Back from the second OWASP Belgian Chapter meeting! This event had only one speaker, but what a speaker: Gary McGraw himself. What a wonderful speaker! He knows his topics and is able to keep the audience engaged with his typical sense of humor. I liked it!
Gary is the author of several books about software security. Currently in Belgium as a trainer for secappdev.org, he presented his view of today's software security.
When he started to develop in Java in '95, security was clearly not as hot a topic as it is today. There was no place to look for information. That's why he decided to write his first book. Today, working for Cigital, he explained, for more than an hour, how to implement a good security model in the SDLC ("Software Development Life Cycle"). The goal is not to ask the developers to change their SDLC (what would your reaction be if you were asked to change your religion?) but to increase their security awareness.
Starting with a brainstorming session, it's important to tell the developers "how" to make things "right". Don't speak in negative terms like "We still found xxx vulnerabilities in your code" but rather "I suggest you check this particular piece of code" (Gary spoke about avoiding the "Bug Parade"). Also, the security model must be driven by the company's data. Appropriate measures must be taken to protect it.
Gary also explained how he built his framework based on input from 9 software security initiatives (major companies from several sectors of activity). From the interviews, several surprises emerged and were explained in a document. It's really important to set up a Software Security Group inside the company to help the developers (statistics showed that the "SSG" size is on average 1% of the development team size).
The whole study was condensed into a new model called "Building Security In Maturity Model" (released today). More information about the framework is available in this document. That was a great talk. Thanks Gary!