Most of you know SANS is spending a lot of time and effort focused on software and application security. If you think there is a role we can play in this specific area and would like to talk to me about that, please feel free to connect with me offline.

If not, we'll stay head down on the current initiatives. Paco, it's probably too late for us to help much with your event, but we can chat about that.

Mase

Mason Brown, Director
SANS Institute (www.sans.org)
865-692-0978 (w)

SANS Network Security 2007 in Las Vegas, September 22-30. 39 courses, SANS top instructors. http://www.sans.org/info/9346
"SANS remains the gold standard in security training - technical, hands on and immediately useful and relevant." Robin Stuart, eBay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Wysopal
Sent: Thursday, September 06, 2007 12:48 PM
To: McGovern, James F (HTSC, IT); sc-l@securecoding.org
Subject: Re: [SC-L] Security Testing track: Software Testing Conference: Washington DC

There has been some movement in this direction and I think you are correct that we need to educate the mainstream QA audience just as we must educate the mainstream developer audience. I am giving a keynote on software security testing at Practical Quality and Software Testing in Minneapolis next week: http://www.psqtconference.com/. I am also speaking at STPCon on prioritizing security testing. There are also speakers from SPI Dynamics and Ounce Labs at that conference. If you know of other QA conferences, please post them here, as I am interested in speaking to this audience and I have found them very receptive to security testing topics.

Another educational approach is to target this community when we write books and magazine articles on software security. One of the goals of my book, "The Art of Software Security Testing", was to bring the concepts of security testing to a traditional QA audience. To that end I teamed up with Elfriede Dustin, an author of several QA books and an organizer of the Verify conference, to make sure the book spoke to the right audience.

I know Joseph Feiman at Gartner has software security testing as a focus area. He has written a few research notes on the topic.
-Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McGovern, James F (HTSC, IT)
Sent: Tuesday, August 28, 2007 10:39 AM
To: sc-l@securecoding.org
Subject: Re: [SC-L] Security Testing track: Software Testing Conference: Washington DC

Upon reading this, I had several thoughts come to mind:

1. If we are to truly solve the last mile, we need to also choose more mainstream conferences such as STPCon (http://www.stpcon.com), since they also have an associated magazine (Software Test and Performance) which may stimulate more magazine articles on the topic. I did a quick run upstairs to our QA folks and asked them what magazines they read as well as their awareness of certain conferences.

2. What do you think we can do as a unified group of individuals in terms of a listserv to encourage various industry analyst firms such as Gartner, Forrester and The Burton Group to talk about Secure Software Testing as a research area? Many CIOs and other IT executives put lots of value into what they say. We need more top down.

3. What would it take to get more speaker diversity? We have to figure out how to get more end-customers telling their own stories vs. vendors and consulting firms.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paco Hope
Sent: Thursday, August 16, 2007 1:41 PM
To: Secure Coding
Subject: [SC-L] Security Testing track: Software Testing Conference: Washington DC

Hey folks,

One of my strong beliefs is that we're never going to close the loop on "Building Security In" until we get the QA side of the house involved in security. To that end, I'm co-chairing VERIFY 2007, a software testing conference where we have a security testing track (in addition to more typical QA issues like test automation). I thought some folks on this list may be interested in attending, or passing it on to your colleagues in QA organizations.
The conference web site is http://verifyconference.com/ and you can get a 2-page "Conference in a Nutshell" PDF here: http://verifyconference.com/images/verify/verify2007.pdf

Please help me spread the word.

Thanks,
Paco

--
Paco Hope, CISSP
Co-Chair, VERIFY 2007
http://verifyconference.com/ * +1.703.606.1905

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________