Author Archive

You Need a Software Security Group (SSG)

Monday, December 21st, 2009

The BSIMM study focuses attention on software security in large organizations and at the moment covers the work of 1,554 full-time employees working every day in 26 software security initiatives. One phenomenon we observed consistently in the BSIMM is that every large initiative has a Software Security Group (SSG) to carry out and lead software security activities.

I wrote about our observations around SSGs in my December informIT article.

Simply put, an SSG is a critical part of a software security initiative in all companies with more than 100 developers. (We’re still not sure about SSGs in smaller organizations, but the BSIMM Begin data (now hovering at 75 firms) may be revealing.)

Cigital’s SSG was formed in 1997 (with John Viega, Brad Arkin, and me as founding members). Since its inception, we’ve helped plan, staff, and carry out ten large software security initiatives in customer firms. One of the most important first tasks is establishing an SSG.

Startup Lessons

Thursday, October 22nd, 2009

Interacting with academia is an important part of what I do as CTO of Cigital. Though I have been known to lecture at Stanford, CMU, Cornell, Harvard, NC State, Purdue and a bunch of other places, I have a special place in my heart for the University of Virginia (where I studied Philosophy as an undergraduate) and Indiana University (where I earned a dual Ph.D. in computer science and cognitive science).

Alf Weaver, a CS professor at UVa, recently asked me to lecture to his Electronic Commerce Technologies course. I was happy to oblige. When I asked what I should lecture about, I got back a one-word answer—startups.

Not quite sure of what to do, I decided to draw on my own experience at Cigital. In 1995 when I joined Cigital, it was known as Reliable Software Technologies (or RST) and had a grand total of seven employees. I’m proud to say that today Cigital has over 120 employees and offices in Virginia, NY, Boston, Silicon Valley, India, and Amsterdam.

Helping Cigital evolve has been both hard work and a joy. Here is a list of seven lessons I’ve learned through my own startup years, each boiled down to four words or fewer:

  1. Think and write.
  2. Build a network.
  3. Follow the Categorical Imperative.
  4. Achieve the Buddha calm.
  5. Develop a rhythm.
  6. Follow your passion.
  7. Build great stuff.

The original PowerPoint from the CSCS 4753 “Electronic Commerce Technologies” lecture can be found here.

An article version of the talk can be found here.

Is “Software Protection” Software Security?

Wednesday, July 29th, 2009

I am the editor of the Addison-Wesley Software Security series. When Christian Collberg came to me with an idea for a book about software protection, I had a really hard time figuring out whether or not it belonged in the series. Christian is a brilliant researcher and an important guiding light in the field. But should we consider software protection part of software security? Good question! To make matters worse, half the software security people I polled said “yes” and the other half said “no.”

In the end, I held out to see what Christian and his co-authors (who eventually boiled down to one—Jasvir Nagra) came up with. The answer is the excellent book Surreptitious Software. It’s in the series.

Surreptitious Software

I believe that software protection will play a larger and larger role in protecting software from certain security attacks. To name a few concrete cases, imagine these scenarios:

  • you’re a game producer and you need to protect your intellectual property against pirates (at least for a month or two after your game is released so you can make some money)
  • you’re charged with developing a music playback solution that protects both the player and (maybe) the content (iTunes anyone?)
  • you’re a defense contractor storing important military secrets electronically in the very hardware that you fly over enemy territory on purpose. What happens when a Predator drone is shot down in Pakistan? What about an American spy plane forced to land in China?
  • you’re a smart card vendor making chip cards for payment systems, and the cards will be distributed to good guys and criminals alike
  • you’ve built a new game console and you want to protect it from some kinds of tampering
  • you’re a programmer with a hot new algorithm that you don’t want your competitors to have
  • you want to crash any debuggers that attach to your code and thwart easy disassembly

These and many other problems are directly addressed in Surreptitious Software. The book covers software obfuscation, watermarking, birthmarking, tamperproofing and other aspects of software protection. And it covers them in an exhaustive, scientific, technically thorough way.

Software protection in many ways turns software security on its head. Imagine a discipline that can be used to cloak virus code, put bugs into code on purpose (which are tripped when the code is tampered with), scramble things up so badly that they are much harder to understand than normal, slow things down (in certain cases), create vast swaths of meaningless nonsense in the middle of real code, and so on. How on earth could any of that be a good thing?

Read this book and find out.
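To make the “bugs tripped by tampering” idea concrete, here is an added example in C that is not from the book or from the original post. A guard checksums a small routine before running it; if the bytes have been patched, the routine keeps running but its arithmetic goes quietly wrong instead of failing loudly. The routine is a tiny stack-machine program rather than real machine code so the example is portable, the checksum (a simple multiply-and-add) is assumed to have been computed at build time and baked into the binary, and a production guard would use a real hash, be replicated, and be obfuscated so that removing one guard does not defeat the scheme.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Opcodes of a toy stack machine standing in for protected native code. */
enum { OP_PUSH = 0x01, OP_MUL = 0x02, OP_ADD = 0x03, OP_RET = 0x04 };

/* The "protected" routine: computes 5 * 3 = 15 (think: a price or licence
 * computation an attacker might want to patch). Constructed for this example. */
static const uint8_t protected_code[] = {
    OP_PUSH, 5,
    OP_PUSH, 3,
    OP_MUL,
    OP_RET
};

/* Guard value over protected_code, assumed to be precomputed at build time.
 * h = h*31 + byte over {1,5,1,3,2,4} gives 33279496 = 0x01FBCE08. */
#define EXPECTED_DIGEST 0x01FBCE08u

/* Weak, hand-checkable checksum: the mechanism matters here, not the hash. */
uint32_t guard_digest(const uint8_t *code, size_t len)
{
    uint32_t h = 0;
    for (size_t i = 0; i < len; i++)
        h = h * 31u + code[i];
    return h;
}

/* Interpreter. `tampered` is the guard's verdict. When it is set, every
 * immediate operand is perturbed by one: the deliberately planted bug that
 * only trips once someone has modified the code. */
static int run(const uint8_t *code, size_t len, int tampered)
{
    int stack[8];
    int sp = 0;
    for (size_t pc = 0; pc < len; ) {
        switch (code[pc]) {
        case OP_PUSH:
            stack[sp++] = code[pc + 1] + tampered;
            pc += 2;
            break;
        case OP_MUL: {
            int b = stack[--sp], a = stack[--sp];
            stack[sp++] = a * b;
            pc++;
            break;
        }
        case OP_ADD: {
            int b = stack[--sp], a = stack[--sp];
            stack[sp++] = a + b;
            pc++;
            break;
        }
        case OP_RET:
            return stack[sp - 1];
        default:
            return -1;            /* malformed program */
        }
    }
    return -1;
}

/* Entry point: check the guard, then run. Note that a mismatch does not
 * abort; the response is delayed and subtle, which is the whole point. */
int protected_call(const uint8_t *code, size_t len)
{
    int tampered = guard_digest(code, len) != EXPECTED_DIGEST;
    return run(code, len, tampered);
}

/* Simulate an attacker patching MUL into ADD in a copy of the routine.
 * They expect 5 + 3 = 8; the tripped bug hands them 6 + 4 = 10 instead. */
int patched_call(void)
{
    uint8_t copy[sizeof protected_code];
    memcpy(copy, protected_code, sizeof copy);
    copy[4] = OP_ADD;                       /* the attacker's one-byte patch */
    return protected_call(copy, sizeof copy);
}

int main(void)
{
    printf("intact:  %d\n", protected_call(protected_code, sizeof protected_code));
    printf("patched: %d\n", patched_call());
    return 0;
}
```

The intact routine returns 15; the patched one returns 10 rather than the 8 the attacker was after, and nothing in the program announces why. That silence is what makes the technique useful against a patcher and what makes it look like deliberate sabotage to anyone used to ordinary software security.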

Moving Cybersecurity Past Cyberplatitudes

Tuesday, July 14th, 2009

John Pescatore from Gartner convened a virtual panel on the cybersecurity issue at the 2009 Gartner Information Security Summit. I provided a video for the panel answering two questions that John posed. The two questions get to the heart of the cybersecurity issue:

Question 1: What should the US government do to drive real improvements in the security level of internet use?

Question 2: What are things that you believe the US government should specifically not do in the name of increasing cybersecurity?


New Security Reads

Tuesday, June 2nd, 2009

IEEE S&P: Securing Online Games (vol.7, no.3)

IEEE Security & Privacy magazine remains the most important trade periodical on security published today. Though the content is on rare occasion esoteric, the magazine is always technically accurate and detailed. Only a peer-reviewed publication can offer readers a look at computer security as a science. Think of it as applied academics.

I am pleased to announce that IEEE Security & Privacy magazine’s May/June 2009 edition was recently released. The issue (volume 7, number 3) covers Securing Online Games in a series of four peer-reviewed articles that help define the state of the practice.


For more about the issue, see: http://www.computer.org/portal/site/security

Also in the same issue is a print transcript of Silver Bullet 36. That’s the episode where James McGovern turned the tables and interviewed me. That transcript is on the web here.

Beautiful Security

Also of note is a book of thoughtful essays on security put together by John Viega (once a Cigitalite) and Andy Oram. Here’s my original blurb from the back cover:

“This collection of thoughtful essays catapults the reader well beyond deceptively shiny security FUD (the drum major of the bug parade) toward the more subtle beauty of building security in. Security is an essential emergent property for all modern systems—something that most people implicitly expect and few people explicitly receive. This book demonstrates the yin and the yang of security, and the fundamental creative tension between the spectacularly destructive and the brilliantly constructive. Read. Learn. Emulate.”


I’m still working my way a second time through the assembled essays from security stars including mudge, Betsy Nichols, Phil Zimmermann, Mark Curphey, and Jim Routh. This is a must-read for 2009.

Twitter Security

Monday, May 18th, 2009

I just published a little ditty on Twitter security that is bound to get some interesting feedback. My bet is that much of the feedback is less than 140 characters long!

My friend Joe Faber (of Spaghettios fame) sent me this YouTube video, which I think sums up Twitter nicely:

Your longer feedback is welcome below!

Software Security 2008

Thursday, April 16th, 2009

For the past three years, I have collected and published revenue numbers from tools and services in the software security space. Here are pointers to the three resulting articles, including this year’s NEW article (for 2008):

Before some observations, here is a pretty picture showing growth over time, divided among tools, services, and pizza boxes. Cigital remains the largest independent software security services company. For more details, see my informIT report.

Software Security Space Revenue graph

Probably the most important development in 2008 is that the space as a whole is nearing a very important $500M threshold. At this level of business activity, the technology analysts start to take a big interest. This creates a feedback loop of sorts as the middle market engages. Some evidence of this effect:

Other analysts of note include:

  • Ramon Krikken from Burton Group
  • Charles Kolodgy from IDC
  • Nigel Stanley from Bloor Research

I will continue to track growth and development of software security over time, but I am very pleased that the analysts are pitching in. As software security matures and the middle market emerges, we will start to have an important impact on the rest of computer security.

Reality Check: Jim Routh

Tuesday, February 3rd, 2009

Yesterday we released the second episode of the Reality Check Podcast. This month’s victim is Jim Routh, CISO of the Depository Trust & Clearing Corporation (DTCC). DTCC has a very advanced software security initiative that is well worth learning about. We talk about that in this interview. Have a listen!

I’m also pleased to announce that CSO online has syndicated Reality Check and will be distributing the podcast to their CSO audience. You can find the first episode with Steve Lipner here.

And Jim’s episode here.

OWASP Podcast Features Gary McGraw

Monday, January 26th, 2009

OWASP just posted an interview with me as part of their budding podcast series. It’s nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It’s also nice to be able to answer some of the questions that OWASP types have about Cigital’s approach to software security.

Download the podcast here.

The OWASP interviewer is Jim Manico, and he did a great job. He was a little worried about some of the questions he asked. In fact, off the record he kept saying he was sorry and telling me that I did not have to address certain questions. Personally, I enjoyed the questions he asked immensely. Though some of his questions were loaded, I do hope that my answers may serve to clarify our position and eliminate OWASP concerns.

Here are a few of the many more questions I address in the podcast:

  • Why do you insist on use of the term “software security” as opposed to “application security”?
  • What is static analysis good for and what is it no good for?
  • What is the exact relationship between Cigital and Fortify?
  • Why do you think your “top 19” is any better than the OWASP top 10 or the CWE top 25? (Special note, the 19 Sins work is Mike Howard’s and John Viega’s…I was not involved.)
  • Why does Cigital have a proprietary approach to IP?
  • What makes the Touchpoints any better than the SDL or CLASP?
  • What is your relationship with Allan Paller and SANS?
  • Who picked the “porn music” theme for Silver Bullet?

As an extra bonus, the theme music for this episode is a song written and recorded by my band Where’s Aubrey.

Anyway, enjoy the podcast, and let me know what you think about my answers!


Top Eleven Reasons Why Top 10 (or Top 25) Lists Don’t Work

Tuesday, January 13th, 2009

On January 12th, the CWE/SANS Top 25 Most Dangerous Programming Errors list was released. Sean Barnum (a Principal Consultant) participated in the creation of the list, and I did some off-the-record review myself (not for attribution).

There are some important good things about top ten lists that are worthy of mention. The notion of knowing your enemy is essential in security (as it is in warfare), and top ten lists can help get software people started thinking about attacks, attackers, and the vulnerabilities they go after. These days almost any attention paid to the problem is good attention, and the fact that the technical media is paying attention to software security at all is a good thing. Top ten lists help in that respect.

But I have some serious concerns about these kinds of lists that I wrote about in my informIT article this month:

Top Eleven Reasons Why Top 10 (or Top 25) Lists Don’t Work

Here are the reasons, stripped of history and commentary which you can find in the article:

  1. Executives don’t care about technical bugs.
  2. Too much focus on bugs.
  3. Vulnerability lists help auditors more than developers.
  4. One person’s top bug is another person’s yawner.
  5. Using bug parade lists for training leads to awareness but does not educate.
  6. Bug lists change with the prevailing technology winds.
  7. Top ten lists mix levels.
  8. Automated tools can find bugs–let them.
  9. Metrics built on top ten lists are misleading.
  10. When it comes to testing, security requirements are more important than vulnerability lists.
  11. Ten is not enough.

