OWASP Geneva Chapter, May 7th 2013. BSIMM: Measuring Software Security Initiative Maturity. Simon Blanchet, CISSP, CSSLP, PMP, Head of Application Security, http://ch.linkedin.com/in/sblanchet. Agenda: Who Am I? What is this talk all about? Why talking about BSIMM? BSIMM4
OWASP Geneva Chapter, May 7th 2013
BSIMM: Measuring Software Security Initiative Maturity
• Simon Blanchet, CISSP, CSSLP, PMP
• Head of Application Security
• http://ch.linkedin.com/in/sblanchet

Agenda
• Who Am I?
• What is this talk all about?
• Why talking about BSIMM?
• BSIMM4
• Lessons learned & take-aways
• Conclusion
Who Am I?
• Head of Application Security in a Private Bank
• CISSP, CSSLP, PMP
• Where am I coming from?
• Computer Science
• Security Software Designer → Software Security Manager
• I'm managing a SSG (Software Security Group) applying a Risk-Based approach to ensure that our organization is
• Building Secure Software
• Securely Acquiring & Integrating Vendors' Software
• Securely Modifying legacy Software without compromising the Security of the whole Banking Information System

What is this talk all about?
• The story of a guy who wanted to know where he was standing w/r/t his enterprise Software Security Initiative
• One tool (BSIMM) which can be used to answer a few SW Security questions
• Software Security
• Software Security Initiative / Program
• Software Security Domains / Practices / Activities

Why BSIMM?
• We are all doing "something" w/r/t SW Sec
• Are we doing the right things?
• What are other key players doing?
• How do we compare to others?
• How mature are we, really?
BSIMM (special thanks to Gary McGraw for the permission to use his original material)

BSIMM?
• A measuring stick for SW Security
• A descriptive model
• Software Security Framework
• 4 Domains
• 12 Practices
• 111 Activities
Lessons Learned
• How to be "BSIMMed"* concretely?
• Do it yourself ((CC) license)…
  – Risks: consistency, underestimate, overestimate
  + $ (as in saving)
• Mandate someone else
  – $ (as in it costs something)
  + Consistency, Official Report, Community, Experience (using Cigital, who performed the exercise 95+ times on 50+ firms)
• * BSIMMed: having the BSIMM assessment performed on your organization.

Lessons Learned
• What happens exactly?
• 5+ interviews with Heads / Directors
• Application Security / SSG
• Development
• Quality Assurance / Testing
• Architecture
• Operation / Incident Response
• Draft / Final Report (High Water Mark views, Scorecard, Practices & Activities worth investigating)

Summary
• BSIMM is not a methodology. It is a measurement tool.
• BSIMM can answer questions such as:
• Comparing a firm with its peers using the high water mark view
• Comparing business units (within a large org)
• Charting an SSI over time (longitudinal)
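The slides mention the high water mark view and the scorecard without showing how they are derived. The script below is an added example (my own code, not material from the talk, from Cigital or from the BSIMM documents): it takes a list of observed activities, derives the high water mark of each of the 12 practices (the highest level at which at least one activity was observed), lines the result up against a peer view, and flags practices where the mark rests on a high-level activity while lower levels have no observation at all, which is the "overestimate" risk of the do-it-yourself approach. The domain and practice codes follow the BSIMM software security framework; the activity IDs and the peer figures are constructed sample data, not real BSIMM4 observations.

```python
"""Added example (not from the talk or from BSIMM): how a BSIMM-style
"high water mark" per practice is derived from observed activities, and how
a firm's marks are lined up against a peer view.  The 12 practice codes and
the 1-3 activity levels follow the BSIMM software security framework; the
activity IDs and the peer figures below are constructed sample data."""
from collections import defaultdict

# The four BSIMM domains and their twelve practices (framework structure).
DOMAINS = {
    "Governance": ["SM", "CP", "T"],
    "Intelligence": ["AM", "SFD", "SR"],
    "SSDL Touchpoints": ["AA", "CR", "ST"],
    "Deployment": ["PT", "SE", "CMVM"],
}
PRACTICES = [p for practices in DOMAINS.values() for p in practices]

# Constructed sample: activities an assessor observed at a fictional firm.
# IDs use the BSIMM naming style (practice code, level, running number).
FIRM_OBSERVED = [
    "SM1.1", "SM1.4", "CP1.1", "T1.1", "AM1.2", "SFD1.1", "SR1.1",
    "AA1.1", "CR1.4", "CR3.2", "ST1.1", "PT1.1", "PT1.2", "SE1.1",
    "CMVM1.1", "CMVM2.1",
]

# Constructed sample: high water mark of a peer group, one value per practice.
PEER_HWM = {
    "SM": 2, "CP": 2, "T": 1, "AM": 1, "SFD": 2, "SR": 2,
    "AA": 1, "CR": 2, "ST": 1, "PT": 2, "SE": 1, "CMVM": 2,
}


def parse_activity(activity_id):
    """Split 'CR3.2' into ('CR', 3): the practice code and the activity level."""
    prefix = activity_id.split(".", 1)[0]
    practice = prefix.rstrip("0123456789")
    level = prefix[len(practice):]
    if practice not in PRACTICES or level not in ("1", "2", "3"):
        raise ValueError(f"not a recognised activity id: {activity_id!r}")
    return practice, int(level)


def high_water_mark(observed):
    """Highest level at which a practice has at least one observed activity
    (0 when nothing in the practice was observed)."""
    hwm = {p: 0 for p in PRACTICES}
    for activity_id in observed:
        practice, level = parse_activity(activity_id)
        hwm[practice] = max(hwm[practice], level)
    return hwm


def scorecard(observed, peer_hwm):
    """One row per practice: (domain, practice, firm HWM, peer HWM, difference)."""
    hwm = high_water_mark(observed)
    rows = []
    for domain, practices in DOMAINS.items():
        for p in practices:
            rows.append((domain, p, hwm[p], peer_hwm[p], hwm[p] - peer_hwm[p]))
    return rows


def skipped_levels(observed):
    """Practices whose HWM rests on a higher-level activity while a lower
    level has no observation at all.  This is why a bare HWM can overestimate
    maturity: one level-3 activity scores the practice as 3 even when the
    level-1 and level-2 foundations are missing."""
    seen = defaultdict(set)
    for activity_id in observed:
        practice, level = parse_activity(activity_id)
        seen[practice].add(level)
    result = {}
    for practice, levels in seen.items():
        missing = sorted(set(range(1, max(levels))) - levels)
        if missing:
            result[practice] = missing
    return result


if __name__ == "__main__":
    for domain, p, firm, peer, diff in scorecard(FIRM_OBSERVED, PEER_HWM):
        print(f"{domain:17} {p:5} firm={firm} peers={peer} diff={diff:+d}")
    print("levels skipped below the high water mark:", skipped_levels(FIRM_OBSERVED))
```

With the sample data, Code Review (CR) scores a high water mark of 3 and beats the peer figure, yet `skipped_levels` reports that no level-2 activity was observed there; that is exactly the kind of practice the report's "worth investigating" list should point at, rather than something to celebrate.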
Conclusion
• Use it to see where you stand
• Use it to figure out what your peers do
• BSIMM helps to create a data-driven strategic plan

References
• BSIMM4
• BSIMM website
About the author
• Simon Blanchet, CISSP, CSSLP, PMP
• Associate Director, Head of Application Security
• Simon Blanchet is an Associate Director and Head of Application Security in a Private Bank. He is responsible, with the help of his team of application security specialists, for ensuring the security of internally developed applications as well as the secure integration of commercial off-the-shelf applications within the banking information systems. Simon's team provides internal security-consulting expertise to project management, business and development staff. He and his team are responsible for all aspects of application security, including risk assessment, threat modeling, security testing and raising awareness about application security best practices.
• Simon Blanchet has been working professionally in the fields of Information Systems Security and Security Software Design & Development for the past 12 years. He started his career as a Software Developer and Development Team Leader (cryptographic and security-related software) in Montreal, Canada. Prior to moving into the Swiss Private Banking industry, Simon had the opportunity to contribute to the first version of the SDK implementing Stefan Brands' Digital Credentials, upon which Microsoft U-Prove is now built. Simon's career progressively evolved from seasoned security software developer to software security manager, combining a software developer background with a true passion for application security architecture, software security and software exploitation techniques. Simon likes to solve security-related problems at the crossroads of software development and IT Security.
• Simon holds a B.Sc. in Computer Science from Laval University in Canada. He is a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP) and a Project Management Professional (PMP).