The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP Geneva Chapter May 7 th 2013 BSIMM Measuring Software Security Initiative Maturity Simon Blanchet, CISSP, CSSLP, PMP Head of Application Security

2 Agenda Who Am I? What is this talk all about? Why talking about BSIMM? BSIMM4 Lessons learned & take-aways Conclusion

3 Who Am I?  Head of Application Security in a Private Bank  CISSP, CSSLP, PMP  Where I’m coming from?  Computer Science  Security Software Designer  Software Security Manager  I’m managing a SSG applying a Risk-Based approach to ensure that our organization is  Building Secure Software  Acquiring & Integrating Securely Vendors’ Software  Securely Modifying legacy Software without compromising the Security of the whole Banking Information System

4 What is this talk all about? The story of a guy who wanted to know where he was standing w/r/t his enterprise Software Security Initiative One tool (BSIMM) which can be used to answer few SW Security questions Software Security Software Security Initiative / Program Software Security Domains / Practices / Activities

5 Why BSIMM? We are all doing “something” w/r/t SW Sec Are we doing the right things? What other key players are doing? How do we compare to others? How really mature are we?

BSIMM BSIMM (special thanks to Gary McGraw for the permission to use his original material)

7 BSIMM? A measuring stick for SW Security A descriptive model Software Security Framework 4 Domains 12 Practices 111 Activities

Take-Aways, Summary & Conclusion

9 Lessons Learned How to be “BSIMMed” * concretely? 1. Do it yourself ((CC) license)… -  Risks: consistency, underestimate, overestimate, +  $ (as in saving) 2. Mandate someone else -  $ (as in it cost something) +  Consistency, Official Report, Community, Experience (using Cigital who performed the exercise more than 95+ times on 50+ firms)Cigital * BSIMMed  Having the BSIMM assessment performed on your organization.

10 Lessons Learned What happen exactly? 5+ interviews with Heads / Directors Application Security / SSG Development Quality Assurance / Testing Architecture Operation / Incident Response Draft / Final Report (High Water Mark views, Scorecard, Practices & Activities worth investigating)

11 Summary BSIMM is not a methodology. It is a measurement tool. BSIMM can answer questions about: Compare a firm with peers using the high water mark view Compare business units (within a large org) Chart an SSI over time (longitudinal)

12 Conclusion Use it to see where you stand Use it to figure out what your peers do BSIMM helps to create a data-driven strategic plan

13 Questions?

14 References BSIMM4 BSIMM website

15 About the author Simon Blanchet, CISSP, CSSLP, PMP Associate Director, Head of Application Security Simon Blanchet is an Associate Director and Head of Application Security in a Private Bank. He is responsible, with the help of his team of application security specialists, for ensuring the security of internally developed applications as well as the secure integration of commercial off-the-shelf applications within the banking information systems. Simon's team provides internal security-consulting expertise to project management, business and development staff. He and his team are responsible for all aspects of application security including risk assessment, threat modeling, security testing and raising awareness about application security best practices. Simon Blanchet has been professionally working in the fields of Information Systems Security and Security Software Design & Development for the past 12 years. He started his career as a Software Developer and Development Team Leader (cryptographic & security related software) in Montreal, Canada. Prior to moving into the Swiss Private Banking industry, Simon had the opportunity to contribute to the first version of the SDK implementing Stefan Brands' Digital Credential upon which is now built Microsoft U-Prove. Simon's career progressively evolved from being a seasoned security software developer to managing software security, combining a software developer background with a true passion for application security architecture, software security and software exploitation techniques. Simon likes to solve security related problems at the crossroads of software development and IT Security. Simon holds a B.Sc. in Computer Science from Laval University in Canada. He is a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP) and a Project Management Professional (PMP).