Currently, federal government organizations are not particularly focused on application layer security. The major reason is that federal organizations are driven primarily by compliance-related pressures. While FISMA presents a comprehensive approach to managing information security risk, the actual security controls defined within the NIST FISMA guidelines stress traditional network and platform security far more than application security. During this presentation, we will present the NIST Special Pub 800-53 security controls (a subset of the controls required to support FISMA compliance) that directly or indirectly imply the need to implement and assess application security. We will also present the components of the NIST Security Content Automation Program (S-CAP) that support application security. Finally, we will identify the gaps that remain in the drivers for federal government implementation of effective application security programs and provide recommendations on how to close those gaps.
Dr. Sarbari Gupta has been active in the information security industry for over twenty years as an entrepreneur, executive, architect, researcher, and software engineer. She is the Founder and President of Electrosoft, a technology company providing services to federal and commercial customers in the areas of identity management and information security. Dr. Gupta has written many technical papers and holds four patents. She has a PhD in EE and holds CISSP, CISA and CAP certifications.