Comparative Software Security

Comparative Software Security

by Brook Schoenfield and James Ransome

Software is critical to everything we do in the modern world and is behind our most critical systems. As such, it is imperative that it be secure by design. Software security is therefore as much a business decision as it is about avoiding security risks.

One of the best decisions you can make is to optimize you and your organization’s ability to secure the software in your organization by taking the comparative software security survey.

Created by:
Brook Schoenfield
Brook Schoenfield MBA, GWEB, GIAC Intrusion
Detection Analyst #144
James Ransome
James Ransome Ph.D. CISSP, CISM

Leading Research & Practice

Backed by decades of leadership, experience & research by Dr. James Ransome and Brook S.E. Schoenfield in their collective and individual programs.

Essential Insights

The Comparative Software Security survey represents an industry consensus as executed by 1000’s of developers at major tech companies and solid metrics proving significant improvement of security posture and reduction of serious issues.

An Invitation to a Conversation…

The survey reveals how your teams perceive they are doing across key dimensions of Software Security. Use this knowledge as a basis for a conversation to understand better how you can help reach security objectives.

Critical Traits of Software Security

The paradigms for producing and operating software, as well as the way that functionality is architected, have been through profound sea changes such that if security is going to be built and then run effectively, security techniques, tools, and operations must match, and, in fact, integrate easily, fully, and relatively painlessly with the ways that software is currently built and run.

Meanwhile, there is a strong tendency to represent secure development in a linear fashion—security activities preceding from planning and design through testing and release in an orderly fashion. But these attempts to provide order through linearity are a mistake.

This survey’s questions are founded upon the thousands of dedicated developers who’ve been honest and vulnerable enough to share what works, what doesn’t, and their willingness to reach with the authors for better solutions that are achievable across a gamut of software development practices and styles. The authors have listened to how developers work and what they need; this work is the result.

Sample Survey Items

We reduce our technical debt in every iteration.
Privileges are only given where strictly needed.
We control access to the DevOps/CICD chain/tools.
We keep the threat model updated as a part of our work.
Security fixes are tracked to closure.
When we choose to include 3rd party code, we perform a security assessment of the candidate code and its maker.
We use a Security Development Lifecycle (SDL).
We employ tools to identify secure coding issues.
We have designated security champions in each development team.

Sample Survey Items

We reduce our technical debt in every iteration.

Privileges are only given where strictly needed.

We control access to the DevOps/CICD chain/tools.
Load More

Top Features

Leverage proven, peer-reviewed research to quickly identify where your organization needs attention and initiate a conversation to understand how you can help.

Give your teams a voice – and allow them to express where you can do the most good for your organization.

Gain insights expeditiously - perform analysis at the team, program and organizational levels.

Benchmark the maturity of software security across your teams and organization against other organizations in your industry.

Leverage proven, peer-reviewed research to quickly identify where your organization needs attention and initiate a conversation to understand how you can help.

Give your teams a voice – and allow them to express where you can do the most good for your organization.

Gain insights expeditiously - perform analysis at the team, program and organizational levels.

Benchmark the maturity of software security across your teams and organization against other organizations in your industry.

Brook Schoenfield

Brook Schoenfield LinkedIn

MBA, GWEB, GIAC Intrusion
Detection Analyst #144

James Ransome

James Ransome LinkedIn

Ph.D. CISSP, CISM

Brook S.E. Schoenfield has authored several books on software security, has taught 100’s of security architects, while 1000’s have been through his threat modeling trainings.

He technically led five AppSec programs and 4 consulting practices. Currently, Mr. Schoenfield works with organizations and technical leaders to improve software security practices. He also teaches at the University of Montana.

With James Ransome, their latest book, Building In Security At Agile Speed (Auerbach, 2021), focuses on software security for continuous development practices and DevOps.  Other books by Mr. Schoenfield include: Secrets Of A Cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015).

Brook Schoenfield is currently the technical leader and advisor to Resilient Software Security, LLC and True Positives, LLC. Previously, he technically led product security architecture at McAfee (Intel), Cisco Engineering, IT security architecture at Autodesk, and web and application security for Cisco Infosec. He is a founding member of IEEE’s Center for Secure Design and is a featured Security Architect at the Bletchley Park Museum of Computing.

Brook Schoenfield is the originator of Baseline Application Vulnerability Assessment (BAVA), Just Good Enough Risk Rating (JGERR), Architecture, Threats, Attack Surfaces and Mitigations (ATASM) and developer-centric security. He contributed to Core Software Security (CRC Press, 2014), and co-authored The Threat Modeling Manifesto (2020), Avoiding the Top 10 Security Design Flaws (IEEE, 2014) and Tactical Threat Modeling (SAFECode, 2017).

Dr. James Ransome, PhD, CISSP, CISM is the Chief Scientist for CYBERPHOS, an early stage cybersecurity startup.

Most recently, James was the Senior Director of Security Development Lifecycle Engineering for Intel’s Product Assurance and Security (IPAS). In that capacity, he led a team of SDL engineers, architects, and product security experts to drive and implement security practices across the company. Prior to that, James was the Senior Director of Product Security and PSIRT at Intel Security (formerly McAfee).

James’s career includes leadership positions in the private and public sectors. He served in three chief information security officer (CISO) roles at Applied Materials, Autodesk, and Qwest Communications and four chief security officer (CSO) positions at Pilot Network Services, Exodus Communications, Exodus Communications—Cable and Wireless Company, and Cisco Collaborative Software Group. Before entering the corporate world. He worked in government service for 23 years supporting the U.S. intelligence community, federal law enforcement, and the Department of Defense.

Building in Security at Agile Speed and Core Software Security

Building in Security at Agile Speed and Core Software Security. Comparative Software Security is based on these books.

James holds a PhD in Information Systems, specializing in Information Security; a Master of Science Degree in Information Systems; and graduate certificates in International Business and International Affairs.

He taught Applied Cryptography, Advanced Network Security, and Information Security Management as an Adjunct Professor in the Nova Southeastern University’s Graduate School of Computer and Information Science (SCIS) Information Security Program. The graduate school is designated as a National Center of Academic Excellence in Information Assurance Education by the U.S. National Security Agency and the Department of Homeland Security.

James is a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Ponemon Institute Distinguished Fellow. He has authored and co-authored 13 cyber-related books and is currently working on his 14th.

Try it out now!

Fuel data-driven continuous improvement efforts at the team, program and organizational levels through uncommon insights and actionable feedback.