I was excited about Gary McGraw’s opening speech and he did not disappoint me. Gary—the Vice President of Security Technology at Synopsys—taught me the three fundamental touch-points to scaling a Software Security Initiative (SSI) company-wide. Sound topic, for I was helping my team at work with an SSI project. Coincidentally, I owned Gary’s book Software Security: Building Security In and had the opportunity to request his autograph by the end of his talk—which he politely signed—as well as to take pictures with me.
In his Scaling a Software Security Initiative: Lessons from the BSIMM presentation, Gary discussed why companies adopt the BSIMM model, which traces the evolution of different SSIs in many participant organizations and provides fact-based visualizations of security trends among them. In other words: BSIMM reveals what is actively happening in the world of Software Security so that professionals developing an SSI have a foundation to build upon.
Gary described three activities from the Secure Software Development Lifecycle (SSDL/SSDLC) that strengthen application security:
Architecture Analysis (AA)
Code Review (CR)
Security Testing (ST)
According to Gary, when these are enforced—sadly not always the case—they advance an SSI further.
Agreeing with Gary, Code Review should be mandatory across Software Development teams. Manual Static Analysis tools (like SecureAssist) can fulfill training and reporting goals simultaneously because of built-in secure coding guidance, in addition to other features (i.e. SecureAssist Enterprise Portal) for centralized reports and team progress tracking. However, automating SecureAssist is not feasible; this is where RIPS, FindBugs and more sophisticated, proprietary products (such as Synopsys’ Coverity) move beyond the basics.
Gary later suggested that Penetration Testing nowadays is a “commodity,” given the ever-growing list of Cybersecurity vendors adopting it as one of the various services they offer. Eventually, third-party Penetration Testing drills scheduled as part of Security Testing are now more affordable than they were a decade ago, while other SSDL areas lack comparable coverage.
Precisely, one of these critical areas lacking coverage due to a shortage of expertise is Architecture Analysis. Besides cooperation from all the developers, Architecture Analysis requires active knowledge of the existing software components and dependencies, and of their corresponding security vulnerabilities and flaws. Gary explained that many exercises fail since there is “no institutional knowledge or consistency” regarding what to do; not all the experts engage in every exercise and—for these and other reasons—an effective audit of the Security Architecture is not accomplished. Thus, building a Threat Model that accurately depicts the potential hazards a product faces in “the wild” is unlikely. Gary recommended the Architecture Risk Analysis (ARA) from Synopsys and, from the Institute of Electrical and Electronics Engineers (IEEE), the Avoiding The Top 10 Software Security Design Flaws guide. I surely took note and resolved to dig deeper into Architecture Analysis.
After leaving Pedro’s talk, I swiftly headed to the Marion Davies Guest House to watch Rod Cope’s presentation Continuous security: Bringing agility to the secure development lifecycle. I hoped to gain insight into pipeline-based security strategies, considering that I wanted to automate Security Testing within my team’s Continuous Integration (CI) environment at work. So, during the Q&A session I asked Rod and the guests for their recommendations—based on my intentions. They validated what I knew from individual research and previous experimentation: that trying OWASP’s Zed Attack Proxy (ZAP) would be my best choice. ZAP is free, open-source, and neatly versatile.
AppSec California, I am so eager to “see” you again!
About Arleena Faith
Arleena Faith studies Computer Science at the Harvard University Extension School, Harvard University, Cambridge, Massachusetts. Twice a NASA intern and a graduate of the NASA Community College Aerospace Scholar (NCCAS) workshop (Fall 2014), Arleena is interested in a diversity of Technology topics that range from CyberSecurity to Data Science. She has focused on Software Security since 2010, when she started her cyber-journey as a Junior Web Developer for a small company in Manhattan Beach, California.