November 8, 2011
I’m excited to welcome Siemens as the newest member of SAFECode and Dr. Frances Paulisch to the SAFECode board of directors.
Adobe joined SAFECode (the Software Assurance Forum for Excellence in Code) in 2009. You can read a bit about what I was hoping Adobe would gain from its SAFECode membership in a Q&A posted at the time to the SAFECode blog. Since we joined, we’ve contributed to a couple of major publications—the Fundamental Practices for Secure Software Development paper and an Overview of Software Integrity Controls—as well as numerous smaller efforts.
However, the biggest value Adobe has gained from its SAFECode membership comes from the very frequent interactions we have at all levels with our peers from the secure software engineering teams of SAFECode member firms. From comparing external communication strategies to technical release checklists and tooling, the benefit of tapping into a community of people tackling the same challenges can not be overstated.
Expanding this community to include the Siemens security folks is a big win for the SAFECode community and will help accelerate the hard work Siemens is putting into securing their software. SAFECode is always on the lookout for prospective new members, so if you think your organization might be a fit, please get in touch. You can learn more about SAFECode here.
October 11, 2011
Brad Arkin here, live from RSA Conference Europe 2011, which opened earlier today in London. I’m moderating a panel on Thursday, October 13, 2011, titled “Building Secure Software—Real World Software Development Programs” (ASEC-302). If you happen to be at the show, please drop by King’s Suite A (West Wing) at the Hilton London Metropole Hotel at 10 a.m. to join me and my SAFECode peers (Steve Lipner from Microsoft, Gunter Blitz from SAP, Reeny Sondhi from EMC, and Janne Uusilehto from Nokia) as we discuss our experiences of putting together secure development programs. Also, Bryan Sullivan is presenting “NoSQL, But Even Less Security: Attacking and Defending NoSQL Databases” (DAS-207) on Wednesday, October 12, 2011 at 2:10 p.m. (A podcast introducing Bryan’s talk is available here.)
Coinciding with the first day of the conference, Microsoft today released volume 11 of its Security Intelligence Report (SIR). One of the key take-aways is the importance for users to stay up-to-date. Microsoft’s findings show that less than one percent of exploits in the first half of 2011 were against zero-day vulnerabilities—or in other words: More than 99 percent of exploits in the first half of 2011 were targeting outdated installations, exploiting vulnerabilities for which a fix was already available. But don’t take my word for it; give the report a read. It provides valuable insight into global online threats, including zero-days, which help customers better prioritize defenses to more effectively manage risk.
