CD-ARES

Tutorial: Bug Parades, Zombies, and the BSIMM: A Decade of Software Security (extended dance version)

Gary McGraw, CTO, Cigital, USA

Only ten years ago, the idea of building security in was brand new. Back then, if system architects and developers thought about security at all, they usually concentrated on the liberal application of magic crypto fairy dust. We have come a long way since then. Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. Several things happened in the early part of the decade that set in motion a major shift in the way people build software: the release of my book Building Secure Software, the publication of Bill Gates's Trustworthy Computing memo, the publication of Lipner and Howard's Writing Secure Code, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft, and ultimately other large software companies, to get religion about software security. Now, ten years later, Microsoft has made great strides in software security and building security in, and they're publishing their ideas in the form of the SDL.

Right about in the middle of the last ten years (five years in) we all collectively realized that the way to approach software security was to integrate security practices that I term the "Touchpoints" into the software development lifecycle. Now, at the end of a decade of great progress in software security, we have a way of measuring software security initiatives called the BSIMM (http://bsimm.com).

Using the framework described in my book "Software Security: Building Security In", I will discuss and describe the state of the practice in software security. This tutorial is peppered with real data from the field, based on my work with several large companies as a Cigital consultant. As a discipline, software security has made great progress over the last decade. Of the many large-scale software security initiatives we are aware of, fifty-one, all household names, are currently included in the BSIMM study. Those companies among the fifty-one who graciously agreed to be identified include: Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga. The BSIMM was created by observing and analyzing real-world data from leading software security initiatives. The BSIMM can help you determine how your organization compares to other real software security initiatives and what steps can be taken to make your approach more effective. BSIMM is helping transform the field from an art into a measurable science.

This tutorial provides an entertaining review of the software security journey from its "bug of the day" beginnings to the multi-million dollar software security initiatives of today.



Gary McGraw is the CTO of Cigital, Inc., a software security consulting firm with headquarters in the Washington, D.C. area and offices throughout the world. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for SearchSecurity and Information Security Magazine, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Dasient (acquired by Twitter), Fortify Software (acquired by HP), Wall + Main, Inc., and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by SearchSecurity).

Company: www.cigital.com
Podcast: www.cigital.com/silverbullet
Blog: www.cigital.com/justiceleague
Book: www.swsec.com
Personal: www.cigital.com/~gem
Twitter: @noplasticshower