Findings Reveal Organizations are Taking Steps to Implement Security Assurance Programs but Most Programs are Still Immature

Industry Leaders Gather at Secure Software Forum(R) 2006 Launch Event to Discuss Directive for Software Security

SAN JOSE, Calif., Feb. 15 /PRNewswire/ -- S.P.I. Dynamics Incorporated yesterday announced results from the Secure Software Forum 2005 educational initiatives and revealed details of the Secure Software Forum 2006 program.

The Secure Software Forum (SSF), co-created by S.P.I. Dynamics and Microsoft Corp., was first launched in February 2005. It is an initiative centered on providing leading executives at corporations and government agencies, spanning all disciplines within the application lifecycle, with local forums to discuss their challenges, experiences and best practices around the shared global mandate to improve software security. Recent findings from 2005 participants indicate that organizations are taking steps to develop their own secure coding programs, but most programs are still immature: only 27 percent of participants polled have integrated security into their software development process.

"The Secure Software Forum represents a powerful platform for bringing the industry together to share thoughts and encourage cooperation in order to collectively reach the objective of secure software development," said Rhonda MacLean, keynote speaker for yesterday's Secure Software Forum 2006 launch event, CEO of MacLean Risk Partners and former Chief Security Officer of Bank of America. "Education and collaboration are essential to successfully imparting a clear understanding of the importance of secure software development."

Additional Secure Software Forum 2005 Findings

Based on a survey conducted recently among attendees of the Secure Software Forum events including executives of security operations, development and quality assurance, the following results were found:

- 25% have some sophisticated security testing tools and a defined
- 46% have some automated tools and a loosely defined process
- 36% have implemented a program to educate development teams on secure coding practices
- 18% have only in-house application development efforts
- 73% are familiar with the Security Development Lifecycle (SDL) released by Microsoft
- 70% have not integrated a security assurance program into their own development process

Secure Software Forum 2006 Educational Program
Details of the Secure Software Forum 2006 program were also announced at the launch event, which brought together leading companies with top industry spokespeople, notable academic leaders, leading security associations and the vendor community, spanning all disciplines within the application lifecycle, to share their experiences around secure software development. This year's launch event was co-sponsored by Microsoft, SPI Dynamics, Visa International, Mercury, Wintellect and ISSA and included a distinguished panel of experts:

- Panel moderator, Jim Reavis, Editor, CSOinformer and Executive Director, ISSA
- Steve Lipner, Director of Security Engineering Strategy, Microsoft
- Penny Lane, Chief Info Security Specialist, Inovant LLC
- Caleb Sima, CTO & founder, SPI Dynamics
- Dr. Bill Scherlis, Professor, School of Computer Science, Carnegie Mellon University
- Steven Zimmerman, Vice President, Technology Risk Management, Regions Financial Corporation
- Justin Peavey, Vice President, Security Architecture & Engineering, State Street Corporation
- David Cullinane, CSO, Washington Mutual and President, ISSA
- Jonathan Rende, Vice President, Product Marketing, Mercury

Goals for the 2006 SSF year-long initiative are to gather and offer organizations feedback on best practices, to suggest roadmaps for actionable secure software programs, and to offer a broad range of free educational events and documentation to advance awareness of the need for software security, all based on individual participant input. These goals will be supported through a series of 84 international events co-sponsored by Microsoft and SPI Dynamics and a series of five executive events focused on compliance issues sponsored by SPI Dynamics. All of these events will be offered free to participants.

About Secure Software Forum

The Secure Software Forum is an in-depth educational initiative co-created by S.P.I. Dynamics Incorporated and Microsoft, centered around providing leading executives at corporations and government agencies, spanning all disciplines within the application lifecycle, with local forums to discuss their challenges, experiences and best practices around the shared global mandate to improve software security. For more information on the Secure Software Forum and the ongoing educational initiatives, please visit

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Secure Software Forum Moderator

"Developing secure software is a shared responsibility -- we cannot pass the buck to vendors, litigators or anyone else without doing our fair share of work," said Jim Reavis, Moderator for the Secure Software Forum activities, Executive Director, Information Systems Security Association (ISSA) and Editor, CSOinformer. "A holistic program providing end-to-end lifecycle coverage while spanning people, process and technology is needed within each organization. This year, to assist in those efforts, the Secure Software Forum will focus on providing a place for cross-industry discussions and education where organizations can work together to define their own roadmaps for software security. Throughout the year we will discuss how best to implement existing processes such as Microsoft's SDL through an Application Security Assurance Program (ASAP) Maturity Model."

Microsoft
"Microsoft continues to be dedicated to improving software quality not only through its Trustworthy Computing initiative and its efforts around the SDL, but also by sharing its ongoing findings and ideas for more secure software development," said Rick Samona, product manager of the Application Platform and Development Team at Microsoft Corp. "The Secure Software Forum is an excellent venue for the enterprise community to gain insight into building a foundation for producing better and more secure software, as well as learning to balance and facilitate best practice approaches in any organization."

SPI Dynamics

"Leading organizations have made considerable progress in the effort to build security into their underlying methodologies by creating internal programs to address security in all phases of the software development lifecycle, but there's still a ways to go," said Brian Cohen, CEO, SPI Dynamics. "Throughout 2006, the Secure Software Forum will be evangelizing an enterprise approach to software security assurance to benchmark and continuously improve software security development practices. We've gathered some of the top thought leaders to join us in the efforts to turn the theory of building secure software into practice."

Inovant LLC

"Visa is dedicated to delivering innovative and secure technology solutions that provide greater choice in payments while also protecting cardholder information," said Penny Lane, Chief Info Security Specialist, Inovant LLC, Visa's global IT organization responsible for global transactions processing and technology development. "We look forward to working with the Secure Software Forum and its partners to discuss best practices for secure software development."

Carnegie Mellon University

"It's vital to offer an educational platform for corporations, government agencies and universities to explore emerging trends beneficial to long term improvement in software security assurance," said Dr. Bill Scherlis, Professor, School of Computer Science, Carnegie Mellon University. "Academia plays a fundamental role in long-term research and education related to software security. At Carnegie Mellon, we actively collaborate with both industry and government through diverse research and educational programs at CyLab, CERT, and the School of Computer Science. We are pleased to participate and support the Secure Software Forum program to continue in those efforts."

Regions Financial Corporation

"The time is right for organizations to take an enterprise approach to software security assurance to benchmark and continuously improve secure development practices," said Steven Zimmerman, Vice President, Technology Risk Management, Regions Financial Corporation. "Through the open environment of the Secure Software Forum events, security and development executives can gather together and openly discuss both their best practices and mistakes -- invaluable information to the industry."

State Street Corporation

"The threat environment is ever-evolving, and it is not only the task of the security team within an enterprise to eliminate a company's risk," said Justin Peavey, Vice President, Security Architecture & Engineering, State Street Corporation. "Security is directly related to the overall business and reputation of an organization. Successfully securing software takes the commitment of an entire organization to education across the SDLC. Most importantly, it takes a sincere focus on maintaining good internal communication between business and technology in order to effectively identify, assess, and mitigate software-based risk."

Alaska Airlines

"Alaska Airlines is committed to ongoing development of effective e-commerce software security measures and to maintaining consumer trust in the e-commerce marketplace," said Marty Miller, Manager of Information Security at Alaska Airlines. "The best practices established by the Secure Software Forum's initiatives will contribute significantly as the e-commerce industry works collectively to address the advancement of secure software coding practices."

ISSA International

"Understanding how to better develop software that is free from security defects is fundamental," said Dave Cullinane, President, ISSA International. "Only by collaboration between top thinkers representing all stakeholders can we solve this problem. The Secure Software Forum is a tremendous step towards that solution and ISSA is excited to be supporting these efforts."

"2005 brought much-needed focus to the growing concern over insecure software and the real risks that security defects can pose to an organization and its customers," said Pamela Fusco, Presidential Advisor, ISSA International. "As leaders in the security community, we have a responsibility to share learned best practices with each other. Collectively, we can work together to achieve high-maturity, enterprise-wide security assurance programs."

Wintellect
"Early detection and resolution of security defects saves organizations valuable time and money," said Lewis Frazer III, president and CEO, Wintellect. "We intimately understand the basic drivers for developers to be coding securely and we are looking forward to participating in the Secure Software Forum Program 2006 efforts to help advocate advancements in SDLC processes."

Source: S.P.I. Dynamics Incorporated