Software Integrity

Author Archive

Jim DelGrosso

Jim DelGrosso is a Senior Principal Consultant at Synopsys. In addition to his overarching knowledge of software security, he specializes in architecture analysis, threat modeling, and secure design. Jim is the Executive Director for IEEE Computer Society Center for Secure Design (CSD). He also predicts that “OpenSSL will have at least one new vulnerability found in the next 12 months. You can pick the start date—it’s the ‘12 months’ that matters.” Jim relaxes and decompresses from work by playing with the dogs, listening to music, or just chilling out with a beer and a movie.


Posts by Jim DelGrosso:

 

How to scale your threat modeling capability

So, you have one or two, maybe tens, or maybe even hundreds of applications already built and deployed. You want to create threat models for those applications. But, why? Come on, you know why—to identify potential flaws that have been there since the applications were created. And of course you also want to create threat […]

Posted in Software Security Testing, Threat Modeling

 

Goal-oriented security threat modeling approaches

When it comes to security, the vast majority of firms take measures to discover and remediate implementation-level software defects (i.e., bugs) in code. While this is a great start to securing software and data, it’s just that—a start. Bugs are only half the problem. It’s a necessary practice to look beyond squashing bugs, and into the […]

Posted in Code Review, Software Security Testing, Threat Modeling

 

4 threat modeling questions to ask before your next Agile sprint

Creating a threat model for a moderately complex application can take several weeks and requires a certain level of software security expertise. Just because you’re following an Agile development methodology doesn’t mean that you can ignore potential flaws in the design of the application. The way in which you look for those flaws may need […]

Posted in Agile Methodology, Software Architecture and Design, Threat Modeling

 

Finding software security flaws at scale

So you know the difference between bugs and flaws and you know you can use techniques like threat modeling and architecture risk analysis to find those flaws. But those techniques can be difficult to scale across the enterprise as they require deep design and software security expertise. And yet, doing no type of design analysis […]

Posted in Security Architecture, Software Security Testing

 

Understanding architecture analysis and secure design review

So you understand the difference between bugs and flaws and that the defect universe is roughly a 50/50 split of bugs and flaws. Awesome! (If you don’t yet understand the difference, here’s a great read about software flaws in application architecture that will explain it.) You’ve also decided you want to start actively doing some […]

Posted in Penetration Testing, Software Architecture and Design, Software Security Testing

 

Cloud storage security storm: When it rains it pours

This week was particularly newsworthy regarding mobile [in]security. Three different cloud storage vulnerabilities were announced affecting users and platforms in various ways. We had the Samsung+Swift keyboard that was not a single problem but a chain of failures. We also heard from researchers from Indiana University, Peking University, and the Georgia Institute of Technology that […]

Posted in Cloud Security, Mobile Application Security

 

Software security and the user interface

We had an internal discussion the other day about the pros and cons of connecting professionally with random folks. During that discussion a separate thread was started about how to hide who you are connected to from your other connections. The idea was that it is OK to connect with someone but not allow that […]

Posted in Software Security Testing, Web Application Security

 

The IEEE Computer Society Center for Secure Design

The IEEE Computer Society Center for Secure Design (CSD) has officially launched! The initial document created by the center is called “Avoiding the Top 10 Software Security Design Flaws”. This document represents the most common flaws identified at the initial CSD workshop held earlier this year. Everyone remember the difference between bugs and flaws? If […]

Posted in Software Architecture and Design, Software Security Testing

 

What the Heartbleed bug should be teaching us

What a difference a few weeks makes in the software security world. When the Heartbleed bug was publicly disclosed a short while ago, the reaction was swift and fairly consistent. It was identified as a real problem, not FUD, and systems were being patched VERY quickly. Oftentimes when a security vulnerability is announced we […]

Posted in Fuzz Testing, Web Application Security