Author Archive

Software Security Crosses the Threshold in 2009

Monday, August 16th, 2010

I have been tracking the software security market and publishing numbers since 2006. This year’s article is now available on InformIT: Software Security Crosses the Threshold.

See these past (mysteriously named) articles for data from previous years:

The Figure above shows in millions of US dollars how the four major segments of the space have grown since 2006, from a total of $293.9 million (2006) to a total of $554.4 million in 2009. Note that even stronger growth is evident midway through 2010.

Analysis and details are available in the informIT article.

Cigital Participates in White House Discussion on the Progress of the President’s Cybersecurity Efforts

Friday, July 16th, 2010

On Wednesday July 14, 2010, US Cyber Security Coordinator Howard Schmidt convened a hastily called meeting of around 100 public and private sector security experts at the White House to explain the progress he has made in the six months since he joined the administration. I was there. In an unexpected and exciting surprise, President Obama stopped by the meeting and spoke for 15-20 minutes.

Here is a picture I took of President Obama addressing the meeting. Howard Schmidt is to the far left. Beside him is Department of Homeland Security (DHS) Deputy Undersecretary Phil Reitinger. The moment President Obama entered the meeting was electric. Attendees immediately stood and gave him an ovation. The room was energized, and the President’s charisma was palpable. I, for one, was proud to be there.

In addition to remarks from President Obama and Howard Schmidt, the meeting was addressed by two cabinet Secretaries—Janet Napolitano, Secretary of DHS, and Gary Locke, Secretary of Commerce. The invitation-only event included members of the Administration, state and local government officials, law enforcement officers, select industry executives, academics and representatives from privacy and civil liberties groups. Attendees who I know included Matt Blaze, Carl Landwehr, Ed Amoroso, Marc Rotenberg, Eugene Spafford, Mischel Kwon, and John Savage.

I wrote up my thoughts on the meeting in an informIT article “Obama Highlights Cyber Security Progress: Private Sector Security Experts Convene at the White House to Discuss the National Cyber Security Agenda.”

Howard described his impressions of the meeting and its purpose on the White House blog. An official progress report is also available there.

Silver Bullet Turns 50

Wednesday, June 2nd, 2010

It’s hard to believe that the Silver Bullet Security Podcast has been running for 50 consecutive months! Silver Bullet has thousands of listeners, and it’s always fun to produce. Writing the script usually takes an hour or two, and requires some advance research from Brandi Ortega of IEEE S&P fame. Then we do recording (almost always over the phone) and post production mixing to add in the music.

For our 50th episode, we decided to shoot some HD video of our interview with Richard Clarke. Ryan and I bought some cheap digital cameras, (really importantly) some lights, and a “clapper” which we drove out to Arlington for the shoot. We recorded audio separately with boom mics and a USB mixer. Then came the video editing…

And the result? Check it out yourself here:


It amazes me what you can do for less than a thousand bucks with video these days. Shouts to Marcus Ranum for the photography advice. Thanks Ryan for the extra effort on this episode! And also thanks to IEEE Security & Privacy magazine for co-sponsoring the podcast.

We hope you like Silver Bullet, and we welcome your feedback on the Silver Bullet website. Subscribe today via RSS or on iTunes.

BSIMM2

Wednesday, May 12th, 2010

In March 2009 we announced the publication of the BSIMM—a measuring stick for software security. We’re pleased today to announce the publication of BSIMM2. We have tripled the size of the data set to thirty firms, including: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, Microsoft, Nokia, QUALCOMM, Sallie Mae, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, and Wells Fargo.

BSIMM2 is available for free under the Creative Commons license from bsimm2.com. Download your copy today.

The BSIMM2 document itself is 53 pages. A concise treatment of the results can be found in this month’s informIT column in an article titled “BSIMM2: Measuring the Emergence of a Software Security Community.”

Our study represents the work of 635 people who are members of the 30 firms’ SSGs. Together, the firms have a collective 130 years of experience planning and executing 30 software security initiatives. Among other results, we have identified 15 core BSIMM activities.

We think the descriptive nature of the BSIMM study is an important characteristic of the work. We describe not what you should do for software security, but what successful software security initiatives are actually doing. Use BSIMM2 to measure your own software security initiative and compare it to others.

Is Cyber War Inevitable?

Thursday, May 6th, 2010

Turns out that Richard Clarke is a national security policy wonk. I guess that fact is not that surprising if you knew that Mr. Clarke was once an Assistant Secretary of State working on nuclear arms control issues during the Reagan years. The general public knows Dick best as a key figure in counter-terrorism who famously testified before the 9-11 commission and then became enmeshed in partisan battles. Those of us on the front lines of cyber security know Dick best as one of the first political types to focus real attention on computer security. For that, we owe Dick a major thank you.

In his new book Cyber War, co-authored by foreign policy expert Robert Knake, Mr. Clarke confronts an important topic too often swept under the rug with the burgeoning pile of security FUD—the notion of cyber war. US citizens have every right to worry about cyber war given our risk exposure. The risks of cyber war and some of the potential consequences are impressively covered in the book and even include doomsday scenarios that are getting Dick into hot water with the hipsters at Wired. Consider how little North Korea depends on the Internet (ok, they are only barely scraping by as a society), then consider the same dependency in the US. See the problem?

One of the challenges of discussing computer security rationally in the Internet Age is that devastating consequences always seem hyperbolic, even when they’re not. Turns out that taking down the power grid with a cyber attack is not outside the realm of possibility. I’ve been told by people who actually engineer and run the grid for a living that inflicting permanent damage taking years to fix is more than possible given current design. Nor is the notion of an Information Warfare attack preceding “kinetic” involvement with explosive chunks of metal some kind of idea from Mars. One of the coolest stories in the book involves the Israeli destruction of the ill-fated Syrian nuclear facility. Scary? Yes. Hyperbolic? Not so much.

There are a few technical nits to pick, of course. Calling out the Estonian DDoS attack (most likely perpetrated by the Russians) as some kind of major cyber attack is a bit over the top. DDoS attacks are the stuff of script kiddies and solutions that thwart them are over a decade old. Most problematic of all is the overemphasis on network security mechanisms and ISPs as proposed technical solutions to the problem. I know Ed Amoroso (CSO of AT&T) believes that security defenses and monitors need to be put in place in the Tier 1 ISPs, and it’s very clear that he has convinced Dick of that. But as a computer security expert, I am skeptical of that solution. In my view, the only way we can properly address the cyber war problem is by attacking software security head on. Fortunately Dick says the right things about software vulnerability, demonstrating a nuanced understanding all too rare among politicals.

From a policy perspective, the ideas in Cyber War are fresh, new, and important. Dick’s mastery of arms control strategy comes to the fore when he discusses various ideas about cyber war non-proliferation. I must confess that my knowledge of such things is rudimentary at best. I wonder, probably naïvely, how we can think of controlling something as invisible as cyber attack capability (not to mention Trojan Horses and logic bombs) when we can’t even stop Iran from refining uranium like the complete nut-jobs that they are. But SALT II and START came from somewhere, and they have been a very good thing for the world.

Some of my foreign colleagues in computer security (but not all, see this posting from Italy for example) wonder why we are so obsessed with cyber war in the States. They are not sure why we are the only society openly discussing these things. Perhaps they hear the drums of war beating again as they did in the impressively-orchestrated and utterly-delusional run up to the Iraq war. More likely I think the answer to that question lies in understanding just how vulnerable we are in the States. We may not be the most wired country in the world from a consumer perspective, but we’re the most wired country in the world from a critical infrastructure perspective. Cyber war is a serious problem that calls out for serious solutions.

In the final analysis, I think it behooves every computer security person to read this book and think through its points carefully. Even if you disagree with some parts of the book (as I do), we must do what we can as technically adept citizens to involve ourselves in the political discourse around cyber war. Dick does an excellent job getting the conversation started.

Smart Grid equals Dumb Security?

Monday, March 22nd, 2010

I recently had the pleasure of giving a keynote at the NRECA annual conference in Atlanta. The conference brings together senior management and Board members from rural electric cooperatives throughout the country. Some coops are large in terms of the number of subscribers, and some are large in terms of geographic area covered (those numbers often run opposite to each other). My job as keynoter was to introduce some thinking about computer security to business people who operate power grids for a living. This is a big challenge for a geek like me.

Of course I ended up touching on software security, especially the fact that power meters for the “smart grid” are little IP-enabled computers hung on the outside of your house. Given known attacks against this new breed of meters, the question is how many rooted smart grid meters in a botnet could cause a really serious problem?

Here is my talk in its entirety. Your feedback is welcome.

Download audio [mp3]
Download presentation [pdf]

I’m pleased that Cigital is directly involved in working to make smart grid security a reality. We’re working directly with NRECA to bring electric cooperatives up to speed with cyber risk management.

BSIMM2: The Magic Number 30

Wednesday, March 3rd, 2010

BSIMM2 is the 30 firm version of BSIMM. I wrote up an article with Brian Chess and Sammy Migues (my BSIMM co-creators) called “Software [In]security: What Works in Software Security — Fifteen Common Activities from BSIMM2.” In addition to highlighting the fifteen most common BSIMM activities, the article also provides the 30 firm data for all 110 activities in public for the first time.

We’re unveiling some statistical results at RSA this week that will enhance and expand the dataset published in the article. We’ll do an official BSIMM2 launch within the next couple of months.

I Repeat Myself When Under Stress, I Repeat Myself When Under Stress

Wednesday, February 17th, 2010

Apparently the time has come to re-release the SANS/CWE 25 — something that we can expect annually. The good news is that exercises like this do plenty to hype up software security and its importance. In fact, in many ways the target of these lists is “the reporters who cover software security.” So hype = good.

So why am I not a big fan of these lists? Well, I wrote that down a year ago and what I said then still applies. Sure would be nice to see a reasoned response to my criticisms instead of repetition of the same tired ideas. If you haven’t had a chance yet, go read my January 2009 informIT column “Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work.”

There are some important improvements in this year’s Top 25 list that have been discussed on sc-l. But there is also a problem that really bothers me. The SANS guys are trying to tie the Top 25 list to software liability (?!) and apparently think they can hold developers accountable for their bugs... well, 25 of them at least. I think this is a wrongheaded approach to software security. I would much rather talk about the real progress the field has made than to hype up yet another list and make the list a critical aspect of software contracts?! Can you imagine what such a move (if it succeeded) would do to the price of software and to the hourly rates of developers? Developers would be compensated like lawyers!

Top-n lists do have their place. In the BSIMM we note 10 firms (of 30) who follow activity [CR1.1]. Here is the activity cut from the BSIMM:

Create a top N bugs list (real data preferred). The SSG maintains a list of the most important kinds of bugs that need to be eliminated from the organization’s code. The list helps focus the organization’s attention on the bugs that matter most. A generic list could be culled from public sources, but a list is much more valuable if it is specific to the organization and built from real data gathered from code review, testing, and actual incidents. The SSG can periodically update the list and publish a “most wanted” report. (For another way to use the list, see [T2.2] Create/use material specific to company history.)

In my view, a tailored top-n bugs list is way more useful than a generic “world list” like the SANS/CWE 25. To think about why this is, consider the differences between code bases from Intel, Microsoft, Symantec, and Nokia (not to mention Wells Fargo)…all BSIMM participants. Whose bugs do you want to eradicate? Yours? Or your neighbors’?
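To make the [CR1.1] idea concrete, here is an added example (not BSIMM code, and not anything Cigital or SANS publishes) of building a “most wanted” list from an organization’s own findings. The findings, the source and severity weights, and the “generic” list ordering used for comparison are all constructed for illustration; the CWE identifiers are real, but the generic ordering is a stand-in, not the actual SANS/CWE 25.

```python
"""Build an organization-specific top-N bugs list from real findings.

Added example, not part of the BSIMM document. Three constructed feeds are
merged: code-review findings, test findings, and incident records, each
tagged with a CWE identifier and a severity. A finding's contribution is
weighted by its source (an actual incident says more about what matters
than a scanner hit) and by severity, then bug classes are ranked.
"""
from collections import defaultdict

# Constructed sample data: (source, cwe_id, severity). Hypothetical.
FINDINGS = [
    ("code_review", "CWE-79", "medium"),   # cross-site scripting
    ("code_review", "CWE-79", "medium"),
    ("code_review", "CWE-89", "high"),     # SQL injection
    ("code_review", "CWE-798", "high"),    # hard-coded credentials
    ("testing", "CWE-79", "low"),
    ("testing", "CWE-22", "medium"),       # path traversal
    ("testing", "CWE-22", "medium"),
    ("testing", "CWE-89", "high"),
    ("incident", "CWE-798", "high"),       # credentials actually abused
    ("incident", "CWE-22", "medium"),      # traversal actually exploited
    ("code_review", "CWE-120", "low"),     # unchecked buffer copy
]

# Assumed weights: incidents dominate, severity scales each hit.
SOURCE_WEIGHT = {"code_review": 1.0, "testing": 1.5, "incident": 5.0}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4}

# Hypothetical "world list" ordering used only to show how a tailored
# list diverges from a generic one. Not the real SANS/CWE 25 ordering.
GENERIC_LIST = ["CWE-79", "CWE-89", "CWE-120", "CWE-352", "CWE-306"]


def score_findings(findings, source_weight=SOURCE_WEIGHT,
                   severity_weight=SEVERITY_WEIGHT):
    """Return (weighted score, raw count) per CWE across all sources."""
    scores = defaultdict(float)
    counts = defaultdict(int)
    for source, cwe, severity in findings:
        scores[cwe] += source_weight[source] * severity_weight[severity]
        counts[cwe] += 1
    return dict(scores), dict(counts)


def top_n(findings, n=5, **weights):
    """Rank CWEs by weighted score; ties broken by raw count, then by id."""
    scores, counts = score_findings(findings, **weights)
    ranked = sorted(scores, key=lambda c: (-scores[c], -counts[c], c))
    return [(c, scores[c], counts[c]) for c in ranked[:n]]


def top_n_by_count(findings, n=5):
    """Naive ranking by raw hit count, for contrast with the weighted list."""
    _, counts = score_findings(findings)
    ranked = sorted(counts, key=lambda c: (-counts[c], c))
    return [(c, counts[c]) for c in ranked[:n]]


def compare_to_generic(local_ranking, generic_ranking):
    """Show which classes only the tailored list (or only the generic) names."""
    local = [c for c, _, _ in local_ranking]
    return {
        "local_only": [c for c in local if c not in generic_ranking],
        "generic_only": [c for c in generic_ranking if c not in local],
    }


def most_wanted_report(findings, n=5):
    """Render the periodic 'most wanted' report as plain text."""
    lines = [f"Most wanted bugs (top {n})"]
    for rank, (cwe, score, count) in enumerate(top_n(findings, n), 1):
        lines.append(f"{rank}. {cwe}: score {score:.1f} from {count} findings")
    return "\n".join(lines)


if __name__ == "__main__":
    print(most_wanted_report(FINDINGS, 5))
    print("By raw count:", top_n_by_count(FINDINGS, 5))
    print("Versus generic list:", compare_to_generic(top_n(FINDINGS, 3), GENERIC_LIST))
```

On this sample the raw scanner counts put cross-site scripting and path traversal at the top, but once incidents are weighted in, hard-coded credentials lead the list, a class the constructed generic list does not mention at all. That divergence is the point of preferring real data over a “world list.”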

Press coverage of the “controversy”:

BSIMM update

Thursday, January 28th, 2010

The BSIMM study data set has more than tripled in size and now includes data from 30 firms. We are busy working with Betsy Nichols to crunch the numbers now that we have a statistically significant data set. The plan is to announce our results at RSA.

One question that comes up in the BSIMM work fairly consistently is the difference between BSIMM and other maturity models for software security. To answer that question, I wrote an article for informIT entitled “Cargo Cult Computer Security: Why we need more description and less prescription.”

Download audio [mp3]

David Rice, the author of Geekonomics (as well as the 46th Silver Bullet Security podcast victim), and I discuss the BSIMM in a webcast about the upcoming SANS software security event in San Francisco.

The time for science is upon us. And the first step in any scientific approach is measurement.

Howard Schmidt Cybersecurity Czar

Tuesday, December 22nd, 2009

Our sincere congratulations to Howard Schmidt for taking on one of the most important jobs in computer security—US Cybersecurity Coordinator for the White House. Howard knows what he’s getting into, because he already did it once. (You’re crazy Howard!)

Here’s what the White House has to say.

Back in July I talked about what I would like to see in the position in a Justice League post and a video for Gartner. I stand by my statements from July. However, I am psyched that Howard is taking the job. He understands the importance of building security in and will be a powerful advocate for software security.

What a great way to start 2010!
