Archive for October, 2008

Software Security Framework

Wednesday, October 15th, 2008

Brian Chess and I just published an article on the Software Security Framework displayed below.

Governance              Intelligence                    SDL Touchpoints          Deployment
Strategy and Metrics    Attack Models                   Architecture Analysis    Penetration Testing
Compliance and Policy   Security Features and Design    Code Review              Software Environment
Training                Standards and Requirements      Security Testing         Configuration Management and Vulnerability Management

Our plan is to use this framework to build a maturity model for software security by interviewing executives running many of the top ten large-scale software security initiatives. Please check out the article, and stay tuned for more.

What Measures do Software Vendors Use for Software Assurance?

Monday, October 6th, 2008

My last project for my former employer (Software AG) was a study of what software vendors do to achieve software assurance. The goal of the study was to see whether we (Software AG) were at, above, or below the norm, and to adjust investments in assurance accordingly. All but one of the vendors who participated are household names - these weren’t mom & pop shops, but major multi-national ISVs, most of them with sales of a billion dollars a year or more.

I presented a brief summary of the study results at the recent “Making the Business Case for Software Assurance” workshop hosted by Carnegie Mellon’s Software Engineering Institute, and sponsored by the US Department of Homeland Security. I’ll also be presenting an even briefer summary of the results at the 24th Annual Computer Security Applications Conference in December.

In my new role at Cigital, I’m hoping to be able to expand the survey beyond software vendors into e-commerce vendors, embedded software suppliers, financial institutions, etc., as well as to systematize the survey so it can be done by filling out a web form instead of as an interview. I welcome your suggestions as to how to make this project more relevant to vendors and software purchasers - and also welcome your participation in the survey, as well as suggestions on how to fund the ongoing work!

And finally, thanks to the (anonymous) vendors who participated in the first phase of the project. While I can’t thank them by name, I very much appreciate their input.

Justice League’s Newest Blogger

Thursday, October 2nd, 2008

Greetings! I’m Jeremy Epstein, the newest member of the Cigital blogging team. I’ve joined Cigital after nearly 9 years with Software AG (and webMethods, before it was acquired by Software AG), and will be focused on software security in the federal space. Software security is a passion of mine – I’ve been talking about it, and occasionally practicing it, even longer than Gary McGraw, and that’s a loooooong time. I’m also very active in the voting technology field, and hope to bring some of Cigital’s software security expertise to the voting world.

I joined Cigital because I’m passionate about software security, and because of the great people at Cigital, many of whom I’ve known for a decade or more. I hope to help improve security at Cigital’s customers, and to raise awareness more broadly of security issues in government and commercial systems. Look for my occasional postings and rants here, on my personal blog at abqordia.blogspot.com, and on the RISKS digest at www.risks.org.
