Wednesday, 31 March 2010

Schneier on Software Security Assurance

In a recent post titled Should the Government Stop Outsourcing Code Development?, Bruce Schneier dismisses the connection between where code is written and, instead, rightly focuses attention on how code is written. Specifically, he describes assurance as being "less about developing new security techniques than about using the ones we already have."

At Fortify, we couldn't agree more. Our Software Security Assurance (SSA) program is all about helping organizations bring together their people, process, and technology to deliver software that has security built in from the ground up. As Schneier points out, security can't just be a requirement; it needs to be a priority! Give the blog post a read and see if it doesn't leave you agreeing that security has more to do with how your software is built than where it is built.

Posted by jwest at 1:27 PM in Fortify

Monday, 22 March 2010

Q1 release from Fortify SRG

If you're a Fortify customer you already know we released updates in three main areas at the end of February (we always release on the last business day of the second month of the quarter). If you haven't seen these updates, here is a summary of what we've been up to. As of this release, the Fortify Secure Coding Rulepacks detect 439 unique categories of vulnerabilities across 18 languages and over 650,000 individual APIs. In brief, our latest releases include:

Fortify Secure Coding Rulepacks
  • Oracle Application Framework – Support for Oracle Application Framework (OA Framework), the Oracle Applications development and deployment platform for HTML-based business applications.
  • CakePHP – Support for the CakePHP rapid development framework, which includes the model-view-controller framework and simplifies database interaction.
  • SANS/CWE, OWASP, FISMA Standards Support – Vulnerabilities generated by this rulepack now include a reference to like issues found in the 2009 SANS/CWE Top 25, OWASP 2010 Top 10, and FISMA (specifically FIPS-200).
  • 4 New Categories – New categories include Race Condition: Format Flaw, Process Control: Invoker Servlet, and CakePHP Misconfiguration vulnerabilities.
  • 50+ Enhancements – Over 50 internally and externally requested minor enhancements.

Fortify RTA Rulepack Kit
  • Spring Security 2 – Provides support for identifying brute force logins and for reporting Spring Security authorization failures and privilege changes at runtime.

Premium Content
  • Microsoft SDL – Process templates for Fortify 360 Governance users implementing the four security maturity models in the Microsoft Security Development Lifecycle (MS SDL): Basic, Standardized, Advanced, and Dynamic.
  • CVSS – Project templates for auditors using Fortify SCA and Audit Workbench to annotate vulnerabilities using the Common Vulnerability Scoring System (CVSS).

Posted by jwest at 12:18 PM in Fortify

Monday, 1 March 2010

BSIMM2

Planning a software security initiative can benefit from understanding and analyzing real-world software security initiatives. That is exactly the purpose of the BSIMM project, which gathers data from leading software security initiatives. The number of initiatives studied thus far has reached 30, which means that applying statistical analysis to the data makes sense. But before going that route, isn't there something simpler that can be derived from the data and still give useful insight into it? Well, I think that ranking the activities by how often they were observed is simple and very useful. The top 15 activities can be found in the latest informIT column on the BSIMM, and it is definitely worth a read!

Posted by mmadou at 7:04 PM in Fortify