Posts Tagged ‘secure software development’

EMC’s Approach to Vulnerability Response

Reeny Sondhi

Reeny Sondhi

Reeny Sondhi is Sr. Director, Product Security Engineering at EMC Corporation. She is responsible for driving the strategy and execution of EMC’s software security program including EMC’s Security Development Lifecycle, a company-wide initiative to build secure products. She also leads EMC’s common security engineering technologies and the EMC Product Security Response Center, which is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to lead the security certification strategy and program for EMC products. More ...

Let’s face it – real software products have security vulnerabilities! While building strong secure software development practices goes a long way towards detecting and helping to eliminate security vulnerabilities during the development process, a strong product security program also needs to be prepared to properly handle and respond to security vulnerabilities found in the product after it has shipped. (more…)

Split-value Cryptographic Authentication: Building Advanced Threat Resistant Software

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

Advanced Threats are deeply impacting the way we develop secure products by fundamentally changing our working assumptions. We used to design and develop products to be attack resistant assuming that the environment where they will be deployed may be compromised. We now have to develop and design products assuming that every system in the customer environment, in the development environment and in the supply chain may be compromised. (more…)

Real Software Does Have Bugs (and Vulnerabilities Too)

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

I was recently interviewed by a business journalist at CNBC for a story on high-profile software glitches that impacted operations of a trading company and an airline. The interviewer was seeking insights into the relationship between these glitches and security.

These interviews are always a refreshing opportunity to explain complex concepts in simple terms and to educate our audience about assumptions that we typically take for granted.

This interview was no different. The reporter wanted to understand how an organization could guarantee “bug-free” software. (more…)

SAFECode Releases Software Security Guidance for Agile Practitioners

Reeny Sondhi

Reeny Sondhi

Reeny Sondhi is Sr. Director, Product Security Engineering at EMC Corporation. She is responsible for driving the strategy and execution of EMC’s software security program including EMC’s Security Development Lifecycle, a company-wide initiative to build secure products. She also leads EMC’s common security engineering technologies and the EMC Product Security Response Center, which is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to lead the security certification strategy and program for EMC products. More ...

In the Product Security Office, we often get questions from developers across the industry on how to apply EMC’s Security Development Lifecycle to an Agile development model. Software security practices have been traditionally considered as suitable for serial waterfall development methodologies and there has been a lot of debate in the industry on how to bring the best out of these practices to incorporate in today’s more iterative, agile development methodologies that are increasingly popular especially in the new cloud based, big data centric business models.

(more…)

Happy Anniversary to Microsoft Trustworthy Computing Initiative

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

Ten years ago this month, Bill Gates issued a memo to all Microsoft employees announcing the Trustworthy Computing Initiative. Development was halted for several weeks to review code and to train Microsoft software engineers on security. This memo was later followed by the publication of Microsoft’s Security Development Lifecycle, as well as the release of multiple security tools. Michael Howard from Microsoft recently provided in a blog post an insider view of this anniversary. Let me share with you my views on the impact of Microsoft’s security push on EMC and on the industry as a whole.

(more…)