
Software SIG: Secure SDLC – SW Assurance  

Where
Patrick Henry Library, Vienna; FDA Silver Spring; MITRE Bedford MA; MITRE Eatontown NJ; MITRE Aberdeen,
Patrick Henry Library, 101 Maple Ave E, Vienna, VA 22180
FDA, Bld 66, room G512, 10903 New Hampshire Avenue, Silver Spring, MD
Various, Maryland
703-983-6127

When
Aug 30, 2012    5:30 pm - 7:00 pm (GMT -5:00) EST

Software Security Assurance:  

Enabling Security Automation and Software Supply Chain Risk Management

by: Joe Jarzombek, PMP, CSSLP

Director for Software Assurance, National Cyber Security Division

U.S. Department of Homeland Security

Thursday, August 30, 2012

5:30 PM – Networking and Pizza(*)

5:50 – 6:50 PM – Program


Exploitable software is putting several missions at risk from a security perspective, and the US Government and industry are addressing means to mitigate that software before it is used as an attack vector to breach enterprises or compromise systems. Processes, measurement, and automation are needed to provide software assurance: "the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner." With today's global IT software supply chain, project management and software/systems engineering processes must explicitly address security risks posed by exploitable software. Software security assurance processes and practices, complemented with relevant security automation, span development and acquisition and can be used to enhance project management and quality assurance activities. Mr. Jarzombek explains the critical need for adherence to the practices, guidelines, principles, and automation used to build security into every phase of software development.


The National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security (DHS) works collaboratively with public, private, and international entities to secure cyberspace and America’s cyber assets.  To protect the cyber infrastructure, NCSD has identified two overarching objectives:

- To build and maintain an effective national cyberspace response system

- To implement a cyber-risk management program for the protection of critical infrastructure

In his role as Director for Software Assurance, Joe Jarzombek leads government interagency public/private collaboration efforts with industry, academia, and standards organizations to shift the security paradigm away from patch management by addressing security needs in workforce education and training, more comprehensive diagnostic capabilities, software security automation, and security-enhanced development and acquisition practices.

Joe served in the U.S. Air Force as a Lieutenant Colonel in program management.  After retiring from the Air Force, he worked in the cyber security industry as vice president for product and process engineering.  Joe also served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position.

Joe Jarzombek addresses DHS Cyber Security initiatives focused on mitigating risks attributable to exploitable software and how public/private collaboration is necessary to improve cyber security.

Joe speaks to the relevance of software security assurance in reducing organizational risk exposure. With today's global IT software supply chain, project management and software/systems engineering processes must explicitly address security risks posed by exploitable software. Traditionally, these disciplines have not clearly and directly focused on software security risks that can be passed from projects to the organization. Software security assurance processes and practices span development and acquisition and can be used to enhance project management and quality assurance activities. Joe explains the critical need for adherence to the practices, guidelines, rules, and principles used to build security into every phase of software development.

He addresses how the Common Weakness Enumeration (CWE) provides the characterization of exploitable software constructs, and he discusses why this is needed to advance software security assurance. He discusses free resources that are available to assist project and engineering personnel in managing contracted, outsourced, and development activities. He also discusses the Software Assurance Forum that DHS co-sponsors with the Department of Defense (DoD) and the National Institute of Standards and Technology (NIST) to provide the public/private collaboration to mitigate software security risks and encourage proactive and preventative security practices. Collaboratively developed and peer-reviewed material is made publicly available through on-line resources, such as:

In 2009 Joe Jarzombek was recognized by (ISC)2 as Senior Information Security Manager of the Year.


For details and driving directions see the full announcement flyer.

Locations:

The presentation will originate at the McLean facility, with video tele-conferencing (VTC) between:

MITRE-2, room 1N100

7515 Colshire Drive

McLean, VA 22102

host: Scott Ankrum

cell: 240-731-7581

FDA, Bld 66, room G512

10903 New Hampshire Ave

Silver Spring, MD 20993

host: James Simpson

cell: 301-996-4976

MITRE, room 2503

260 Industrial Way West

Eatontown, NJ 07724

host: Aaron Dagen

desk: 732-578-6301

MITRE, room 1M306

202 Burlington Rd (Rt. 62)

Bedford, MA 01730

host: Tim Rice

cell: 978-758-2704