Software Integrity

Archive for 2011


Open source and software maturity models

I’m at the BSIMM3 Conference, in an open source breakout session. The context: you’re an organization with a reasonable application security program. The question, “How to apply that same process maturity to open source where no ‘throat to choke’ exists?” Your organization and its software-providing vendors may not be perfect but at least you can […]

Posted in Maturity Model (BSIMM), Open Source Security, Security Metrics, Web Application Security


An OWASP interaction model

Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will likely involve: Integration with standard-fare open […]

Posted in OWASP, Software Security Testing


Improving smart grid cyber security

Over the last couple of years we have become more involved helping companies in the Energy sector get security right. As our nation’s traditional electric grid is modernized and upgraded to the smart grid, the associated cyber security challenges continue to increase and consequences of not addressing them systematically become more significant. Smart grid technologies […]

Posted in Smart Grid Security


What is threat modeling? A vocabulary of threat model terms.

A few posts back, we began a series on Threat Modeling. As we began writing the second installment in this series, it occurred to me that I’m using a lot of threat modeling vocabulary. When I speak on threat modeling I always warn my audience that ambiguity exists in some of the (even fundamental or […]

Posted in Threat Modeling


When all you have is a hammer

We’ve probably all experienced organizations that rely principally on a single assessment technique (whether it be static analysis or dynamic analysis, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making […]

Posted in Application Security, Dynamic Analysis (DAST), Static Analysis (SAST)


Automate security tests and build security in from day one

Or: The ugly baby phenomenon and why you should not focus on false positives

Dr. Markus Schumacher has served as CEO and Co-Founder of Virtual Forge GmbH since 2006. The company specializes in the security of SAP applications. Dr. Schumacher was previously a representative of the Fraunhofer Institute for Secure Information Technology (SIT) and worked […]

Posted in Application Security, Financial Services Security, Maturity Model (BSIMM), Software Security Testing


Marching for ‘false positives’ or ‘focusing on what to fix’

A short but important one, while I hop a train. Static analysis proponents, myself especially, have taken up the flag of “visibility” and paraded chanting “Customize to reduce False Positives”; I apologize. This provides tremendous benefit but misleads. Discussing the topic with @Wh1t3Rabbit, it occurred to me: time to change perception. So, why talk about […]

Posted in Static Analysis (SAST)


Increasing static visibility

Sometimes, people talk loosely about an important difference between static analysis and dynamic analysis. Static analyzers, they say, achieve 100% coverage. They may complain that dynamic tools struggle to get even double-digit statement coverage of an application under test. Dan Cornell wrote a blog post on static analysis coverage. He observed that while the static […]

Posted in Dynamic Analysis (DAST), Static Analysis (SAST)