Bug Parades, Zombies, and the BSIMM: A Decade of Software Security
Abstract
Only ten years ago, the idea of building security in was brand new.
Back then, if system architects and developers thought about
security at all, they usually concentrated on the liberal
application of magic crypto fairy dust. We have come a long way
since then. Perhaps no segment of the security industry has evolved
more in the last decade than the discipline of software security.
Several things happened in the early part of the decade that set in
motion a major shift in the way people build software: the release
of my book Building Secure Software, the publication of Bill Gates's
Trustworthy Computing memo, the publication of Lipner and Howard’s
Writing Secure Code, and a wave of high-profile attacks such as Code
Red and Nimda that forced Microsoft, and ultimately other large
software companies, to get religion about software security. Now,
ten years later, Microsoft has made great strides in software
security and building security in---and they’re publishing their
ideas in the form of the SDL. About midway through the decade (five
years in), we collectively realized that the way to approach software
security was to integrate security practices that I term the
"Touchpoints" into the software development lifecycle. Now, at the
end of a decade of great progress in software security, we have a way
of measuring software security initiatives called the BSIMM.
Gary is on the Advisory Boards of Dasient, Fortify Software
(acquired by HP), Invincea, and Raven White. His dual PhD is in
Cognitive Science and Computer Science from Indiana University where
he serves on the Dean’s Advisory Council for the School of
Informatics. Gary served on the IEEE Computer Society Board of
Governors and produces the monthly Silver Bullet Security Podcast
for IEEE Security & Privacy magazine (syndicated by informIT).