Jim Hong, Kyle Randolph and I attended the BSIMM Community Conference last week at the Skamania Lodge in Stevenson, WA (about an hour outside Portland). The BSIMM (“Building Security In Maturity Model”) community is composed of folks who work on software security as part of their day job for organizations who have performed a BSIMM measurement. Adobe was one of the original nine organizations to kickstart BSIMM in the fall of 2008 and we conducted a second measurement in 2010. I’m also a member of the BSIMM Advisory Board. You can learn more about BSIMM at http://bsimm.com/.
Of the more than 40 organizations that have conducted a BSIMM measurement, 25 were represented by 77 attendees at last week’s BSIMM community event. This group made for a very interesting subset of the broader security community because everyone is focused narrowly on practical defensive software security. Typically, offensive security topics tend to dominate most of the security conferences I attend. Even the conference talks that are supposedly about defensive topics tend to be more focused on how to employ offensive techniques during testing rather than on providing a holistic view of real-world defensive software security. So, it is refreshing and exciting when someone tries to rally attention towards research into truly defensive techniques. (The Microsoft BlueHat Prize announced at BlackHat this past summer or the exchanges among the members of SAFECode are other examples that come to mind.)
I presented “Adobe Product Security Through the BSIMM Lens: 2008-2011” on the first day of the BSIMM event and attended a number of interesting talks. However, the most valuable part of the event, as is always the case, was the “hallway track.” The chance to compare notes with peers from other organizations tackling the same technical problems with such widely varying resources, priorities and definitions of success was the reason I attended, and I wasn’t disappointed.
To sum it up, the BSIMM community event was a great opportunity to spend time with like-minded folks from across the industry. I’m looking forward to next year.