By Fran Broderick
On Friday afternoon in the Golisano Hall Auditorium, software security expert and Cigital, Inc. CTO Dr. Gary McGraw gave a freewheeling and highly entertaining talk reviewing the past decade of development in the software security field and how he and other security leaders are helping IT executives better understand what each other’s firms are doing to protect valuable digital assets.
McGraw’s talk, titled “Bug Parades, Zombies, and the Building Security in Maturity Model (BSIMM),” began with a humorous overview of some of the earliest days of computer programming, when “high priests were the only ones allowed in the room with the computer and you would write a program and have to wait three days to find out it didn’t work.” As the Internet boom of the nineties ushered in an era of ever-increasing threats, McGraw noted that there were “network security guys on one end [of a company’s IT infrastructure] and then these super rad developer dudes on the other end, and no one in between.”
McGraw, not one to mince words, reveled in slaying some of computing’s most sacred cows, including the C programming language and penetration testing. On penetration testing, McGraw explained, “penetration testing is the worst by far. You hire reformed hackers – and you know they’re reformed because…well they told you they’re reformed – and they attack your system and find six bugs. They tell you about four and you fix two.”
McGraw’s approach has been one of gathering increasing amounts of data and finding ways for people working across the software development life cycle to work together better, “or as we call it in the industry, ‘science.’” McGraw and his colleagues researched the security practices of some of the world’s leading companies in varying sectors and then published results showing what percentage of firms use each security practice. The results are anonymous, so, for example, you cannot read an overview of the exact security infrastructure of Goldman Sachs; however, McGraw hopes that by providing this type of information, other firms can make decisions about what they should be doing. The data are presented at bsimm.com.
McGraw emphasized “people are trained to think of security as features and functions, but security is a property, like quality. The BSIMM observes 111 activities and examples of those activities used in firms. It tells you what top companies are doing, but it doesn’t mean you should do it. It’s descriptive not prescriptive. You use it to see where you stand.”
McGraw explained that while more code means more bugs, the defect density ratio is going down, which is to say that the number of bugs present in a given amount of code is shrinking, even as the ballooning volume of code introduces additional bugs in absolute terms. McGraw presented his own system of “touchpoints,” steps in the software development life cycle that help build security into software during its development rather than as a reaction to threats that emerge later. Nevertheless, he emphasized that the best defense is information and that there is no panacea when it comes to software security.
McGraw’s talk was the 46th in the distinguished Golisano College Dean’s Lecture Series and also doubled as a recruiting event for McGraw’s company, Cigital, Inc. Cigital, Inc. is a leading software security firm headquartered in Washington, DC, and its interest in RIT students reflects RIT’s growing reputation as a leader in the field of computing security education. Earlier this fall, RIT announced the launch of a new computing security department, one of the first of its kind in the nation.
For more information on Dr. Gary McGraw please visit the following:
The Building Security in Maturity Model: bsimm.com