14th Semi-Annual Software Assurance Forum - February 28-March 4, 2011
Presentations from Speakers, Panels, and Tutorials
All presentations are available below by express permission of the presenters.
Day 1 – Monday, February 28, 2011
Tutorials
Enterprise Cybersecurity Ecosystem
The Cybersecurity Ecosystem & Making Security Measurable
Supporting Training & Education and Software Security Engineering
Training & Software Security Engineering: CWE
The Cybersecurity Ecosystem SCAP, SwAAP, et al.
Standards Activities
CWSS Domains and Archetypes
Robert A. Martin, MITRE
Understanding How They Attack Your Weaknesses: CAPEC
Supporting Secure Software Acquisition and Software Assurance Analysis
Supporting Secure Software Operations
Sean Barnum, MITRE
Common Weakness Scoring System (CWSS)
Steve Christey, MITRE
Emerging Threats in Mobile Computing
Adam Meyers, SRA
Security of Medical Device Applications
Dennis Seymore, Ellumen
2011 Global Security Statistics and Trends
Charles Henderson, SpiderLabs at Trustwave
Day 2 – Tuesday, March 1, 2011
Overview of NIST Information Technology Laboratory
James St. Pierre, NIST
Rugged Software – One Year Later
Joshua Corman, The 451 Group
Software Assurance Forum for Excellence in Code (SAFECode)
Stacy Simpson, SAFECode
Panel: Identify synergies between SwA/SCRM and Cyber Workforce Transformation
Dan Shoemaker, University of Detroit Mercy – Panel Facilitator
Ernest McDuffie, NIST
Lance Kelson, DoI
Brenda Oldfield, DHS
Susan Hansche, Avaya
Understanding Challenges Presented to Industry in Outsourcing (HW and SW)
Don Davidson, DoD
Cyber Supply Chain Security and Software Assurance
Jon Oltsik, Enterprise Strategy Group
The IT Supply Chain: Research on Industry Perspectives
Sandy Boysen, University of Maryland
Software Supply Chain Risk Management: From Products to Systems of Systems
Carol Woody, Software Engineering Institute
Critical Code Model for Preventative and Supply Chain Issues
Bill Scherlis, Carnegie Mellon University
Mobile Applications and Application Framework Security
Dan Cornell, Denim Group
Cracking the Code on the Mobile Software Supply Chain
David Maxwell, Coverity
Cloud Security in the Federal Sector: FedRAMP (Federal Risk and Authorization Management Program)
Rex Booth, Grant Thornton
Life in the Cloud, a Service Provider’s View
Mike Smith, Akamai
Day 3 – Wednesday, March 2, 2011
Introduction of Government Efforts with SwA Equities
White House-Led IPC on Cybersecurity Standardization
DoD Countering Counterfeits Tiger Team (C2T2)
Don Davidson, DoD
Addressing Federal Agencies’ Engagement in Standards
Ajit Jillavenkatesa, NIST
Intellectual Property Enforcement Coordinator (IPEC)
Mike Powers, NASA
Global Community’s Response to ICT Supply Chain Risk Challenge
Software Asset Management
Larry Wagoner, NSA
Piloting Supply Chain Risk Management Practices for Federal Information Systems
Jon Boyens, NIST
ICT SCRM – ISO Standards Update
Nadya Bartol, Booz Allen Hamilton
Open Trusted Technology Forum Overview (OTTF)
Andras Szakal, The Open Group
Business Risks of Insecure Software in the Cloud
Andrew Murren, Deloitte & Touche
Business Risk Management
Joshua Stabiner, Ernst and Young
Strategies for Securing the Enterprise
Paul Croll, CSC
Panel: Advanced Persistent Threat
Michele Moss, Booz Allen Hamilton – Panel Facilitator
Rick Doten, Lockheed Martin
Ryan Kazanciyan, Mandiant
Sean Barnum, MITRE
Panel: SwA and the Technology Stack
Michele Moss, Booz Allen Hamilton – Panel Facilitator
Thresa Lang, Dell
Steve Adegbite, Adobe
Greg Piper, Intel
Ben Calloni, Lockheed Martin
Day 4 – Thursday, March 3, 2011
Public-Private Partnerships
Bob Dix, PCIS
OMG: Not Your Father’s CORBA Organization Any Longer
Ben Calloni, Lockheed Martin
Licensing Software Engineers
Phil Laplante, PSU
CSSLP
Hart Rossman, SAIC on behalf of (ISC)2 Application Security Advisory Board
The Information Security Forum
Greg Nowak, PWC
ITU/CYBEX (CWE)
Bob Martin, MITRE
CWSS: Using CWE to Provide Consistent Measures for Prioritizing Risk Mitigation Efforts
Joe Jarzombek, DHS
CWE Coverage Claims Schema
Richard Struse, DHS
Software Labeling
Paul Black, NIST
National Defense Industrial Association (NDIA)
Dave Chesebrough, AFEI/NDIA
Panel: Working Group Co-chairs
Processes and Practices
Michele Moss, Booz Allen Hamilton
Acquisition and Outsourcing
Don Davidson, DoD
Workforce Education and Training
Carol Woody, SEI
Measurement
Bob Martin, MITRE
Technology, Tools and Product Evaluation Working Group
Mike Kass, NIST
Malware
Penny Chase, MITRE
SwA Program
Joe Jarzombek, DHS
Tutorials
Trusted Software Development
Ben Calloni, Lockheed Martin
Smart Phones with Dumb Apps: Security for Mobile Applications
Dan Cornell, Denim Group
Lost in Translation: Understanding the Hacker Mindset in Application Security
Paul Nguyen and Ryan Stinson, Knowledge Consulting Group