Tuesday, November 19 • 9:00am - 5:00pm
2 Day Pre-Conference Training: Running A Software Security Program On Open Source Tools


Two-day class, running Monday Nov 18 and Tuesday Nov 19.

Abstract:
Using the Software Assurance Maturity Model (OpenSAMM) as a framework, this course walks through the major components of a comprehensive software security program and highlights open source and other freely-available tools that can be used to help implement the activities involved in such a program. The focus of the course is on providing hands-on demonstrations of the tools with an emphasis on integrating tool results into the overall software security program. Featured tools include: ESAPI, Microsoft Web Protection Library, FindBugs, Brakeman, Agnitio, w3af, OWASP Zed Attack Proxy (ZAP), and ThreadFix as well as other educational resources from OWASP. Attendees should finish the course with a solid understanding of the various components of a comprehensive software security program as well as hands-on experience with a variety of freely-available tools that they can use to implement portions of these programs.
Outline:
• So You Want To Roll Out A Software Security Program?
• The Software Assurance Maturity Model (OpenSAMM)
• ThreadFix: Overview
• Governance: Strategy and Metrics
  • ThreadFix: Reporting
• Governance: Policy and Compliance
• Governance: Education and Guidance
  • OWASP Development Guide
  • OWASP Cheat Sheets
  • OWASP Secure Coding Practices
• Construction: Threat Assessment
• Construction: Security Requirements
• Construction: Secure Architecture
  • ESAPI overview
  • Microsoft Web Protection Library (Anti-XSS) overview
• Verification: Design Review
  • Microsoft Threat Analysis and Modeling Tool
• Verification: Code Review
  • FindBugs
  • Brakeman
  • Agnitio
• Verification: Security Testing
  • w3af
  • OWASP Zed Attack Proxy (ZAP)
• Deployment: Vulnerability Management
  • ThreadFix: Defect Tracker Integration
• Deployment: Environment Hardening
  • Microsoft Baseline Security Analyzer (MBSA)
• Deployment: Operational Enablement
  • mod_security


Speakers
Dan Cornell

Vice President, Product Strategy, COALFIRE
A globally recognized software security expert, Dan Cornell has over 20 years of experience architecting, developing and securing software systems. As Vice President of Product Strategy at Coalfire, Dan works with customers and industry partners to help drive the direction of their...


Tuesday November 19, 2013 9:00am - 5:00pm EST
Gotham (7th Floor) NY Marriott Marquis