
SDL


Security Development Lifecycle (SDL) is the recognition that writing software first and testing it for security second is not the right approach. Security, for all of its publicity, is fundamentally a code quality issue. I can show you how to improve processes in ways that add quality to your application, reduce expenses and result in more secure applications.

Typical Security Review Failure Rates

Posted by Ken Graf on January 31, 2009
Failure rates

In a study of 300 applications, the first application security review almost always (92%) resulted in failure. Typically my review was the first time the application had been reviewed for security. After a few weeks spent implementing process changes and fixing bugs, a second review reduced the failure rate to 20%.

A third round of reviews showed that additional applications could pass, but it highlighted SDL and systematic issues in about 8% of all organizations.

Key take-aways:

1) Applications that have not considered security are almost always insecure; this is what the press loves to report.

2) Most applications can readily adopt process changes to become secure; this is the security vendors' little secret.

3) Around 10% of organizations have difficulty implementing the required process changes. There are a variety of factors involved that I would be happy to discuss with you in more detail.

Original paper based on my work for Watchfire:

Introduction to Application Security

Posted by Ken Graf on January 14, 2009

In 2005 I presented an introduction to Application Security at the Microsoft Developer Conference. The complete presentation is provided below. It is a quick read for those getting started with what the problems actually are, why they happen and, at a high level, what you should do about them.

The approach is to embrace security as a holistic process. When properly implemented, this approach not only yields more secure applications but actually improves quality and drives down development costs. And in these economic times, who doesn't want to reduce costs?

Original presentation at the Microsoft Developer Conference in NYC:

Training

Posted by Ken Graf on January 4, 2009

While most of our engagements are collaborative and process oriented, sometimes teams or individuals need to understand "that security stuff".

We have created and delivered training on a wide range of security topics to organizations worldwide. Class sizes have ranged from private 1-on-1 lessons to trade-show-sized rooms with hundreds of attendees. Class length ranges from short one-hour webinars to seminars delivered over several weeks. We currently provide the following standard training offerings:

Secure Web Application Design - Seminar

This is a 400 level class for web application architects. The seminar is a graduate level course delivered over 10 weeks. Complete description and agenda, TBD

How to test applications for vulnerabilities - One day

This is a 200 level class applicable to anyone involved in the creation, execution or management of web application testing. The class will show: what web application attacks are, how testing can find vulnerabilities before an attacker does, and how to use the testing tools. Complete description and agenda, TBD

Introduction to Web Application Security - Half day

This is a 100 level class applicable to the entire application team. The class will show: what web application attacks are, why they happen, the progression an attacker will use and what you can do about it. Complete description and agenda, TBD

About our classes:

◊ The instructors have presented material to all knowledge levels, worldwide.

◊ Some of the better known clients have included: Microsoft, U.S. Army, Fidelity Investments, Hewlett Packard, GTE CyberTrust, Booz-Allen Hamilton, PriceWaterhouseCoopers, Hong Kong Post, Royal Bank of Scotland, Identrus, Girl Scouts and the New York State government.

◊ All training is informational, entertaining and lesson based.

◊ Customized (personalized) training is also available.

◊ We are not aligned with any product vendor. We provide unbiased vendor neutral information.

Microsoft Dev Conference

Posted by Ken Graf on October 14, 2005

In 2005 I presented an introduction to Application Security at the Microsoft Developer Conference. The complete presentation is provided below. It is a quick read for those getting started with what the problems actually are, why they happen and, at a high level, what you should do about them.

The approach is to embrace security as a holistic process. When properly implemented, this approach not only yields more secure applications but actually improves quality and drives down development costs. And in these economic times, who doesn't want to reduce costs?

Original presentation at the Microsoft Developer Conference in NYC: