Company Blog

Cyber War and US Policy

I spent more time this year in Washington talking to policy makers than I have in past years. I’ve been to the White House, to the Pentagon, and to a think tank or two. One thing became clear: cyber security is a confusing field full of FUD and nonsense! Oh yeah, and the government is [...]

BSIMM Community Conference

We just hosted the first ever BSIMM Community Conference in Annapolis, MD this week. I’m proud to say it was a smash hit. The schedule was packed full of interesting talks from leaders among the BSIMM Community including Microsoft, Intel, Sallie Mae, JP Morgan Chase, QUALCOMM, Fidelity, Adobe and Cigital, but by far the most [...]

Technology Transfer: Static Analysis Enters the Mainstream

At Cigital we have always been concerned with moving software security into the mainstream. One obvious way to do this is through technology transfer. I am particularly proud of the role that Cigital has played getting security-focused static analysis out into the “mainstream.” Now that IBM owns Ounce and HP owns Fortify we [...]

Stuxnet p0wns the Physical World

If the code here (courtesy of Ralph Langner) looks unfamiliar, that means you’re probably not a process control engineer familiar with the Siemens Step 7 programming language. And if you are, software security is probably unfamiliar territory! This code turns out to be the payload of the Stuxnet worm, meant to be injected into the [...]

Software Security Crosses the Threshold in 2009

I have been tracking the software security market and publishing numbers since 2006. This year’s article is now available on InformIT: Software Security Crosses the Threshold. See these past (mysteriously named) articles for data from previous years:
InformIT (2008): Software Security Comes of Age: Space Approaches $500M threshold
InformIT (2007): Software Security Demand Rising
Darkreading [...]

Cigital Participates in White House Discussion on the Progress of the President’s Cybersecurity Efforts

On Wednesday July 14, 2010, US Cyber Security Coordinator Howard Schmidt convened a hastily called meeting of around 100 public and private sector security experts at the White House to explain the progress he has made in the six months since he joined the administration. I was there. In an unexpected and exciting surprise, President [...]

Silver Bullet Turns 50

It’s hard to believe that the Silver Bullet Security Podcast has been running for 50 consecutive months! Silver Bullet has thousands of listeners, and it’s always fun to produce. Writing the script usually takes an hour or two, and requires some advance research from Brandi Ortega of IEEE S&P fame. Then we do recording (almost [...]

BSIMM2

In March 2009 we announced the publication of the BSIMM—a measuring stick for software security. We’re pleased today to announce the publication of BSIMM2. We have tripled the size of the data set to thirty firms, including: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, [...]

Is Cyber War Inevitable?

Turns out that Richard Clarke is a national security policy wonk. I guess that fact is not that surprising if you knew that Mr. Clarke was once an Assistant Secretary of State working on nuclear arms control issues during the Reagan years. The general public knows Dick best as a key figure in counter-terrorism who [...]

Smart Grid equals Dumb Security?

I recently had the pleasure of giving a keynote at the NRECA annual conference in Atlanta. The conference brings together senior management and Board members from rural electric cooperatives throughout the country. Some coops are large in terms of the number of subscribers, and some are large in terms of geographic area covered (those numbers [...]
