The Cigital Software Security and Quality Blog

Remediation – The Game

(This is a guest post, contributed by Timothy Champagne, a consultant at Cigital.)

I have long been a fan of card games. During lunch breaks at work, my co-workers and I would often play such games to pass the time and socialize. I found myself thinking that this activity could not be unique to my office; countless others out there undoubtedly have similar routines. It occurred to me that there must be a way to harness this social gathering at work and turn it into a fun learning experience built around what I know best – software assurance and software security. After all, if people are going to play a card game, why not play one that can help ingrain the very ideas that Cigital has been trying to expound on for over a decade?

So I began designing Remediation, a card game that pits web application companies focused on generating revenue against the threat of malicious users focused on negatively impacting that revenue for their own nefarious motives. This is the very scenario that we encounter at Cigital on a regular basis and a theme that can easily transcend the commercial world and find relevance within the Federal space… an area of particular interest to me due to my work with the Application Software Assurance Center of Excellence (ASACoE) for the US Air Force.

Remediation has players compete to end up with the highest score while playing through real life software security scenarios. While taking on the role of either a company or a malicious user, the players take turns with the ultimate goal of playing the most revenue cards. The malicious users attack the company players with exploit cards, a SQL Injection attack for example, and score points in the form of revenue that the company loses by having their web application taken offline. The company players will then play cards, like a Database Restore, to recover from these attacks so their web applications return online and generate revenue for their own scores. Additionally, the company players can choose to spend some of that gained revenue to play cards that represent an investment into advanced security techniques that can prevent specific attacks against their applications, such as the game’s namesake, a Vulnerability Remediation card. At its heart, Remediation conceptualizes how various exploits could affect a web application and what measures would need to be taken in order to recover from these situations.

With its focus on software security themed gameplay, one of the primary goals for Remediation is for it to be useful as an educational tool. In today’s increasingly web-centric environment, it is more important than ever for developers to be able to think like an attacker and stay one step ahead of the threats that plague web applications every day; this game is designed to instill that mindset by presenting specific examples of how an attacker might target a system. As for managers, it is absolutely vital to understand how these risks might affect the successful conduct of business; the game works on this level by not only showing how these types of attacks can harm a company, but also how Cigital’s service offerings can help protect against these threats. By mirroring real life situations, Remediation strives to impart crucial skills that will help improve the players’ real world security posture outside the game.

Of course an additional goal would be to have a fun game with replay value so that the game could have a life of its own and introduce future players down the road to software security and how Cigital fits into this picture. Email us at remediationthegame@cigital.com if you’re interested in getting a copy of the game for yourself.

Software Security Crosses the Threshold in 2009

I have been tracking the software security market and publishing numbers since 2006. This year’s article is now available on InformIT: Software Security Crosses the Threshold.

See these past (mysteriously named) articles for data from previous years:

The Figure above shows in millions of US dollars how the four major segments of the space have grown since 2006, from a total of $293.9 million (2006) to a total of $554.4 million in 2009. Note that even stronger growth is evident midway through 2010.

Analysis and details are available in the informIT article.

Input Validation and Data Dictionaries

Our internal discussion board brought up the topic of input validation last week. The discussion was around the regex for validating an email address. The message was that what seems like a very simple input validation can get complicated if the full standard is supported. As I read the discussion I started thinking about Data Dictionaries and their failed attempt to standardize data definitions within an enterprise.

The history lesson here is that around the time that database management systems were becoming commercialized (1980s) there were products called data dictionaries or data repositories. The idea was that metadata should be kept outside of the DBMS and shared by all of the application code. In the data dictionary nirvana, there would be ONE definition of EmployeeID for the entire enterprise and all applications and databases would share this one definition.

Fast forward to 2010. Where are these products today? Just about every client I walk into has a commercial DBMS (Oracle, Microsoft or IBM), but nowhere do we encounter data dictionaries. Why? Because they never got deployed. What enterprises found out is that no one could agree on what an EmployeeID (or any other piece of data) looked like. Sometimes it was politics; sometimes it was acquisitions; sometimes it was I18n. Whatever the reason, the bottom line is the same – there are precious few common data definitions in any enterprise.

So, how in the world does one expect to do input validation against data when there are only a precious few data definitions that accurately describe that data? This seems like a path that will only lead to the same quagmire that data dictionaries fell into.

For the curious, the regex for email addresses is:

(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])

(from http://www.regular-expressions.info/email.html)

Thanks to David Lindsay for the reference.
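To make the post's point concrete, here is an added example (not code from the post or its author): the full RFC 5322 pattern quoted above, compiled in Python, beside a deliberately simple pattern of the kind developers usually write first, both applied to a few constructed addresses so the two competing "definitions" of an email address can be compared on the same input.

```python
import re

# The full RFC 5322 address regex quoted in the post (from regular-expressions.info),
# split across adjacent string literals only so it fits on the page. The pattern lists
# lower-case letters only, so it is compiled case-insensitively.
RFC5322_EMAIL = re.compile(
    r"(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r'|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]'
    r'|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")'
    r"@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?"
    r"|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]"
    r"|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])",
    re.IGNORECASE,
)

# A simple "looks like an email" pattern, constructed for this example to stand in
# for the quick regex most validation code starts with.
SIMPLE_EMAIL = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)


def classify(address: str) -> tuple[bool, bool]:
    """Return (simple_accepts, full_accepts), matching the whole string in both cases."""
    return (
        SIMPLE_EMAIL.fullmatch(address) is not None,
        RFC5322_EMAIL.fullmatch(address) is not None,
    )


# Constructed sample inputs chosen to show where the two definitions diverge.
SAMPLES = [
    "john.doe@example.com",      # plain address: both accept
    '"john..doe"@example.com',   # quoted local part: only the full regex accepts
    "john..doe@example.com",     # unquoted consecutive dots: only the simple one accepts
    "user@[192.168.1.1]",        # IP-literal domain: only the full regex accepts
    "user@-example.com",         # label starting with '-': only the simple one accepts
    "user@example",              # no dot in the domain: both reject
]


def disagreements(addresses=SAMPLES) -> list[str]:
    """Addresses on which the simple and the full definition give different answers."""
    return [a for a in addresses if len(set(classify(a))) == 2]


if __name__ == "__main__":
    for a in SAMPLES:
        simple, full = classify(a)
        print(f"{a:26} simple={str(simple):5} rfc5322={full}")
```

Four of the six samples are classified differently by the two patterns, which is the post's point in miniature: the two regexes are two different data definitions of "email address", and a system that mixes them has no single definition to validate against.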

Identity Encapsulated Key Management

As part of my work on the Trust Cloud Initiative, I’ve had some discussions with the folks at PGP about their Key Management Server. At first, I was “ho-hum, key management”, but there’s more going on here than I had assumed. The way this software manages keys is more like a key ring. The implication is that an identity can then have a set of additional keys associated with it and the server will manage these “identity encapsulated” keys. The notion of “identity encapsulation” is actually that of Liam Lynch from eBay who is heading up the TCI.

Cigital Participates in White House Discussion on the Progress of the President’s Cybersecurity Efforts

On Wednesday July 14, 2010, US Cyber Security Coordinator Howard Schmidt convened a hastily called meeting of around 100 public and private sector security experts at the White House to explain the progress he has made in the six months since he joined the administration. I was there. In an unexpected and exciting surprise, President Obama stopped by the meeting and spoke for 15-20 minutes.

Here is a picture I took of President Obama addressing the meeting. Howard Schmidt is to the far left. Beside him is Department of Homeland Security (DHS) Deputy Undersecretary Phil Reitinger. The moment President Obama entered the meeting was electric. Attendees immediately stood and gave him an ovation. The room was energized, and the President’s charisma was palpable. I, for one, was proud to be there.

In addition to remarks from President Obama and Howard Schmidt, the meeting was addressed by two cabinet Secretaries—Janet Napolitano, Secretary of DHS, and Gary Locke, Secretary of Commerce. The invitation-only event included members of the Administration, state and local government officials, law enforcement officers, select industry executives, academics and representatives from privacy and civil liberties groups. Attendees who I know included Matt Blaze, Carl Landwehr, Ed Amoroso, Marc Rotenberg, Eugene Spafford, Mischel Kwon, and John Savage.

I wrote up my thoughts on the meeting in an informIT article “Obama Highlights Cyber Security Progress: Private Sector Security Experts Convene at the White House to Discuss the National Cyber Security Agenda.”

Howard described his impressions of the meeting and its purpose on the White House blog. An official progress report is also available there.

Speaking at CISSE on 6/8

I’m speaking at the 2010 Colloquium in Baltimore on Tuesday 6/8 on Cloud Security. Here’s the abstract.

Cloud Security: Don’t Be Late to the Party

Cloud computing is here to stay. No amount of security whining will stop the cloud, and yet as the cloud revolution sweeps IT it behooves us to pay close attention to security and privacy concerns. If, as everyone says, security is a process and not a thing, what processes and procedures do we need to put in place to secure cloud computing? How do you build security into something that you don’t entirely control? These and other important questions are the focus of this talk. I will discuss: how cloud computing changes the nature of software design and development, the cloud security threat-scape, and the different flavors of cloud implementation and their security ramifications. Whether your organization is just kicking the tires or moving into more serious pilot projects, it’s never too early to begin addressing the changes cloud computing will impose. I will discuss what can be done today in terms of both technical and contractual mechanisms.

Silver Bullet Turns 50

It’s hard to believe that the Silver Bullet Security Podcast has been running for 50 consecutive months! Silver Bullet has thousands of listeners, and it’s always fun to produce. Writing the script usually takes an hour or two, and requires some advance research from Brandi Ortega of IEEE S&P fame. Then we do recording (almost always over the phone) and post production mixing to add in the music.

For our 50th episode, we decided to shoot some HD video of our interview with Richard Clarke. Ryan and I bought some cheap digital cameras, (really importantly) some lights, and a “clapper”, which we drove out to Arlington for the shoot. We recorded audio separately with boom mics and a USB mixer. Then came the video editing…

And the result? Check it out yourself here:


It amazes me what you can do for less than $1000 bucks with video these days. Shouts to Marcus Ranum for the photography advice. Thanks Ryan for the extra effort on this episode! And also thanks to IEEE Security & Privacy magazine for co-sponsoring the podcast.

We hope you like Silver Bullet, and we welcome your feedback on the Silver Bullet website. Subscribe today via RSS or on iTunes.

BSIMM2

In March 2009 we announced the publication of the BSIMM—a measuring stick for software security. We’re pleased today to announce the publication of BSIMM2. We have tripled the size of the data set to thirty firms, including: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, Microsoft, Nokia, QUALCOMM, Sallie Mae, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and Wells Fargo.

BSIMM2 is available for free under the creative commons license from bsimm2.com. Download your copy today.

The BSIMM2 document itself is 53 pages. A concise treatment of the results can be found in this month’s informIT column in an article titled “BSIMM2: Measuring the Emergence of a Software Security Community.”

Our study represents the work of 635 people who are members of the 30 firms’ SSGs. Together, the firms have a collective 130 years of experience planning and executing 30 software security initiatives. Among other results, we have identified 15 core BSIMM activities.

We think the descriptive nature of the BSIMM study is an important characteristic of the work. We describe not what you should do for software security, but what successful software security initiatives are actually doing. Use BSIMM2 to measure your own software security initiative and compare it to others.

Trusted Cloud Initiative

I just moderated a panel on security within Cloud Computing environments. Many of the questions from the audience were about how to trust cloud computing environments. Trust is such a loaded word and I couldn’t tell from the participants if they were looking for a bunch of bolt-on controls or something more holistic.

At RSA, the Cloud Security Alliance announced the Trust Cloud Initiative (TCI). The purpose of the TCI is to take the CSA guidance a couple of steps forward in defining trust by defining both a reference architecture as well as a way to certify cloud services.

There are three sub-groups working on the distinct areas of trust we believe are needed:

  • Architecture – definition of the required security controls as well as the relationships, constraints and patterns of usage
  • Certification – ways of discovering the security controls provided by a particular cloud computing environment and measuring their ongoing usage
  • Reference Implementation – working prototypes and demos of the architecture to prove out the architecture

More information on the TCI can be found on the CSA website.

Anyone interested in volunteering their time to work in one of the subgroups can contact me and I’ll help you get hooked into the TCI effort.

Is Cyber War Inevitable?

Turns out that Richard Clarke is a national security policy wonk. I guess that fact is not that surprising if you knew that Mr. Clarke was once an Assistant Secretary of State working on nuclear arms control issues during the Reagan years. The general public knows Dick best as a key figure in counter-terrorism who famously testified before the 9-11 commission and then became enmeshed in partisan battles. Those of us on the front lines of cyber security know Dick best as one of the first political types to focus real attention on computer security. For that, we owe Dick a major thank you.

In his new book Cyber War, co-authored by foreign policy expert Robert Knake, Mr. Clarke confronts an important topic too often swept under the rug with the burgeoning pile of security FUD—the notion of cyber war. US citizens have every right to worry about cyber war given our risk exposure. The risks of cyber war and some of the potential consequences are impressively covered in the book and even include doomsday scenarios that are getting Dick into hot water with the hipsters at Wired. Consider how little North Korea depends on the Internet (ok, they are only barely scraping by as a society), then consider the same dependency in the US. See the problem?

One of the challenges of discussing computer security rationally in the Internet Age is that devastating consequences always seem hyperbolic, even when they’re not. Turns out that taking down the power grid with a cyber attack is not outside the realm of possibility. I’ve been told by people who actually engineer and run the grid for a living that inflicting permanent damage taking years to fix is more than possible given current design. Nor is the notion of an Information Warfare attack preceding “kinetic” involvement with explosive chunks of metal some kind of idea from Mars. One of the coolest stories in the book involves the Israeli destruction of the ill-fated Syrian nuclear facility. Scary? Yes. Hyperbolic? Not so much.

There are a few technical nits to pick, of course. Calling out the Estonian DDoS attack (most likely perpetrated by the Russians) as some kind of major cyber attack is a bit over the top. DDoS attacks are the stuff of script kiddies and solutions that thwart them are over a decade old. Most problematic of all is the overemphasis on network security mechanisms and ISPs as proposed technical solutions to the problem. I know Ed Amoroso (CSO of AT&T) believes that security defenses and monitors need to be put in place in the tier-1 ISPs, and it’s very clear that he has convinced Dick of that. But as a computer security expert, I am skeptical of that solution. In my view, the only way we can properly address the cyber war problem is by attacking software security head on. Fortunately Dick says the right things about software vulnerability, demonstrating a nuanced understanding all too rare among politicals.

From a policy perspective, the ideas in Cyber War are fresh, new, and important. Dick’s mastery of arms control strategy comes to the fore when he discusses various ideas about cyber war non-proliferation. I must confess that my knowledge of such things is rudimentary at best. I wonder, probably naïvely, how we can think of controlling something as invisible as cyber attack capability (not to mention Trojan Horses and logic bombs) when we can’t even stop Iran from refining uranium like the complete nut-jobs that they are. But SALT II and START came from somewhere, and they have been a very good thing for the world.

Some of my foreign colleagues in computer security (but not all, see this posting from Italy for example) wonder why we are so obsessed with cyber war in the States. They are not sure why we are the only society openly discussing these things. Perhaps they hear the drums of war beating again as they did in the impressively-orchestrated and utterly-delusional run up to the Iraq war. More likely I think the answer to that question lies in understanding just how vulnerable we are in the States. We may not be the most wired country in the world from a consumer perspective, but we’re the most wired country in the world from a critical infrastructure perspective. Cyber war is a serious problem that calls out for serious solutions.

In final analysis, I think it behooves every computer security person to read this book and think through its points carefully. Even if you disagree with some parts of the book (as I do), we must do what we can as technically adept citizens to involve ourselves in the political discourse around cyber war. Dick does an excellent job getting the conversation started.

