I’m happy to announce the launch of my new podcast, the Reality Check Security Podcast with Gary McGraw:

The Reality Check Podcast with Gary McGraw focuses directly on software security practitioners and practical software security. Reality Check’s sister podcast, the Silver Bullet Security Podcast with Gary McGraw, follows a free form interview style tailored highlight the ideas and experience of security gurus. By contrast, Reality Check is concerned with practical questions centered on running large-scale software security initiatives in the real world.

Reality Check targets experienced leaders working to solve software security problems in large organizations every day. We use a standard script to guide each conversation with questions about history, methodology, best practice, and measurement. We plan to interview leaders of mature software security programs and leaders of programs just getting started.

Your feedback is absolutely welcome. Please subscribe to the series through or RSS feed or through iTunes.

Brian Chess, Sammy Migues and I have been building a maturity model for software security. We decided to base our model on data gathered by interviewing 9 top software security programs. We developed a framework to guide a series of interviews for data acquisition.

Though we have not completed the maturity model (analysis continues apace), a number of surprises bubbled up from the data soup. We wrote them up in an article that we thought you might find interesting.

Though our approach is only “science-y” and may well be closer to anthropology than computer science, we do think it’s important to focus on what works in the real world. If you have any questions or comments about our study, we welcome contact.

Two of Cigital’s thought leaders, Paco Hope and Ben Walther, just published a new book from O’Reilly called the Web Security Testing Cookbook. I wrote the foreword for the book which is reprinted below. More information about the book can also be found on Facebook.

Web applications suffer more than their share of security attacks. Here’s why. Websites and the applications that exist on them are in some sense the virtual front door of all corporations and organizations. Growth of the Web since 1993 has been astounding, outpacing even the adoption of the television and electricity in terms of speed of wide spread adoption.

Web applications are playing a growing and increasingly prominent role in software development. In fact, pundits currently have us entering the era of Web 3.0. The problem is that security has frankly not kept pace. At the moment we have enough problems securing Web 1.0 apps that we haven’t even started on Web 2.0, not to mention Web 3.0.

Before I go on, there’s something I need to get off my chest. Web applications are an important and growing kind of software, but they’re not the only kind of software! In fact, considering the number of legacy applications, embedded devices, and other code in the world, my bet is that web applications make up only a small percentage of all things software. So when all of the software security attention of the world is focused solely on web applications, I get worried. There are plenty of other kinds of critical applications out there that don’t live on the Web. That’s why I think of myself as a software security person and not a Web application security person.

In any case, Web application security and software security do share many common problems and pitfalls (not surprising since one is a subset of the other). One common problem is treating security as a feature, or as “stuff.” Security is not “stuff.” Security is a property of a system. That means that no amount of authentication technology, magic crypto fairy dust, or service-oriented architecture (SOA) ws-* security API will automagically solve the security problem. In fact, security has more to do with testing and assurance than anything else.

Enter this book. Boy, do we need a good measure of web application security testing! You see, many “tests” devised by security experts for web app testing are not carried out with any testing rigor. It turns out that testing is its own discipline, with an entire literature behind it. What Paco and Ben bring to the table is deep knowledge of testing clue. That’s a rare combination.

One critical factor about tests that all testers worth their salt understand is that results must be actionable. A bad test result reports something vague like “You have an XSS problem in the bigjavaglob.java file.” How is a developer supposed to fix that? What’s missing is a reasonable explanation of what XSS is (cross-site scripting, of course), where in the bazillion-line file the problem may occur, and what to do to fix it. This book has enough technical information in it for decent testers to report actionable results to actual living developers.

Hopefully the lessons in this book will be adopted not only by security types but also by testing people working on web applications. In fact, Quality Assurance (QA) people will enjoy the fact that this book is aimed squarely at testers, with the notions of regression testing, coverage, and unit testing built right in. In my experience, testing people are much better at testing than security people are. Used properly, this book can transform security people into better testers, and testers into better security people. Another critical feature of this book is its clear focus on tools and automation. Modern testers use tools, as do modern security people. This book is full of real examples based on real tools, many of which you can download for free on the Net. In fact, this book serves as a guide to proper tool use since many of the open source tools described don’t come with built-in tutorials or how-to guides. I am a fan of hands-on material, and this book is about as hands-on as you can get.

An overly optimistic approach to software development has certainly led to the creation of some mind-boggling stuff, but it has likewise allowed us to paint ourselves into the corner from a security perspective. Simply put, we neglected to think about what would happen to our software if it were intentionally and maliciously attacked. The attackers are at the gates, probing our web applications every day.

Software security is the practice of building software to be secure and function properly under malicious attack. This book is about one of software security’s most important practices—security testing.

—Gary McGraw, July 2008

I have been known to take the Web application security community to task for a myopic focus on Web and Web only. Being constrained by HTTP does serve to make things pretty easy! Lately, I have adjusted my thinking.

Jeremiah Grossman and I cross paths out there on the evangelism circuit pretty often and have talked about Web app security versus software security many times. Jeremiah is a great guy, and always willing to listen and think carefully. It was only natural that he would end up as a Silver Bullet victim.

Episode 32 of the Silver Bullet Security Podcast features a chat with Web security guru Jeremiah. Among other things, we talk about the relationship between Web app security and software security.

