In “Conway’s Law: does your organization’s structure make software security even harder?,” Steve Lipner mixes history and wisdom: As a result, the developers understood pretty quickly that product security was their job rather than ours. And instead of having twenty or thirty security engineers trying to “inspect (or test) security in” to the code, we…
Read More Conway’s Law and Software SecurityYou know, I left, and now look what Word wants to suggest.. ∞
Yesterday, I got into a bit of a back and forth with Wendy Nather on threat modeling and the role of risk management, and I wanted to respond more fully. So first, what was said: (Wendy) As much as I love Elevation of Privilege, I don’t think any threat modeling is complete without considering probability…
Read More Threat Modeling and Risk AssessmentThis week, the annual Symposium on Usable Privacy and Security (SOUPS) is being held on the Microsoft campus. I delivered a keynote, entitled “Engineers Are People Too:” In “Engineers Are People, Too” Adam Shostack will address an often invisible link in the chain between research on usable security and privacy and delivering that usability: the…
Read More SOUPS Keynote & SlidesIn my work blog: “Announcing Elevation of Privilege: The Threat Modeling Game.” After RSA, I’ll have more to say about how it came about, how it helps you and how it helps more chaos emerge. But if you’re here, you should come get a deck at the Microsoft booth (1500 row).
Read More Elevation of Privilege: the Threat Modeling GameIn “U-Prove Minimal Disclosure availability,” Kim Cameron says: This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual…
Read More News from RSA: U-ProveAt Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either. Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is…
Read More Pay for your own dog foodThree years and three days ago I announced that “I’m Joining Microsoft.” While I was interviewing, my final interviewer asked me “how long do you plan to stay?” I told him that I’d make a three year commitment, but I really didn’t know. We both knew that a lot of senior industry people have trouble…
Read More On the Assimilation ProcessWhile I was running around between the Berkeley Data Breaches conference and SOURCE Boston, Gary McGraw and Brian Chess were releasing the Building Security In Maturity Model. Lots has been said, so I’d just like to quote one little bit: One could build a maturity model for software security theoretically (by pondering what organizations should…
Read More Building Security In, Maturely