Software Security Touchpoints
When All You Have is a Hammer…
We’ve probably all experienced organizations that rely principally on a single assessment technique (whether it be static or dynamic, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making use of [...]
Moving to Mobile – New Threats
A ‘move to mobile’ represents an ideal opportunity to revisit threat modeling. The natural question: how do my threats change when I bring a model channel into my existing application?
Scrap Static Tools, just “Fix your code”?
Recently, Gary and I collaborated on an InformIT article on static analysis. you will find our observations regarding static analysis shared by others. It’s encouraging to note that Flash Sheridan observes many of the same difficulties and more formally treats them in his ISSRE ’10 publication. It’s worth a read. A few commentators shared some [...]
Increasing Static Visibility
Sometimes, people talk loosely about an important difference between static and dynamic analyzers. Static analyzers, they say, achieve 100% coverage. They may complain that dynamic tools struggle to get even double-digit statement coverage of an application under test. Dan Cornell wrote a blog post on static analysis coverage. He observed that while the static tool [...]
Strengthening Software Security through collaboration
This is a guest post from Brian Mizelle, a managing principal at Cigital. Today, Microsoft announced the launching of its SDL Pro Network. Cigital is proud to be part of this pilot offering, and pleased to continue to take the message (and the delivery) of software security to the market. As a network of independent [...]
Software security is growing
In April 2007, I published a darkreading article on the size of the software security space with some analysis of what was happening. It took me a bit longer to gather the numbers this year, but I finally got what I needed and published an informIT article recently explaining how software security is growing. I [...]
On Open Source
There has been a recent flurry of activity regarding security assurance on a hush-hush open source mailing list I lurk on. The debate recently has to do with formal methods versus code scanning… apples and oranges in my view. However, there’s a new flurry of press over Coverity’s use of their tool to analyze well-known [...]
Sharing architecture ideas with the community
We’re pleased to have a guest blogger for this Justice League entry. Michael Cohen is a Senior Security Consultant at Cigital where he is responsible for leading, assessing, architecting and implementing secure software for Fortune 500 companies. Michael also works with Cigital teams on enterprise-wide security solutions intended to improve an organization’s security posture and [...]
From the foreword to Secure Programming with Static Analysis
This is the foreword that I wrote for Brian Chess and Jacob West’s excellent new book Secure Programming with Static Analysis. I recommend this book for all software security practitioners. Developers, in particular, will find the book extremely helpful. For more on other books in the software security series, see http://www.buildingsecurityin.com. On the first day [...]
A Mini-Architecture for Security Guidance
Benjamin Tomhave wrote about “tiering” security guidance when I cross-posted a comment to my last blog entry on the SC-L mailing list. Quoting him: The higher up you are in the policy framework, the more general and time-enduring the content should be. The farther you progress down the framework to a more detailed level, the [...]
