Denim Group, Ltd. Blog

By John Dickson

Perhaps one of the more interesting discussions at last month’s SANS AppSec conference was with Mary Ann Davidson, Chief Security Officer at Oracle Corporation. Mary Ann’s session drew on several military analogies to the software security world, but the section of her presentation that got my strongest interest dealt with higher education. In a nutshell, Mary Ann has been trying to influence colleges and universities to graduate better developers, specifically developers who understand basic concepts of secure software development and design. She speaks frequently – as she did at SANS – about how she sent letters to the top 12 hiring universities demanding that they teach secure development concepts. I’ve characterized this as a great example of a “stick” approach to affecting change, namely “you had better change or else.” This might have an impact if you’re Oracle (or Microsoft or Google). This will likely have less of an effect if you’re Denim Group or any other company with less market footprint. 

At the SANS conference, I found out that Mary Ann only received one response out of her 12 letters. This is a surprise to me, given her high-profile position at Oracle. If these universities could be so indifferent to Oracle, how will they respond when lesser giants squawk? 

I learned two things:

1. Professors might perceive themselves to be impervious to outside threats, even from one of the 800-pound Silicon Valley gorillas. (Tenure trumps all, I guess)
2. Indifference might be involved. Perhaps the universities have so many competing requests that Mary Ann’s letter fell on deaf ears.

Regardless, receiving one out of twelve letters speaks volumes. Others in the software security community have met with similar results. Undergrad students rarely understand secure development concepts – at best they took one elective that skimmed the highest-level concepts of secure system design and software security. At worst, they had one lecture on SSL. In spite of the rise of college security programs, the development of software security courses has lagged significantly.

I’ve been told this is because of the sheer amount of classes Computer Science programs force their undergraduates to complete for their degree plans. How can you justify bumping a class on operating systems to insert a secure programming class? Fair enough, but those of us in industry are still forced to train software developers in the skills they need for secure development - a process that can take two years.

The status quo is bad, and universities are cranking out new coders who will learn how to make the same mistakes, and will learn the hard way to create more secure code.

Coming up – Ideas for “carrots” for higher education to encourage them to teach more software security.

Contact us for help teaching your developers about software security.

John

--

john _at_ denimgroup.com

@johnbdickson

Posted via email from Denim Group's Posterous

By Dan Cornell

Denim Group’s John Dickson will be giving a keynote at the inaugural ACM CODASPY conference this week.  He’ll be discussing the current state of the software security industry and look at why current approaches to get businesses to justify have fallen short and will examine how at attempts at government regulation might and might not apply to regulating the security of software.

The press release is online here and you can also see some BizJournals.com coverage here.

Contact us for help creating the business case for your software security program.

--Dan

dan _at_ denimgroup.com

@danielcornell

PRESS RELEASE 

Agency Contact:                                                                                                               Denim Group Contact: 

Alan Weinkrantz                                                                                                               John Dickson 

210.820.3070                                                                                                                  210.572.4400 

alan@weinkrantz.com                                                                                   john@denimgroup.com  

John Dickson to Keynote ACM Conference

First ever ACM Conference on Data Application Security and Privacy

San Antonio, TX – February 17, 2011 - Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risks with their existing software, announced that John Dickson, CISSP will be delivering a keynote address to the first-ever Association for Computing Machinery, Special Interest Group on Security, Audit and Control (SIGSAC) conference on Data and Application Security and Privacy. The conference, organized by the Institute for Cyber Security (ICS) at the University of Texas at San Antonio (UTSA), will include many leading worldwide scholars in the field of privacy and security.

The keynote, titled “Software Security: Is OK good enough?” will address the existing state of application security and the struggles for business justification when securing software applications.  “I want to convey to this gathering of top academic talent the genuine state of software security in enterprise clients,” said John Dickson, Principal, Denim Group and keynote speaker.  “The reality is that most buyers do not demand their software to be secure, and many suppliers are focused purely on features and functionality – we need to look at different justification models to enhance the perceived need of security in software.”

The conference will include top researchers in security and privacy in academia today.  “We are excited to host this group of world-wide leaders who are advancing the state of security for applications and privacy,” said Jeff Reich, CISSP, the Director of Operations at UTSA’s ICS. “San Antonio is the perfect backdrop for this ACM Conference given the heightened level of security activity in the region associated with the Air Force and San Antonio’s emerging recognition as a cyber security center of excellence.

About Denim Group

Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group has worked with a range of Fortune 500 companies and public sector organizations, bringing a focused software development approach to the world of software security. Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. Additionally, Denim Group was ranked 1,925 in Inc. Magazine's 5000 Fastest-Growing Private Companies in America in 2010. For more information about Denim Group, visit www.denimgroup.com.

About ACM

ACM is an educational and scientific society uniting the world's computing educators, researchers and professionals to inspire dialogue, share resources and address the field's challenges. ACM strengthens the profession's collective voice through strong leadership, promotion of the highest standards, and recognition of technical excellence. ACM supports the professional growth of its members by providing opportunities for life-long learning, career development, and professional networking. ACM carries out its mission through conferences, publications, educational programs, public awareness activities, and special interest groups. It sponsors over 150 conferences annually, including conferences on computer graphics (SIGGRAPH); data communications (SIGCOMM); mobile computing (SIGMOBILE); knowledge discovery and data mining (KDD);software engineering (SIGSOFT); high performance computing (SC); human computer interaction (SIGCHI); object-oriented programming (OOPSLA); and freedom and privacy (CFP).

Reader Contact Information:

Denim Group, 3463 Magic Drive, Suite 315; San Antonio, TX 78229, Tel: 210-572-4400, Fax: 210-572-4401, www.denimgroup.com, john@denimgroup.com.

# # #

Posted via email from Denim Group's Posterous

By Dan Cornell

MySA.com recently interviewed Denim Group’s John Dickson for the article “Mobile Applications A Cybersecurity Concern for 2011”  In the article, John discusses smartphone and mobile application security risks, what to expect from app stores, how cloud computing impacts security and other trends for 2011.

For more information on emerging threats, check out some guidance we recently provided on application security trends for 2011 and contact us for help managing mobile and cloud security risk.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous