Cyber-Assurance Ecosystem - Automation Activities for Securing the Enterprise
Walter E. Washington Convention Center

The presentation
Whether you manage internal development activities, work with third-party developers, or are developing a COTS application for the enterprise, your mandate is clear: safeguard your code and make it resistant to exploitation. Through funding and tasking, DHS's Software Assurance Program sponsors the Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), Open Vulnerability and Assessment Language (OVAL®), Common Attack Pattern Enumeration and Classification (CAPEC), and Malware Attribute Enumeration and Characterization (MAEC™) programs through MITRE. The CWE™ initiative is a dictionary of common software weaknesses in architecture, design, or code. It is intended for developers and security practitioners, serves as a standard measuring stick for software security tools that target these weaknesses, and provides a common baseline for weakness identification, mitigation, and prevention efforts. Like the OWASP Top Ten, the 2010 SANS/CWE list of the Top 25 Most Dangerous Software Errors is widely discussed as the "standard" of due diligence for developing secure applications in many large enterprises. Based on a subset of the CWE, the Top 25 is used by government and industry in procurement language that mandates application security.

Joe Jarzombek
Joe Jarzombek is the Director for Software Assurance in the National Cyber Security Division of the U.S. Department of Homeland Security (DHS). He leads government interagency efforts with industry, academia, and standards organizations to shift the security paradigm away from patch management by addressing security needs in workforce education and training, more comprehensive diagnostic capabilities, and security-enhanced development and acquisition practices (see https://buildsecurityin.us-cert.gov and http://www.us-cert/swa). After retiring from the U.S. Air Force as a Lt. Col. in program management, Joe Jarzombek worked in the cyber security industry as vice president for product and process engineering. He served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position. Throughout his career he has actively led process improvement initiatives, including serving on the CMMI Product Development Team and later on the CMMI Steering Group. He continues to co-lead efforts to integrate safety and security into integrated Capability Maturity Models (CMMs).