UND IT Security Awareness Day
Software Security in the Real World

This talk argues that security must be built into software from the ground up, rather than relying on penetration tests alone to catch every problem or, worse, on a patch-after-release mentality. The focus is on efficient approaches for improving security during each phase of the software development lifecycle, covering topics from threat modeling to security code review and penetration testing. Using real-world examples, including the improved security quality of large software systems, the speaker makes the case for both the need for these practices and the most efficient way to achieve security goals.

Dean H. Saxe, Managing Consultant, Foundstone Professional Services (a Division of McAfee)

Dean is a Managing Consultant at Foundstone. He is responsible for conducting web application penetration testing, threat modeling, code reviews, secure software development lifecycle (S-SDLC) design and implementation, and project management. Dean also provides client education services as a lead instructor of these Foundstone courses: Building Secure Software, Writing Secure Code: Java/J2EE, and Writing Secure Code: ColdFusion.

Dean has nine years of software development experience in a variety of industries, including banking, education, and quality control. Since 2001, he has focused on secure software development and web application security. Prior to working at Foundstone, Dean held the position of manager of web application security for a corporate cash-management application service provider. In this position, he implemented the company's first secure software development and deployment guidelines, development frameworks to support secure coding paradigms, tools used for the semi-automated remediation of application vulnerabilities, and static code analysis tools to expedite secure code reviews. Dean co-founded and remains active in the Atlanta ColdFusion User Group (ACFUG) and is an active member of the Open Web Application Security Project (OWASP) Atlanta Chapter.

At Foundstone, Dean has worked with multinational telecommunications providers, utility companies, and software manufacturers to perform threat modeling and code reviews of numerous business-critical applications. He has identified the lack of developer training and the lack of formalized secure software development and deployment practices as the root cause of many critical application vulnerabilities. Dean's findings have led to an ongoing effort at many organizations to incorporate security into the software development lifecycle (SDLC). Key factors of success in this effort include developer training on secure development practices through Foundstone courses, the addition of threat modeling to all phases of the SDLC, and the identification of "security evangelists" within each development organization.

Dean attained the Certified Ethical Hacker (CEH) designation in 2004 and the Certified Information Systems Security Professional (CISSP) designation in 2006. Dean holds a BA in biology from The Johns Hopkins University in Baltimore, Maryland.

Tuesday, October 17, 2006
Memorial Union Lecture Bowl