FISMA News
Ounce Labs Enlists Leading Security Experts to Raise Awareness of Software Security and Develop Best Practices
(July 17, 2007) -- Ounce Labs, a pioneer in software risk management, announced the formation of an Advanced Research Team (ART), a group of leading security experts dedicated to raising awareness of software security and to developing best practices for incorporating application security into the software development lifecycle. The team will conduct research and develop practical methods that organizations can use to analyze and eliminate software security vulnerabilities and strengthen enterprise security.
Enterprises today depend on software applications to run their businesses, but many of those applications contain vulnerabilities that attackers can exploit to gain access to private and sensitive information. With application-level attacks on the rise, organizations are looking for expert advice and guidance on how to proactively identify and eliminate existing security vulnerabilities and prevent new ones from being introduced.
"Understanding and managing risk in application software takes deliberate effort. We've brought together industry-leading software security experts to play a key role in increasing the security of today's and tomorrow's business-critical software," said Hugh Scandrett, CEO of Ounce Labs. "The Advanced Research Team is focused on helping organizations implement best practices, catch common mistakes, and make the security process more efficient and consistent."
The Advanced Research Team members include:
Ryan Berg, Co-Founder and Chief Scientist of Ounce Labs. In addition to advancing the state of the art in application security technologies, Berg is an instructor and author in the fields of security, risk management, and secure development processes. He holds patents, with others pending, in multi-language security assessment, kernel-level security, an intermediary security assessment language, and secure remote communication protocols. In the late 1990s, he also designed and developed the infrastructure for GTE Internetworking/Genuity's appliance-based managed firewall and security services.
Dinis Cruz. With an extensive career in source code security, penetration testing and security curriculum development, Cruz is one of the world's foremost consultants on application security. He has achieved prominence through his role in OWASP, the Open Web Application Security Project, as a board member and its Chief Security Evangelist. He also acts as a senior security consultant and trainer for companies such as Foundstone, Vigilar and Infosys.
Cristian Borlovan. Borlovan's extensive experience in the design and implementation of complex enterprise J2EE systems gives him a comprehensive perspective on the software development lifecycle and how it relates to security. He applies risk management and proactive security principles to assist clients at every stage of the software development lifecycle in the analysis, refinement, and creation of software development artifacts and processes. Borlovan has experience developing enterprise security frameworks, and his research background includes software reverse engineering work for the Air Force Research Laboratory (AFRL) at Wright-Patterson.
Bruce Mayhew. Mayhew has 20 years of software development experience, with the last 8 years focused on application security. He created an application security practice and training curriculum for large financial institutions and has been a Web Application Security Course instructor for the SANS Institute as well as in other corporate training environments. He was instrumental in bringing WebGoat to OWASP and currently leads the WebGoat project; WebGoat is a deliberately insecure training application used to teach web application security principles to people who are new to the field.
Ounce Labs solutions enable organizations to identify, prioritize and eliminate business risk to the enterprise caused by software security vulnerabilities. With Ounce Labs, organizations strengthen application security, protect confidential information and verify compliance with both internal policies and industry mandates such as PCI, FISMA and HIPAA.