Software Integrity Blog

Author Archive

Jim DelGrosso

jdelgrosso

Jim DelGrosso is a senior principal consultant at Synopsys. In addition to his overarching knowledge of software security, he specializes in architecture analysis, threat modeling, and secure design. Jim is the Executive Director for IEEE Computer Society Center for Secure Design (CSD). He also predicts that “OpenSSL will have at least one new vulnerability found in the next 12 months. You can pick the start date—it’s the ‘12 months’ that matters.” Jim relaxes and decompresses from work by playing with the dogs, listening to music, or just chilling out with a beer and a movie.


Posts by Jim DelGrosso:

 

How to scale your threat modeling capability

So, you have one or two, maybe tens, or maybe even hundreds of applications already built and deployed. You want to create threat models for those applications. But, why? Come on, you know why—to identify potential flaws that have been there since the applications were created. And of course you also want to create threat models for new applications that are being built as we speak.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on How to scale your threat modeling capability

 

Goal-oriented security threat modeling approaches

When it comes to security, the vast majority of firms take measures to discover and remediate implementation-level software defects (i.e., bugs) in code. While this is a great start to securing software and data, it’s just that—a start. Bugs are only half the problem. It’s a necessary practice to look beyond squashing bugs, and into the design-level flaws (i.e., architectural defects) within software.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Goal-oriented security threat modeling approaches

 

4 threat modeling questions to ask before your next Agile sprint

Creating a threat model for a moderately complex application can take several weeks and requires a certain level of software security expertise. Just because you’re following an Agile development methodology doesn’t mean that you can ignore potential flaws in the design of the application. The way in which you look for those flaws may need a bit of adjusting in order to fit into your Agile SDLC, but thinking about design flaws cannot be ignored.

Continue Reading...

Posted in Agile, CI/CD & DevOps, Software Architecture and Design | Comments Off on 4 threat modeling questions to ask before your next Agile sprint

 

Finding software security flaws at scale

So you know the difference between bugs and flaws and you know you can use techniques like threat modeling and architecture risk analysis to find those flaws. But those techniques can be difficult to scale across the enterprise as they require deep design and software security expertise.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Finding software security flaws at scale

 

Understanding architecture analysis and secure design review

So you understand the difference between bugs and flaws and that the defect universe is roughly a 50/50 split of bugs and flaws. Awesome! (If you don’t yet understand the difference, here’s a great read about software flaws in application architecture that will explain it.)

Continue Reading...

Posted in Software Architecture and Design, Web Application Security | Comments Off on Understanding architecture analysis and secure design review

 

Cloud storage security storm: When it rains, it pours

What’s the state of cloud storage security? Not great. Cloud storage vulnerability research found 56 million records of unprotected data in cloud databases.

Continue Reading...

Posted in Cloud Security, Mobile Application Security | Comments Off on Cloud storage security storm: When it rains, it pours

 

The IEEE Computer Society Center for Secure Design

The IEEE Computer Society Center for Secure Design (CSD) has launched and released its first title: Avoiding the Top 10 Software Security Design Flaws.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on The IEEE Computer Society Center for Secure Design

 

What the Heartbleed bug should be teaching us

What a difference a few weeks makes in the software security world. When the Heartbleed bug was publicly disclosed a short while ago, the reaction was swift and fairly consistent. It was identified as a real problem, not FUD, and systems were being patched VERY quickly. Often time when a security vulnerability is announced we try to answer questions such as:

Continue Reading...

Posted in Fuzz Testing, Web Application Security | Comments Off on What the Heartbleed bug should be teaching us