Software Integrity Blog

Author Archive

John Steven

jsteven

John Steven is a former senior director at Synopsys. His expertise runs the gamut of software security—from threat modeling and architectural risk analysis to static analysis and security testing. He has led the design and development of business-critical production applications for large organizations in a range of industries. After joining Synopsys as a security researcher in 1998, John provided strategic direction and built security groups for many multinational corporations, including Coke, EMC, Qualcomm, Marriott, and FINRA. His keen interest in automation contributed to keeping Synopsys technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine and as the leader of the Northern Virginia OWASP chapter. John speaks regularly at conferences and trade shows.


Posts by John Steven:

 

Threats threatening with threats

By now, everyone has heard of the Mandiant report. Many of you have taken the time to read it. This report and the discussion it generated refers to ‘threat’ so frequently that it’s worth discussing how its use of the word differs from what you commonly see here.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Threats threatening with threats

 

Securing password digests -or- How to protect lonely unemployed radio listeners

As we’re prone to say, “much ink has been spilt over the release of password digests” from LinkedIn and others. I’m, as is typical, profoundly disappointed in that amount of misinformation I’ve heard in security folks’ commentary on the problem and the underlying workings of digests, HMACs, and so forth. This blog entry represents a roll-up of a great discussion we had internally on our Software Security Group mailing list. A Few Caveats

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Securing password digests -or- How to protect lonely unemployed radio listeners

 

Caching security architecture knowledge with design patterns

We have always done architecture work. In the past clients replaced their legacy systems with ‘new-fangled’ JavaEE. As they explored platform features, an ecosystem of web frameworks, and related commercial products (Netegrity’s SiteMinder). Realizing they needed help, they looked to us for:

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Caching security architecture knowledge with design patterns

 

Open source software maturity activities

Practice these open source software maturity activities to help ensure the open source you use and contribute to becomes as secure as your proprietary code.

Continue Reading...

Posted in Open Source Security | Comments Off on Open source software maturity activities

 

An OWASP interaction model

Out at AppSec USA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will likely involve:

Continue Reading...

Posted in Security Standards and Compliance | Comments Off on An OWASP interaction model

 

What is threat modeling? A vocabulary of threat model terms.

A few posts back, we begun a series on Threat Modeling. As we begun writing the second installment in this series, it occurred to me that I’m using a lot of threat modeling vocabulary. When I speak on threat modeling I always warn my audience that ambiguity exists in some of the (even fundamental or common) terms used here.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on What is threat modeling? A vocabulary of threat model terms.

 

When all you have is a hammer

We’ve probably all experienced organizations that rely principally on a single assessment technique (whether it be static analysis or dynamic analysis, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making use of static, dynamic, and manual assessment techniques?” I thought some of our experience might apply.

Continue Reading...

Posted in Static Analysis (SAST), Web Application Security | Comments Off on When all you have is a hammer

 

Increasing static visibility

Sometimes, people talk loosely about an important difference between static analysis and dynamic analysis. Static analyzers, they say, achieve 100% coverage. They may complain that dynamic tools struggle to get even double-digit statement coverage of an application under test.

Continue Reading...

Posted in Static Analysis (SAST), Web Application Security | Comments Off on Increasing static visibility

 

Improving software security (maturity models and their ilk?)

Ben Worthen broke the BSIMM story on wsj.com as was posted earlier.

Continue Reading...

Posted in Maturity Model (BSIMM), Security Standards and Compliance | Comments Off on Improving software security (maturity models and their ilk?)

 

Gartner and static analysis

James McGovern recently wrote a post on Gartner’s static analysis (SA) report. Among other things, he lamented the lack of actionable guidance within the report. A lack of implementation guidance doesn’t shock me from Gartner, I can’t say I expect that from them.

Continue Reading...

Posted in Static Analysis (SAST) | Comments Off on Gartner and static analysis