Software Integrity

Archive for the 'Security Metrics' Category


Gary McGraw’s Shmoocon keynote recaps security career with advice

Gary McGraw provided this year’s keynote address at Shmoocon, held January 13-15 at the Washington Hilton in Washington, D.C. His talk, “Seven Things: Frank Zappa, T. Coraghessan Boyle, and 21 Years in Security,” touches upon valuable insights gleaned over McGraw’s more than 21 years in software security. It also reflects his many interests. Watch the […]


Posted in Security Conference or Event, Security Metrics, Security Training, Software Architecture and Design, Software Development Life Cycle (SDLC), Software Security Program Development


Get executive support for your software security journey

According to Osterman Research, 60% of IT and security leaders say that the information they provide on cyber risk is NOT actionable. To add to that alarming finding, SearchSecurity reports that 12% of CISOs include NO metrics in their reports to senior executives. Software security is one of many competing priorities demanding the attention of […]


Posted in Application Security, Security Metrics


7 elements of a successful software security journey

A successful software security journey is an exercise in endurance. As you travel you’ll build strength and skills that make the process more streamlined and efficient. If you make, manage, or purchase software, you need to address software security. Prepare for the adventure by making sure you have the right things in your pack. In […]


Posted in Security Metrics, Security Training, Software Security Program Development, Software Security Testing


Benefits of application security training: Moving beyond compliance

The official organizational response to a data breach almost always includes the statement: “We met all regulatory and legal requirements for data protection.” Training is required for many compliance regimes, and it might just be good enough as a compliance control. However, as a security control it’s inadequate. There are multiple major retailers that were […]


Posted in Data Breach, Maturity Model (BSIMM), Security Metrics, Security Training, Software Security Testing


How effective are your software security metrics?

Many firms present metrics in a vastly oversimplified way, reporting too few measurements to be useful. Many other firms barrage the audience with a wide variety of highly detailed metrics, which often overwhelms the reader. Both approaches are weak. If you want to share key software security metrics, it’s critical to focus on the impact that the metrics […]


Posted in Application Security, Security Conference or Event, Security Metrics


What story do your mobile metrics tell?

As people become more reliant on their smartphones, mobile applications become an important focus for many organizations. There are many articles about adapting your software security group (SSG) to handle the new risks posed by new technology. But, are you confident that you are tracking your organization’s progress and performance effectively? What story do your […]


Posted in Mobile Application Security, Security Metrics


The 3 fundamentals of a software security initiative

You take calculated risks every day. Just this morning, say you decided to walk across the street against the light because no cars were in sight and you had to get to work on time. But had that street been a highway—or if you had been with your child—you quite possibly would have made a […]


Posted in Application Security, Security Metrics, Security Standards and Compliance, Software Security Program Development, Software Security Testing


Building meaningful security metrics

Many people in various security disciplines are looking to metrics as a way to demonstrate the efficacy of their efforts and show continuous process improvement. Unfortunately, poorly constructed metrics usually create more confusion than insight. If I told you that testing discovered nine critical vulnerabilities last month, what knowledge have I imparted? Does it clarify […]


Posted in Security Metrics, Software Security Program Development


Why a software security group is needed

As software security evolves, it becomes more difficult to manage, making a Software Security Group (SSG) a necessity for your organization. Without a core group of individuals working to keep the firm’s security strong, it will be nearly impossible to stay safe in today’s environment. 5 models for enterprise software security management teams […]


Posted in Maturity Model (BSIMM), Security Metrics, Software Security Testing


Open source and software maturity models

I’m at the BSIMM3 Conference, in an open source breakout session. The context: you’re an organization with a reasonable application security program. The question, “How to apply that same process maturity to open source where no ‘throat to choke’ exists?” Your organization and its software-providing vendors may not be perfect but at least you can […]


Posted in Maturity Model (BSIMM), Open Source Security, Security Metrics, Web Application Security