Secure Coding 201
Presented by Rob Carver
Bugs and Flaws
Bugs: software defects that result from the written code.
Flaws: defects in design, at the level of the software architecture, the integration architecture and the infrastructure architecture.
Threat & Vulnerability Management
Secure Software Development Lifecycle (SSDLC)
Secure Software Development Lifecycle (SSDLC)
[Chart: SDLC phases (Plan, Code, Build, Test, Release, PenTest) against the percentage of bugs and flaws introduced in each phase, the percentage found in each phase, and the cost to repair a bug in each phase; values shown on the chart: 85%, $25, $100, $250, $1,000, $16,000. SCR = Secure Code Review.]
Everyone wants to create more secure software, but:
- developers aren't security experts, and
- security teams find flaws too late in the SDLC.
Secure Code Review (SCR) helps developers find and fix software security defects early in the SDLC.
* Integrating corrective action into the developer's native environment is key (today).
Actionable guidance for fixing security bugs
- Not only finds problems, but shows the right way to fix them.
- Contextual: guidance and examples specific to the programming language.
- Customizable: incorporate company-specific custom rules.
- Validated: guidance based on real-world security experience.
- Just-in-time analysis: contextual and actionable guidance, with error detection as the developer codes.
Source Code Review and Organization Specific Metrics
Open vulnerability counts by severity level: Prod (95 apps) vs. Pre-Prod (77 apps)
- Level 5, Critical: Prod 52, Pre-Prod 17. Attacker can assume remote root or remote administrator roles. Exposes the entire host to the attacker: backend database, personally identifiable records, credit card data. Full read and write access, remote execution of commands.
- Level 4, High: Prod 63, Pre-Prod 110. Attacker can assume a remote user role only, not root or admin. Exposes internal IP addresses and source code. Partial file-system access (full read access without full write access).
- Level 3, Medium: Prod 94, Pre-Prod 71. Exposes security settings, software distributions and versions, database names.
- Level 2, Low: Prod 60, Pre-Prod 53. Exposes precise versions of applications. Sensitive configuration information may be used to research potential attacks against the host.
- Level 1, Note: no counts reported (---). General information may be exposed to attackers, such as developer comments.
Application Vulnerability Trending
Software Security Training for Every Role
Software Security Satellite Training Program
Certification level progression: Yellow Belt, Green Belt, Brown Belt, Black Belt.
Program components: eLearning (CBT), Advanced Training (ILT), Activity, Advanced Practices.
- Yellow Belt. eLearning (CBT): Foundations of Software Security; OWASP Top 10. Activity: Static Analysis Application On-Boarding (1 app).
- Green Belt. Defensive Programming (for the relevant language); Software Security Requirements; Attack & Defense; Threat Modeling; Security Testing. Advanced Training (ILT): Defensive Programming ILT; Threat Modeling ILT.
- Brown Belt. Contribute to Threat Models.
- Black Belt. Advanced Practices: Serve on standards; Build re-usable IP to prevent risk; Teach and influence peers.
- Further activity: Implement static analysis coverage enhancements.
Combining CBT, ILT, and practice adoption within a progressive program is an effective implementation strategy.
BSIMM: Software Security Measurement
- Real data from 78 real initiatives
- 161 measurements
- 21 (4) over time
- McGraw, Migues, & West
Who gets measured by the BSIMM?
A Software Security Framework
BSIMM: A Software Security Framework
BSIMM: Measurement is Benchmarking
Earth (78)
BSIMM6 Score Distribution
No Special Snowflakes!
BSIMM by the Numbers
The Vendor BSIMM (vBSIMM)
Questions?