Software Security Maturity in Public Organisations
Martin Gilje Jaatun, Daniela S. Cruzes, Karin Bernsmed, Inger Anne Tøndel, and Lillian Røstad, SINTEF ICT

Presentation transcript:

What did we do?
- Questionnaire to 32 Norwegian public-owned (municipalities, government) organisations assumed to do internal development
- 20 responded (62.5 %)
- Based on the Building Security In Maturity Model (BSIMM) activities

What is this BSIMM thing?
- A study of 67 software development organisations and their software security activities
- A framework that describes the various activities that are performed by a majority of the organisations covered
- The concept Software Security Group is central: those tasked with following up software security in an organisation

BSIMM Software Security Framework (domain: practices)
- Governance: Strategy and Metrics; Compliance and Policy; Training
- Intelligence: Attack Models; Security Features and Design; Standards and Requirements
- SSDL Touchpoints: Architecture Analysis; Code Review; Security Testing
- Deployment: Penetration Testing; Software Environment; Configuration Management and Vulnerability Management

Who answered the questionnaire?
For some organisations, multiple people were involved. Roles:
- IT director
- Head, Development department
- Head of IT operations
- Section manager IT
- Section manager development
- Group manager
- IT manager
- Development manager
- Solution architect
- Chief architect
- System developer
- IT advisor
- Security manager
- Information security manager
- Security architect
- Information security consultant
- Security analyst
- Security advisor
- Senior engineer
- Senior advisor

Questionnaire and follow-up
- General background information: position, number of developers, fraction of contractors, whether they contract for turnkey software solutions
- Concrete questions about which of the 112 BSIMM activities they perform on a regular basis (Yes / No / Don't know)
- Follow-up interviews by telephone or teleconferencing solution; the latter allowed live sharing of the filled-out questionnaire

Data analysis & maturity measurements
- Conservative maturity (0-3): an organisation gets a maturity level only if all activities on this and lower levels are fulfilled ("Yes")
- Weighted maturity (0-6)
- High watermark maturity (0-3): same as BSIMM spider charts; if at least one activity on level 3 is fulfilled, you get 3 (etc.)

Example for imaginary organisation (figure slide)

Example, cont. (figure slide)
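The slides' worked example for an imaginary organisation is a figure that did not survive in the transcript. As an added illustration, not the study's own code, here is a Python calculation of the three measures for one practice from constructed Yes/No/Don't know answers; the weighted-maturity formula is an assumption, since the slide only gives its 0-6 range.

```python
from typing import Dict, List

# Constructed sample answers for one practice, grouped by BSIMM activity level.
# Activity names are hypothetical placeholders, not real BSIMM activity IDs.
SAMPLE_PRACTICE: Dict[int, Dict[str, str]] = {
    1: {"level1-a": "Yes", "level1-b": "Yes", "level1-c": "Don't know"},
    2: {"level2-a": "Yes", "level2-b": "No"},
    3: {"level3-a": "Yes"},
}


def _done(activities: Dict[str, str]) -> List[bool]:
    # Only an explicit "Yes" counts as fulfilled; "No" and "Don't know" do not.
    return [answer == "Yes" for answer in activities.values()]


def conservative_maturity(practice: Dict[int, Dict[str, str]]) -> int:
    """Level n is reached only if every activity on levels 1..n is 'Yes' (0-3)."""
    level = 0
    for lvl in sorted(practice):
        # Stop at the first gap or at the first level with an unfulfilled activity.
        if lvl != level + 1 or not practice[lvl] or not all(_done(practice[lvl])):
            break
        level = lvl
    return level


def high_watermark_maturity(practice: Dict[int, Dict[str, str]]) -> int:
    """Highest level with at least one 'Yes', as in BSIMM spider charts (0-3)."""
    return max((lvl for lvl, acts in practice.items() if any(_done(acts))), default=0)


def weighted_maturity(practice: Dict[int, Dict[str, str]]) -> float:
    """Assumed formula (the slide gives only the 0-6 range): sum over levels of
    level x fraction of 'Yes' answers at that level, so a full score is 1+2+3 = 6."""
    total = 0.0
    for lvl, acts in practice.items():
        if acts:
            total += lvl * sum(_done(acts)) / len(acts)
    return round(total, 2)


if __name__ == "__main__":
    # Sample: level 1 not fully fulfilled, so conservative = 0, but a level-3
    # activity is done, so high watermark = 3; weighted = 2/3 + 1 + 3 = 4.67.
    print(conservative_maturity(SAMPLE_PRACTICE),
          weighted_maturity(SAMPLE_PRACTICE),
          high_watermark_maturity(SAMPLE_PRACTICE))
```

The sample shows why the slide warns about the measures: one "Don't know" on level 1 drops the conservative score to 0 while the high watermark still reports 3.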

Distribution of number of activities (figure slide)

High-level averages (figure slide). Caution!

The most common activities (figure slide)

Conservative maturity for "top 3" (figure slide)

Selected practices (domain: practices)
- Governance: Strategy and Metrics; Compliance and Policy; Training
- Intelligence: Attack Models; Security Features and Design; Standards and Requirements
- SSDL Touchpoints: Architecture Analysis; Code Review; Security Testing
- Deployment: Penetration Testing; Software Environment; Configuration Management and Vulnerability Management

Strategy and Metrics
- Transparency of expectations and accountability of results
- Management buy-in
- One of the practices with lowest maturity
Quotes from respondents:
"Risk analysis is performed in the projects, but not for security"
"The regime worked well as long as we were doing waterfall, but more tricky with agile"
"High-level security risk analysis [ … ] is not so useful in the development process"

Compliance and policy
- Compliance with rules and regulation
- Generate artefacts for audit
- Highest maturity on all metrics
Quote from a respondent:
"We have many lawyers, and as an organisation we have many policies and regulations ensuring we cover compliance. Unsure how this affects the coding, though"

Penetration testing
- Quality control
- Discover security defects
- At least half do the first two activities on level 1, but generally low maturity
Quote from a respondent:
"Initiatives to do pentest come [ … ] from the network side. Testing is not done specifically of internally developed code or projects, but broader"

Software environment
- Change management
- Organisations have faith in their own level of host & network security
- Important to remember that network security is in general more mature than software security

Summary
- What software security activities do vendors do?
- Could be a long distance from legal expertise to developers
- Different cultures between infrastructure and development
- Good that developers check each other's code, but do they have the required software security skills?
- Security managers are sent on training, not developers
- Enterprise risk analysis not seen as relevant to development
- Too little testing on security

Could we do better?

Questions? twitter.com/SINTEF_Infosec