Sammy Migues

Abstract: They Can’t Manage What They Don’t Know About. Many application security owners haven’t had “the risk talk” with groups in their organization. “What do evolving agile, continuous integration/continuous delivery (CI/CD), and DevSecOps revolutions in software engineering mean for the firm’s risk posture.” Discussions also need to be had with company technology teams about how risk tolerances, proactive governance, and execution goals might require across-the-board changes in development practices.

Sammy Migues is Principal Scientist at Synopsys where his role is to solve hard software security problems and scale solution delivery.

Over the past 12 years, Sammy focused on computer-based and instructor-led training, smart grid, supply chain, metrics, software security initiative maturity, and management consulting. Sammy co-authored the BSIMM, a unique study in the software security industry, and has used BSIMM as an assessment tool hundreds of times across many industry verticals. Sammy also co-authored the Synopsys CISO Report, a review of approaches to the CISO role. Sammy started his career studying computer science. He worked on computer security in the Air Force, including participation in creating the ‘Rainbow Books’ from NSA and in some Orange Book security evaluations. His work at that time included formal methods and theorem provers, as well as on multilevel secure networks and systems. After the military, Sammy has worked in security consulting, covering the time span from operating system security to computer security, network security, data security, and software security. His primary focus was creating the intellectual property that helps firms successfully manage big areas of risk such as IT security and software security.