The growth of Android phones in the marketplace has triggered a huge upward curve in the creation and deployment of mobile malware, with Android accounting for 92% of all known mobile malware. This isn’t a statement against Android; it reflects its dominance in the market, with over 67% market share.
Many of the security people I am speaking with and interviewing talk about the role of the DevOp in building security into the development process. Kris Buytaert has put together a nice set of slide decks on SlideShare that trace the evolution of the DevOp position and how it bridges development and IT operations.
Kris also talks about what to look for in a DevOp on his blog, “Everything is a Freaking DNS problem”.
You might know Brian Chess as the Founder / Chief Scientist of Fortify Software. He is now working with NetSuite as the VP of Infrastructure and Security Engineering. I was able to catch up with Brian last week for a broad discussion, ranging from government monitoring of big data sources to the role of DevOps in the new enterprise application environment. With all the front page news on the NSA leaks, IRS targeting and other forms of government monitoring, we had plenty of fodder to choose from.
Listen to the Interview: Brian Chess – Software Security, Government Monitoring and the Role of DevOps
I had a long talk with Jeremiah Grossman about the study his company put out last month on web site vulnerabilities. One of the items that stood out for me was his analysis of the top 15 web site vulnerabilities.
Looking closely at the first six, it’s a little disturbing to see that five of them are vulnerability classes that have been known for years, if not a decade or more. What is it going to take to finally get a handle on cross-site scripting? Information leakage… still?
John Weathersby has deep knowledge of open source software usage within the government and specifically within the military. In this discussion, John and I talk about the history of the Open Source Software Institute (OSSI) and how embedded open source is in everything we do.
Listen to the Interview: John Weathersby – Open Source Software in Government
Central Repository downloads are continuing to grow at an astounding rate, up over 800,000 from the previous week. Here are the quick down-and-dirty stats for last week:
16,696,858 components downloaded
98,387 unique artifact downloads
Top 10 Artifacts (groupId:artifactId:version, with download count)
- junit:junit:4.10 (295,835)
- junit:junit:3.8.2 (214,899)
- commons-logging:commons-logging:1.1.1 (88,686)
- junit:junit:3.8.1 (71,453)
- commons-cli:commons-cli:1.0 (56,130)
- commons-collections:commons-collections:3.2.1 (48,885)
- javax.servlet:servlet-api:2.5 (45,032)
- commons-codec:commons-codec:1.4 (44,599)
- org.apache.commons:commons-lang3:3.1 (41,939)
- commons-lang:commons-lang:2.1 (41,809)
Josh Corman and I have had some long conversations in the past few weeks. Frequently in those conversations, Josh brought up his idea of the “Software Survival Guide Pyramid”. He even drew one in my notebook as we were talking yesterday.
The bottom layer of the pyramid, Defensible Infrastructure, is the most powerful; above it sit Operational Excellence and Situational Awareness, with Countermeasures as the topmost layer. The interesting part of this theory is that Countermeasures are the least effective way to establish and maintain security in your networks and applications. The analogy Josh uses is the “Food Pyramid”: the top of the pyramid is empty calories, the least efficient way to maintain security.
“Countermeasures are zero calorie solutions.” — Josh Corman
The dilemma is that most people are spending money on “zero calorie” solutions to manage software security. How could that be? Why would a company spend time, resources and money on the least effective way to solve the problem?
Jeff Williams and I were able to sit down for a quick talk at the Gartner Security and Risk Management Summit. Jeff’s work with OWASP and his own company, Aspect Security, places him in a position to take a broad view of the application security market and where it’s headed. Our talk started with trends in the industry and then moved into where most of the time and money is being spent. We ended with a discussion of the immense scale of the problem we’re dealing with and how there might be a different way to approach it.
This was recorded in a cavernous room, so you’ll hear a little echo and ambient noise, but it’s worth a listen.
Listen to the Interview: Jeff Williams – The Future of Application Security
At the Gartner Summit this week, three companies released comprehensive security reports. These are in addition to the Sonatype “Open Source Security Survey Report” and the WhiteHat “Website Security Statistics Report”. Between the five of them, we should be able to get a good assessment of the state of application security in today’s marketplace.
Over the next few weeks, I’ll be taking a deep dive into each of these reports as part of an ongoing series on surveys and research within the industry.
Palo Alto Networks: Application Usage and Threat Report
“The Application Usage and Threat Report is the first report of its kind to provide an analysis of enterprise application usage and the associated threat activity. The report summarizes real data collected from live worldwide traffic in:”
- 3,000+ organizations
- 1,395 applications
- 12.6 petabytes of bandwidth
- 5,307 unique threats
- 264 million threat logs
The Denim Group is well known for their work in application-level security. In this conversation, I speak with Dan Cornell, Principal at Denim Group, about a methodology for managing vulnerabilities through the development lifecycle.
Listen to the Interview: Dan Cornell – Manage Vulnerabilities in the Development Lifecycle