Page 1
Scaling a Software Security Initiative: Lessons from the BSIMM
Gary McGraw, Ph.D.
Chief Technology Officer
May 1, 2023
Copyright © 2015, Cigital and/or its affiliates. All rights reserved
@cigitalgem
Page 2
Cigital
• Providing software security professional services since 1992
• World’s premier software security consulting firm
• 350 employees
• 13 offices including Dulles, Boston, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, Amsterdam, and London
• Recognized experts in software security
Page 3
BSIMM-V
Page 4
67 Firms in the BSIMM-V Community
• Real data from 67 firms
• 161 measurements
• 21 over time
• McGraw, Migues, & West
• bsimm.com
plus 24 anonymous firms
Page 5
Monkeys Eat Bananas
• BSIMM is not about good or bad ways to eat bananas or banana best practices
• BSIMM is about observations
• BSIMM is descriptive, not prescriptive
• BSIMM describes and measures multiple prescriptive approaches
Page 6
BSIMM by the Numbers
BSIMM describes and measures the work of 2930 full-time software security people controlling the work of 272,358 developers.
Page 7
12 Practices, 112 Activities
• Real activities, not theories
• Real data
• How do the 67 BSIMM firms carry out a practice?
• How do the practices scale?
Page 8
BSIMM-V = Measuring Stick
Page 9
SCALING CODE REVIEW
Page 10
Remedial Code Review
• #1 Touchpoint
• Get a tool (HP/Fortify, IBM/Ounce, Coverity, Cigital SecureAssist)
• 50 of 67 firms have an automated tool
Page 11
Code Review in the BSIMM
Page 12
Code Review Pitfalls
Security runs a complex tool:
• Results computed WAY too late
• Results include too many false positives
• Security types have no clue how to fix anything
• Developers try to avoid being beaten by the security police
Tool thrown over the wall to dev:
• Developers asked to “just run the tool” with no real training
• The “red screen of death” ensues
• Developers learn to game the results
Page 13
Scaling Code Review: Path 1
• Build a centralized code review factory
  • Streamline code submission
  • Provide middleware data flow intelligence
  • Normalize results (across multiple feeds)
• Know what to look for
  • Create and enforce coding standards (carrot and stick)
  • Build custom rules that work for YOUR code
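The "normalize results across multiple feeds" and "enforce coding standards" points of Path 1, as an added worked example (not Cigital's code and not any scanner vendor's): two constructed tool feeds, a SARIF-style JSON export and a CSV export, are mapped onto a constructed set of in-house coding-standard ids, the same finding reported by both tools collapses into one record that remembers both sources, and a gate blocks the build on the severities the standard says must not ship. The tool names, rule names and the CS-nn ids are all assumptions.

```python
"""Normalize static-analysis findings from several tool feeds into one
schema, collapse duplicates, and gate on the coding standard.

Added example for this deck; not Cigital's or any scanner vendor's code.
Both feeds, the tool names, the rule names and the CS-nn standard ids are
constructed for illustration."""
import csv
import io
import json
from dataclasses import dataclass

# Constructed feed 1: a SARIF-style JSON export from "toolA".
FEED_JSON = json.dumps({"runs": [{
    "tool": {"driver": {"name": "toolA"}},
    "results": [
        {"ruleId": "SQLI", "level": "error",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/orders.py"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "HARDCODED_SECRET", "level": "warning",
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/config.py"},
             "region": {"startLine": 7}}}]},
    ]}]})

# Constructed feed 2: a CSV export from "toolB" that reports the same SQL
# injection at the same spot under its own rule name, plus one more finding.
FEED_CSV = """file,line,rule,severity
src/orders.py,42,sql-injection,HIGH
src/util.py,120,weak-hash,MEDIUM
"""

# Each tool's vocabulary mapped onto YOUR standard (hypothetical CS-nn ids).
RULE_MAP = {
    ("toolA", "SQLI"): "CS-01-injection",
    ("toolB", "sql-injection"): "CS-01-injection",
    ("toolA", "HARDCODED_SECRET"): "CS-07-secrets",
    ("toolB", "weak-hash"): "CS-12-crypto",
}
SEVERITY_MAP = {"error": "high", "HIGH": "high", "warning": "medium",
                "MEDIUM": "medium", "note": "low", "LOW": "low"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    rule: str        # coding-standard id, not the tool's own name
    severity: str    # normalized: low / medium / high
    file: str
    line: int
    tools: tuple     # every feed that reported this finding


def parse_sarif_like(text, tool="toolA"):
    """Read the JSON feed; an unmapped rule raises so the map stays complete."""
    for run in json.loads(text)["runs"]:
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            yield Finding(RULE_MAP[(tool, r["ruleId"])],
                          SEVERITY_MAP[r["level"]],
                          loc["artifactLocation"]["uri"],
                          int(loc["region"]["startLine"]), (tool,))


def parse_csv(text, tool="toolB"):
    """Read the CSV feed into the same schema."""
    for row in csv.DictReader(io.StringIO(text)):
        yield Finding(RULE_MAP[(tool, row["rule"])],
                      SEVERITY_MAP[row["severity"]],
                      row["file"], int(row["line"]), (tool,))


def normalize(*feeds):
    """Merge feeds: same rule, file and line -> one record that keeps the
    highest severity and remembers every tool that reported it."""
    merged = {}
    for feed in feeds:
        for f in feed:
            key = (f.rule, f.file, f.line)
            old = merged.get(key)
            if old is None:
                merged[key] = f
            else:
                sev = max(old.severity, f.severity, key=SEVERITY_RANK.get)
                merged[key] = Finding(old.rule, sev, old.file, old.line,
                                      old.tools + f.tools)
    return sorted(merged.values(), key=lambda f: (f.file, f.line))


def gate(findings, block_on=("high",)):
    """The 'stick': return (passes, blocking findings) for this build."""
    blocking = [f for f in findings if f.severity in block_on]
    return (not blocking, blocking)


if __name__ == "__main__":
    merged = normalize(parse_sarif_like(FEED_JSON), parse_csv(FEED_CSV))
    for f in merged:
        print(f"{f.file}:{f.line} {f.rule} [{f.severity}] via {','.join(f.tools)}")
    print("gate passes:", gate(merged)[0])
```

Mapping every tool's rule names onto one in-house vocabulary is what makes the "carrot and stick" workable: developers see one standard id and one severity whichever tool fired, and a finding confirmed by two independent tools is visibly not a false positive.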
Page 14
Scaling Code Review: Path 2 (Very New)
• Put a very simple “real-time training” tool on developer desktops
• Eliminate whole classes of bugs before they are compiled in
• Focus on coding more securely in the first place
  • Teaching is more powerful than punishing
  • Developers need to know what to DO, not what not to do
• Train developers just in time at code writing time
Read: bit.ly/1iIcAPB
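What a minimal "real-time training" check looks like, as an added example (not Cigital SecureAssist or any other product): a handful of rules over the Python AST, each one paired with what the developer should DO instead, run on a constructed snippet of the kind a developer might have open in the editor. The rules, the guidance text and the sample source are all constructed.

```python
"""A tiny 'real-time training' check: scan Python source as it is being
written and report each risky call together with what to DO instead.

Added example for this deck; not Cigital SecureAssist or any other product.
The rules and the sample source are constructed for illustration."""
import ast


def _kw_is_true(call, name):
    """True when the call passes name=True as a literal."""
    return any(k.arg == name and isinstance(k.value, ast.Constant)
               and k.value.value is True for k in call.keywords)


def _lacks_kw(call, name):
    return not any(k.arg == name for k in call.keywords)


# (call as written, predicate on the ast.Call node, what to do instead)
RULES = [
    ("subprocess.run", lambda c: _kw_is_true(c, "shell"),
     "Pass the command as a list and drop shell=True; with no shell there is "
     "nothing for attacker-controlled text to be interpreted by."),
    ("subprocess.Popen", lambda c: _kw_is_true(c, "shell"),
     "Same fix as subprocess.run: argument list, no shell=True."),
    ("yaml.load", lambda c: _lacks_kw(c, "Loader"),
     "Use yaml.safe_load(); it builds plain data and never instantiates "
     "arbitrary Python objects."),
    ("pickle.loads", lambda c: True,
     "Never unpickle data you did not produce; use json or a schema-validated format."),
    ("eval", lambda c: True,
     "Use ast.literal_eval for literals, or a real parser for anything else."),
]


def _call_name(node):
    """'module.func' or 'func' for a Call node. Aliased imports
    (from subprocess import run) are not resolved in this small example."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def check_source(source, filename="<editor>"):
    """Return [{'line', 'call', 'do_this'}] for every rule hit, in line order."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        for rule_call, predicate, guidance in RULES:
            if name == rule_call and predicate(node):
                hits.append({"line": node.lineno, "call": name,
                             "do_this": guidance})
    return sorted(hits, key=lambda h: h["line"])


# Constructed sample of what a developer might have in the editor.
SAMPLE = '''
import subprocess, yaml, json

def deploy(host):
    subprocess.run("ssh " + host + " ./restart.sh", shell=True)
    cfg = yaml.load(open("app.yml"))
    safe = yaml.load(open("app.yml"), Loader=yaml.SafeLoader)
    return cfg, safe, json.loads(open("data.json").read())
'''

if __name__ == "__main__":
    for hit in check_source(SAMPLE):
        print(f"line {hit['line']}: {hit['call']} -> {hit['do_this']}")
```

The point of the design is in the third field of each rule: the check fires at typing time and the message is an instruction, not a verdict, which is the "teaching rather than punishing" stance of the slide. The line that passes a Loader is deliberately left alone so the developer learns the pattern rather than a blanket ban.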
Page 15
SCALING ARCHITECTURE ANALYSIS
Page 16
Remedial Code Review
• #2 Touchpoint
• Requires real expertise
• Know your components
• 56 of 67 firms review security FEATURES
Page 17
Architecture Analysis Pitfalls
The Expert Bottleneck:
• Superman required for each analysis exercise
• Lots of products and teams need analysis, but must either wait forever or skip it
Ad Hoc “Review”:
• Review only as powerful as whoever bothers to show up
• No institutional knowledge or consistency
Page 18
Architecture Analysis in the BSIMM
Page 19
Define a Process: Architecture Risk Analysis
• Step 0: Get an architecture diagram
• Step 1: Known attack analysis
  • Leverage STRIDE by analogy
  • Know your potential flaws
• Step 2: System-specific attack analysis
  • Anticipate emergent flaws
  • Build a threat model (trust boundaries and data sensitivity)
• Step 3: Dependency analysis
Read: bit.ly/1b2f5Zk
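The four steps above carried out on a small constructed system, as an added example (not Cigital ARA and not a record of any real review): components sit in trust zones, each arrow on the Step 0 diagram carries a data classification and the controls it has, Step 1 applies STRIDE by analogy to every flow that crosses a trust boundary, Step 2 walks the diagram to find an emergent flaw that no single flow shows (a component implicitly trusting a login decision made upstream), and Step 3 asks what the system inherits from code it does not control. Zone names, flags, component and library names are all assumptions.

```python
"""Architecture risk analysis on a small, constructed system: Step 1 STRIDE
by analogy on every flow that crosses a trust boundary, Step 2 a search for
an emergent flaw that no single flow shows, Step 3 dependency analysis.
Added example for this deck; not Cigital ARA or any other defined process.
Components, zones, flags and library names are all constructed."""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    zone: str                 # trust zone: internet < dmz < internal
    third_party: bool = False
    dependencies: tuple = ()  # (library, pinned version or None)


@dataclass
class Flow:                   # one arrow on the Step 0 diagram
    src: str
    dst: str
    data: str                 # classification: public / internal / confidential
    encrypted: bool = False
    authenticated: bool = False
    integrity: bool = False   # signed, MACed or carried over TLS
    logged: bool = False
    rate_limited: bool = False


ZONE_RANK = {"internet": 0, "dmz": 1, "internal": 2}
SENSITIVE = {"confidential"}

# Constructed diagram: browser -> web tier -> API -> database / payments SDK.
COMPONENTS = {c.name: c for c in [
    Component("browser", "internet"),
    Component("web", "dmz", dependencies=(("web-framework", "1.4.0"),)),
    Component("api", "internal", dependencies=(("http-client", None),)),
    Component("db", "internal"),
    Component("payments-sdk", "internal", third_party=True),
]}
FLOWS = [
    Flow("browser", "web", "confidential", encrypted=True, authenticated=True,
         integrity=True, logged=True),          # TLS + login, but no rate limit
    Flow("web", "api", "confidential"),         # plain HTTP inside the data centre
    Flow("api", "db", "confidential", authenticated=True),
    Flow("api", "payments-sdk", "confidential", encrypted=True,
         authenticated=True, integrity=True, logged=True),
]


def crosses_boundary(f, comps):
    return comps[f.src].zone != comps[f.dst].zone


def known_attack_analysis(comps, flows):
    """Step 1: STRIDE by analogy; returns (category, where, why) tuples."""
    out = []
    for f in flows:
        if not crosses_boundary(f, comps):
            continue
        where = f"{f.src} -> {f.dst}"
        low_to_high = ZONE_RANK[comps[f.src].zone] < ZONE_RANK[comps[f.dst].zone]
        checks = [
            ("Spoofing", not f.authenticated, "caller identity not checked at the boundary"),
            ("Tampering", not f.integrity, "data can be altered in transit"),
            ("Repudiation", not f.logged, "no record of who did what"),
            ("Information disclosure", f.data in SENSITIVE and not f.encrypted,
             "confidential data in the clear"),
            ("Denial of service", comps[f.src].zone == "internet" and not f.rate_limited,
             "unthrottled entry point"),
            ("Elevation of privilege", low_to_high and not f.authenticated,
             "unauthenticated path into a higher-trust zone"),
        ]
        out.extend((cat, where, why) for cat, hit, why in checks if hit)
    return out


def emergent_flaws(comps, flows):
    """Step 2: walk inward from the internet. An unauthenticated crossing
    after an authenticated one means a downstream component silently trusts
    an upstream login decision, a flaw visible only along the whole path."""
    edges = {}
    for f in flows:
        edges.setdefault(f.src, []).append(f)
    out, seen = [], set()
    stack = [(c.name, [c.name]) for c in comps.values() if c.zone == "internet"]
    while stack:
        node, path = stack.pop()
        for f in edges.get(node, []):
            if f.dst in seen:
                continue
            seen.add(f.dst)
            if crosses_boundary(f, comps) and not f.authenticated and len(path) >= 2:
                out.append(("Emergent", " -> ".join(path + [f.dst]),
                            f"{f.dst} trusts authentication done at {node}; anything in "
                            f"{comps[node].zone} can call it as any user"))
            stack.append((f.dst, path + [f.dst]))
    return out


def dependency_analysis(comps, flows):
    """Step 3: what do we inherit from code we do not control?"""
    out = []
    for c in comps.values():
        out.extend(("Dependency", c.name, f"{lib} is not pinned; shipped version unknown")
                   for lib, version in c.dependencies if version is None)
        if c.third_party and any(f.dst == c.name and f.data in SENSITIVE for f in flows):
            out.append(("Dependency", c.name, "third-party component receives confidential data"))
    return out


if __name__ == "__main__":
    for finding in (known_attack_analysis(COMPONENTS, FLOWS) + emergent_flaws(COMPONENTS, FLOWS)
                    + dependency_analysis(COMPONENTS, FLOWS)):
        print(*finding, sep=" | ")
```

The STRIDE pass only looks at arrows that cross a boundary, which is the "trust boundaries and data sensitivity" part of the threat model; the one emergent finding (web authenticates the user, api trusts web, so a foothold in the DMZ becomes every user) is exactly the kind of flaw that a per-component checklist never produces and that a repeatable process needs to ask for explicitly.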
Page 20
Scaling Architecture Analysis
• Security Architecture Survey (SAS)
  • Focus on standard components and a software component model
  • Look for your commonly encountered flaws
  • Identify common controls
  • Know your design principles
  • Consider where the SDLC breaks
• Sweep the entire portfolio
• Use a proven process like Cigital ARA for high-risk applications
Read: bit.ly/19Jmk7f
Page 21
IEEE Center for Secure Design
Avoiding the top ten swsec design flaws: http://cybersecurity.ieee.org/center-for-secure-design.html
Page 22
SCALING PENETRATION TESTING
Page 23
Remedial Penetration Testing
• #3 Touchpoint
• Becoming a commodity (so buy some)
• 62 of 67 BSIMM firms use external pen testers
• Black box tools available
Page 24
Penetration Testing Pitfalls
Hiring “reformed” hackers
Pen testing != security meter: badness-ometer
Page 25
Penetration Testing in the BSIMM
Page 26
Scaling Penetration Testing
• Automate with customized tools and know your attacker
  • Black box Web/mobile testing tools are cheap and fast
  • Fuzzing tools aimed at APIs also help scale
• Investigate cloud services (remote pen testing)
• Fix what you find
  • Real integration with development is important
  • Don’t just throw rocks
• Periodically pen test everything you can
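The "fuzzing tools aimed at APIs" and "fix what you find" points, as an added example (not any product's fuzzer and not Cigital's code): an in-process mutation fuzzer runs a JSON request handler over type swaps, dropped keys and raw byte corruption, treats a clean validation error as the handler doing its job, and records every other exception together with the first input that reproduces it, which is what makes a finding fixable rather than a thrown rock. The two handlers, the seed request and the mutation pool are constructed; v1 is the kind of handler the fuzzer catches and v2 its hardened form.

```python
"""In-process fuzzing of a JSON API handler, with findings handed back as
reproducible inputs rather than 'thrown rocks'.

Added example for this deck; not any product's fuzzer. The two handlers,
the seed request and the mutation pool are constructed for illustration:
v1 is the kind of handler the fuzzer catches, v2 the hardened form."""
import json
import random


class ValidationError(Exception):
    """The only exception a well-behaved handler may raise for bad input."""


def handle_transfer_v1(raw: bytes) -> dict:
    """'Before': trusts the shape of the JSON it receives."""
    body = json.loads(raw)             # malformed JSON escapes as a raw error
    if body["amount"] <= 0:            # KeyError if missing, TypeError if not a number
        raise ValidationError("amount must be positive")
    memo = body["memo"][:100]          # TypeError if memo is not a string
    return {"to": body["to"], "amount": body["amount"], "memo": memo}


def handle_transfer_v2(raw: bytes) -> dict:
    """'After': every assumption about the input is checked explicitly."""
    try:
        body = json.loads(raw)
    except ValueError as e:            # covers JSONDecodeError and bad UTF-8
        raise ValidationError("body is not valid JSON") from e
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")
    to, amount, memo = body.get("to"), body.get("amount"), body.get("memo", "")
    if not isinstance(to, str) or not 0 < len(to) <= 64:
        raise ValidationError("to must be a string of 1..64 characters")
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= 10**9:
        raise ValidationError("amount must be an integer in 1..1e9")
    if not isinstance(memo, str):
        raise ValidationError("memo must be a string")
    return {"to": to, "amount": amount, "memo": memo[:100]}


# Constructed seed request and the values a mutation may swap in.
SEED = {"to": "acct-42", "amount": 100, "memo": "rent"}
POOL = [None, True, -1, 0, 2**70, 1.5, "", "x" * 5000, [], {}, "100", "\u00e9"]


def mutate(rng, seed):
    """One mutated request body as bytes: a type swap, a dropped or extra
    key, or a flipped byte that exercises the JSON parser itself."""
    body = dict(seed)
    key = rng.choice(list(seed))
    op = rng.choice(["swap_type", "drop_key", "add_key", "flip_byte"])
    if op == "swap_type":
        body[key] = rng.choice(POOL)
    elif op == "drop_key":
        del body[key]
    elif op == "add_key":
        body["extra"] = rng.choice(POOL)
    raw = json.dumps(body).encode()
    if op == "flip_byte":
        i = rng.randrange(len(raw))
        raw = raw[:i] + bytes([rng.randrange(256)]) + raw[i + 1:]
    return raw


def fuzz(handler, iterations=1000, seed=1):
    """Run the handler on mutated inputs. A ValidationError is the handler
    doing its job; any other exception is a finding, recorded with the first
    input that reproduces it so a developer can fix it."""
    rng = random.Random(seed)          # fixed seed: the run is reproducible
    crashes = {}
    for _ in range(iterations):
        raw = mutate(rng, SEED)
        try:
            handler(raw)
        except ValidationError:
            continue
        except Exception as e:
            crashes.setdefault(type(e).__name__, raw)
    return crashes


if __name__ == "__main__":
    for name, handler in (("v1", handle_transfer_v1), ("v2", handle_transfer_v2)):
        found = fuzz(handler)
        print(name, "crash types:", sorted(found) or "none")
        for exc, raw in found.items():
            print("   ", exc, "reproduced by", raw[:80])
```

Running the same harness against both handlers is the integration the slide asks for: the fuzzer becomes a regression test the development team owns, v2's empty result is the evidence that the finding was fixed, and the fixed seed means a crash reported today reproduces on a developer's machine tomorrow.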
Page 27
WHERE TO LEARN MORE
Page 28
SearchSecurity + Justice League
1. No-nonsense monthly security column by Gary McGraw: www.searchsecurity.com
2. In-depth thought-leadership blog from the Cigital Principals: www.cigital.com/justiceleague
  • Gary McGraw
  • Sammy Migues
  • John Steven
  • Paco Hope
  • Jim DelGrosso
3. Gary McGraw’s writings: www.cigital.com/~gem/writing
Page 29
Silver Bullet + IEEE Security & Privacy
1. Monthly Silver Bullet podcast with Gary McGraw: www.cigital.com/silverbullet
2. IEEE Security & Privacy magazine (Building Security In): www.computer.org/security/bsisub/
Page 30
The Book
• How to DO software security
  • Best practices
  • Tools
  • Knowledge
• Cornerstone of the Addison-Wesley Software Security Series: www.swsec.com
Page 31
Build Security In
• Read the Addison-Wesley Software Security series
• Send e-mail: [email protected]
@cigitalgem