Earlier this month I attended the Security Development Conference 2012 (SDC 2012). As Steve Lipner, Partner Director of Program Management, Trustworthy Computing, Microsoft wrote in his article about the event, the conference enabled people from companies, government agencies and academic institutions to share their own experiences of adopting a security development process thus helping others learn how to accelerate adoption within their own organizations. Speakers and panelists included Adobe, BlackBerry, Cisco, IBM, Intel, Itron, Lockheed Martin, Microsoft, NIST, NSA, Salesforce.com, Red Hat and others.
Over the next few weeks I’ll be posting some summaries of the keynotes and other plenary presentations and interviews with conference attendees to give you a sense of the conference and the topics it covered.
The conference was held in Washington DC with about 250 attendees from over 115 different organizations around the world. We kept it small so that participants really had the opportunity to interact with speakers and panelists in a meaningful way.
I found the keynotes to be especially thought provoking. Richard A. Clarke, the Chairman of Good Harbor Consulting and the former Special Advisor to the President of the United States for Cyber Security, delivered the opening keynote entitled “Confronting Cyber Risk in Critical Infrastructure” which focused on the importance of systematically building security into software that operates critical infrastructure.
Richard Clarke during his opening keynote at SDC 2012
Mr. Clarke proposed that the current threat landscape is characterized by attacks that are persistent and pervasive rather than “advanced.” He used “CHEW” as an acronym to discuss the four types of cyber-threat activities he sees today: Crime, Hacktivism, Espionage, and War. Mr. Clarke also spent time talking about SCADA systems and the importance of defending them against attack. He ended his keynote by recognizing the efforts of Microsoft and the industry to develop more secure software. He strongly recommended that critical infrastructure industries adopt a security development porcess to help secure software used to operate their systems.
If you are interested in learning more about the topics covered in Mr. Clarke’s keynote, I recommend reading the paper Good Harbor Consulting LLC released at the conference entitled – Confronting Cyber Risk in Critical Infrastructure: The National and Economic Benefits of Security Development Processes. The theme of the paper is that secure development processes are core to securing critical infrastructure and that solid evidence of economic benefit coming from the use of these methods exists. The paper includes information from several different providers and regulators of critical infrastructure and discusses the importance of secure development in achieving those results. You can download a copy of the Good Harbor Consulting paper by clicking on the link above.
Richard Clarke, chairman of Good Harbor Consulting and Former Special Advisor to the President for Cyber Security, and Tim Rains director Trustworthy Computing, Microsoft.
After Mr. Clarke’s keynote I sat down with him to get his view on a couple of security related topics, including the importance of secure development practices to critical infrastructure and the value of the Security Development Conference. Mr. Clarke told me “Frequently people fear it. They say SDL will slow things down – SDL will be too expensive. Over the course of the lifecycle of a piece of software, an application, a program, it’s cheaper to do it right the first time than to experience the attacks or even just experience the patches that are necessary when you don’t do it right the first time.“
You can watch the full conversation using the link to the video below. If you are interested in learning more about how the SDL is being adopted by critical infrastructure providers, my colleague Doug Cavit shares some great resources in this article: The SDL & Critical Infrastructure Protection, the Return on Investment.