Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation with company-wide responsibility for product security assurance, covering vulnerability response handling, security development lifecycle implementation, coordination of security certifications and integration of RSA technology in EMC products and solutions. Since joining EMC in 2002, Mr. Baize pioneered EMC’s push towards security. He was a founding member of the leadership team that defined EMC’s vision of information-centric security, and which drove the acquisition of RSA Security and Network Intelligence in 2006. He then led RSA’s strategy for virtualization and cloud computing. Prior to joining EMC, Mr. Baize held various positions for Groupe Bull in Europe and in the US where he was successively the security architect, product manager and director of security strategy, responsible for the company’s security product line. Mr. Baize holds an M.S. degree in Computer Science from Ecole Nationale Supérieure des Télécommunications in Brest, France, and is a Certified Information Security Manager (CISM) by the Information Systems Audit and Control Association (ISACA). He is the holder of two US patents, author of international security standards and a regular speaker at security conferences in the US and Europe. He also represents EMC on the Board of Directors of SAFECode.

Happy Anniversary to Microsoft Trustworthy Computing Initiative

Ten years ago this month, Bill Gates issued a memo to all Microsoft employees announcing the Trustworthy Computing Initiative. Development was halted for several weeks to review code and to train Microsoft software engineers on security. This memo was later followed by the publication of Microsoft’s Security Development Lifecycle, as well as the release of multiple security tools. Michael Howard from Microsoft recently provided an insider view of this anniversary in a blog post. Let me share with you my views on the impact of Microsoft’s security push on EMC and on the industry as a whole.

Software Security Meets Critical Infrastructure

This week, SAFECode announced the addition of Siemens as its newest member. SAFECode, the Software Assurance Forum for Excellence in Code, was co-founded by EMC and other leading technology providers in 2007 to advance the adoption of effective software assurance methods. Siemens joins Adobe, EMC, Juniper Networks, Microsoft, Nokia, SAP and Symantec in SAFECode membership.

BSIMM 3: What’s new? What’s next?

An updated version (version 3) of the Building Security In Maturity Model was released this week by Cigital. BSIMM started in 2008 as an inventory and classification of the software security practices used by practitioners across multiple industries. The updated version includes measurements from 42 firms, including 11 that have been measured twice. As a result, the inventory of software security activities has increased to 109, demonstrating that software security is an evolving field and that there is not one single way to skin the software security cat.

In Cloud we Trust…

This week at the RSA Conference in San Francisco, California, securing the cloud is on everybody’s mind. Not surprisingly, many are still outlining a piecemeal approach to cloud security using the same recipes that have not worked in the past several decades. However, several credible and powerful voices are emerging from the noise to offer a much more compelling approach to accelerating the adoption of cloud services. The idea is to build a new comprehensive cloud trust model that exploits the unique characteristics of cloud and virtualization. Now, the good news: Leaders in cloud computing are making trust the centerpiece of their strategy and the technology to build this trust model is available now.

Secure Software Development Practices: Make Room on your Bookshelf

When I started EMC’s product security initiative more than eight years ago, useful information on the topic was scarce and my technical bookshelf was limited to “Writing Secure Code” by Microsoft’s Michael Howard and David LeBlanc, some work from Cigital’s Gary McGraw and an interview of Oracle’s Mary Ann Davidson.

A lot of work has been published since and anyone with the mission to start a software security initiative in a technology company today is overwhelmed with the amount of resources available. However, little information has been published on what works and on the most effective secure software development practices used by the more mature organizations.

Behind the Cloud Curtain

In survey after survey, security, and more specifically the lack of control and visibility around what is happening to your information on service provider premises, is listed as the number one barrier to cloud adoption.

Security in the Cloud: Follow the Netflix* model

For years, the security industry has been complacent, using complex concepts to keep security discussions isolated from mainstream IT infrastructure conversation. We all know that this time is over. The industry consolidation, initiated by EMC’s acquisition of RSA in 2006 and now well on its way with the recent acquisition of McAfee by Intel and ArcSight by HP, is demonstrating that the security and IT infrastructure conversations are one and the same.

BSIMM2 – A Very Useful Reference for Software Security Practitioners

On May 12th, Gary McGraw and his teams from Cigital and Fortify Software released version 2 of the Building Security in Maturity Model (BSIMM). It triples the size of the software security practices analyzed by the study to a total of 30. EMC was part of the nine…

The Case for Supply Chain Integrity

A couple of recent incidents are shedding some light on the complexity of ensuring software code integrity throughout the supply chain.

A European Take on Cloud Security

I have practiced information security on both sides of the Atlantic Ocean and I have always been fascinated by the differences between the European and the North American approaches to security.