Positive Technologies in Software Development 2009

The conference Software Development 2009 under Central and Eastern European Software Engineering Conference CEE-SECR 2009 took place in Moscow. Since 2005, the conference is regularly attended by over 500 leading members of programming industry from Central and Eastern Europe. The CEE-SECR Program Committee consists of recognized software engineering experts from academia and industry of 12 countries.The list of key conference speakers includes well-known specialists from the global programming industry, international and regional experts, and the heads of high-tech companies.During the “Information security of computer-based systems” round table, Sergey Gordeychik, the Head of Consulting and Audit Department, Positive Technologies, made a speech. In the report “Application system security: Developer, auditor, user,” Sergey made a review of widespread application vulnerabilities and consequences of their exploitation by attackers.“Many vulnerabilities are detected by vendors at the stage of development, testing, and supporting, but some of them are detected by system owners, independent investigators, and auditors,” – Sergey noticed. In the speech, the questions of compliance with requirements of regulators in the terms of application system security (PCI DSS, federal statute 152 “About private data,” etc.) were raised. Sergey has told about existing practices of secure development, purchasing, and maintenance of application systems and approaches to interaction of vendors or resource owners with investigators discovering vulnerabilities. In the speech, Web Application Security Consortium Threat Classification version 2 was announced.