Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...
This week’s release of the fifth version of the Build Security In Maturity Model (BSIMM-V) reinforces a trend that many of us in the small world of software assurance are witnessing: Developing secure software is no longer the privilege of a few.
I have been closely involved with the BSIMM project since its first version in 2008: EMC was one of the nine companies that were surveyed to build the first version of the model. Five years later, the most astonishing data that BSIMM-V brings to light is 67: The number of firms that have contributed to building the model. The BSIMM-V document makes it clear; these firms have adopted advanced security practices as part of their software engineering process. Five years ago, I am sure that Gary McGraw and his team struggled to even find nine firms willing to share their software security practices.
The journey is far from over; the firms involved with the BSIMM project are large organizations with a well established software engineering process. We need software security to become more ubiquitous across organizations of all sizes and from all verticals. We also need software assurance to expand beyond preventing software vulnerabilities and look at the practices required to ensure the integrity and authenticity of the software code we are delivering as well as the security of the underlying engineering systems and processes that help create this code.
We still have a lot to do, but we are making good progress. Community initiatives like BSIMM provide a great vehicle to continue drive adoption of software assurance practices. Thank you to the BSIMM / Cigital team for continuously updating the model!
Fifteen years ago, a common representation of the hacker was a computer science college student hacking systems from his or her dorm room. Nowadays hackers operate on a different scale; they are more often affiliated to criminal organizations or to nation states than to colleges or universities.
The only thing today’s cyber attackers have in common with college students from 15 years ago can be summarized in 2 words: SOFTWARE VULNERABILITY. Most recent days attacks involve the exploitation of a zero day software vulnerability that has certainly been created by software engineers who used to be computer science college students several years ago. Sadly, software security is not a significant part of most software engineering curricula, leaving it to the developers to learn defensive coding techniques by themselves or to their employers to invest in expensive security engineering training. (more…)
Year after year, studies such as the Verizon Data Breach Investigation Report show software vulnerabilities and misconfiguration among the main data breach causes. At EMC, we operate under the assumption that securing a product in a customer environment is a team sport between the product vendor and the customer deploying the product. The vendor plays a greater role upstream with a focus on adopting secure development practices and in properly handling and responding to vulnerabilities reported on the product. The customer takes the baton from the vendor and plays a larger role downstream by taking the necessary steps to securely deploy and maintain the product. (more…)
The English saying “You are what you eat”, just like many other aspects of culinary history, has its origin in France and more precisely from Jean Anthelme Brillat-Savarin’s “The Physiology of Taste: Or Meditations on Transcendental Gastronomy” who first wrote
“Tell me what you eat, and I shall tell you what you are.”
In French: “Dis-moi ce que tu manges, je te dirai ce que tu es.”
Today, SAFECode announced the appointment of Howard Schmidt as its new Executive Director. At a time when Cybersecurity has become a top priority for governments in the US and around the world, Howard’s experience and reputation will help SAFECode be more effective in promoting proven software assurance practices across the industry and with governments across the world. (more…)
The opinions and interests expressed on EMC employee blogs are the employees' own and do not necessarily represent EMC's positions, strategies or views. EMC makes no representation or warranties about employee blogs or the accuracy or reliability of such blogs. When you access employee blogs, even though they may contain the EMC logo and content regarding EMC products and services, employee blogs are independent of EMC and EMC does not control their content or operation. In addition, a link to a blog does not mean that EMC endorses that blog or has responsibility for its content or use.