Panel: Mitigating Risks to the Enterprise via Software Assurance
Panel Leader: Joe Jarzombek (Department of Homeland Security)
Abstract
Developers and cybersecurity specialists can make the mistake of focusing
on the technical aspects of software security when management is more
concerned about risk to the business or mission.
- Security investments are sometimes made for a given project without
consideration of the entire enterprise's investment portfolio and
risk appetite. This can result in important assets getting less
attention than non-critical applications. It can also result in
sub-optimized security investments that do not achieve the maximum return possible.
- With today's global IT/software supply chain, enterprises must
explicitly address security risks posed by exploitable software.
Project management, quality assurance, and software development
processes should explicitly address software security risks that
can be passed from projects to the organization.
- Free resources are now available to assist in security-enhancing
project management, risk management, quality assurance, and
software testing in managing acquisition, outsourcing and development activities.
- These resources bring standardization to secure development; to vulnerability,
configuration, and asset management; and to threat, intrusion, and
incident management and remediation. This eliminates duplication and
manual activities while providing flexibility and nimbleness in
product choice and criteria.
Members of the Software Assurance Forum will provide presentations
to facilitate discussions addressing the relevance of software
security assurance in reducing organizational risk exposure. Panel
presentations and discussions will provide a focus to enhance efforts to:
- Understand the industry-wide implications of standards-based
security architectures for measurement and management of
enterprise IT security risks.
- Recognize the importance of security standards for enabling
interoperability in security assessment, remediation, threat
identification, incident management, system certification,
and secure development.
- Realize how standards can make ground-truth reporting of
compliance efforts economical, real-time, and accurate.
- Obtain real security advantage while responding to OMB mandates on FISMA, FDCC, and SCAP.
- Understand and gain access to free software assurance resources
for those in acquisition, development, sustainment and support of operations.
last updated 23 October 2010 - cgr