Comparative Software Security
Software is critical to everything we do in the modern world and is behind our most critical systems.
As such, it is imperative that it be secure by design. Software security is therefore as much a business decision as
it is about avoiding security risks.
One of the best decisions you can make is to optimize your and your organization's ability to secure the software in
your organization by taking the Comparative Software Security survey.
Created by:
Brook Schoenfield
MBA, GWEB, GIAC Intrusion Detection Analyst #144
James Ransome
Ph.D., CISSP, CISM
Leading Research & Practice
Backed by decades of leadership, experience & research by Dr. James Ransome and Brook S.E. Schoenfield in their collective and individual programs.
Essential Insights
The Comparative Software Security survey represents an industry consensus as executed by thousands of developers at major tech companies and solid metrics proving significant improvement of security posture and reduction of serious issues.
An Invitation to a Conversation…
The survey reveals how your teams perceive they are doing across key dimensions of Software Security. Use this knowledge as a basis for a conversation to better understand how you can help reach security objectives.
The paradigms for producing and operating software, as well as the way that functionality is architected,
have been through profound sea changes such that if security is going to be built and then run effectively,
security techniques, tools, and operations must match, and, in fact, integrate easily, fully, and relatively
painlessly with the ways that software is currently built and run.
Meanwhile, there is a strong tendency to represent secure development in a linear fashion—security
activities proceeding from planning and design through testing and release in an orderly fashion. But these
attempts to provide order through linearity are a mistake.
This survey's questions are founded upon the thousands of dedicated developers who've been honest and
vulnerable enough to share what works, what doesn't, and their willingness to reach with the authors for
better solutions that are achievable across a gamut of software development practices and styles. The authors
have listened to how developers work and what they need; this work is the result.
Sample Questions
SDL & Management
We reduce our technical debt in every iteration.
Access / Rights
Privileges are only given where strictly needed.
Access / Rights
We control access to the DevOps/CICD chain/tools.
Risk Identification
We keep the threat model updated as a part of our work.
Risk Identification
Security fixes are tracked to closure.
Provenance
When we choose to include 3rd party code, we perform a security assessment of the candidate code and its maker.
SDL & Management
We use a Security Development Lifecycle (SDL).
Developing Code
We employ tools to identify secure coding issues.
SDL & Management
We have designated security champions in each development team.
Top Features
Leverage proven, peer-reviewed research to quickly identify where your organization needs attention and initiate a conversation to understand how you can help.
Give your teams a voice - and allow them to express where you can do the most good for your organization.
Gain insights expeditiously - perform analysis at the team, program and organizational levels.
Benchmark the maturity of software security across your teams and organization against other organizations in your industry.
Brook S.E. Schoenfield has authored several books on software security, has taught hundreds of security architects, and thousands have been through his threat modeling trainings.
He technically led five AppSec programs and four consulting practices. Currently, Mr. Schoenfield works with organizations and technical leaders to improve software security practices. He also teaches at the University of Montana.
With James Ransome, their latest book, Building In Security At Agile Speed (Auerbach, 2021), focuses on software security for continuous development practices and DevOps. Other books by Mr. Schoenfield include: Secrets Of A Cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015).
Brook Schoenfield is currently the technical leader and advisor to Resilient Software Security, LLC and True Positives, LLC. Previously, he technically led product security architecture at McAfee (Intel), Cisco Engineering, IT security architecture at Autodesk, and web and application security for Cisco Infosec. He is a founding member of IEEE's Center for Secure Design and is a featured Security Architect at the Bletchley Park Museum of Computing.
Brook Schoenfield is the originator of Baseline Application Vulnerability Assessment (BAVA), Just Good Enough Risk Rating (JGERR), Architecture, Threats, Attack Surfaces and Mitigations (ATASM) and developer-centric security. He contributed to Core Software Security (CRC Press, 2014), and co-authored The Threat Modeling Manifesto (2020), Avoiding the Top 10 Security Design Flaws (IEEE, 2014) and Tactical Threat Modeling (SAFECode, 2017).
Dr. James Ransome, PhD, CISSP, CISM is the Chief Scientist for CYBERPHOS, an early stage cybersecurity startup.
Most recently, James was the Senior Director of Security Development Lifecycle Engineering for Intel's Product Assurance and Security (IPAS). In that capacity, he led a team of SDL engineers, architects, and product security experts to drive and implement security practices across the company. Prior to that, James was the Senior Director of Product Security and PSIRT at Intel Security (formerly McAfee).
James's career includes leadership positions in the private and public sectors. He served in three chief information security officer (CISO) roles at Applied Materials, Autodesk, and Qwest Communications and four chief security officer (CSO) positions at Pilot Network Services, Exodus Communications, Exodus Communications—Cable and Wireless Company, and Cisco Collaborative Software Group. Before entering the corporate world, he worked in government service for 23 years supporting the U.S. intelligence community, federal law enforcement, and the Department of Defense.
Comparative Software Security is based on the books Building in Security at Agile Speed and Core Software Security.
James holds a PhD in Information Systems, specializing in Information Security; a Master of Science Degree in Information Systems; and graduate certificates in International Business and International Affairs.
He taught Applied Cryptography, Advanced Network Security, and Information Security Management as an Adjunct Professor in the Nova Southeastern University's Graduate School of Computer and Information Science (SCIS) Information Security Program. The graduate school is designated as a National Center of Academic Excellence in Information Assurance Education by the U.S. National Security Agency and the Department of Homeland Security.
James is a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Ponemon Institute Distinguished Fellow. He has authored and co-authored 13 cyber-related books and is currently working on his 14th.
Securing Systems
Brook Schoenfield
Secrets of a Cyber Security Architect
Brook Schoenfield
Tactical Threat Modeling
Brook Schoenfield
Avoiding the Top 10 Software Security Design Flaws
Brook Schoenfield
Threat Modeling Manifesto
Brook Schoenfield
Defending the Cloud: Waging Warfare in Cyberspace
James Ransome
Cloud Computing: Implementation, Management, and Security
James Ransome
Wireless Security: Know It All
James Ransome
Business Continuity Planning and Disaster Recovery for Information…
James Ransome
Instant Messaging (IM) Security
James Ransome
Voice over Internet Protocol (VoIP) Security
James Ransome
Wireless Operational Security
James Ransome
Wireless Integrated Secure Options Model (WISDOM) for Converged Network Security
James Ransome
Comparative Agility By Simon Hilton
Listen to our domain experts outline the science, observations and thinking motivating their work.