Copyright © 2013, Cigital and/or its affiliates. All rights reserved.

BSIMM-V: THE BUILDING SECURITY IN MATURITY MODEL
Gary McGraw, Ph.D., Chief Technology Officer

Cigital
- Providing software security professional services since 1992
- World's premier software security consulting firm
  o 270 employees
  o Washington DC, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, Amsterdam, and London
- Recognized experts in software security
  o Widely published in books, white papers, and articles
  o Industry thought leaders

BSIMM basics

We Hold These Truths to be Self-evident
- Software security is more than a set of security functions
  o Not magic crypto fairy dust
  o Not silver-bullet security mechanisms
- Non-functional aspects of design are essential
- Bugs and flaws are 50/50 (implementation bugs vs. design flaws)
- Security is an emergent property of the entire system (just like quality)
- To end up with secure software, deep integration with the SDLC is necessary

2006: A Shift From Philosophy to HOW TO
Integrating best practices into large organizations' SDLC (that is, an SSDL):
  o Microsoft's SDL
  o Cigital's Touchpoints
  o OWASP CLASP

Prescriptive vs. Descriptive Models
Prescriptive models describe what you should do:
  o SAFECode
  o SAMM
  o SDL
  o Touchpoints
Descriptive models describe what is actually happening:
  o The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs
Every firm has a methodology they follow (often a hybrid). You need an SSDL.

BSIMM: Software Security Measurement
- Real data from 67 real initiatives
- 161 measurements
- 21 (4) measured over time
- McGraw, Migues, & West

67 Firms in the BSIMM-V Community
(slide of firm logos; Intel is the only name recovered from the slide)

Building BSIMM (2009)
Big idea: Build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives
  o Create a software security framework
  o Interview nine firms in person
  o Discover 110 activities through observation
  o Organize the activities in 3 levels
  o Build scorecard
The model has since been validated with data from 67 firms.
There is no special snowflake.

The Magic 30
Since we have data from more than 30 firms we can perform statistical analysis (Laurie Williams from NCSU is doing more of that now):
  o How good is the model?
  o What activities correlate with what other activities?
  o Do high maturity firms look the same?
We now have 67 firms with 161 distinct measurements:
  o BSIMM (the nine)
  o BSIMM Europe (nine in EU)
  o BSIMM2 (30)
  o BSIMM3 (42)
  o BSIMM4 (51)
  o BSIMM-V (67) (data freshness emphasized)

Monkeys Eat Bananas
- BSIMM is not about good or bad ways to eat bananas or banana best practices
- BSIMM is about observations
- BSIMM is descriptive, not prescriptive
- BSIMM describes and measures multiple prescriptive approaches

A Software Security Framework
- Four domains
- Twelve practices
- See the informIT article on the BSIMM website

Example Activity
[AA1.2] Perform design review for high-risk applications.
The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing architecture analysis and breaking the architecture being considered. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale.

NEW BSIMM-V Activity
[CMVM3.4] Operate a bug bounty program.
The organization solicits vulnerability reports from external researchers and pays a bounty for each verified and accepted vulnerability received. Payouts typically follow a sliding scale linked to multiple factors, such as vulnerability type (e.g., remote code execution is worth $10,000 versus CSRF is worth $750), exploitability (demonstrable exploits command much higher payouts), or specific services and software versions (widely-deployed or critical services warrant higher payouts). Ad hoc or short-duration activities, such as capture-the-flag contests, do not count.
[This is a new activity that will be reported on in BSIMM6.]

BSIMM-V measurements

Real-world Data (67 firms)
Initiative age
  o Average: 6 years
  o Newest: 0.4
  o Oldest: 18.1
  o Median: 5.3
SSG size
  o Average:
  o Smallest: 1
  o Largest: 100
  o Median: 7
Satellite size
  o Average: 29.6
  o Smallest: 0
  o Largest: 400
  o Median: 4
Dev size
  o Average: 4190
  o Smallest: 11
  o Largest: 30,000
  o Median: 1600
Average SSG size: 1.4% of dev group size

BSIMM-V Scorecard

Earth (67)

BSIMM-V as a measuring stick

BSIMM-V as a Measuring Stick
- Compare a firm with peers using the high water mark view
- Compare business units
- Chart an SSI over time
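The scorecard mechanics behind this slide (activities grouped in three levels per practice, the per-practice high water mark, comparison with a peer group such as "Earth", and change between two measurements of one firm), as an added Python example that is not part of the BSIMM-V deck. BSIMM has twelve practices; the five-practice subset and every activity ID other than AA1.2 and CMVM3.4 are constructed sample data.

```python
import re

# Activity IDs follow the BSIMM pattern <practice><level>.<index>, e.g. AA1.2,
# with three levels per practice. Everything but AA1.2 and CMVM3.4 below is
# constructed sample data, and PRACTICES is a subset of the model's twelve.
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")
PRACTICES = ("SM", "AA", "CR", "PT", "CMVM")

def parse_activity(activity_id):
    """Split 'AA1.2' into ('AA', 1); reject anything off-pattern."""
    m = ACTIVITY_RE.match(activity_id)
    if not m:
        raise ValueError(f"malformed activity id: {activity_id!r}")
    return m.group(1), int(m.group(2))

def high_water_marks(observed, practices=PRACTICES):
    """Per practice, the highest level with at least one observed activity (0 if none)."""
    marks = dict.fromkeys(practices, 0)
    for aid in set(observed):  # duplicates must not inflate anything
        practice, level = parse_activity(aid)
        if practice not in marks:
            raise ValueError(f"unknown practice in {aid!r}")
        marks[practice] = max(marks[practice], level)
    return marks

def peer_high_water_marks(peer_observations, practices=PRACTICES):
    """Average high-water mark per practice across a peer group (e.g. 'Earth')."""
    peer_marks = [high_water_marks(obs, practices) for obs in peer_observations]
    return {p: sum(m[p] for m in peer_marks) / len(peer_marks) for p in practices}

def gaps_to_peers(observed, peer_observations, practices=PRACTICES):
    """Practices where the firm's high-water mark is below the peer average."""
    firm = high_water_marks(observed, practices)
    peers = peer_high_water_marks(peer_observations, practices)
    return {p: round(peers[p] - firm[p], 2) for p in practices if firm[p] < peers[p]}

def activity_growth_pct(first, second):
    """Percent change in distinct activity count between two measurements of one firm."""
    before, after = len(set(first)), len(set(second))
    return round(100.0 * (after - before) / before, 1)

# Constructed sample data: one firm measured twice, plus a three-firm peer group.
FIRM_2011 = ["SM1.1", "AA1.2", "CR1.4", "PT1.1"]
FIRM_2013 = ["SM1.1", "SM2.1", "AA1.2", "AA2.1", "CR1.4", "PT1.1", "CMVM1.1", "CMVM3.4"]
PEERS = [
    ["SM1.1", "SM2.1", "SM3.1", "AA1.2", "CR1.4", "CR2.1", "PT1.1", "CMVM1.1"],
    ["SM1.1", "AA1.2", "AA2.1", "CR1.4", "PT1.1", "PT2.1", "CMVM1.1", "CMVM2.1"],
    ["SM1.1", "SM2.1", "AA1.2", "CR1.4", "CR2.1", "CR3.1", "PT1.1", "CMVM1.1"],
]
```

Calling `gaps_to_peers(FIRM_2013, PEERS)` flags the practices where the firm trails its peer group, which is exactly what the "blue shift" reading of the scorecard on the next slide is meant to surface.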

BSIMM-V Scorecard with FAKE Firm Data
- Top 12 activities
  o purple = good?
  o red = bad?
- "Blue shift" practices to emphasize

comparing groups of firms

We Are a Special Snowflake (NOT)
ISV (25) results are similar to financial services (26)

BSIMM Longitudinal: Improvement over Time
- 21 firms measured twice (an average of 24 months apart)
- Shows how firms improve
  o An average 16% increase in activities

BSIMM by the Numbers

The BSIMM Community
BSIMM Conferences
  o 2010: Annapolis, MD
  o 2011: Stevenson, WA
  o 2012: Galloway, NJ
  o 2013: Dulles, VA
BSIMM EU Conferences
  o 2012: Amsterdam
  o 2013: London
  o 2014: Ghent
BSIMM RSA Mixers
  o 2010, 2011, 2012, 2013, 2014: RSA
BSIMM mailing list
  o Moderated
  o High S/N ratio
BSIMM Community Conference 2014: November in San Diego

BSIMM-V to BSIMM6
- BSIMM-V released October 2013 under Creative Commons
  o Italian, German, and Spanish translations available
- BSIMM is a yardstick
  o Use it to see where you stand
  o Use it to figure out what your peers do
- BSIMM-V → BSIMM6
  o BSIMM is growing
  o Goal = 100 firms

where to learn more

SearchSecurity + Justice League
- SearchSecurity: no-nonsense monthly security column by Gary McGraw
- Justice League: in-depth thought leadership blog from the Cigital Principals
  o Gary McGraw
  o Sammy Migues
  o John Steven
  o Scott Matsumoto
  o Paco Hope
  o Jim DelGrosso

Silver Bullet + IEEE Security & Privacy
- Building Security In / Software Security Best Practices column

The Book
How to DO software security:
  o Best practices
  o Tools
  o Knowledge
Cornerstone of the Addison-Wesley Software Security Series

Build Security In
WE NEED MORE BSIMM FIRMS
- Read the Addison-Wesley Software Security series
- Send