
BSIMM-V

BSIMM-V. The Building Security In Maturity Model. Gary McGraw, Ph.D., Chief Technology Officer, Cigital. Providing software security professional services since 1992; world’s premier software security consulting firm; 270 employees.





Presentation Transcript


  1. BSIMM-V The Building Security In Maturity Model Gary McGraw, Ph.D. Chief Technology Officer

  2. Cigital • Providing software security professional services since 1992 • World’s premier software security consulting firm • 270 employees • Washington DC, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, Amsterdam, and London • Recognized experts in software security • Widely published in books, white papers, and articles • Industry thought leaders

  3. BSIMM basics

  4. We Hold These Truths to be Self-evident • Software security is more than a set of security functions • Not magic crypto fairy dust • Not silver-bullet security mechanisms • Non-functional aspects of design are essential • Bugs and flaws are 50/50 • Security is an emergent property of the entire system (just like quality) • To end up with secure software, deep integration with the SDLC is necessary

  5. 2006: A Shift From Philosophy to HOW TO • Integrating best practices into large organizations’ SDLC (that is, an SSDL) • Microsoft’s SDL • Cigital’s Touchpoints • OWASP CLASP

  6. Prescriptive vs. Descriptive Models
  Prescriptive Models
  • Prescriptive models describe what you should do
  • SAFECode
  • SAMM
  • SDL
  • Touchpoints
  • Every firm has a methodology they follow (often a hybrid)
  • You need an SSDL
  Descriptive Models
  • Descriptive models describe what is actually happening
  • The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs

  7. BSIMM: Software Security Measurement • Real data from (67) real initiatives • 161 measurements • 21 (4) over time • McGraw, Migues, & West

  8. 67 Firms in the BSIMM-V Community Intel

  9. Building BSIMM (2009) • Big idea: Build a maturity model from actual data gathered from 9 well known large-scale software security initiatives • Create a software security framework • Interview nine firms in-person • Discover 110 activities through observation • Organize the activities in 3 levels • Build scorecard • The model has been validated with data from 67 firms • There is no special snowflake

  10. The Magic 30
  • Since we have data from > 30 firms we can perform statistical analysis (Laurie Williams from NCSU is doing more of that now)
    • How good is the model?
    • What activities correlate with what other activities?
    • Do high maturity firms look the same?
  • We now have 67 firms with 161 distinct measurements
    • BSIMM (the nine)
    • BSIMM Europe (nine in EU)
    • BSIMM2 (30)
    • BSIMM3 (42)
    • BSIMM4 (51)
    • BSIMM-V (67) ← data freshness emphasized

  11. Monkeys Eat Bananas • BSIMM is not about good or bad ways to eat bananas or banana best practices • BSIMM is about observations • BSIMM is descriptive, not prescriptive • BSIMM describes and measures multiple prescriptive approaches

  12. A Software Security Framework • Four domains • Twelve practices • See informIT article on BSIMM website http://bsimm.com

  13. Example Activity [AA1.2] Perform design review for high-risk applications. The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing architecture analysis and breaking the architecture being considered. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale.

  14. NEW BSIMM-V Activity [CMVM3.4] Operate a bug bounty program. The organization solicits vulnerability reports from external researchers and pays a bounty for each verified and accepted vulnerability received. Payouts typically follow a sliding scale linked to multiple factors, such as vulnerability type (e.g., remote code execution is worth $10,000 versus CSRF is worth $750), exploitability (demonstrable exploits command much higher payouts), or specific services and software versions (widely-deployed or critical services warrant higher payouts). Ad hoc or short-duration activities, such as capture-the-flag contests, do not count. [This is a new activity that will be reported on in BSIMM6.]

  15. BSIMM-V measurements

  16. Real-world Data (67 firms)
  • Satellite size
    • Average: 29.6
    • Smallest: 0
    • Largest: 400
    • Median: 4
  • Dev size
    • Average: 4190
    • Smallest: 11
    • Largest: 30,000
    • Median: 1600
  • Initiative age
    • Average: 6 years
    • Newest: 0.4
    • Oldest: 18.1
    • Median: 5.3
  • SSG size
    • Average: 14.78
    • Smallest: 1
    • Largest: 100
    • Median: 7
  Average SSG size: 1.4% of dev group size

  17. BSIMM-V Scorecard

  18. Earth (67)

  19. BSIMM-V as a measuring stick

  20. BSIMM-V as a Measuring Stick • Compare a firm with peers using the high water mark view • Compare business units • Chart an SSI over time

  21. BSIMM-V Scorecard with FAKE Firm Data • Top 12 activities • purple = good? • red = bad? • “Blue shift” practices to emphasize
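The high water mark view used on slides 20 and 21 can be computed directly from a firm's observed activity IDs. This is an added illustration, not code from the deck or from BSIMM's own tooling; it assumes the standard BSIMM practice abbreviations (only AA and CMVM appear in the deck) and uses constructed sample activity sets rather than real measurements.

```python
import re
from statistics import mean

# BSIMM activity IDs have the form <practice><level>.<n>, e.g. AA1.2 or CMVM3.4.
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")

# Twelve practices in four domains (AA and CMVM appear in the deck; the rest are
# BSIMM's standard practice abbreviations).
DOMAINS = {
    "Governance": ["SM", "CP", "T"],
    "Intelligence": ["AM", "SFD", "SR"],
    "SSDL Touchpoints": ["AA", "CR", "ST"],
    "Deployment": ["PT", "SE", "CMVM"],
}
PRACTICES = [p for codes in DOMAINS.values() for p in codes]

def parse_activity(activity_id):
    """Split 'CMVM3.4' into ('CMVM', 3); reject anything that is not a BSIMM id."""
    m = ACTIVITY_RE.match(activity_id)
    if not m or m.group(1) not in PRACTICES:
        raise ValueError(f"not a BSIMM activity id: {activity_id!r}")
    return m.group(1), int(m.group(2))

def high_water_mark(observed):
    """Per practice, the highest level at which any activity was observed (0 = none)."""
    hwm = {p: 0 for p in PRACTICES}
    for activity_id in observed:
        practice, level = parse_activity(activity_id)
        hwm[practice] = max(hwm[practice], level)
    return hwm

def compare_to_peers(firm, peers):
    """practice -> (firm HWM, peer-average HWM, gap); a negative gap marks a practice to emphasize."""
    firm_hwm = high_water_mark(firm)
    peer_hwms = [high_water_mark(p) for p in peers]
    result = {}
    for p in PRACTICES:
        peer_avg = mean(h[p] for h in peer_hwms)
        result[p] = (firm_hwm[p], round(peer_avg, 2), round(firm_hwm[p] - peer_avg, 2))
    return result

# Constructed sample data (not real BSIMM measurements): one firm and three peers.
FIRM = ["SM1.1", "AA1.2", "AA2.1", "CR1.4", "ST1.1", "PT1.1", "CMVM1.1", "CMVM3.4"]
PEERS = [
    ["SM1.1", "SM2.1", "CP1.1", "T1.1", "AA1.2", "CR1.4", "ST1.1", "PT1.1", "SE1.2", "CMVM1.1"],
    ["SM1.1", "CP1.1", "AM1.2", "SR1.1", "AA1.2", "AA3.1", "CR2.1", "ST2.1", "PT2.2", "CMVM2.1"],
    ["SM3.1", "CP2.1", "T1.1", "AM2.1", "SFD1.1", "AA1.2", "CR1.4", "ST1.1", "PT1.1", "SE1.2", "CMVM1.1"],
]
```

Calling `compare_to_peers(FIRM, PEERS)` gives the per-practice numbers behind a spider chart; practices with a negative gap are the ones a firm would choose to emphasize.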

  22. comparing groups of firms

  23. We Are a Special Snowflake (NOT) ISV (25) results are similar to financial services (26)

  24. BSIMM Longitudinal: Improvement over Time • 21 firms measured twice (an average of 24 months apart) • Show how firms improve • An average of 16% activity increase

  25. BSIMM by the Numbers

  26. The BSIMM Community
  BSIMM RSA Mixers
  • 2010: RSA
  • 2011: RSA
  • 2012: RSA
  • 2013: RSA
  • 2014: RSA
  BSIMM mailing list
  • Moderated
  • High S/N ratio
  BSIMM Community Conference 2014
  • November in San Diego
  BSIMM Conferences
  • 2010: Annapolis, MD
  • 2011: Stevenson, WA
  • 2012: Galloway, NJ
  • 2013: Dulles, VA
  BSIMM EU Conferences
  • 2012: Amsterdam
  • 2013: London
  • 2014: Ghent

  27. BSIMM-V to BSIMM6 • BSIMM-V released October 2013 under creative commons • http://bsimm.com • Italian, German, and Spanish translations available • BSIMM is a yardstick • Use it to see where you stand • Use it to figure out what your peers do • BSIMM-V→BSIMM6 • BSIMM is growing • Goal = 100 firms

  28. where to learn more

  29. SearchSecurity + Justice League
  www.cigital.com/justiceleague
  In-depth thought leadership blog from the Cigital Principals
  • Gary McGraw
  • Sammy Migues
  • John Steven
  • Scott Matsumoto
  • Paco Hope
  • Jim DelGrosso
  www.searchsecurity.com
  No-nonsense monthly security column by Gary McGraw
  www.cigital.com/~gem/writing

  30. Silver Bullet + IEEE Security & Privacy www.cigital.com/silverbullet Building Security In Software Security Best Practices column www.computer.org/security/bsisub/

  31. The Book How to DO software security • Best practices • Tools • Knowledge Cornerstone of the Addison-Wesley Software Security Series www.swsec.com

  32. Build Security In WE NEED MORE BSIMM FIRMS Read the Addison-Wesley Software Security series Send e-mail: gem@cigital.com
