OWASP Geneva Chapter, May 7th 2013
BSIMM: Measuring Software Security Initiative Maturity
Simon Blanchet, CISSP, CSSLP, PMP, Head of Application Security
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2 Agenda
Who am I?
What is this talk all about?
Why talk about BSIMM?
BSIMM4
Lessons learned and take-aways
Conclusion

3 Who Am I?
 Head of Application Security in a private bank
 CISSP, CSSLP, PMP
 Where I'm coming from:
 Computer science
 Security software designer
 Software security manager
 I'm managing an SSG (software security group) that applies a risk-based approach to ensure that our organization is:
 Building secure software
 Acquiring and integrating vendors' software securely
 Securely modifying legacy software without compromising the security of the whole banking information system

4 What is this talk all about?
The story of a guy who wanted to know where he was standing with respect to his enterprise's Software Security Initiative.
One tool (BSIMM) which can be used to answer a few software security questions.
Software Security
Software Security Initiative / Program
Software Security Domains / Practices / Activities

5 Why BSIMM?
We are all doing "something" with respect to software security.
Are we doing the right things?
What are other key players doing?
How do we compare to others?
How mature are we, really?

BSIMM (special thanks to Gary McGraw for the permission to use his original material)

7 BSIMM?
A measuring stick for software security
A descriptive model
Software Security Framework: 4 domains, 12 practices, 111 activities

Take-Aways, Summary & Conclusion

9 Lessons Learned
How to be "BSIMMed" * concretely?
1. Do it yourself (the model is published under a Creative Commons (CC) license)
   - Risks: consistency, underestimating, overestimating
   + $ (as in saving)
2. Mandate someone else
   - $ (as in it costs something)
   + Consistency, official report, community, experience (using Cigital, who performed the exercise 95+ times on 50+ firms)
* BSIMMed: having the BSIMM assessment performed on your organization.

10 Lessons Learned
What happens exactly?
5+ interviews with heads / directors of:
Application Security / SSG
Development
Quality Assurance / Testing
Architecture
Operations / Incident Response
Draft and final report (high water mark views, scorecard, practices and activities worth investigating)

11 Summary
BSIMM is not a methodology. It is a measurement tool.
BSIMM can answer questions such as:
Compare a firm with its peers using the high water mark view
Compare business units (within a large organization)
Chart an SSI over time (longitudinal)
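Slides 10 and 11 mention the scorecard, the high water mark view, peer comparison and the longitudinal view without showing how the numbers are produced. The following is an added example, not material from the talk or from BSIMM/Cigital: it models a scorecard as the set of activities observed at a firm, derives the high water mark per practice (the highest activity level observed in that practice), and then compares against a constructed peer set and across successive assessments. The four practice names are BSIMM practice names; the activity identifiers, their levels and every observed set below are constructed stand-ins for the real 111 activities.

```python
"""BSIMM-style scorecard -> high water mark view, peer comparison, longitudinal view.

Added example for illustration; practice names follow BSIMM, everything else
(activity ids, levels, observed scorecards) is constructed sample data.
"""

# Constructed catalogue: activity id -> (practice, maturity level 1..3).
# The real BSIMM catalogue has 12 practices and 111 activities; this is a stand-in.
CATALOGUE = {
    "SM-a": ("Strategy & Metrics", 1), "SM-b": ("Strategy & Metrics", 2), "SM-c": ("Strategy & Metrics", 3),
    "CR-a": ("Code Review", 1),        "CR-b": ("Code Review", 2),        "CR-c": ("Code Review", 3),
    "ST-a": ("Security Testing", 1),   "ST-b": ("Security Testing", 2),   "ST-c": ("Security Testing", 3),
    "PT-a": ("Penetration Testing", 1), "PT-b": ("Penetration Testing", 2), "PT-c": ("Penetration Testing", 3),
}
# Practice order as first seen in the catalogue (dict.fromkeys keeps insertion order).
PRACTICES = list(dict.fromkeys(practice for practice, _ in CATALOGUE.values()))


def high_water_mark(observed):
    """High water mark per practice: the highest level of any observed activity.

    Note the caveat built into this view: a single level-3 activity yields a 3
    even if the level-1 and level-2 activities of that practice are absent, so
    the HWM says nothing about breadth; see coverage() for that.
    An unknown activity id raises KeyError on purpose: a scorecard must
    reference the catalogue it was assessed against.
    """
    hwm = {practice: 0 for practice in PRACTICES}
    for activity in observed:
        practice, level = CATALOGUE[activity]
        hwm[practice] = max(hwm[practice], level)
    return hwm


def coverage(observed):
    """Fraction of catalogue activities observed in each practice (breadth, not height)."""
    totals = {practice: 0 for practice in PRACTICES}
    seen = {practice: 0 for practice in PRACTICES}
    for activity, (practice, _) in CATALOGUE.items():
        totals[practice] += 1
        if activity in observed:
            seen[practice] += 1
    return {practice: seen[practice] / totals[practice] for practice in PRACTICES}


def compare_to_peers(firm_hwm, peer_hwms):
    """Per practice: (firm HWM, peer average HWM, firm minus peers), rounded to 2 places."""
    result = {}
    for practice in PRACTICES:
        peer_avg = sum(peer[practice] for peer in peer_hwms) / len(peer_hwms)
        result[practice] = (firm_hwm[practice], round(peer_avg, 2), round(firm_hwm[practice] - peer_avg, 2))
    return result


def longitudinal(assessments):
    """Chart an SSI over time.

    assessments: list of (label, observed activities) in chronological order.
    Returns the per-practice HWM series and the (label, practice) pairs where the
    HWM dropped relative to the previous assessment, i.e. activities that stopped.
    """
    series = {practice: [] for practice in PRACTICES}
    regressions = []
    previous = None
    for label, observed in assessments:
        hwm = high_water_mark(observed)
        for practice in PRACTICES:
            series[practice].append(hwm[practice])
            if previous is not None and hwm[practice] < previous[practice]:
                regressions.append((label, practice))
        previous = hwm
    return series, regressions


# Constructed scorecards: one firm assessed three times, and three anonymous peers.
FIRM_2012 = {"SM-a", "CR-a", "ST-a", "PT-a", "PT-b"}
FIRM_2013 = {"SM-a", "SM-b", "CR-a", "CR-b", "ST-a", "PT-a", "PT-b"}
FIRM_2014 = {"SM-a", "SM-b", "CR-a", "CR-b", "ST-a", "PT-a"}          # pentesting scaled back
PEERS = [
    {"SM-a", "SM-b", "CR-a", "ST-a", "ST-b", "PT-a", "PT-b", "PT-c"},
    {"SM-a", "CR-a", "CR-b", "CR-c", "ST-a", "PT-a"},
    {"SM-a", "SM-b", "SM-c", "CR-a", "ST-a", "ST-b", "PT-a", "PT-b"},
]

if __name__ == "__main__":
    firm = high_water_mark(FIRM_2013)
    for practice, (mine, peers, delta) in compare_to_peers(firm, [high_water_mark(p) for p in PEERS]).items():
        print(f"{practice:22s} firm={mine} peers={peers:.2f} delta={delta:+.2f} coverage={coverage(FIRM_2013)[practice]:.0%}")
    series, regressions = longitudinal([("2012", FIRM_2012), ("2013", FIRM_2013), ("2014", FIRM_2014)])
    print(series)
    print("regressions:", regressions)
```

The delta column is the "how do we compare to others?" question from slide 5 in numeric form, and the regressions list is what a longitudinal view is for: an activity that quietly stops (here the constructed level-2 pentest activity in 2014) shows up as a drop even though the rest of the scorecard is unchanged. The coverage column is the check a practitioner wants next to any high water mark, since the HWM alone cannot distinguish a practice that is broadly adopted from one with a single high-level activity.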

12 Conclusion
Use it to see where you stand.
Use it to figure out what your peers do.
BSIMM helps to create a data-driven strategic plan.

13 Questions?

14 References
BSIMM4
BSIMM website

15 About the author
Simon Blanchet, CISSP, CSSLP, PMP
Associate Director, Head of Application Security

Simon Blanchet is an Associate Director and Head of Application Security in a private bank. He is responsible, with the help of his team of application security specialists, for ensuring the security of internally developed applications as well as the secure integration of commercial off-the-shelf applications within the banking information systems. Simon's team provides internal security-consulting expertise to project management, business and development staff. He and his team are responsible for all aspects of application security, including risk assessment, threat modeling, security testing and raising awareness about application security best practices.

Simon Blanchet has been working professionally in the fields of information systems security and security software design and development for the past 12 years. He started his career as a software developer and development team leader (cryptographic and security-related software) in Montreal, Canada. Prior to moving into the Swiss private banking industry, Simon had the opportunity to contribute to the first version of the SDK implementing Stefan Brands' Digital Credentials, on which Microsoft U-Prove is now built. Simon's career progressively evolved from being a seasoned security software developer to managing software security, combining a software developer background with a true passion for application security architecture, software security and software exploitation techniques. Simon likes to solve security-related problems at the crossroads of software development and IT security.

Simon holds a B.Sc. in Computer Science from Laval University in Canada. He is a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP) and a Project Management Professional (PMP).