,
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.