RSA Conference 2016

I'll be speaking at RSA Conference this year.

If you are attending the conference, please be sure to check out the talk titled "Agile Security—Field of Dreams".

Here is the abstract:

"PayPal started its Waterfall to Agile transformation journey two years ago. That meant that the software security program had to morph as well. The Field of Dreams question of “if you build it, will they come?” was no longer a valid question! Come hear about real-world insights about integrating security into Agile—approaches, processes and tools put in place and the results from them."

Thing Explainer

Just finished reading "Thing Explainer" by Randall Munroe (yes, the xkcd dude!).

One of my favorite topics was "Shape Checker".
"This machine checks whether you have a piece of metal with a certain shape. If you do, it lets go of whatever it’s holding on to. People put these machines on boxes, doors, and cars to try to control who can open or use them.

What’s interesting about these machines isn’t really the machine itself. There are lots of different kinds that work in different ways, but they’re all the same in one way: They try to put people into groups.

By checking whether someone has a piece of metal that’s the right shape, this machine is really a way to try to tell whether people are who they say they are. It’s an idea—about which people should be allowed to do something—brought to life in metal."

BayThreat 4

I'll be speaking at BayThreat 4 tomorrow. If you managed to grab the tickets (it is all sold out now), please stop by at 10:30 AM ("Building Security" track).

This is basically an action-oriented quickfire version of the talk that I did earlier this year at the MS SDL Conference.

Two-Step Verification on LinkedIn

Following Microsoft, Apple, Evernote and others, LinkedIn has now enabled two-step verification.

Their iOS mobile app experience could be better (for now: you have to log in with your password, get the one-time SMS code, then concatenate it with your password to complete your login). I'm sure future updates to the app will fix that...

Good to see multi-factor authentication take off in a big way. I hope that FIDO gains good adoption in the months and years to follow...

Security Development Conference 2013

If you are attending the Security Development Conference next week, please be sure to check out the talk titled "Tales from the Trenches: Rollout of Static Analysis Tools for Large Enterprises".

My colleague Rick Marvin and I will co-present this talk. While security relies on multiple SDL practices, we focus mostly on one of them: static analysis. Drawing on real-life experience, we discuss what worked, what proved challenging, and provide actionable rollout tips for security practitioners.

RFC6797 - HTTP Strict Transport Security

What if there was no such thing as a "hostile" network? You could either connect "securely" or not connect at all...

Well, RFC6797 is one baby-step in that direction. Congrats to =JeffH and the co-authors on successful publication of this RFC.
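To make the "connect securely or not at all" idea concrete, here is an added example (not code from the post or from the RFC) of the client-side logic RFC 6797 asks a user agent to implement: parse the Strict-Transport-Security header, honor it only when it arrived over TLS, remember the host (and optionally its subdomains) until max-age expires, and rewrite plain http:// URLs to https:// before any connection is attempted. Hostnames, header values and the fixed clock are constructed for the demo; the preload list, IPv6 literals and userinfo in URLs are deliberately out of scope.

```python
"""Minimal HSTS (RFC 6797) policy store and URL rewriter. Added example, not from the post."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int               # seconds the host must be reached over TLS
    include_subdomains: bool   # whether the policy also covers subdomains


def parse_hsts_header(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value. Returns None when the header is invalid and
    must be ignored: missing or non-numeric max-age, or a repeated directive.
    Directive names are case-insensitive; unknown directives are ignored."""
    seen = set()
    max_age = None
    include_sub = False
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:            # duplicate directive -> header is invalid
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:             # max-age is the one required directive
        return None
    return HstsPolicy(max_age, include_sub)


class HstsStore:
    """The user agent's list of Known HSTS Hosts. `now` is injected so expiry is testable."""

    def __init__(self, now: float):
        self.now = now
        self._hosts = {}            # host -> (expires_at, include_subdomains)

    def observe(self, host: str, header: str, over_tls: bool) -> None:
        """Process an STS header from a response. Headers seen over plain HTTP
        are ignored, otherwise an attacker on a hostile network could plant policy."""
        if not over_tls:
            return
        policy = parse_hsts_header(header)
        if policy is None:
            return
        host = host.lower()
        if policy.max_age == 0:     # max-age=0 tells the UA to forget the host
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (self.now + policy.max_age, policy.include_subdomains)

    def must_use_tls(self, host: str) -> bool:
        """Exact match on a non-expired entry, or a superdomain match whose
        entry carries includeSubDomains. Label-wise matching prevents
        'example.com' from matching 'notexample.com'."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self.now:
                continue
            if i == 0 or include_sub:
                return True
        return False


def enforce_hsts(store: HstsStore, url: str) -> str:
    """Rewrite http:// to https:// for Known HSTS Hosts; an explicit port 80
    becomes the default 443, any other explicit port is preserved (RFC 6797 §8.3)."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if not store.must_use_tls(parts.hostname):
        return url
    netloc = parts.hostname
    if parts.port is not None and parts.port != 80:
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore(now=1000.0)       # constructed clock
    store.observe("example.com", "max-age=31536000; includeSubDomains", over_tls=True)
    for u in ("http://example.com/login?x=1", "http://api.example.com:8080/", "http://notexample.com/"):
        print(u, "->", enforce_hsts(store, u))
```

The `over_tls` gate and the label-wise domain match are the two places where a sloppy implementation quietly reintroduces the hostile-network problem the RFC is trying to remove.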

IEEE Security & Privacy | Static Analysis in Motion

I had the opportunity to participate in a roundtable discussion on static analysis tools for IEEE Security & Privacy magazine. The roundtable was organized by Brian Chess, the founder of Fortify Software. Bill Pugh, Kris Britton, Chris Eng, Jacob West and I took part in the discussion. A partial transcript of the discussion appeared in the current edition of the magazine.

Here is an excerpt of the article.

To read the entire article, please visit and subscribe/purchase the magazine.

Note: This article is Copyright IEEE and was originally published in IEEE Security & Privacy magazine, Vol. 10, No. 3, 2012, pp. 53-56.

BITS Software Assurance Framework

BITS has published its "Software Assurance Framework". I had the opportunity to participate in the drafting of this framework and, in the process, to collaborate with a number of software security subject matter experts from various organizations...

Quick Overview:

The BITS Software Assurance Framework represents a set of common practices within financial services firms to improve software security for customer- and employee-facing applications. This framework leverages the maturity of software assurance controls that financial services firms have adopted in recent years, and is intended to provide guidance and serve as a reference tool for financial services firms interested in improving their software security controls and practices.

Download the PDF from here.

New Book

We've been busy working hard on our second book titled "Secure and Resilient Software: Requirements, Test Cases, and Testing Methods". It is finally out today and can be purchased from online retailers like Amazon and B&N.

The press release is here.

Appreciate your feedback and comments!

2011 CWE/SANS Top 25 Most Dangerous Software Errors

The Top 25 list, which we referred to in the book, has been refreshed. The latest version can be found here. I'm glad to know that this received some good media coverage when it was published.

MITRE also published a list of "Monster Mitigations", controls that are effective in eliminating or reducing the severity of the Top 25 errors.

For the curious, here is a summary of what's changed.