Software Security


The Experts below are selected from a list of 117750 Experts worldwide ranked by ideXlab platform

Daniela S. Cruzes - One of the best experts on this subject based on the ideXlab platform.

  • Building an Ambidextrous Software Security Initiative
    Advances in Systems Analysis, Software Engineering, and High Performance Computing, 2021
    Co-Authors: Daniela S. Cruzes, Espen Agnalt Johansen
    Abstract:

    Improving software security in software development teams is an enduring challenge for software companies. In this chapter, the authors present one strategy for addressing this pursuit of improvement. The approach is ambidextrous in the sense that it approaches software security activities from both a top-down and a bottom-up perspective, combining elements usually found separately in software security initiatives. It combines (1) top-down formal regulatory mechanisms that deter breaches of protocol and enact penalties where they occur, and (2) bottom-up capacity building and persuasive encouragement of adherence to guidance through professional self-determination, implementation, and improvement support (e.g., training, stimulation, interventions). The ambidextrous governance framework illustrates distinct yet complementary global and local roles: (1) ensuring the adoption and implementation of software security practices, (2) enabling and (3) empowering software development teams to adapt and add to overall mandates, and (4) embedding cultures of improvement.

  • Measuring Developers' Software Security Skills, Usage, and Training Needs
    Exploring Security in Software Architecture and Design, 2019
    Co-Authors: Tosin Daniel Oyetoyan, Martin Gilje Jaatun, Daniela S. Cruzes
    Abstract:

    Software security does not emerge fully formed by divine intervention in deserving software development organizations; it requires that developers have the required theoretical background and practical skills to enable them to write secure software, and that the software security activities are actually performed, not just documented procedures that sit gathering dust on a shelf. In this chapter, the authors present a survey instrument that can be used to investigate software security usage, competence, and training needs in agile organizations. They present results of using this instrument in two organizations. They find that regardless of cost or benefit, skill drives the kind of activities that are performed, and secure design may be the most important training need.

  • A Lightweight Measurement of Software Security Skills, Usage and Training Needs in Agile Teams
    International Journal of Secure Software Engineering, 2017
    Co-Authors: Tosin Daniel Oyetoyan, Martin Gilje Jaatun, Daniela S. Cruzes
    Abstract:

    Although most organizations understand the need for application security at an abstract level, achieving adequate software security at the sharp end requires taking bold steps to address security practices within the organization. In the agile software development world, a security engineering process is unacceptable if it is perceived to run counter to the agile values, and agile teams have thus approached software security activities in their own way. Improving security within agile settings requires that management understands the current practices of software security activities within their agile teams. In this study, the authors have used a survey instrument to investigate software security usage, competence, and training needs in two agile organizations. They find that (1) the two organizations perform differently in terms of core software security activities, but are similar when secondary activities that could be leveraged for security are considered; (2) regardless of cost or benefit, skill drives the kind of activities that are performed; (3) secure design is expressed as the most important training need by all groups in both organizations; and (4) effective software security adoption in agile settings is not automatic: it requires a driver.

  • ISC - Software Security Maturity in Public Organisations
    Lecture Notes in Computer Science, 2015
    Co-Authors: Martin Gilje Jaatun, Daniela S. Cruzes, Inger Anne Tøndel, Karin Bernsmed, Lillian Røstad
    Abstract:

    Software security is about building software that will be secure even when it is attacked. This paper presents results from a survey evaluating software security practices in software development lifecycles in 20 public organisations in Norway, using the practices and activities of the Building Security In Maturity Model (BSIMM). The findings suggest that public organisations in Norway excel at Compliance and Policy activities when developing their own code, but that there is a large potential for improvement with respect to Metrics, Penetration Testing, and Training of developers in secure software development.

Martin Gilje Jaatun - One of the best experts on this subject based on the ideXlab platform.

  • IT Security Is From Mars, Software Security Is From Venus
    IEEE Security & Privacy, 2020
    Co-Authors: Inger Anne Tøndel, Martin Gilje Jaatun, Daniela Soares Cruzes
    Abstract:

    The divide between IT security and software security can result in the neglect of proper software security. This divide can be bridged by establishing a formal security champion role in the development team and conducting collaborative risk-based security activities.

  • Measuring Developers' Software Security Skills, Usage, and Training Needs
    Exploring Security in Software Architecture and Design, 2019
    Co-Authors: Tosin Daniel Oyetoyan, Martin Gilje Jaatun, Daniela S. Cruzes
    Abstract:

    Software security does not emerge fully formed by divine intervention in deserving software development organizations; it requires that developers have the required theoretical background and practical skills to enable them to write secure software, and that the software security activities are actually performed, not just documented procedures that sit gathering dust on a shelf. In this chapter, the authors present a survey instrument that can be used to investigate software security usage, competence, and training needs in agile organizations. They present results of using this instrument in two organizations. They find that regardless of cost or benefit, skill drives the kind of activities that are performed, and secure design may be the most important training need.

  • A Lightweight Measurement of Software Security Skills, Usage and Training Needs in Agile Teams
    International Journal of Secure Software Engineering, 2017
    Co-Authors: Tosin Daniel Oyetoyan, Martin Gilje Jaatun, Daniela S. Cruzes
    Abstract:

    Although most organizations understand the need for application security at an abstract level, achieving adequate software security at the sharp end requires taking bold steps to address security practices within the organization. In the agile software development world, a security engineering process is unacceptable if it is perceived to run counter to the agile values, and agile teams have thus approached software security activities in their own way. Improving security within agile settings requires that management understands the current practices of software security activities within their agile teams. In this study, the authors have used a survey instrument to investigate software security usage, competence, and training needs in two agile organizations. They find that (1) the two organizations perform differently in terms of core software security activities, but are similar when secondary activities that could be leveraged for security are considered; (2) regardless of cost or benefit, skill drives the kind of activities that are performed; (3) secure design is expressed as the most important training need by all groups in both organizations; and (4) effective software security adoption in agile settings is not automatic: it requires a driver.

