March 2009 - Issue 7

Editorial Corner

BSIMM ... NIST’s SHA-3 Competition ... Governing Appsec ... Sneaky Boss (Pointy Hair)


Brian Chess

On March 5, we released the Building Security in Maturity Model (BSIMM), the industry's first set of benchmarks for building and growing an enterprise-wide software security program. Based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo and the Depository Trust & Clearing Corporation (DTCC), the BSIMM pulls together the activities practiced by nine of the most successful software security initiatives in the world. The BSIMM is available under a Creative Commons license, so look for ways to incorporate it into your work. Here's the BSIMM site.

The cryptographic community is so good at weeding out weaker algorithms and choosing from the remainder that the National Institute of Standards and Technology (NIST) is holding an open competition to select the design for the Secure Hash Algorithm version 3 (SHA-3). A few members of Fortify's Security Research group decided to weigh in. Visit our blog to read about the vulnerabilities and other bugs we found in the SHA-3 candidates' reference implementations.

Also, don't miss this month's feature article, Governing Appsec Effectively, in which Barmak Meftah discusses compliance, development and application security.

Have you ever had a boss who played the blame game? Our readers give their thoughts and opinions on how to address this in "How to handle a sneaky boss?"

Are developers a security problem? This issue's software engineer would like you to share the top three security tips you try to get across when you teach developers about security.

Please let us know how successful we are at including articles relevant to you by taking a one-minute reader survey. You could win a complimentary copy of Secure Programming with Static Analysis. Congratulations to Debbie Christofferson, information security manager at the Apollo Group, for being this issue's winner! 

If you would like to unsubscribe from this newsletter, please click on the link at the bottom of the page.

Feature Story

Governing Appsec Effectively

How to prevent a security debacle

by Barbara Morris, Editor, Secure Software Advisory

In February, President Obama ordered National Security Agency and Department of Homeland Security advisors to conduct an immediate 60-day review of the U.S. government's cyber-security plans, programs and activities. He remarked, "We need to build the capacity to identify, isolate and respond to any cyber-attack. And we need to develop new standards for the cyber-security that protects our most important infrastructure, from electrical grids to sewage systems, from air traffic control to our markets." The cyber-security initiative comes on the heels of major security breaches at the Pentagon, in the Department of Justice and in the State Department.

A CISO's Guide to Application Security

Learn why application security is more critical than ever to your business, and the six steps to secure applications.

Fortify Software Lands in Leaders Quadrant of Magic Quadrant

New Data on Leading Software Security Initiatives

Reader Survey

Complete our one-minute reader survey, and you could win the book Secure Programming with Static Analysis.


RSA ConferenceUSA 2009
April 20-24, 2009
Infosecurity Europe
April 28-30, 2009

OWASP

CERT


Off by On: The latest on Software Security Assurance

Software Security

Security & Privacy

darkREADING


Complimentary White Paper
Fortify

A CISO's Guide to Web 2.0 Security

Web 2.0 has made the Web a livelier and friendlier place, with social Web sites, wikis, blogs, mashups and interactive services that are fun as well as useful. Two Web 2.0 concepts change the game for CISOs, and they need to understand both. The first is the introduction of rich client interfaces (AJAX, Adobe Flex); the second is the shift from the publisher-consumer model to community-controlled content. Both raise serious security issues.

Download your complimentary white paper.

What's Your Best Advice?

This Issue's Dilemma

Top training tips

Given that threats to application security are getting more severe, we've decided to reboot our training curriculum. What are the top three points you try to get across when you teach developers about security? -- Bryce B., Software Engineer

Can you help? Share your experience or your best advice. You could win a copy of Secure Programming with Static Analysis by Brian Chess and Jacob West, a $49.95 value.

Got a business problem or question for our readers to tackle? 


Previous Issue's Dilemma

How to handle a sneaky boss?

While I like my job, my problem is not a co-worker; it's my boss. She is cheerful and chummy, but when something fails, she blames someone on our development team. I'm usually the person she blames. She assigns me projects without the guidance or resources to be successful. When the security fails, it becomes "my fault." How do I deal with her? Should I talk to her or go to HR?

-- Fred, Software Engineer

Read what our readers have to say.

Communication and Leadership

Change Careers Only as a Last Resort
Capitalize on your experience
by James E. Challenger - California Job Journal


The Highest-Paid IT Skills and Certifications during the Recession
Foote Partners' latest IT Skills and Certifications Index
by Meridith Levinson - CIO Magazine

The Increasing Threat

The Slash Heard 'round the World
Human error causes huge Google glitch
by Kenneth Corbin - internetnews.com


SANS Top 25 Most Dangerous Software Programming Errors
How to write more secure software
by Kelly Jackson Higgins - darkreading.com

Getting Things Done

Tech Investment Is Key to Banks' Recovery
Just because the industry is in crisis is no excuse to stop innovating
by Dr. Ashok Hegde - Bank Systems & Technology


A Year for Core Technology in Finance
Financial advisors skip bells and whistles
by Joel Bruckenstein - Financial Advisor Magazine


"ConnectedIn Media consulted in the development of our e-newsletter and
made the process easier than we ever expected."

-- Sherry Ramm, Director of Global Marketing

Fortify is concerned about your privacy. We do not rent, sell or exchange email addresses. Copyright 2009, InternetVIZ. All rights reserved. You can write to us at 2215 Bridgepointe Pkwy, Suite 400, San Mateo, CA 94404.
