Datasäkerhet och Informationssäkerhet

Robert Malmgren AB

“Trust is good, control is better.”


OWASP AppSec Research, day #2

The keynote for day #2 where Steve Lippner from Microsoft. He started out with a quick overview over the history of computer security from the 70's and onward, described how PC's and Internet changed the rules, before reaching the "Secure Windows Initiative" at 1999. During the Microsoft Security push era they did alot, besides the day-to-day work trying to secure the products, they tried to do some more strategic work including implementing the "security science" as an in-house research area. He described that the executive buy-in was surprisingly easy to get, when thinking about it in retrospective. Getting executive in, is essential if you gonna launch a programme that affects 30,000 developers in a large organization.

One of the most interesting things that described was that several thing in the initial SDL book didnt really work well in reality. They have reiterate and come up with several updates and have a programme where there are annual major updates of the method. The version 4.1 came out 2009, a version 5 came out early 2010, and version 5.1 of the SDL is planned to go live in october 2010. Other interesting news that Mr Lippner talked about was the "Simplified SDL" which focus on how to implement SDL in new organisations, and the refocusing of SDL to work better in Agile environment. I'm really thankful to Microsoft to beeing so openminded to make the SDL method non-proprietary and platform agnostic. Mr Lippner described that Adobe was one of the organizations that have adopted SDL. One of the questions from the public was "why does Adobe then have a really bad track record at security?". Mr Lippner's answer, which I see as honest and well balanced, was that Microsoft started to implement SDL in the beginning of 2000, but still was struck by code red and alot of more attacks - it was a long time from starting the initiative and harvesting the fruits from the labour. Comparing with Adobe, they just started in 2009, so they have a long road ahead.

One can read more on the SDL on the Microsoft on their SDL portal, MSDN description of the SDL process, or the SDL blog, a more in-depth description of the Simplified SDL

Pravir Chandra from Fortify software had an interesting presentation entitled "The Anatomy of Real-World Software Security Programs" on different secure development processes. Besides describing some of the step any security officer have to do to be able to sucessfully implement a program, he had some interesting comparisons on different models like Software Assurance Maturity Model - OpenSAMM, Microsoft's SDL, and the Building Security In Maturity Model BSIMM2

Some other guy managed to have a network sniffer running for the whole conference. Again, its really amazing to hear how much sensitive data that gets captured at a SECURITY conference......

Written by Robban @ 2010-06-24