Near the end of our conversation, we raised the idea of whether all Web security problems have analogs in the software security space and what that might mean. After thinking more about that issue, I made it the subject of this month’s informIT column.

In the end, Web application security is important, but we must be careful not to overemphasize the solutions that work only for Web apps and forget about the rest of software out there. In the meantime, we have plenty to learn from each subdomain.

Brian Chess and I just published an article on the Software Security Framework displayed below.

Our plan is to use this framework to build a maturity model for software security by interviewing executives running many of the top ten large-scale software security initiatives. Please check out the article, and stay tuned for more.

As Justice League readers know, I have been writing a security column since October 2004. I started with Network Magazine, and stayed with CMP through the launch of darkreading.com. In April, I moved the column to informIT. All of the columns can be found here.

Many of my columns end up being about issues in software security. In particular, the articles I point to below may be of interest to blog readers. Note that some of them are appropriate for business leadership.

To make things easy going forward, we just set up an RSS feed set up for my writings. You can subscribe to that here.

Software Security Columns

Is Application Security Training Worth the Money? [2/06]

Want Turns to Need (software security market size 2006) [4/07]

JSON, Ajax & Web 2.0 [6/07]

Software Security Strategies (4 ways to start an enterprise program) [1/08]

Paying for Secure Software (using total cost of ownership for software projects) [4/08]

Application Assessment as a Factory [7/08]

Software Security Demand Rising (software security market size 2007) [8/08]

Getting Past the Bug Parade (the importance of addressing architecture) [9/08]

In April 2007, I published a darkreading article on the size of the software security space with some analysis of what was happening. It took me a bit longer to gather the numbers this year, but I finally got what I needed and published an informIT article recently explaining how software security is growing.

I am very optimistic about the growth of the software security field over the last few years. Things are certainly moving in the right direction (toward white box analysis instead of outside->in black box, out of the myopic focus on Web apps, and toward full-lifecycle programs based on the touchpoints). The numbers show this growth and these trends objectively.

On a top secret mailing list I participate in, there was some recent discussion about a recent article published by Fortify slamming the Open Source community for failing to adopt software security (you can find the article on the Fortify website). Here’s what I posted to the list (identities masked to preserve secret identities):

I just downloaded and read the Fortify study. It’s more of a white paper than it is science, but it is reasonably well presented and seems not to be too terribly fluffy. You can download a copy for yourself from the Fortify website. In the end what we have is some evidence that there are some open source projects that are behind the curve from a security perspective. I don’t think this should come as a surprise to anyone.

Some specifics based on other postings:

[DoD open source guy] sez>> First, it’s Java-heavy.

This is true. As far as I know, all of Fortify’s open source work has been Java-based (see the Java Open Review project). I don’t see why this impacts the results very much. Though open source Java projects may be a bit less responsive to security, the conclusions in the report are clear about just what set of projects were considered. Then again, I am not at all sure what methods were used to pick 11 out of 101 JOR projects.

[Apache leader] sez>> My experience on the security team at Apache…

Incidentally, when it comes to the results reported, Apache (Tomcat) is the only one of the eleven projects that is reported to have security-specific email, links to security info and access to security experts. One the other hand Apache (Struts) is reported not to have these things, which [DoD open source guy] argues is misleading since the Apache ASF page has these things.

[crypto open source guy] sez >> A better summary would have been “Many developers still don’t care about security.”

Sadly this is true. However as an evangelist in the space I will point out that the commercial world appears to be making much better headway in software security than the open source community (present company excepted of course but I am donning my asbestos suit anyway). I think many of the reasons why commercial software has an unfair advantage were covered in a panel on open source and security that Peter Neumann, Fred Schneider, and I all participated in at Oakland in 2000 (I can dig up e-copies if anybody cares).

One project was singled out for good software security practice: Mozilla. Should we all try to be more like Mozilla?

The debate did not rage on on the top secret list, but it must be raging on somewhere, because Roger Thornton just posted a response to the Fortify blog which you cab read here.

Frankly I was hoping that we killed this thing dead at Oakland in 2000. Guess again!

I’ve written before about how useful comics can be in security training. See a previous blog entry here.

In that brief article, I called out some of Markus Schumacher’s training animations. I’m pleased to report that Markus has asked Cigital to host some of his material. Here are some links:

Example 1: Car Auction

Example 2: Online Application

Cross Site Request Forgery

Forceful Browsing

You can also find these links together in one place on our resources page.

At RSA this year, I did a quick video interview with Dennis Fisher an old friend who is now the lead editor of Search Security. The resulting video is here

Here are the questions I answered during the interview (along with some bonus pointers that I’ll include in this posting). As you can see, we mostly talked about software security:

• Let’s talk about where things stand with the state of software security in the industry today. Are you optimistic?
• I’ve heard a lot of people say that solving the software security problem is going to cost a lot of time and money in the development process. Is that true?

  See this informIT article.

• I know there’s a lot of training that goes on in the professional world in terms of software security for developers, but is that happening more in colleges and universities right now compared to five years ago?

  See this IT Architect article.

• What about the commercial software vendors. How much progress are they making on this problem?
• Are there one or two problems that really worry you in software security right now?

  See this IEEE S&P article.

If you like this video, please let the Search Security people know so they feel compelled to do more.