Company Blog

If it’s so hard, why bother?

Recently, internal and external discussion hit on the topic of static tool comparison. The difficulty of this topic caused me to write up my thoughts as what became an InformIT article. This prompted some to respond, “If selecting and adopting a tool is so hard, even for experts, why should I bother?” Good question. The [...]

Wait, my mom’s driving innovation–not me?

A short one ‘real quick’: I get simultaneously nostalgic and aspirational as holidays and year-end planning bear down on me. Wondering how to innovate and how to get that innovation into use takes a fair amount of my attention. I wrote a blog post in ’07 on how to get some of that innovation stuff [...]

Machinations Over O2

As I drove Dinis to the final day of AppSecDC he (as often is the case) had his laptop open. We traded ideas regarding the future of O2, support, and other broader issues about the future of software security. As we discussed or machinated over word choice, I found myself in near-complete agreement with him: [...]

Vendors in an Open-Source Security Community

I’ve been thinking about this for a while and the tone of this year’s OWASP Global Summit has brought the topic to the forefront. OWASP, as many of you know, is a fiercely open source community. At times, participants defend its open and freeness a bit aggressively for my taste. Sure, open and free are [...]

AppSec DC ’09

After what must have been an incredible amount of leg-work a cabal of folk from the DC OWASP chapter are putting on the AppSec DC conference. The conference will also play host to the ’09 OWASP Global Summit. I hope to see you there. Especially those of you practitioners from within organizations’ security groups–I feel [...]

Security and ‘time’

Ben Tomhave wrote a decent post musing “Which came first: The Software or The Security?”. In particular, Ben asks whether the response an organization has to its security problems should possess a time component. “Yes”, he answers his own question emphatically. I agree, and for a few reasons worth expounding on. …the only difference between [...]

Follow-up: Integrating Assessment Tools

My last post spawned some questions, which I responded to in turn. Here was my response: [Adapters] Adapters for assessment results can take a few forms, but let’s address three specific scenarios that fan-in to an assessment results/presentation step and a few that fan-out. [Fan in] Fan in typically comes from three sources: 1) static [...]

Maturity Models vs. Top 10 Lists

A few back, I wrote about Maturity Models vs. ASVS. On SC-L, a ‘discussion’ broke out regarding Maturity Models (MM) vs. Top N lists. Like ASVS, Top 10 lists target a different problem than MMs. In particular, the discussion focused around how one should enhance their assessment practices. I’ve edited and reproduced my SC-L post [...]

Security folk often carry Macs, is that an endorsement?

The Geekonomics blog is often good. A new post indicates Apple’s veneer of being more secure than Microsoft is cracking. It was only a matter of time. I wanted to clarify that though you see a lot of security consultants carrying Macs, in Cigital’s case, it’s not an endorsement. Again, in the interest of disclosure: though [...]

Improving Software Security (Maturity Models and Their Ilk?)

Ben Worthen broke the BSIMM story on wsj.com as was posted earlier. I was shocked when someone said, “Oh and ASVS is also available, great” on an OWASP list. Super, I thought, but I don’t understand the connection. When I looked at the WSJ site, I noticed Jim Manico (of OWASP, Aspect, and ASVS fame) [...]
