Thursday, 23 April 2009

Cyber Attack on the Bay Area

I was on vacation when I read that multiple fiber lines had been cut around the Bay Area; thankfully the Internet connection in my apartment in Paris was unaffected. However, upon my return I was amazed to hear just how alarming the events that had occurred should be to all of us. One of the best accounts begins with the following paragraphs (read the rest here):
"Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost unreported.

That attack demonstrated a severe fault in American infrastructure: its centralization. The city of Morgan Hill and parts of three counties lost 911 service, cellular mobile telephone communications, land-line telephone, DSL internet and private networks, central station fire and burglar alarms, ATMs, credit card terminals, and monitoring of critical utilities. In addition, resources that should not have failed, like the local hospital's internal computer network, proved to be dependent on external resources, leaving the hospital with a "paper system" for the day.

Commerce was disrupted in a 100-mile swath around the community, from San Jose to Gilroy and Monterey. Cash was king for the day as ATMs and credit card systems were down, and many found they didn't have sufficient cash on hand. Services employees dependent on communication were sent home. The many businesses providing just-in-time operations to agriculture could not communicate."
Posted by jwest at 2:49 PM in Fortify

Monday, 20 April 2009

Software Security Industry Growth

Gary McGraw put out an article last week detailing the revenue generated by the software security industry for 2008. It’s nice to see our industry growing at a steady clip, but as Gunnar Peterson pointed out after Gary published 2007’s numbers, the software security market is dwarfed by the network security market. Gunnar’s numbers are a bit fuzzy; however, I think it’s safe to say we spend billions on network security (firewalls, VPNs, IDS, services, etc.), but only a fraction of that amount is spent on software security. The thing that worries me is that spending is a reflection of awareness, so even though increased spending in the software security sector indicates expanded awareness of software security, I don’t think awareness is growing nearly fast enough. These days everyone knows about firewalls, but frequently people in IT know very little about software security. What do you think will help grow awareness? What would you like to see consultants and vendors like Fortify do to drive software security awareness?
Posted by elee at 3:00 PM in Fortify

Tuesday, 14 April 2009

Enforcing Enterprise Policy with Fortify 360 v2.0

During a recent off-site, a few of us in SRG whipped up this brief video demonstrating how a fictitious company might use Fortify 360 v2.0 to enforce an enterprise-wide policy forbidding cross-site scripting vulnerabilities. This is just a taste of what Fortify 360 is capable of and shows how the product can be employed to enforce very specific policies.

Posted by jwest at 1:45 PM in Fortify