Showing posts with label RSA.

Sunday, February 28, 2010

POLL - What is your experience with security in the Software Development LifeCycle?

Errata Security is conducting a survey on the real world usage of software development methodologies such as Microsoft SDL, OWASP's SAMM, and BSIMM. We are interested in learning which organizations are successfully implementing these methods, and also the reasons companies are abstaining from using these methods. The survey went live over the weekend, and already we are collecting some very interesting experiences. The most noteworthy observation is how varied the responses have been. There appears to be no one correct solution for any two organizations. We will have this survey up through the RSA Conference and the following week, and see if any patterns emerge.

To participate in this short survey, go to http://bit.ly/ErrataSurvey. If you would like a copy of the results of this survey, there is a request button at the end of the survey where you can enter your email address.

In order to encourage participation in this survey, and to explain the reasons behind it, I will be giving a lightning talk at Security B-Sides in San Francisco on March 3 at 12:00 PST.

Please share the survey link with software developers, security experts, product managers, or anyone involved in product development. Thanks!

Thursday, April 23, 2009

RSA 2009

I was trying to figure out the mood at the RSA security conference. Due to the recession, attendance is down 30%.

First of all, it appears that the recession affects cybersecurity less than other parts of IT. I would personally describe cybersecurity as a luxury, but compliance (HIPAA, SOX, PCI, etc.) makes it a non-luxury. Companies cannot cut back on security and stay within compliance.

Second of all, it seems there has been a shift from products to consulting/services. Companies are encouraged to shed full-time employees (which commit the companies to things like health insurance and severance packages), so they fill the gaps by hiring part-time employees (a.k.a. consultants). Likewise, companies may find that if they can't hire more people to manage more firewalls, they will stop buying firewalls, so hiring freezes can indirectly freeze product spending.

Thirdly, it appears that federal government sales are up. It appears that government departments are flush with cash. Any company that does a substantial amount of business with the government is going to post good earnings this quarter.

Fourth, it seems that when analysts go up to a booth, they are looking for work ("can I advise you on your marketing strategy") rather than information ("tell me about your product"). I've heard about a lot of layoffs in the analyst community. This is part of the larger trend that companies are trying to figure out how to do more with the products they already have, rather than buy new products. I know from experience that companies only use 20% of the functionality of their security products. I'd suggest to analysts looking for work that they write reports on how companies can use that 80% of other functionality of the products they already own.

Thursday, February 01, 2007

George Ou's hack gets a marketing name...

http://www.infoworld.com/article/07/02/01/HNvistaspeechbug_1.html

SHOUT HACKING!!!

I know, I know it seems like the kinda name a trendy techno club with a line of pretty people waiting outside would have. Give it a chance, say it a few times, SHOUT HACKING! Or better yet George Ou presents SHOUT HACKING! (it must be in all caps)

I am taking a bullhorn to RSA, who is with me?

Sales Guy: "Today I will be demoing a brand new product to stop..."
From the crowd: "START LISTENING"
Sales Guy: "all forms of 0day attacks..."
From the crowd: "START"
Sales Guy: "There is not an attack that can get around this..."
From the crowd: "SHUTDOWN"

The demo machine shuts down.

Sales Guy: "Uuuhh...The battery must have died..."

Tuesday, January 30, 2007

RSA...

I, along with Rob Graham, will be in San Francisco next week for RSA. If you want to meet up, grab a drink and chat, let me know.