Dean H. Saxe - Managing Consultant at Foundstone

Dean H. Saxe is a Managing Consultant at Foundstone, A Division of McAfee, where he is responsible for conducting web application penetration testing, threat modeling, code reviews, secure software development lifecycle (S-SDLC) design and implementation, and project management. Prior to joining Foundstone, Dean spent more than 8 years developing web application in Java and ColdFusion in a variety of industries. While working in the banking sector, Dean's interest in application security was sparked and has grown steadily over the past five years. Dean also provides client education services as a lead instructor of these Foundstone courses: Building Secure Software, Writing Secure Code: Java/J2EE, and Writing Secure Code: ColdFusion. Dean holds the CISSP and Certified Ethical Hacker designations. When not working, Dean enjoying hiking, cooking, homebrewing and traveling the world.

• What you Don't Know About Crypotography
• Application Security Part 2: Building a Software Security Program
• How to Do a Security Code Review
• Application Security Part 1: Stop the Bleeding

What You Don't Know About Cryptography
This session provides a gentle introduction to cryptography then covers the many subtle mistakes that even experienced developers make when writing cryptographic code.

Attendees will learn about proper implementation of the Java Cryptography Extension, Java Secure Sockets Extension, and jarsigner. Special attention is given to the challenges of key management and Public Key Infrastructure. No prior knowledge of cryptography is necessary.

Application Security Part 2: Building a Software Security Program
This session provides a comprehensive, flexible plan for baking security into the software development lifecycle. First off, we will talk about why you would want to do such a thing and how to get support for it. Then the discussion will turn to the practical aspects of planning and implementing a secure SDLC, covering all aspects of people, process, and technology.

Last and probably most important, we present ideas to help you avoid having your shiny new program ignored by the development team. If you are serious about producing secure software, this talk is for you.

How to Do a Security Code Review
This session is a hand-on exercise in Java code review that will cover both manual and automated techniques. If you envision code review as a line-by-line slog through thousands of programs, you will be surprised to learn some effective techniques that reduce the tedium and increase your enjoyment of this activity (well, maybe not the enjoyment part). Familiar methods such as pair programming and peer reviews are a great place to start and will immediately increase the security of your code base.

Other approaches will also be examined, ranging from the use of IDE-integrated tools to formal code review exercises and everything in between. In particular, threat modeling is presented as a means to identify sections of the code that have the highest security risks. Enforcing a code review policy is the last (and most contentious) topic that will be covered in this session.

Application Security Part 1: Stop the Bleeding
This session is geared for those who are ready to take the first steps towards securing their applications with minimal cost and effort. Most development teams know that they have not given security the attention it deserves, but also don't know where to begin. Should you run a scanning tool, go to security training, or just bury your head in the sand and pretend everything is OK?

A few simple activities are introduced that will pay big dividends for the security of your applications. One size does NOT fit all, and this session will enable you to spend your time and money where it will make the most difference. Peripheral issues are also addressed, such as obtaining management support and working with your IT security department.