© 2012 Cigital
Bug Parades, Zombies, and the BSIMM:
A Decade of Software Security
Gary McGraw, Ph.D., Chief Technology Officer, Cigital
Cigital
- Founded in 1992 to provide software security and software quality professional services
- Recognized experts in software security and software quality
- Widely published in books, white papers, and articles
- Industry thought leaders
in the beginning
software industry blooms in 1970s
- IBM unbundles software and services from hardware in late 1960s
- Unbundling created inequality in system security
- Security shifts from consumers to producers
who should DO software security?
  ← Network security ops guys   |   NOBODY IN THE MIDDLE   |   Super rad developer dudes →
the bug parade
bug: the dreaded buffer overflow
- Overwriting the bounds of data objects
- Allocate some bytes, but the language doesn't care if you try to use more
  - char x[12]; x[12] = '\0';   (index 12 is one past the end of a 12-byte array)
- Why was this done? Efficiency!
  - (remember in the 70's when code had to be tight?)
- The most pervasive security problem of the '90s in terms of reported bugs
eleven years of CERT data
(chart: "Security Problems (CERT)" per year, 1988 through 1999, y-axis 0 to 30; two series, CERT Alerts and Buffer overflows)
a classic error in C

```c
#include <stdio.h>

int main(void) {
    char buf[1024];
    gets(buf);   /* no bound: keeps writing past buf for as long as the input line runs */
    return 0;
}
```

- How not to get input
- Attacker can send an infinite string!
- Chapter 7 of K&R (page 164)
calls to avoid in C
- Very risky: gets, strcpy, strcat, sprintf, scanf, sscanf, fscanf, vfscanf, vsprintf, vscanf, vsscanf, streadd, strecpy, realpath, syslog, getopt, getopt_long, getpass
- Risky: strtrns, getchar, fgetc, getc, read
- Be wary: bcopy, fgets, memcpy, snprintf, strccpy, strcadd, strncpy, vsnprintf

Big 1999 idea: Why not make a tool to find these for you??!
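As an added example that is not part of McGraw's deck: bounded replacements for the "very risky" gets()/strcpy() calls above, with the checks the "be wary" calls (snprintf, strncpy, fgets) need to be safe. NAME_LEN mirrors the slide's char x[12]; copy_name, copy_name_strncpy, read_line and the read_line_from_string harness are names chosen here, and the inputs fed through them are constructed for the demonstration.

```c
/* Added example, not from the original deck: the "be wary" calls are only
   safe when the caller checks the bound, the terminator and the return value. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 12   /* same size as the slide's char x[12] */

/* strcpy replacement. Returns 0 on success, -1 when src would not fit.
   snprintf always NUL-terminates within NAME_LEN, but it returns the length
   it *wanted* to write, which is how silent truncation is detected. */
int copy_name(char dst[NAME_LEN], const char *src) {
    int n = snprintf(dst, NAME_LEN, "%s", src);
    if (n < 0 || n >= NAME_LEN) {
        dst[0] = '\0';            /* do not leave a partial name behind */
        return -1;
    }
    return 0;
}

/* strncpy pitfall: with a src of NAME_LEN or more chars it leaves dst with
   no terminator. This wrapper adds one and still reports truncation. */
int copy_name_strncpy(char dst[NAME_LEN], const char *src) {
    strncpy(dst, src, NAME_LEN - 1);
    dst[NAME_LEN - 1] = '\0';
    return strlen(src) < NAME_LEN ? 0 : -1;
}

/* gets() replacement: read one line into buf (size len) from stream.
   Returns the line length, -1 on EOF/error, or -2 when the line did not fit
   (lines up to len-2 chars fit; the remainder of an over-long line is drained
   so the next read starts on a fresh line rather than on attacker leftovers). */
int read_line(char *buf, size_t len, FILE *stream) {
    if (len == 0 || fgets(buf, (int)len, stream) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
        return (int)n;
    }
    if (feof(stream))
        return (int)n;            /* last line of input, no trailing newline */
    int c;                        /* too long: discard the rest of the line */
    while ((c = fgetc(stream)) != EOF && c != '\n')
        ;
    return -2;
}

/* Test harness: feed a constructed string through read_line() via a
   temporary file instead of stdin. */
int read_line_from_string(const char *input, char *buf, size_t len) {
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(input, f);
    rewind(f);
    int r = read_line(buf, len, f);
    fclose(f);
    return r;
}

int main(void) {
    char name[NAME_LEN], line[16];
    printf("copy \"bob\": %d\n", copy_name(name, "bob"));
    printf("copy 12 chars: %d\n", copy_name(name, "twelve_chars"));
    printf("short line: %d\n", read_line_from_string("hello\n", line, sizeof line));
    printf("1024-char line: %d\n",
           read_line_from_string("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", line, sizeof line));
    return 0;
}
```

The point of returning a status rather than quietly truncating is that a truncated name or path is itself a classic bug (a path cut at a directory boundary, a username that now matches someone else); the caller has to decide what to do with an over-long input, and the safe default is to reject it.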
bug: race condition
- Time makes all the difference
- Atomic operations that are not atomic
(diagram: Attack)
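A worked illustration of the check-then-use race on a file path, added here and not taken from the original deck. It assumes a POSIX system with a writable /tmp (falling back to the current directory); the scratch directory, the secret.txt file and the user_supplied symlink are all constructed by demo(). The demo does not run a second thread to win the race; it shows that the two openers disagree about an attacker-controlled link, which is exactly the state the race lets an attacker arrange between the check and the use.

```c
/* Added example, not from the original deck: check-then-use on a path name,
   beside the fix that validates the object actually opened. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: access() checks one resolution of the path; open() resolves it
   again a moment later. If the attacker can re-point the name (symlink, rename)
   in between, the check passed on one file and the open lands on another. */
int open_racy(const char *path) {
    if (access(path, R_OK) != 0)        /* check */
        return -1;
    /* attack window: path may now resolve somewhere else */
    return open(path, O_RDONLY);        /* use */
}

/* Hardened: open first, then inspect the descriptor we hold. O_NOFOLLOW
   refuses a symlink at the final component and fstat() looks at the open
   file, so nothing re-resolves the name between check and use. */
int open_checked(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Build the constructed scenario: a regular secret.txt and an attacker's
   symlink user_supplied pointing at it. Returns 1 when open_racy() follows
   the link but open_checked() refuses it, 0 otherwise, -1 on setup failure. */
int demo(void) {
    char dir[] = "/tmp/toctou.XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./toctou.XXXXXX");     /* fall back to the working dir */
        if (mkdtemp(dir) == NULL) return -1;
    }
    char target[64], link[64];
    snprintf(target, sizeof target, "%s/secret.txt", dir);
    snprintf(link, sizeof link, "%s/user_supplied", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    (void)write(fd, "hunter2\n", 8);
    close(fd);
    if (symlink(target, link) != 0) return -1;

    int racy    = open_racy(link);       /* follows the link: fd >= 0 */
    int checked = open_checked(link);    /* refuses the link: -1 */
    int direct  = open_checked(target);  /* plain regular file: fd >= 0 */
    int ok = (racy >= 0 && checked < 0 && direct >= 0);

    if (racy >= 0) close(racy);
    if (direct >= 0) close(direct);
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}

int main(void) {
    printf("racy opener follows attacker link, checked opener refuses: %s\n",
           demo() == 1 ? "yes" : "no");
    return 0;
}
```

The general rule is the one the slide states: the check and the use have to happen on the same object, which for files means doing both through the open descriptor (fstat, fchmod, fchown, openat relative to a held directory fd) rather than through a name that anyone with write access to the directory can re-bind.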
bugs: Java security
a chronology of Java attack applets
- February 96: DNS flaw in JDK 1.0.1
- March 96: Path name bug
- March 96: Princeton Class Loader bug
- May 96: type casting attack
- June 96: Array type implementation error
- July 96: More type casting problems
- August 96: Flaw in Microsoft's Java VM
- February 97: Invasion of Privacy attack applets
- March 97: JVM hole
- April 97: Code signing flaw
- May 97: Verifier problems discovered in many VMs
- July 97: Vacuum bug
- August 97: redirect bug
- July 98: ClassLoader bug
- March 99: Verifier hole
- August 99: Race condition
- October 99: Verifier hole 2
- August 2000: Brown Orifice
- October 2000: ActiveX/Java

All of these bugs have been fixed.
bug: SQL injection
- Enables an attacker to execute arbitrary SQL commands on back-end database
- Example:
  - PHP code inputs USERNAME and PASSWORD and passes to MySQL back-end
  - USERNAME is entered as bob
  - PASSWORD is entered as ' or USERNAME='bob
  - Back-end executes
      Select ID from USERS where USERNAME='bob' and PASSWORD='' or USERNAME='bob'
  - Instead of
      Select ID from USERS where USERNAME='bob' and PASSWORD='password'
bug: XSS
- Unaltered user-controlled content in a Web server response gives an attacker the opportunity to insert HTML and scripts
- This code gets rendered in a victim's browser
  - Reflected (malicious links)
  - Stored (by website)
- OWASP top ten bug
seven pernicious kingdoms (of bugs)
- Input validation and representation
- API abuse
- Security features
- Time and state
- Error handling
- Code quality
- Encapsulation
- Environment
the bug parade FAIL

IMPLEMENTATION BUGS (50%)
- Buffer overflow
- String format
- One-stage attacks
- Race conditions
- TOCTOU (time of check to time of use)
- Unsafe environment variables
- Unsafe system calls
- System()
- Untrusted input problems

ARCHITECTURAL FLAWS (50%)
- Misuse of cryptography
- Compartmentalization problems in design
- Privileged block protection failure (DoPrivilege())
- Catastrophic security failure (fragility)
- Type safety confusion error
- Insecure auditing
- Broken or illogical access control (RBAC over tiers)
- Method over-riding problems (subclass issues)
- Signing too much code
software security zombies
zombie ideas need repeating
- Software security seems obvious to us, but it is still catching on
- The middle market is just beginning to emerge
- Time to scale!

ZOMBIE
- Network security FAIL
- More code more bugs
- SDLC integration
- Bugs and flaws
- Badness-ometers

Experts in software security take things for granted. That's OK, but don't forget how far behind some firms are.
zombie: old school security is reactive
- Defend the "perimeter" with a firewall
  - To keep stuff out
- Promulgate "penetrate and patch"
- "Review" products when they're complete
  - Throw it over the wall testing
- Too much weight on penetration testing
- Over-rely on security functions
  - "We use SSL"

The "network guy with keys" does not really understand software testing. Builders are only recently getting involved in security.
zombie: more code, more bugs

(chart: Windows Complexity, millions of lines of code, y-axis 0 to 45, for Win3.1 (1990), WinNT (1995), Win 95 (1997), NT 4.0 (1998), Win 98 (1999), NT 5.0 (2000), Win2K (2001), XP (2002))

(chart: Software Vulnerabilities per year, y-axis 0 to 10000)
  2000: 1090
  2001: 2437
  2002: 4129
  2003: 3784
  2004: 3780
  2005: 5690
  2006: 8064
  2007: 7236
zombie: SDLC integration
- Integrating best practices into large organizations
  - Microsoft's SDL
  - Cigital's touchpoints
  - OWASP CLASP/SAMM
zombie: bugs AND flaws

BUGS
- Customized static rules (Fidelity)
- Commercial SCA tools: Fortify, Ounce Labs, Coverity
- Open source tools: ITS4, RATS, grep()
- (example: gets())

FLAWS
- Architectural risk analysis
- (example: attacker in the middle)
zombie: badness-ometer
(figure: badness-ometer)
zombie baby: fix the dang software
- Software security and application security today are about finding bugs
- The time has come to stop looking for new bugs to add to the list
- Which bugs in this pile should I fix?
software security touchpoints
(diagram, © 2004 Cigital & KRvW Associates)
rise of the software security group
- Cigital SSG turned fifteen in 2012
- Microsoft adopts the Secure Development Lifecycle
- Many companies have a group devoted to software security:
  microsoft, dtcc, emc, fidelity, adobe, wells fargo, goldman sachs, google, qualcomm, morgan stanley, usaf, dell, pershing, the hartford, barclays capital, bank of tokyo, ups, bank of montreal, sterling commerce, time warner, cisco, bank of america, walmart, finra, vanguard, college board, oracle, state street, omgeo, motorola, general electric, lockheed martin, intuit, vmware, amex, bank of ny mellon, harris bank, paypal, symantec, visa europe, thomson/reuters, BP, SAP, nokia, ebay, mckesson, ABN/amro, ING, telecom italia, swift, standard life, cigna, AON, coke, mastercard, apple, AOL, CA
from philosophy to HOW TO circa 2006
- Integrating best practices into large organizations
  - Microsoft's SDL
  - Cigital's touchpoints
  - OWASP adopts CLASP
software security touchpoints
the BSIMM
BSIMM: software security measurement
- Real data from 42 real initiatives
- 81 measurements
- McGraw, Chess, & Migues
(logo: PlexLogic)
(participant logo slide; Intel among those shown) + 14 anonymous firms
monkeys eat bananas
- BSIMM is not about good or bad ways to eat bananas or banana best practices
- BSIMM is about observations
- BSIMM is descriptive, not prescriptive
software security framework
- Four domains
- Twelve practices
- An "archeology grid"
- See informIT article at http://bsimm2.com
architecture analysis practice skeleton
example activity
[AA1.2] Perform design review for high-risk applications. The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale.
real-world data (42 firms)
- Initiative age: average 5.5 years, newest 1, oldest 16, median 4
- SSG size: average 19.2, smallest 0.5, largest 100, median 8
- Satellite size: average 42.7, smallest 0, largest 350, median 15
- Dev size: average 5183, smallest 11, largest 30,000, median 1675

Average SSG size: 1.99% of dev group size
BSIMM3 scorecard
- 109 Activities
- 3 levels
- Top 12 activities
  - 69% cutoff
  - 29 of 42 firms
- Comparing scorecards between releases is interesting
BSIMM3 as a measuring stick
- Compare a firm with peers using the high water mark view
- Descriptive (not prescriptive)
- Incredible insight for planning
- Top 12 activities
  - green = good?
  - red = bad?
- "Blue shift" practices to emphasize
  - activities you should maybe think about in blue
BSIMM3 to BSIMM4
- BSIMM3 released September 2011 under Creative Commons
  - http://bsimm.com
  - Italian and German translations
- BSIMM is a yardstick
  - Use it to see where you stand
  - Use it to figure out what your peers do
- BSIMM3 → BSIMM4
  - BSIMM is growing
  - Target of 50 firms/100 measures
where to learn more
SearchSecurity & justice league
- www.searchsecurity.com
  - No-nonsense monthly security column by Gary McGraw debuts in April
- www.cigital.com/~gem/writing
- www.cigital.com/justiceleague
  - In-depth thought leadership blog from the Cigital Principals: Scott Matsumoto, Gary McGraw, Sammy Migues, Craig Miller, John Steven
IEEE security & privacy + silver bullet
- www.cigital.com/silverbullet
- Building Security In
  - Software Security Best Practices column edited by John Steven
- www.computer.org/security/bsisub/
Software Security: the book
- How to DO software security
  - Best practices
  - Tools
  - Knowledge
- Cornerstone of the Addison-Wesley Software Security Series
- www.swsec.com
Build Security In
- http://bsimm.com
- WE NEED GREAT PEOPLE
- See the Addison-Wesley Software Security series
- Send e-mail: [email protected]

"So now, when we face a choice between adding features and resolving security issues, we need to choose security."
-Bill Gates