Key Note Speakers
Above all else, Secure Development World offers its Attendees the invaluable opportunity to learn from the industry's most accomplished and skilled presenters. Our Speakers boast a wealth of expertise in secure development and will be available to share their insight with you throughout the duration of the Conference. Register now to become part of the ultimate Meeting of the Minds.
Our roster of Speakers is growing exponentially. Secure Development World will post their respective biographies as we receive them.
Gary McGraw, CTO, Cigital
Gary McGraw is the CTO of Cigital, Inc. (www.cigital.com), a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best-selling books on this topic. The latest, Software Security: Building Security In, was released in 2006 (www.swsec.com), with Exploiting Online Games slated for release this year. His other titles include Java Security, Building Secure Software, and Exploiting Software, and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for darkreading.com, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (www.cigital.com/silverbullet).
Software Security: Building Security In, Gary McGraw
Software security has come a long way in the last few years, but we’ve really only just begun. I will present a detailed approach to getting past theory and putting software security into practice. The three pillars of software security are applied risk management, software security best practices (which I call touch points), and knowledge. By describing a manageably small set of touch points based around the software artifacts that you already produce, I avoid religious warfare over process and get on with the business of software security. That means you can adopt the touch points without radically changing the way you work. The touch points I will describe include:
- Code review using static analysis tools
- Architectural risk analysis
- Penetration testing
- Security testing
- Abuse case development
- Security requirements
Like the yin and the yang, software security requires a careful balance: attack and defense, exploiting and designing, breaking and building, bound into a coherent package. Create your own Security Development Lifecycle by enhancing your existing software development lifecycle with the touch points.
John Viega, VP & Chief Security Architect, McAfee, Inc.
John Viega is vice president and chief security architect at McAfee, Inc. In this role he is responsible for McAfee Avert Labs' engineering efforts, including tools, automation and the technology of the anti-virus engine. In addition to his work with the company's world-class security threat and research organization, Viega is also in charge of product security strategy, leading security audits of code, and helping to shape the technical directions for the product lines at McAfee. Viega is a well-known security expert and cryptographer and has co-authored several books, including Building Secure Software, Secure Programming Cookbook, Network Security with OpenSSL and The 19 Deadly Sins of Software Security. Prior to joining McAfee, Viega was founder and chief technology officer of Secure Software.
Building a Cost-Effective Application Security Capability, John Viega
Companies that produce software inevitably produce insecure software. Such organizations are worried that, if their dirty laundry airs, they will suffer brand damage, and possibly even legal exposure. But they have no good guidance for building an application security program, particularly one that is both cost-effective and provides demonstrable results. This talk will leverage real-world examples of application security programs. It will illustrate the most common activities organizations attempt, and show which ones are best practices and which ones tend to provide little return on investment (including popular activities such as Threat Modeling). It will explore tools and technologies that can be applied, focusing not only on their value but also on their hidden costs and pitfalls. We will show how to roll out a program incrementally, starting with a single task. We will place great focus on measuring success for your program and on introducing accountability for the people who are responsible for implementing it. We will show how to build that capability into a world-class capability in a short time and on a tight budget. We will start by examining the seven application security best-practice areas and evaluating the costs, benefits, prerequisites and risks in each area. After dissecting application security best practices, we will look at how to build a reasonable, effective strategic plan around them, and at how to sell the plan, both before and during execution.
Mary Ann Davidson, Chief Security Officer, Oracle Corporation
Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Sharing and Analysis Center (IT-ISAC), is a member of the Global Chief Security Officer Council and the editorial advisory board of SC Magazine. She was recently named one of Information Security's top five "Women of Vision" and is a 2004 Fed100 award recipient from Federal Computer Week.
Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.
State of the Art in Secure Development, Mary Ann Davidson
Over the past few years, secure development has morphed from a "want to do" to a "must do," and many organizations have made changes accordingly to embed security within product development lifecycles. How successful has this been, and what remains to be done? Have we achieved true structural change in the IT industry, or just hired a clever interior decorator? What is working, and what is effective in changing minds and mores? Can we truly make security measurable, and if so, how can metrics help us manage, rather than tyrannize us into managing by numbers? Have we reached our goal, or are we, like Zeno of the paradox, halfway to the goal line but never actually there?
Michael Howard, Senior Security Program Manager, Microsoft
Michael Howard is a senior security program manager in the Security Engineering team at Microsoft and an architect of the security-related process improvements at the company. He is the co-author of many security books, including the award-winning Writing Secure Code, 19 Deadly Sins of Software Security, The Security Development Lifecycle and Writing Secure Code for Windows Vista.