Software Assurance

Happy Anniversary to Microsoft Trustworthy Computing Initiative

Ten years ago this month, Bill Gates issued a memo to all Microsoft employees announcing the Trustworthy Computing Initiative. Development was halted for several weeks to review code and to train Microsoft software engineers on security. This memo was later followed by the publication of Microsoft’s Security Development Lifecycle, as well as the release of multiple security tools. Michael Howard from Microsoft recently provided an insider view of this anniversary in a blog post. Let me share with you my views on the impact of Microsoft’s security push on EMC and on the industry as a whole.

Software Security Meets Critical Infrastructure

This week, SAFECode announced the addition of Siemens as its newest member. SAFECode, the Software Assurance Forum for Excellence in Code, was co-founded by EMC and other leading technology providers in 2007 to advance the adoption of effective software assurance methods. Siemens joins Adobe, EMC, Juniper Networks, Microsoft, Nokia, SAP and Symantec in SAFECode membership.

BSIMM 3: What’s new? What’s next?

An updated version (version 3) of the Building Security In Maturity Model was released this week by Cigital. BSIMM started in 2008 as an inventory and classification of the software security practices used by practitioners across multiple industries. The updated version includes measurements from 42 firms, including 11 that have been measured twice. As a result, the inventory of software security activities has increased to 109, demonstrating that software security is an evolving field and that there is not one single way to skin the software security cat.

Threat Models and T-shirts

Threat modeling isn’t all that’s required in engineering built-in security, not by a long shot. You need to have effective design principles to ensure security (threat modeling is one), effective secure coding practices and effective testing.

Secure Software Development Practices: Make Room on your Bookshelf

When I started EMC’s product security initiative more than eight years ago, useful information on the topic was scarce and my technical bookshelf was limited to “Writing Secure Code” by Microsoft’s Michael Howard and David LeBlanc, some work from Cigital’s Gary McGraw and an interview of Oracle’s MaryAnn Davidson.

A lot of work has been published since and anyone with the mission to start a software security initiative in a technology company today is overwhelmed with the amount of resources available. However, little information has been published on what works and on the most effective secure software development practices used by the more mature organizations.

Harmony

The news: there is a smartcard / symmetric key vulnerability that potentially affects RSA SecurID® 800 Authenticator. This was first discovered by a group of third-party security researchers; and to be clear, it only affects symmetric keys (not digital certificates) and it only affects a specific type of symmetric key. To date, there are no known instances of breach or loss of data (and no other RSA authenticators affected), and there is a non-disruptive fix (software only – no hardware / firmware changes) available through RSA SecurCare Online.

BSIMM2 – A Very Useful Reference for Software Security Practitioners

On May 12th, Gary McGraw and his teams from Cigital and Fortify Software released version 2 of the Building Security in Maturity Model (BSIMM). It triples the size of the software security practices analyzed by the study to a total of 30. EMC was part of the nine…

The Case for Supply Chain Integrity

A couple of recent incidents are shedding some light on the complexity of ensuring software code integrity throughout the supply chain.

RSA-768 Factored

Last Thursday, a six-institution team of scientists (Kleinjung et al.) announced the successful factorization of RSA-768. RSA-768 is a 768-bit (232 decimal-digit) RSA public key created in 2001 by RSA Laboratories as a cryptanalytic challenge number. The fall of RSA-768 is a landmark result, but no surprise. It reflects a consistent pace of growth in computing power, and continuing scientific interest in the problem of factoring, not an algorithmic breakthrough.

EMC Security Development Lifecycle featured at GFIRST 2009

About a month ago, Reeny Sondhi from EMC’s Product Security Office presented EMC’s approach to securing products. She explained how SQL Slammer, IP storage, regulations and EMC’s acquisition strategy have influenced our approach to product security.