Comparative Software Security
by Brook Schoenfield and James RansomeSoftware is critical to everything we do in the modern world and is behind our most critical systems.
As such, it is imperative that it be secure by design. Software security is therefore as much a business decision as
it is about avoiding security risks.
One of the best decisions you can make is to optimize you and your organization’s ability to secure the software in
your organization by taking the comparative software security survey.
Leading Research & Practice
Backed by decades of leadership, experience & research by Dr. James Ransome and Brook S.E. Schoenfield in their collective and individual programs.
Essential Insights
The Comparative Software Security survey represents an industry consensus as executed by 1000’s of developers at major tech companies and solid metrics proving significant improvement of security posture and reduction of serious issues.
An Invitation to a Conversation…
The survey reveals how your teams perceive they are doing across key dimensions of Software Security. Use this knowledge as a basis for a conversation to understand better how you can help reach security objectives.
Critical Traits of Software Security
Meanwhile, there is a strong tendency to represent secure development in a linear fashion—security activities preceding from planning and design through testing and release in an orderly fashion. But these attempts to provide order through linearity are a mistake.
This survey’s questions are founded upon the thousands of dedicated developers who’ve been honest and vulnerable enough to share what works, what doesn’t, and their willingness to reach with the authors for better solutions that are achievable across a gamut of software development practices and styles. The authors have listened to how developers work and what they need; this work is the result.
Sample Survey Items
We reduce our technical debt in every iteration.
Privileges are only given where strictly needed.
We control access to the DevOps/CICD chain/tools.
We keep the threat model updated as a part of our work.
Security fixes are tracked to closure.
When we choose to include 3rd party code, we perform a security assessment of the candidate code and its maker.
We use a Security Development Lifecycle (SDL).
We employ tools to identify secure coding issues.
We have designated security champions in each development team.
Sample Survey Items
We reduce our technical debt in every iteration.
Privileges are only given where strictly needed.
We control access to the DevOps/CICD chain/tools.
Top Features
Leverage proven, peer-reviewed research to quickly identify where your organization needs attention and initiate a conversation to understand how you can help.
Give your teams a voice – and allow them to express where you can do the most good for your organization.
Gain insights expeditiously - perform analysis at the team, program and organizational levels.
Benchmark the maturity of software security across your teams and organization against other organizations in your industry.
Leverage proven, peer-reviewed research to quickly identify where your organization needs attention and initiate a conversation to understand how you can help.
Give your teams a voice – and allow them to express where you can do the most good for your organization.
Gain insights expeditiously - perform analysis at the team, program and organizational levels.
Benchmark the maturity of software security across your teams and organization against other organizations in your industry.
Brook Schoenfield
MBA, GWEB, GIAC Intrusion
Detection Analyst #144
James Ransome
Ph.D. CISSP, CISM
Brook S.E. Schoenfield has authored several books on software security, has taught 100’s of security architects, while 1000’s have been through his threat modeling trainings.
He technically led five AppSec programs and 4 consulting practices. Currently, Mr. Schoenfield works with organizations and technical leaders to improve software security practices. He also teaches at the University of Montana.
With James Ransome, their latest book, Building In Security At Agile Speed (Auerbach, 2021), focuses on software security for continuous development practices and DevOps. Other books by Mr. Schoenfield include: Secrets Of A Cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015).
Brook Schoenfield is currently the technical leader and advisor to Resilient Software Security, LLC and True Positives, LLC. Previously, he technically led product security architecture at McAfee (Intel), Cisco Engineering, IT security architecture at Autodesk, and web and application security for Cisco Infosec. He is a founding member of IEEE’s Center for Secure Design and is a featured Security Architect at the Bletchley Park Museum of Computing.
Brook Schoenfield is the originator of Baseline Application Vulnerability Assessment (BAVA), Just Good Enough Risk Rating (JGERR), Architecture, Threats, Attack Surfaces and Mitigations (ATASM) and developer-centric security. He contributed to Core Software Security (CRC Press, 2014), and co-authored The Threat Modeling Manifesto (2020), Avoiding the Top 10 Security Design Flaws (IEEE, 2014) and Tactical Threat Modeling (SAFECode, 2017).
Dr. James Ransome, PhD, CISSP, CISM is the Chief Scientist for CYBERPHOS, an early stage cybersecurity startup.
Most recently, James was the Senior Director of Security Development Lifecycle Engineering for Intel’s Product Assurance and Security (IPAS). In that capacity, he led a team of SDL engineers, architects, and product security experts to drive and implement security practices across the company. Prior to that, James was the Senior Director of Product Security and PSIRT at Intel Security (formerly McAfee).
James’s career includes leadership positions in the private and public sectors. He served in three chief information security officer (CISO) roles at Applied Materials, Autodesk, and Qwest Communications and four chief security officer (CSO) positions at Pilot Network Services, Exodus Communications, Exodus Communications—Cable and Wireless Company, and Cisco Collaborative Software Group. Before entering the corporate world. He worked in government service for 23 years supporting the U.S. intelligence community, federal law enforcement, and the Department of Defense.
Building in Security at Agile Speed and Core Software Security. Comparative Software Security is based on these books.
James holds a PhD in Information Systems, specializing in Information Security; a Master of Science Degree in Information Systems; and graduate certificates in International Business and International Affairs.
He taught Applied Cryptography, Advanced Network Security, and Information Security Management as an Adjunct Professor in the Nova Southeastern University’s Graduate School of Computer and Information Science (SCIS) Information Security Program. The graduate school is designated as a National Center of Academic Excellence in Information Assurance Education by the U.S. National Security Agency and the Department of Homeland Security.
James is a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Ponemon Institute Distinguished Fellow. He has authored and co-authored 13 cyber-related books and is currently working on his 14th.
Try it out now!
Fuel data-driven continuous improvement efforts at the team, program and organizational levels through uncommon insights and actionable feedback.