1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
BSIMM4 The Building Security In Maturity Model
TODD LUKENS
MANAGING PRINCIPAL - SOUTHEAST
Cigital
Providing software security professional services since 1992
World's premier software security consulting firm
250 professional consultants
Washington, NY, Chicago, Boston, Atlanta, Santa Clara, Bloomington, Amsterdam, London
Recognized experts in software security
Widely published in books, white papers, and articles
Industry thought leaders
Cigital: Strategic Software Security
Mobile Application Security
Standards Development
Architecture Risk Analysis and Threat Modeling
Mobile Application Source Code Review
Mobile Application Penetration Testing
Mobile Application Vulnerability Remediation
Mobile Device Management (MDM/BYOD) Assessment
Dynamic Analysis
Ethical Hacking
Source Code Review
Secure Architecture Survey
Application and Network Penetration Testing
Secure Remediation Helpdesk
Vendor Assessments
3rd-Party Application Attestation
BSIMM Measurement
Software Security Initiative Development
Standards/Policy Development
Architecture Risk Analysis and Threat Modeling
Static Analysis Tools Configuration and Deployment
Custom Rule Development
Red Teaming
Security Metrics Development and Deployment
Cigital SecureAssist™
Cigital Enterprise Security Portal™
Cigital Instructor-Led Training (23 Courses)
Cigital BuildSecure eLibrary™ Computer-Based Training (19 Courses)
BSIMM Basics
BSIMM: Software Security Measurement
Building secure software starts with understanding where you are today…
The Software Security Program Maturity Model based on the real-world practices of leading organizations
BSIMM encompasses 111 different activities organized by 12 practices
• Understand the software security practices actually in use today
• Start a software security initiative using real data from an ongoing 4-year study
• Evolve your software security initiative by learning about proven activities carried out by mature organizations
We Hold These Truths to be Self-evident
Software security is more than a set of security functions
Not magic crypto fairy dust
Not silver-bullet security mechanisms
Not a bolt-on or an afterthought
Non-functional aspects of design are essential
Bugs and flaws are 50/50
Security is an emergent property of the entire system (just like quality)
To end up with secure software, deep integration with the SDLC is necessary
2006: A Shift from Philosophy to HOW TO
Integrating software security best practices into an organization's SDLC (that is, creating an SSDL):
Microsoft's SDL
Cigital's Touchpoints
OWASP CLASP
Prescriptive vs. Descriptive Models
Prescriptive models describe what you should do: SAFECode, SAMM, SDL, Touchpoints
Every firm has a methodology they follow (often a hybrid)
You need an SSDL
Descriptive models describe what is actually happening
The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs
Building BSIMM (started in 2008)
Big idea: Build a descriptive maturity model from actual data gathered from 9 well-known, large-scale software security initiatives
Created a software security framework
Interviewed nine firms in-person
Discovered 110 activities through observation
Organized the activities in 3 levels
Built the model and used it to build scorecards for all 9
Got feedback, validated, and published BSIMM version 1
Monkeys Eat Bananas
BSIMM is not about good or bad ways to eat bananas or banana best practices
BSIMM is about observations
BSIMM is descriptive, not prescriptive
BSIMM describes and measures multiple prescriptive approaches
BSIMM: Software Security Measurement
BSIMM4: Real data from 51 real initiatives; 13 measured over time; 95 total measurements
BSIMM5: 80+ companies; new activities added, some dropped; approx. 150 total measurements
BSIMM Community: access to security and development leaders at 80+ companies
51 Firms in the BSIMM4 Community
Intel
Plus 17 firms that remain anonymous
The Magic 30
With data from >30 firms, we can perform statistical analysis:
How good is the model?
What activities correlate with what other activities?
Do high maturity firms look the same?
The model is now updated and validated with data from 51 firms, comprising 95 distinct measurements:
BSIMM in 2009 with 9 firms
BSIMM Europe in 2009 with 9 firms
BSIMM2 in 2010 with 30 firms
BSIMM3 in 2011 with 42 firms and 11 re-measurements
BSIMM4 in 2012 with 51 firms and 14 re-measurements
There is no special snowflake
A Software Security Framework
Governance: Strategy and Metrics; Compliance and Policy; Training
Intelligence: Attack Models; Security Features and Design; Standards and Requirements
SSDL Touchpoints: Architecture Analysis; Code Review; Security Testing
Deployment: Penetration Testing; Software Environment; Configuration Management and Vulnerability Management
Architecture Analysis Practice Skeleton
Example Activity
[AA1.2] Perform design review for high-risk applications. The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. If the software security group (SSG) is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale.
BSIMM4 Measurements
BSIMM by the Numbers
Real-world Data (51 firms)
Initiative age
Average: 5.5 years
Newest: 0
Oldest: 17
Median: 4
SSG size
Average: 19.48
Smallest: 1
Largest: 100
Median: 7.5
Satellite size
Average: 40.77
Smallest: 0
Largest: 350
Median: 6
Dev size
Average: 4455
Smallest: 11
Largest: 30,000
Median: 1500
Average SSG size: 1.95% of dev group size
111 Activities
3 levels of maturity
Top activities per practice
Comparing scorecards between releases is interesting
BSIMM4 Scorecard
Twelve Things "Everybody" Does
Core activities:
1. identify gates
2. know PII obligations
3. awareness training
4. data classification
5. identify features
6. security standards
7. review security features
8. static analysis tool
9. QA boundary testing
10. external pen testers
11. good network security
12. close ops bugs loop
Using BSIMM4
BSIMM4 as a Measuring Stick
Compare a firm with peers using the high-water mark view
Compare business units
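The scorecard comparisons above (a firm against its peers, or one business unit against another) rest on the per-practice high-water mark. The following Python is an added example, not Cigital's or the BSIMM project's own code: it assumes the high-water mark rule is "the highest activity level at which at least one activity in that practice was observed", it uses BSIMM's practice abbreviations (of which only AA appears in this deck), and every observed activity list below is constructed sample data, not a real firm's measurement.

```python
"""Per-practice high-water marks from observed BSIMM activities (added example).

Assumption: a practice's high-water mark is the highest level (1-3) at which
the firm performs at least one activity. Activity IDs follow the BSIMM
pattern seen on the slide ("AA1.2" = Architecture Analysis, level 1, activity 2);
all other IDs here are constructed placeholders shaped like BSIMM IDs.
"""
import re
from collections import defaultdict
from statistics import mean

# The 12 practices of the Software Security Framework, keyed by the
# practice abbreviation that prefixes BSIMM activity IDs.
PRACTICES = {
    "SM": "Strategy and Metrics", "CP": "Compliance and Policy", "T": "Training",
    "AM": "Attack Models", "SFD": "Security Features and Design",
    "SR": "Standards and Requirements", "AA": "Architecture Analysis",
    "CR": "Code Review", "ST": "Security Testing", "PT": "Penetration Testing",
    "SE": "Software Environment",
    "CMVM": "Configuration Management and Vulnerability Management",
}

# <practice abbreviation><level 1-3>.<activity number>
ACTIVITY_ID = re.compile(r"^([A-Z]+)([123])\.(\d+)$")


def parse_activity(activity_id):
    """Split an activity ID into (practice, level); reject malformed IDs."""
    m = ACTIVITY_ID.match(activity_id)
    if not m or m.group(1) not in PRACTICES:
        raise ValueError(f"not a recognised BSIMM activity id: {activity_id!r}")
    return m.group(1), int(m.group(2))


def high_water_marks(observed):
    """Map every practice to its high-water mark (0 when nothing was observed)."""
    marks = {p: 0 for p in PRACTICES}
    for activity_id in observed:
        practice, level = parse_activity(activity_id)
        marks[practice] = max(marks[practice], level)
    return marks


def peer_average(peer_observations):
    """Average high-water mark per practice over a group of peer firms."""
    per_practice = defaultdict(list)
    for observed in peer_observations:
        for practice, level in high_water_marks(observed).items():
            per_practice[practice].append(level)
    return {p: mean(levels) for p, levels in per_practice.items()}


def compare(firm_marks, peer_marks):
    """Practices where the firm sits below / above the peer average, in framework order."""
    below = [p for p in PRACTICES if firm_marks[p] < peer_marks[p]]
    above = [p for p in PRACTICES if firm_marks[p] > peer_marks[p]]
    return below, above


# Constructed sample data: one firm and three anonymous peers.
FIRM = ["SM1.1", "SM2.1", "CP1.2", "T1.1", "AA1.2", "AA2.1", "CR1.4",
        "ST1.1", "PT1.1", "SE1.2", "CMVM1.1"]
PEERS = [
    ["SM1.1", "CP1.1", "T1.1", "AM1.2", "SFD1.1", "SR1.1", "AA1.1",
     "CR1.2", "ST1.1", "PT1.1", "SE1.1", "CMVM1.1"],
    ["SM3.1", "CP2.1", "T2.1", "AM1.1", "SFD1.1", "SR2.1", "AA1.2",
     "CR2.1", "ST1.1", "PT2.1", "SE1.1", "CMVM2.1"],
    ["SM1.1", "CP1.1", "T1.1", "AA3.1", "CR1.1", "ST2.1", "PT1.1",
     "SE1.1", "CMVM1.1"],
]

if __name__ == "__main__":
    firm = high_water_marks(FIRM)
    peers = peer_average(PEERS)
    print(f"{'practice':6} {'firm':>4} {'peers':>6}")
    for p in PRACTICES:
        print(f"{p:6} {firm[p]:>4} {peers[p]:>6.2f}")
    below, above = compare(firm, peers)
    print("below peer average:", below)
    print("above peer average:", above)
```

The same two functions serve the business-unit comparison: feed each unit's observed activities to `high_water_marks` and compare the resulting dictionaries practice by practice. Rejecting malformed IDs in `parse_activity` matters because a typo such as a level of 4 would otherwise silently inflate a practice's mark.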
BSIMM Longitudinal: Improvement over time
13 firms measured twice (average 19 months apart)
1 firm measured three times
BSIMM measurements show how firms improve
33% increase
Top 12 activities
purple = good?
red = bad?
“Blue shift” practices to emphasize
Drive budgets with data
BSIMM4 Scorecard with FAKE Firm Data
We Are a Special Snowflake (NOT)
ISV (19) results are similar to financial services (19)
You do the same things
You can demand the same results
Measurement works for all
BSIMM Over Four Studies
vBSIMM
Subset of BSIMM4 used as part of vendor management
Adds easily to existing processes
Clearly distinguishes vendors that understand software security
Can form the basis for software security SLAs
BSIMM4 to BSIMM5
BSIMM4 released September 2012 under Creative Commons
http://bsimm.com
Italian and German translations available soon
BSIMM is a yardstick
Use it to see where you stand
Use it to figure out what your peers do
BSIMM4 → BSIMM5
BSIMM is growing
Target of 80 firms
BSIMM Key Benefits
BSIMM gives you a scientific measurement of your software security activities. This information is useful in many ways, including:
Compare your firm with industry peers
Compare business units
Compare to a specific industry vertical or grouping
Compare a group to itself over time
Explain the programme to others (regulators, auditors, etc.)
Drive budgeting
Where to learn more
searchsecurity + justice league
www.searchsecurity.com
No-nonsense monthly security column by Gary McGraw
www.cigital.com/justiceleague
In-depth thought leadership blog from Cigital Principals
Scott Matsumoto
Gary McGraw
Sammy Migues
John Steven
Paco Hope
http://bsimm.com
Send e-mail: [email protected]
TODD LUKENS
MANAGING PRINCIPAL
703-404-9293 EXT: 4213