Software Integrity


Don’t forget the flaws: Why architecture analysis matters and what to do about it

Ever since the publication of Building Secure Software in 2001 (and really even before that), we have emphasized the importance of focusing on software security design flaws (in the architecture). Of course, finding bugs in code is lots easier, and we have made some great progress with static analysis in the last decade. (Don’t forget that we invented static analysis and were instrumental in transferring the technology to the commercial world along with HP/Fortify.) But flaws remain a challenge.

Here’s a paper from the wayback machine explaining why bugs and flaws divide the software security defect space 50/50 (On Bricks and Walls: Why Building Secure Software is Hard).

Jim DelGrosso is the Principal spearheading the Architecture Analysis practice at Synopsys. Del and I wrote an article for Search Security outlining the software security design analysis problem and our decades-in-the-making approach to solving it, which we call Architecture Risk Analysis. Then, knowing that Architecture Risk Analysis can be a challenge for some organizations, we wrote about our Security Architecture Survey offering. Want to scale architecture analysis? Well, we know how and we would love to help.

Read the two SearchSecurity articles here:

Incidentally, watch this space (and the RSA Conference) for more on scaling software security practices. Turns out that we know what to do when it comes to software security; now we need to focus on scalability, efficiency, and effectiveness. 2014, here we come.