Posts Tagged ‘secure software development’

Secure Design in the Limelight

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

The launch last week of the IEEE Center for Secure Design is an opportunity to remind the industry of the prominent role of secure design in building secure IT products.

Security engineering requires three main technical activities: Secure design, secure coding and security testing. Much of emphasis has been put by the industry on secure coding and security testing and much less on secure design. That is unfortunate. (more…)

EMC Product Security Sessions at the RSA Conference

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

This week in San Francisco, tens of thousands of security professionals are gathering for the the RSA Conference. For the seventh year in a row, representatives from EMC’s Product Security Office have been selected by the conference program committee to speak in a session. If you are at the conference, come an meet one of us: (more…)

BSIMM-V: Software Security is Becoming Maintream

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

This week’s release of the fifth version of the Build Security In Maturity Model (BSIMM-V) reinforces a trend that many of us in the small world of software assurance are witnessing: Developing secure software is no longer the privilege of a few.

I have been closely involved with the BSIMM project since its first version in 2008: EMC was one of the nine companies that were surveyed to build the first version of the model. Five years later, the most astonishing data that BSIMM-V brings to light is 67: The number of firms that have contributed to building the model. The BSIMM-V document makes it clear; these firms have adopted advanced security practices as part of their software engineering process. Five years ago, I am sure that Gary McGraw and his team struggled to even find nine firms willing to share their software security practices.

The journey is far from over; the firms involved with the BSIMM project are large organizations with a well established software engineering process. We need software security to become more ubiquitous across organizations of all sizes and from all verticals. We also need software assurance to expand beyond preventing software vulnerabilities and look at the practices required to ensure the integrity and authenticity of the software code we are delivering as well as the security of the underlying engineering systems and processes that help create this code.

We still have a lot to do, but we are making good progress. Community initiatives like BSIMM provide a great vehicle to continue drive adoption of software assurance practices. Thank you to the BSIMM / Cigital team for continuously updating the model!

Software Security at EMC: The Journey So Far

Reeny Sondhi

Reeny Sondhi

Reeny Sondhi is Sr. Director, Product Security Engineering at EMC Corporation. She is responsible for driving the strategy and execution of EMC’s software security program including EMC’s Security Development Lifecycle, a company-wide initiative to build secure products. She also leads EMC’s common security engineering technologies and the EMC Product Security Response Center, which is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to lead the security certification strategy and program for EMC products. More ...

As the lead of the Product Security Assurance team at EMC, I am often asked to talk about our software security practices. While previously we have shared our practices with industry presentations, SAFECode papers, etc., I thought now is as good a time as ever to write a blog post to discuss software security evolution at EMC.

(more…)

Software Security Training for All

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

 Fifteen years ago, a common representation of the hacker was a computer science college student hacking systems from his or her dorm room. Nowadays hackers operate on a different scale; they are more often affiliated to criminal organizations or to nation states than to colleges or universities.

The only thing today’s cyber attackers have in common with college students from 15 years ago can be summarized in 2 words: SOFTWARE VULNERABILITY. Most recent days attacks involve the exploitation of a zero day software vulnerability that has certainly been created by software engineers who used to be computer science college students several years ago. Sadly, software security is not a significant part of most software engineering curricula, leaving it to the developers to learn defensive coding techniques by themselves or to their employers to invest in expensive security engineering training. (more…)