Software Confidence. Achieved. March 2011 BSIMM: The Building Security In Maturity Model Gary McGraw, Ph.D. Chief Technology Officer, Cigital

© 2011 Cigital Inc. We hold these truths to be self-evident Software security is more than a set of security functions Not magic crypto fairy dust Not silver-bullet security mechanisms Non-functional aspects of design are essential Bugs and flaws are 50/50 Security is an emergent property of the entire system (just like quality) To end up with secure software, deep integration with the SDLC is necessary

© 2011 Cigital Inc. Real data from (33) real initiatives 60 measurements McGraw, Chess, & Migues BSIMM: Software Security Measurement PlexLogic

© 2011 Cigital Inc. 4 Intel + eleven unnamed firms 33 software security initiatives measured

© 2011 Cigital Inc. The magic 30 Since we have data from > 30 firms we can perform statistical analysis How good is the model? What activities correlate with what other activities? Do high maturity firms look the same? Etc We now have 33 firms (+ more underway) BSIMM (the nine) BSIMM Europe (nine in EU) BSIMM2 (30) some underway

© 2011 Cigital Inc. Building BSIMM (2009) Big idea: Build a maturity model from actual data gathered from 9 of ~60 known large-scale software security initiatives Create a software security framework Nine in-person executive interviews Build bullet lists (one per practice) Bucketize the lists to identify activities Create levels Objectives  Activities 109 activities supported by real data Three levels of “maturity” The model has been validated with data from > 30 firms

© 2011 Cigital Inc. Monkeys eat bananas BSIMM is not about good or bad ways to eat bananas or banana best practices BSIMM is about observations BSIMM is descriptive, not prescriptive 7

© 2011 Cigital Inc. Four domains Twelve practices See informIT article on BSIMM website A Software Security Framework

© 2011 Cigital Inc. Training practice skeleton

© 2011 Cigital Inc. Example activity [T1.3] Establish SSG office hours. The SSG offers help to any and all comers during an advertised lab period or regularly scheduled office hours. By acting as an informal resource for people who want to solve security problems, the SSG leverages teachable moments and emphasizes the carrot over the stick. Office hours might be held one afternoon per week in the office of a senior SSG member.

© 2011 Cigital Inc. 109 Activities 3 levels Top 15 things 66% cutoff 20 of 30 firms Yellow highlight BSIMM2 Scorecard

© 2011 Cigital Inc. BSIMM2 as a measuring stick Compare a firm with peers using the high water mark view Descriptive (not prescriptive)

© 2011 Cigital Inc. Top 15 things green = good? red = bad? “Blue shift” practices to emphasize activities you should maybe think about in brown BSIMM2 scorecard with firm data

© 2011 Cigital Inc. We are a special snowflake (NOT) ISV (7) results are similar to financial services (12) BSIMM Europe vs BSIMM US You do the same things You can demand the same results 14 11/19/2015

© 2011 Cigital Inc. BSIMM Community Events 22 firms gathered in Annapolis, MD Nov Talks by SSG leaders Workshop on efficiency and effectiveness Intense networking BSIMM mailing list High S/N ratio A BSIMM Community Mixer at RSA 2011 included New logo revealed Update on BSIMM3 BSIMM Longitudinal results Music and mixology 15 11/19/2015

© 2011 Cigital Inc. BSIMM2 to BSIMM3 BSIMM2 released April 2010 under creative commons Italian and German translations available BSIMM is a yardstick Use it to see where you stand Use it to figure out what your peers do BSIMM3 BSIMM Longitudinal (10) BSIMM3 (40)

© 2011 Cigital Inc. Get involved in the BSIMM Community See the Addison-Wesley Software Security series Send “ So now, when we face a choice between adding features and resolving security issues, we need to choose security.” -Bill Gates