12–14 March 2014 • Bergen, Norway
A software conference for the whole team
Keynote - in English
Only ten years ago, the idea of building security in was brand new. Back then, if system architects and developers thought about security at all, they usually concentrated on the liberal application of magic crypto fairy dust. We have come a long way since then. Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security.

Several things happened in the early part of the decade that set in motion a major shift in the way people build software: the release of my book Building Secure Software, the publication of Bill Gates's Trustworthy Computing memo, the publication of Lipner and Howard's Writing Secure Code, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft, and ultimately other large software companies, to get religion about software security. Now, ten years later, Microsoft has made great strides in software security and building security in, and they're publishing their ideas in the form of the SDL.

Right about in the middle of the last ten years (five years in) we all collectively realized that the way to approach software security was to integrate security practices that I term the "Touchpoints" into the software development lifecycle. Now, at the end of a decade of great progress in software security, we have a way of measuring software security initiatives called the BSIMM <http://bsimm.com>. BSIMM is helping transform the field from an art into a measurable science.

This talk provides an entertaining review of the software security journey from its "bug of the day" beginnings to the multi-million dollar software security initiatives of today.