Archive for July, 2009

Episode 37 – Securing Web Applications: Improving the Application Development Life Cycle

Tuesday, July 28th, 2009

BigFix CTO Amrit Williams and White Hat Security CTO Jeremiah Grossman conclude their discussion on web application security by looking at ways organizations can build in security features and resistance to attack over the life cycles of in-house developed web applications. While design-for-security should start in the initial spec and coding processes, security mindedness needs to continue throughout an application’s life cycle as the application evolves to meet changing technical and business requirements.

Podcast

Episode 36 – Securing Web Applications: Instituting Operational Controls

Friday, July 24th, 2009

BigFix CTO Amrit Williams and White Hat Security CTO Jeremiah Grossman continue their discussion on web application security by looking at what kinds of operational controls organizations can institute to enable more effective management and protection of web applications over their life cycles. As many web applications are in-house efforts, this often requires organizations to make decisions and enforce policies that would otherwise be the domain of third-party application vendors.

Podcast

Episode 35 – Securing Web Applications: Surveying the Threat Landscape

Tuesday, July 21st, 2009

Amrit Williams, BigFix CTO, begins a three-part discussion with Jeremiah Grossman, CTO of White Hat Security, on web application security. In the first part, Amrit and Jeremiah review the nature, severity, and spread of threats to the security and integrity of web applications. Web applications differ from commercial applications and system software in that the majority of them are developed in-house. Not only are there no external resources to provide patches, updates and vulnerability fixes, but web applications may not be fully documented or designed for easy updating.

Podcast

Episode 34 – Cybersecurity, Cyberdefense and Cyberwarfare: Part III

Tuesday, July 14th, 2009

Part III of the conversation with Amrit Williams, Michael Smith and Dan Philpott moves on to look at private sector adoption of government-developed IT security standards and policies, a field guide to current NIST FISMA documents, and which private organizations (mostly government contractors) must comply with government security standards. The discussion concludes with increasing government IT security spending and how the government will spend it. In particular, will the new spending emphasize tools and capital goods while relatively neglecting the development of human expertise in the field?

Podcast

Episode 33 – Cybersecurity, Cyberdefense and Cyberwarfare: Part II

Friday, July 10th, 2009

Part II of this discussion involving Amrit Williams, Michael Smith and Dan Philpott focuses on recent policy developments in the US, in particular legislation currently in the US Congress to modify or replace the Federal Information Security Management Act with new laws, whether the establishment of a US Military Cyber Command is a military necessity or a maneuver to attract funding, and whether the intense effort to legislate and regulate represents an effort to compensate for a shortage of human cybersecurity expertise.

Podcast

Episode 32 – Cybersecurity, Cyberdefense and Cyberwarfare: Part I

Tuesday, July 7th, 2009

Begins a three-part discussion with Michael Smith, self-described Guerilla CISO, and Dan Philpott, the instigator of the www.fismapedia.org wiki site, on the latest thinking in the rapidly developing fields of cyberdefense and cyberwarfare. Planners, policy makers and practitioners face multi-faceted dilemmas in this field. Key topics include the relationship between government and civilian organizations, the blurred line between warlike and criminal attacks on cyber assets, the question of whether cyberwarfare includes “kinetic” attacks on enemy cyber assets, and the collateral necessity of using neutral nations’ IT infrastructure as a channel for cyberwarfare actions, among many other issues.

Podcast