Dear all,
We are pleased to announce SecAppDev Leuven 2013, an intensive one-week course in secure application development. The course is organized by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. The course is a joint initiative with KU Leuven and Solvay Brussels School of Economics and Management.
SecAppDev 2013 is the 9th edition of our widely acclaimed course, attended by an international audience from a broad range of industries including financial services, telecom, consumer electronics and media and taught by leading software security experts including
- Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab.
- Ken van Wyk, co-founder of the CERT Coordination Center and widely acclaimed author and lecturer.
- Dr. Steven Murdoch of the University of Cambridge Computer Laboratory's security group, well known for his research in anonymity and banking system security.
- Jim Manico, an OWASP board member.
- John Steven, a sought-after architect for high-performance, scalable JEE systems.
The course takes place from March 4th to 8th in the Faculty Club, Leuven, Belgium.
For more information visit the web site: http://secappdev.org.
- Places are limited, so do not delay registering to avoid disappointment.
- Registration is on a first-come, first-served basis.
- A 25% discount is available for Early Bird registration until January 15th.
- Alumni, public servants and independents receive a 50% discount.
I hope that we will be able to welcome you or your colleagues to our course.
Kind regards,
Lieven
Conjecture: BSIMM and Touchpoints are harmful to developers and organizations seeking cost effective application security based risk reduction.
Let’s start with the flaws of Touchpoints:
1. Touchpoints make security separate from development
2. Touchpoints are all verification, not building secure apps
3. Touchpoints are only SDLC (one app), not full-bore appsec program planning across an entire application portfolio
4. Touchpoints make security a cost, not an opportunity for improvement in other aspects of software dev
5. Touchpoints are negative, vulnerability-focused thinking, not positive, controls-centric thinking
6. Touchpoints are basically hacking ourselves secure, not assurance-evidence based
7. Touchpoints are trivial in the sense that they are just a concept with no backing... just a picture and a book. No meat!
8. Touchpoints are designed to sell tools - not totally, but somewhat
9. Touchpoints are not free and open (Creative Commons, anyone?)
BSIMM continues with this tradition.
Does your organization really care if the software you are writing is secure, or is it a burden and a chore? No amount of process will fix not caring. BSIMM does almost nothing to create a culture of good security practices for developers. It's, again, 80% verification activities. It extends the tradition of the Touchpoints model, which was 100% verification.
BSIMM and Touchpoints do not get down and dirty to figure out how to actually make software secure.
And frankly, that’s what the entire world really needs right now.