I attended the Information Security Society Switzerland (ISSS) Security Lunch in Zürich on October 6, 2010. It was a civilised affair consisting of a sit down lunch, with a security presentation given between the first and main courses. About 20 people were present. I didn't know that ISSS existed until a few weeks ago.
The president of the ISSS, Thomas Dübendorfer gave a brief introduction to the speaker, Prof. Dr. Hartmut Pohl. Prof. Pohl is the CEO of softScheck which is a spin-off from the Hochschule Bonn-Rhein-Sieg in Germany. Peter Sakal was also there to answer questions.In his talk, Prof. Pohl gave an overview of their Secure Development Life Cycle (SDLC) which is called Rapid in-Depth Analysis (RiDA). The approach is similar to the Microsoft Secure Development Lifecycle (SDL). This is perhaps not surprising, since Microsoft is one of their partners. RiDA places great emphasis on Threat Modelling, Fuzzing and Static Analysis. An important goal is to identify vulnerabilities before the project is actually launched. To achieve this, RiDA employs best-of-breed fuzzing tools to get the optimum results. Code coverage is a significant driver. In their testing, softScheck aims to cover between 75% and 85% of the actual codebase.
Prof. Pohl provided statistics which show, that RiDA identifies on average 50 critical vulnerabilities per application tested.
RiDA is a sound approach, as it provides a formalised SDLC methodology. But I can imagine that it is not cheap as, for example, the fuzzing tools require a lot of manual interaction. However, Prof Pohl argued that it is still a lot more cost effective to identify the vulnerabilities during the development phase than to wait until they are found in the wild.As an aside, I wonder if that is always the case - especially in the web environment. A few weeks ago, a Cross Site Scripting (XSS) vulnerability was discovered in Twitter. While this was no doubt a bit embarrassing for Twitter, and perhaps did some reputational damage, they did have it fixed in a day or two. So it didn't cost too much and the issue itself will be quickly forgotten - except by us information security people.
Rapid in-depth Analysis is a contender in the drive to minimize security bugs, but you will probably need deep pockets to derive all the benefits. This implies serious commitment to security from company management.
Links:
- Presentation Slides (PDF)
- softScheck (German)
- Information Security Society Switzerland (ISSS) (German)
- Microsoft SDL
- XSS and Twitter
Social: del.icio.us DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot
ReplyDeleteI am very happy to visit your wonderful blog, I appreciate your great effort. Thank you for your sharing and I want more posts...
Excel Training in Chennai
Advanced Excel Training in Chennai
corporate training in chennai
Tableau Training in Chennai
Pega Training in Chennai
Spark Training in Chennai
Embedded System Course Chennai
Linux Training in Chennai
Excel Training in Chennai
Advanced Excel Training in Chennai
Great Article Cyber Security Projects projects for cse Networking Security Projects JavaScript Training in Chennai JavaScript Training in Chennai The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training
DeleteI like your post. It is good to see you verbalize from the heart and clarity on this important subject can be easily observed... Webdesign
ReplyDeleteWonderful post and more informative!keep sharing Like this!
ReplyDeleteSoftware Testing Training in Chennai
Software Testing Course in Bangalore
Software Testing Training in Coimbatore
Software Testing Course in Madurai
Best Software Testing Institute in Bangalore
Software Testing Training in Bangalore
Software Testing Training Institute in Bangalore
Tally Course in Bangalore