Central Iowa Software Symposium - August 3 - 5, 2007 - No Fluff Just Stuff
NFJS2025

Roman Hustad

Central Iowa Software Symposium

Des Moines · August 3 - 5, 2007

You are viewing details from a past event
Roman Hustad

Software Security Consultant at Foundstone

Roman is a Principal Software Security Consultant at Foundstone, a small division of McAfee that provides security assessment, training, and software design services to corporate and government organizations around the world. After spending most of his life building software, now he figures out ways to break it through penetration testing, threat modeling, and code review. On the proactive side, he leads software design sessions, teaches Java security courses, and participates in the Hacme Books open-source project. In his ever-dwindling spare time Roman enjoys mountaineering, scuba diving, and other outdoor pursuits.

Presentations

Web Application Hacking

See the hacker's toolbox in action as various web applications are ripped open by exploiting simple software bugs. Common problems such as Cross-Site Scripting (XSS) and SQL Injection will be demonstrated and explained, along with more subtle vulnerabilities including privilege escalation, data tampering, and Cross-Site Request Forgery.

How to Do a Security Code Review

This session is a hand-on exercise in Java code review that will cover both manual and automated techniques. If you envision code review as a line-by-line slog through thousands of programs, you will be surprised to learn some effective techniques that reduce the tedium and increase your enjoyment of this activity (well, maybe not the enjoyment part). Familiar methods such as pair programming and peer reviews are a great place to start and will immediately increase the security of your code base.

Application Security Part 1: Stop the Bleeding

This session is geared for those who are ready to take the first steps towards securing their applications with minimal cost and effort. Most development teams know that they have not given security the attention it deserves, but also don't know where to begin. Should you run a scanning tool, go to security training, or just bury your head in the sand and pretend everything is OK?

Application Security Part 2: Building a Software Security Program

This session provides a comprehensive, flexible plan for baking security into the software development lifecycle. First off, we will talk about why you would want to do such a thing and how to get support for it. Then the discussion will turn to the practical aspects of planning and implementing a secure SDLC, covering all aspects of people, process, and technology.