Software Integrity Blog

Author Archive

Jim DelGrosso

Jim DelGrosso is a senior principal consultant at Synopsys. In addition to his overarching knowledge of software security, he specializes in architecture analysis, threat modeling, and secure design. Jim is the Executive Director for IEEE Computer Society Center for Secure Design (CSD). He also predicts that “OpenSSL will have at least one new vulnerability found in the next 12 months. You can pick the start date—it’s the ‘12 months’ that matters.” Jim relaxes and decompresses from work by playing with the dogs, listening to music, or just chilling out with a beer and a movie.


Posts by Jim DelGrosso:

 

How to scale your threat modeling capability

So, you have one or two, maybe tens, or maybe even hundreds of applications already built and deployed. You want to create threat models for those applications. But, why? Come on, you know why—to identify potential flaws that have been there since the applications were created. And of course you also want to create threat models for new applications that are being built as we speak.

Posted in Software Architecture and Design

 

Goal-oriented security threat modeling approaches

When it comes to security, the vast majority of firms take measures to discover and remediate implementation-level software defects (i.e., bugs) in code. While this is a great start to securing software and data, it’s just that—a start. Bugs are only half the problem. It’s a necessary practice to look beyond squashing bugs, and into the design-level flaws (i.e., architectural defects) within software.

Posted in Software Architecture and Design

 

4 threat modeling questions to ask before your next Agile sprint

Creating a threat model for a moderately complex application can take several weeks and requires a certain level of software security expertise. Just because you’re following an Agile development methodology doesn’t mean that you can ignore potential flaws in the design of the application. The way you look for those flaws may need some adjusting to fit into your Agile SDLC, but you cannot skip thinking about design flaws.

Posted in Agile, CI/CD & DevOps, Software Architecture and Design

 

Finding software security flaws at scale

So you know the difference between bugs and flaws and you know you can use techniques like threat modeling and architecture risk analysis to find those flaws. But those techniques can be difficult to scale across the enterprise as they require deep design and software security expertise. And yet, doing no type of design analysis for a large percentage of your applications because it’s difficult to scale just means you are unaware of the numerous security architecture flaws that likely exist in your software. Fortunately, there is something you can do that can not only scale across your enterprise, but can also provide valuable feedback about the flaws that exist in the software you are building.

Where do I begin?

If you are not specifically looking for flaws in your software, you probably don’t know what flaws exist in your software. And if you don’t know what flaws exist in the software you are building, how do you know what to look for? One option is to look inside your own organization for clues. Identify the common defects found by other techniques (e.g., code review or penetration testing) and see if a change in the design of the software could avoid some or all of those defects. Here’s a real-life example of what one organization did to reduce the frequency of cross-site scripting bugs.

Posted in Software Architecture and Design

 

Understanding architecture analysis and secure design review

So you understand the difference between bugs and flaws and that the defect universe is roughly a 50/50 split of bugs and flaws. Awesome! (If you don’t yet understand the difference, here’s a great read about software flaws in application architecture that will explain it.)

Posted in Software Architecture and Design, Web Application Security

 

Cloud storage security storm: When it rains, it pours

What’s the state of cloud storage security? Not great. Cloud storage vulnerability research found 56 million records of unprotected data in cloud databases.

Posted in Cloud Security, Mobile Application Security

 

The IEEE Computer Society Center for Secure Design

The IEEE Computer Society Center for Secure Design (CSD) has launched and released its first title: Avoiding the Top 10 Software Security Design Flaws.

Posted in Software Architecture and Design

 

What the Heartbleed bug should be teaching us

What a difference a few weeks makes in the software security world. When the Heartbleed bug was publicly disclosed a short while ago, the reaction was swift and fairly consistent. It was identified as a real problem, not FUD, and systems were being patched VERY quickly. Oftentimes, when a security vulnerability is announced, we try to answer questions such as:

Posted in Fuzz Testing, Web Application Security