Bug Parades, Zombies, and the BSIMM: A Decade of Software Security (extended dance version)

Gary McGraw (Cigital)

Half-day workshop - in English


Only ten years ago, the idea of building security in was brand new.  Back
then, if system architects and developers thought about security at all,
they usually concentrated on the liberal application of magic crypto fairy
dust.  We have come a long way since then.  Perhaps no segment of the
security industry has evolved more in the last decade than the discipline
of software security.  Several things happened in the early part of the
decade that set in motion a major shift in the way people build software:
the release of my book Building Secure Software, the publication of Bill
Gates's Trustworthy Computing memo, the publication of Lipner and Howard's
Writing Secure Code, and a wave of high-profile attacks such as Code Red
and Nimda that forced Microsoft, and ultimately other large software
companies, to get religion about software security.  Now, ten years later,
Microsoft has made great strides in software security and building
security in---and they're publishing their ideas in the form of the SDL.
Right about in the middle of the last ten years (five years in) we all
collectively realized that the way to approach software security was to
integrate security practices that I term the "Touchpoints" into the
software development lifecycle.  Now, at the end of a decade of great
progress in software security, we have a way of measuring software
security initiatives called the BSIMM <http://bsimm.com>.

Using the framework described in my book "Software Security: Building
Security In" I will discuss and describe the state of the practice in
software security.  This tutorial is peppered with real data from the
field, based on my work with several large companies as a Cigital
consultant.  As a discipline, software security has made great progress
over the last decade.  Of the many large-scale software security
initiatives we are aware of, sixty-seven---all household names---are
currently included in the BSIMM study. Those companies among the
sixty-seven who graciously agreed to be identified include: Adobe, Aetna,
Bank of America, Box, Capital One, Comerica Bank, EMC, Epsilon, F-Secure,
Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, JPMorgan Chase &
Co., Lender Processing Services Inc., Marks and Spencer, Mashery, McAfee,
McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens Networks,
PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, Salesforce,
Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom
Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, and
Zynga.   The BSIMM was created by observing and analyzing real-world data
from leading software security initiatives. The BSIMM can help you
determine how your organization compares to other real software security
initiatives and what steps can be taken to make your approach more
effective.  BSIMM is helping transform the field from an art into a
measurable science.

This tutorial provides an entertaining review of the software security
journey from its "bug of the day" beginnings to the multi-million dollar
software security initiatives of today.


Primarily for: Developers, Architects, Security professionals

Participant requirements: