LASCON 2017 has ended
Thursday, October 26 • 10:00am - 11:00am
It Was Broken When It Got Here! Security in your Software Procurement Process

Sign up or log in to save this to your schedule and see who's attending!

Feedback form is now closed.
In 2017, Software Security is reasonably well understood. Thanks to the hard work of organizations like MITRE, OWASP, BSIMM, Microsoft, OpenSAMM and others, we have moved to a much better software security landscape when compared to 10+ years ago. Of course vulnerabilities still exist, and are found with regularity, but these are typically addressed quickly and competently by the big software vendors. For example a new critical vulnerability in Windows will be fixed by Microsoft and patched efficiently in most enterprises in a matter of days to weeks. Most recently Google managed to fix an OAUTH vuln being exploited in a mass-phishing exercise in a matter of hours! But what about everything else you install in your company or use as a service? Not all product vendors have the same level of understanding or approach to security, and not all software is under the constant scrutiny of an operating system or widespread authentication mechanism.

As organizations we buy and install lots of third party software, ranging from desktop applications through to entire platforms or appliances. Who is checking that software is free of simple vulnerabilities? This issue of security for Commercial Off-The-Shelf (COTS) software, or Free and Open Source Software (FOSS), is often a complicated one. In this talk, we'll look at some case-studies of vulnerabilities found during penetration tests that were then used to forge compromises of companies. In each case, the flaws discovered and exploited had been within the products for a significant amount of time, providing a potential back-door into the company's internal network or data.

The session will culminate in advice and guidance for how to ensure that security is not an after-thought when purchasing new enterprise products for your company.

avatar for Kevin Dunn

Kevin Dunn

Senior Vice President for Consultancy, NCC Group
Kevin Dunn is Senior Vice President for Consultancy for NCC Group. Kevin has been a professional security consultant for over 15 years, working on diverse projects and challenging technologies for the world’s largest and most demanding companies. His current responsibilities include... Read More →

Thursday October 26, 2017 10:00am - 11:00am
Security Innovation Room

Attendees (8)