  • ISC - Software Security Maturity in Public Organisations
    Lecture Notes in Computer Science, 2015
    Co-Authors: Martin Gilje Jaatun, Daniela S. Cruzes, Inger Anne Tøndel, Karin Bernsmed, Lillian Røstad
    Abstract:

    Software security is about building software that will be secure even when it is attacked. This paper presents results from a survey evaluating software security practices in software development lifecycles in 20 public organisations in Norway, using the practices and activities of the Building Security In Maturity Model (BSIMM). The findings suggest that public organisations in Norway excel at Compliance and Policy activities when developing their own code, but that there is a large potential for improvement with respect to Metrics, Penetration Testing, and Training of developers in secure software development.

  • ICST Workshops - Learning from Software Security Testing
    2008 IEEE International Conference on Software Testing, Verification and Validation Workshop, 2008
    Co-Authors: Inger Anne Tøndel, Martin Gilje Jaatun, Jostein Jensen
    Abstract:

    Software security testing tools and methodologies are presently abundant, and the question no longer seems to be "if to test" for security, but rather "where and when to test" and "then what?". In this paper we present a review of security testing literature, and propose a software security testing scheme that exploits an intra-organisational repository of discovered vulnerabilities. The repository closes the loop after the testing of one application is complete, providing useful input to the next application to be tested.

Gary McGraw - One of the best experts on this subject based on the ideXlab platform.

  • Four Software Security Findings
    Computer, 2016
    Co-Authors: Gary McGraw
    Abstract:

    Analyzing data from 78 firms using the Building Security In Maturity Model (BSIMM) revealed four truths about software security that will help firms protect and secure their assets.

  • Software Security and the Building Security In Maturity Model (BSIMM)
    Journal of Computing Sciences in Colleges, 2015
    Co-Authors: Gary McGraw
    Abstract:

    Using the framework described in my book "Software Security: Building Security In", I will discuss and describe the state of the practice in software security. This talk is peppered with real data from the field, based on my work with several large companies as a Cigital consultant. As a discipline, software security has made great progress over the last decade. Of the many large-scale software security initiatives we are aware of, sixty-seven, all household names, are currently included in the BSIMM study. Those companies among the sixty-seven who graciously agreed to be identified include: Adobe, Aetna, Bank of America, Box, Capital One, Comerica Bank, EMC, Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, JPMorgan Chase & Co., Lender Processing Services Inc., Marks and Spencer, Mashery, McAfee, McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens Networks, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, and Zynga. The BSIMM was created by observing and analyzing real-world data from leading software security initiatives. The BSIMM can help you determine how your organization compares to other real software security initiatives and what steps can be taken to make your approach more effective.

  • Software Security
    Datenschutz und Datensicherheit - DuD, 2012
    Co-Authors: Gary McGraw
    Abstract:

    Software security is the idea of engineering software so that it continues to function correctly under malicious attack. Plenty of progress has been made in the field of software security since its inception in 2001. A number of best practices, including the Touchpoints, have been identified and put into common use. In addition, the BSIMM project has devised a way to measure and compare large-scale software security initiatives.

  • Technology Transfer: A Software Security Marketplace Case Study
    IEEE Software, 2011
    Co-Authors: Gary McGraw
    Abstract:

    This paper presents software security (application security) solutions. Software security is the idea of engineering software so that it continues to function correctly under malicious attack. Although as a discipline software security is relatively young, much progress has been made on ways to integrate security best practices into the software development life cycle. Microsoft, for example, has helped spearhead software security through its Trustworthy Computing Initiative and the resulting Security Development Lifecycle (SDL). Cigital has also been instrumental in bringing software security to the wider market through its professional services.

  • Interview: Software Security in the Real World
    Computer, 2010
    Co-Authors: Ann E. Kelley Sobel, Gary McGraw
    Abstract:

    In an interview conducted by Computer editorial board member Ann E. K. Sobel, Cigital CTO Gary McGraw discusses the state of software security and the BSIMM, a data-driven research project describing and measuring what successful organizations are doing to ensure software security.

Paul E. Black - One of the best experts on this subject based on the ideXlab platform.

Titus Barik - One of the best experts on this subject based on the ideXlab platform.

  • VL/HCC - A Case Study of Software Security Red Teams at Microsoft
    2020 IEEE Symposium on Visual Languages and Human-Centric Computing (VL HCC), 2020
    Co-Authors: Justin Smith, Christopher Theisen, Titus Barik
    Abstract:

    The modern software security adversary employs persistent and evasive attack techniques, for example using zero-day exploits that have not been disclosed publicly, to target high-profile companies for political and economic espionage or to exfiltrate sensitive data or intellectual property. To combat these threats, large organizations are adopting an emerging practice of staffing full-time offensive security teams, or red teams. To understand the workflows, culture, and day-to-day practices of software security engineers in red teams, we conducted 17 interviews with informants across five red teams within Microsoft. We found that software security engineers have substantial impact in the organization as they harden security practices, drawing from their diverse backgrounds. Software security engineers are agile yet specialized in their activities, and closely emulate malicious adversaries, subject to some reasonable constraints. Although software security engineers are in some respects software engineers, they also have several consequential differences in how they write, maintain, and distribute software. The results of this work are applicable to practitioners, researchers, and toolsmiths who wish to understand how offensive security teams operate, situate, and collaborate with partner teams in their organization.