Company Blog
BSIMM2: The Magic Number 30
BSIMM2 is the 30 firm version of BSIMM. I wrote up an article with Brian Chess and Sammy Migues (my BSIMM co-creators) called “Software [In]security: What Works in Software Security — Fifteen Common Activities from BSIMM2.” In addition to highlighting the fifteen most common BSIMM activities, the article also provides the 30 firm data for [...]
I Repeat Myself When Under Stress, I Repeat Myself When Under Stress
Apparently the time has come to re-release the SANS/CWE 25 — something that we can expect annually. The good news is that exercises like this do plenty to hype up software security and its importance. In fact, in many ways the target of these lists is “the reporters who cover software security.” So hype = [...]
BSIMM update
The BSIMM study data set has more than tripled in size and now includes data from 30 firms. We are busy working with Betsy Nichols to crunch the numbers now that we have a statistically significant data set. The plan is to announce our results at RSA. One question that comes up in the BSIMM [...]
Howard Schmidt Cybersecurity Czar
Our sincere congratulations to Howard Schmidt for taking on one of the most important jobs in computer security—US Cybersecurity Coordinator for the White House. Howard knows what he’s getting into, because he already did it once. (You’re crazy Howard!) Here’s what the White House has to say. Back in July I talked about what I [...]
You Need a Software Security Group (SSG)
The BSIMM study focuses attention on software security in large organizations and just at the moment covers the work of 1554 full time employees working every day in 26 software security initiatives. One phenomenon we observed consistently in the BSIMM is that every large initiative has a Software Security Group (SSG) to carry out and [...]
Startup Lessons
Interacting with academia is an important part of what I do as CTO of Cigital. Though I have been known to lecture at Stanford, CMU, Cornell, Harvard, NC State, Purdue and a bunch of other places, I have a special place in my heart for the University of Virginia (where I studied Philosophy as an [...]
Is “Software Protection” Software Security?
I am the editor of the Addison-Wesley Software Security series. When Christian Collberg came to me with an idea for a book about software protection, I had a really hard time figuring out whether or not it belonged in the series. Christian is a brilliant researcher and an important guiding light in the field. But [...]
Moving Cybersecurity Past Cyberplatitudes
John Pescatore from Gartner convened a virtual panel on the cybersecurity issue at the 2009 Gartner Information Security Summit. I provided a video for the panel answering two questions that John posed. The two questions get to the heart of the cybersecurity issue: Question 1: What should the US government do to drive real improvements [...]
New Security Reads
IEEE S&P: Securing Online Games (vol.7, no.3) IEEE Security & Privacy magazine remains the most important trade periodical on security published today. Though the content is on rare occasion esoteric, the magazine is always technically accurate and detailed. Only a peer reviewed publication can offer readers a look at computer security as a science. Think [...]
Twitter Security
I just published a little ditty on Twitter security that is bound to get some interesting feedback. My bet is that much of the feedback is less than 140 characters long! My friend Joe Faber (of Spaghettios fame) sent me this Youtube video, which I think sums up Twitter nicely: Your longer feedback is welcome [...]
