PSQT
2007 West
May 7-11, 2007
Las Vegas, NV

The Five Most Dangerous Application Security Vulnerabilities - and How to Test for Them
Ed Adams
CEO of Security Innovation and Founder of AppSIC


The most difficult problems of IT security are found at the application layer, and the exploitability of applications due to poor design has reached epidemic levels. Perimeter and network defenses are not enough to protect organizations from attacks, and many software teams possess neither the tools nor the expertise to properly secure their applications. This presentation by a security expert will highlight the top five security vulnerabilities that testers face today and offer practical how-to tips for testing applications with a security mindset. In the first part of the talk, we examine the fundamental (and often misunderstood) difference between functional and security testing:

  • Describe (and provide examples of) how security bugs differ from functional bugs, and how to quickly identify the symptoms of security vulnerabilities.
  • Introduce a fault model to help testers conceptualize security vulnerabilities and recognize the range of vulnerabilities and threats to which an organization's information assets may be exposed.
  • Discuss the difference between a user or functional tester, who looks to ensure that all specified functionality has been completed as specified, and the abuser or security tester, who looks to discover “extra functionality” that an attacker could leverage to compromise the system.

The session will also touch upon a few other critical aspects of application security testing:

  • Why security is so necessary, from a purely cost-analysis standpoint as well as for public opinion of the company
  • Why it is much harder to address security problems after the application has shipped
  • Functionality and performance vs. security – are trade-offs necessary?

Ed Adams is a seasoned software executive with successful business experience in organizations of various sizes that serve the IT security and quality assurance industries. As CEO, Mr. Adams leverages his technical and business skills, as well as his broad industry experience, to direct renowned application security experts and deliver world-class services, technology and intelligence to many of the most recognizable technology companies in the world, including Microsoft, IBM, Symantec, SAP and HP. Mr. Adams is also the founder and business owner of the Application Security Industry Consortium, Inc. (AppSIC), an association of industry technologists and leaders that helps establish and define cross-industry application security guidance and metrics.

Prior to Security Innovation, Mr. Adams was senior vice president at Ipswitch, Inc., where he directed more than half of the company to substantial revenue growth and major structural and strategic direction shifts. Mr. Adams was also vice president of marketing and certification for VeriTest, a division of Lionbridge Technologies, and held a senior management role at Rational Software (now IBM), where he derived many of the software quality and business concepts that add significant value and credibility to the initiatives he brings to Security Innovation. Mr. Adams also held senior management positions with Logistic Solutions, MathSoft, Foster-Miller and two US Army Research Labs.

Mr. Adams has presented at thousands of seminars and software industry conferences, as well as to numerous universities and private companies. He has contributed written and oral commentary to media outlets such as SC Magazine, CIO Update magazine and New England Cable News. He has also written numerous whitepapers on software quality and security, including “Security by Design”, “Why is Application Security so Elusive”, “Achieving Quality by Design” and “The Business Argument for Investing in Test Automation”.

Mr. Adams earned his MBA degree with honors from Boston College, holds B.A. degrees in Mechanical Engineering and English Literature from the University of Massachusetts, and has been an active member of the software quality industry for more than a decade.