International Entertainment News

Monday, February 07, 2005

Secure Software Forum Spotlights Software Development to Bring Focus to Application Security as a Lifecycle Issue

Software Industry Luminaries to Discuss Best Practices and the Critical Need for Application Security Assurance for More Secure Software

ATLANTA, Feb. 7 /PRNewswire/ -- S.P.I. Dynamics Incorporated announced today the Secure Software Forum in an effort to raise awareness of the critical need for software security assurance across the software development lifecycle. On February 15, 2005 in San Francisco, Calif., the Forum will bring together industry leaders, top analysts, industry spokespeople, notable academic leaders and the vendor community spanning all disciplines within the application lifecycle. The Forum is co-sponsored by Microsoft Corporation, Fortify Software, Mercury Interactive Corporation, and Information Systems Security Association (ISSA). Forum participants will share best practices and key issues that must be solved to ensure more secure software development.

"Security is of paramount importance at every stage of a product's life cycle," said Mary Ann Davidson, chief security officer at Oracle Corp. "It is crucial for the software industry and organizations purchasing software to make security part of their corporate DNA. Although these goals may not be achieved overnight, they will have a significant and lasting impact on multiple sectors of critical infrastructure."

For some time, industry visionaries have recognized that producing secure software is not a single event, and requires a program-level commitment to security throughout the software development lifecycle. From design through development, testing and deployment, a multi-disciplinary approach must be taken to deliver a quality software product that minimizes organizational risk. Leading organizations are already making substantial headway in the effort to build security into their underlying methodologies by creating internal programs to address security in all phases of the software development lifecycle. The goal of the Secure Software Forum is to provide a starting place for cross-industry discussions and education on how best to implement an Application Security Assurance Program (ASAP).

"Understanding how to better manufacture software that is free from defects and secure is fundamental to our economy," said Jim Reavis, Editor, CSOinformer, Vice President, ISSA, and Forum Moderator. "Only by collaboration between top thinkers representing all stakeholders can we solve this problem. I consider the Secure Software Forum to be a step towards that solution and one of the most important events of 2005."

There are a myriad of different software development lifecycle models and methodologies, each with an end goal of creating higher quality software. No matter how an organization chooses to develop software, the philosophy of the ASAP is to embrace a broad set of principles to improve the security of that software. Among these principles are:

- An executive level commitment to secure software;
- Security must be a consideration from the very beginning of the software development lifecycle;
- Secure software development must encompass People, Process and Technology;
- An adoption of metrics to measure security improvements and enforce accountability; and,
- Education as a key enabler of security improvements.



Because of the wide variety of development models, languages and tools in use, no two organizations will secure their software development in exactly the same way. However, by increasing public awareness of the need for comprehensive, systemic approaches to secure software development, the Secure Software Forum champions an open dialogue between experts that all organizations can benefit from.

Forum participants to include:

- Mary Ann Davidson, CSO Oracle Corporation (Forum Keynote)
- Jim Reavis, Editor, CSOinformer and Vice President, ISSA (Forum Moderator)
- Steve Lipner, Director of Security Engineering Strategy, Microsoft Corporation
- Amit Yoran, Former National Cyber Security Division Director, U.S. Department of Homeland Security
- Theresa Lanowitz, Research Director focusing on Application Testing and Development, Gartner
- Ira Winkler, CISSP, CISM, Global Security Strategist, CSC Consulting and Renowned Author and Industry Expert
- Brian Cohen, President and CEO, SPI Dynamics
- Brian Chess, Founder/Chief Scientist, Fortify Software
- Dave Cullinane, CISO Washington Mutual and ISSA International President
- Rajesh Radhakrishnan, Sr. Director, Product Marketing, Mercury Interactive Corporation
- Fred Rica, PricewaterhouseCoopers National Partner, Threat & Vulnerability Assessment Services
- Charles Steen, Chief Privacy and Data Security Administrator, Catholic Healthcare West (CHW)



For more information on the Secure Software Forum, please visit www.securesoftwareforum.com .

About S.P.I. Dynamics Incorporated

SPI Dynamics, the expert in business application security testing and assessment, provides products that empower organizations to address flaws in the application layer throughout the lifecycle, and assess the risk associated with current business applications that are already in active use within the corporate environment. The company's flagship product line, WebInspect, assesses the security of an organization's critical applications and web services. SPI Dynamics' internal research and development group, SPI Labs, is recognized as the unequivocal authority on web application security. Software developers, quality assurance professionals, corporate security auditors, compliance officers and security operations experts use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional corporate Internet security measures. SPI Dynamics is privately held with headquarters in Atlanta, Georgia. For more information, visit www.spidynamics.com or call (678) 781-4800.

Trademarks

Oracle is a registered trademark of Oracle Corporation and/or its affiliates.

SPI Dynamics is a trademark of S.P.I. Dynamics Incorporated. All other companies and products mentioned are trademarks or registered trademarks of their respective owners and/or affiliates.

Microsoft Corporation ( www.microsoft.com )

"Through our Trustworthy Computing initiative, Microsoft is continuously designing and implementing new and better processes for developing more secure code and we are committed to sharing our learnings with the industry," said Steve Lipner, Director of Security Engineering Strategy at Microsoft Corp. "Application security is a top priority for the IT community and we're pleased that SPI Dynamics brought us together in this forum to discuss best practices."

SPI Dynamics ( www.spidynamics.com )

"Application security is truly a lifecycle requirement. SPI Dynamics is committed to a continuous effort to raise awareness that security best practices require dedication and focus throughout an entire software development organization and cannot be solely the responsibility of security professionals. Developers and testers must be held ultimately accountable for their share of security best practices, and to do so, they require a combination of comprehensive automated tools and education. Security professionals alone cannot sufficiently patch security defects or fully prevent the exploitation of application level vulnerabilities," said Brian Cohen, president and CEO of SPI Dynamics. "We are very pleased that this diverse group of industry leaders has come together to share their experiences and emphasize the fundamental importance of developing an ASAP to address application security across the software development lifecycle."

Fortify Software ( www.fortifysoftware.com )

"Software security problems must be addressed at the root cause to effectively protect core assets and private information," said John M. Jack, CEO of Fortify Software. "It is essential that security is seamlessly integrated throughout the software development lifecycle. The Secure Software Forum is assembling an impressive group of influential thought leaders to turn the theory of building secure software into practice."

Mercury Interactive Corporation ( www.mercury.com )

"Mercury is committed to helping customers deliver high quality business applications, while minimizing organizational risk," said Rajesh Radhakrishnan, senior director of product marketing at Mercury. "By integrating security-testing solutions with Mercury Quality Center, we enable our customers to ensure that all aspects of application quality are addressed across the application lifecycle."

Information Systems Security Association (ISSA) ( www.issa.org )

"The Information Systems Security Association (ISSA), the largest not-for-profit association of information security professionals, strongly supports the Secure Software Forum. The impact of insecure software is felt by virtually everyone, and as such it is incumbent upon the security practitioner to reach outside of the security function of their organization and work with other stakeholders to help improve the inherent quality of software development."

Center for Internet Security ( www.cisecurity.org )

"Software vulnerabilities are a fundamental part of the information security problems we face today. The Center for Internet Security (CIS), devoted to helping organizations around the world effectively manage the risks related to information security, is proud to join other industry leaders in supporting the Secure Software Forum. The Center supports the concept of the Application Security Assurance Program (ASAP), and encourages industry participation in the Secure Software Forum and in subsequent events."


Source: SPI Dynamics, Inc.

CONTACT: Todd Craig of Porter Novelli, +1-404-995-4530, or Todd.Craig@porternovelli.com , for SPI Dynamics; or Ashley Vandiver of SPI Dynamics, +1-678-781-4841, or mobile, +1-404-432-8657, or avandiver@spidynamics.com

Web site: http://www.securesoftwareforum.com/
http://www.spidynamics.com/
http://www.fortifysoftware.com/
http://www.mercury.com/
http://www.issa.org/
http://www.cisecurity.org/

