Monday, 1 March 2010

BSIMM2

Planning a software security initiative can benefit from understanding and analyzing real-world software security initiatives. That is exactly the purpose of the BSIMM project, which gathers data from leading software security initiatives. The number of initiatives studied thus far has reached 30, which means that applying statistical analysis to the data makes sense. But before going that route, can't something simpler be derived from the data that gives a useful insight into it? Well, I think that ranking the activities by how often they were observed is simple and very useful. The top 15 activities can be found in the latest informIT column on the BSIMM and are definitely worth a read!
Posted by mmadou at 7:04 PM in Fortify

Wednesday, 24 February 2010

Hitler and Cloud Computing Security

Props to Marcus Ranum and Gunnar Peterson for a brilliant rendition of this YouTube standard.
Posted by bchess at 8:58 PM in Fortify

Friday, 5 February 2010

Fortify Joins Microsoft's SDL Pro Network

Recently, Microsoft welcomed seven additional companies to join their Microsoft SDL Pro Network. We’re excited to announce that Fortify has joined the SDL Pro Network as a Tools provider.

So, what exactly does this mean to Fortify users? Well, it means that Fortify along with the Fortify 360 product suite can be used to help an organization manage and comply with Microsoft’s prescribed SDL.

Specifically, the seven portions of the MS SDL are addressed by Fortify in the following ways:

The roll-out and deployment of the MS SDL can be managed through the Fortify 360 Governance module. Fortify users simply need to use the Fortify-created MS SDL process template that best models their organization's security maturity level (Fortify provides support from Advanced level down to Basic level maturity), load the process template into Fortify 360, and follow the prescribed requirements and activities.

Training: Fortify Training provides comprehensive secure development practices which address all phases of the Security Development Lifecycle.

Requirements: The Fortify 360 Governance module prescribes the proper MS SDL Requirements steps. The Governance module also stores any artifacts produced from the Requirements phase.

Design: The Governance module also directs users to the MS SDL design activities required for the organization's security maturity level. The resulting design artifacts are stored in the 360 server for review.

Implementation: Fortify SCA performs static analysis of an organization's code base. Fortify 360 consumes the static analysis results and warns of banned function violations.

Verification: Fortify 360 is capable of consuming and reporting upon dynamic testing results from multiple vendors. The Governance module stores relevant threat model/attack surface analysis.

Release: The Governance module, along with the accompanying MS SDL process template, enforces a proper release strategy.

Response: Once again, the Governance module serves as a repository for response artifacts.

In essence, Fortify 360 provides a comprehensive solution for rolling out the MS SDL throughout an organization.
Posted by flee at 12:51 PM in Fortify

Thursday, 4 February 2010

Good Boy, Have a Star!

It's that time of year again: RSA is just around the corner. When the conference folks put up the speaker list this year I was pleased to see a little red star next to my name, which I learned means I'm a "Top Rated Speaker" from past years. Yay, me :P

This year I'll be speaking with Jeremiah Grossman from WhiteHat Security on Correlating Static and Dynamic Security Results. This is a topic we've both been interested in for years (along with half the security community, it seems), but this is the first time we both feel like we have some significant contributions to share. In particular, we're excited to talk about real-world examples of correlation we've seen in the context of Fortify on Demand.

If you just can't wait until March, Jeremiah and I recorded a podcast with RSAConference.com Editor-in-Chief Jeanne Friedman where we preview the session.

Posted by jwest at 4:13 PM in Fortify