Presentation is loading. Please wait.

Presentation is loading. Please wait.

SINTEF ICT Martin Gilje Jaatun, Daniela S. Cruzes, Karin Bernsmed, Inger Anne Tøndel, and Lillian Røstad 1 Software Security Maturity in Public Organisations.

Published byMervin Cain Modified over 9 years ago

Similar presentations

Presentation on theme: "SINTEF ICT Martin Gilje Jaatun, Daniela S. Cruzes, Karin Bernsmed, Inger Anne Tøndel, and Lillian Røstad 1 Software Security Maturity in Public Organisations."— Presentation transcript:

1 SINTEF ICT Martin Gilje Jaatun, Daniela S. Cruzes, Karin Bernsmed, Inger Anne Tøndel, and Lillian Røstad 1 Software Security Maturity in Public Organisations @seniorfrosk

2 SINTEF ICT Questionnaire to 32 Norwegian public-owned (municipalities, government) organisations Assumed to do internal development 20 responded (62,5 %) Based on the Building Security In Maturity Model (BSIMM) activities https://www.bsimm.com/ 2 What did we do?

3 SINTEF ICT A study of 67 software development organisations and their software security activities A framework that describes the various activities that are performed by a majority of the organisations covered The concept Software Security Group is central Those tasked with following up software security in an organisation 3 What is this BSIMM thing?

4 SINTEF ICT 4 BSIMM Software Security Framework GovernanceIntelligenceSSDL TouchpointsDeployment Strategy and MetricsAttack ModelsArchitecture AnalysisPenetration Testing Compliance and Policy Security Features and Design Code ReviewSoftware Environment TrainingStandards and Requirements Security TestingConfiguration Management and Vulnerability Management Domain Practice

5 SINTEF ICT For some orgs, multiple people involved Roles: 5 Who answered the questionnaire? IT director Head, Development department Head of IT operations Section manager IT Section manager development Group manager IT manager Development manager Solution architect Chief architect System developer IT advisor Security manager Information security manager Security architect Information security consultant Security analyst Security advisor Senior engineer Senior advisor

6 SINTEF ICT General background information Position, number of developers, fraction of contractors, whether they contract for turnkey SW solutions Concrete questions about which of the 112 BSIMM activities they perform on a regular basis Yes/No/Don't know Follow-up interviews Telephone or teleconferencing solution Latter allowed live sharing of filled-out questionnaire 6 Questionnaire and follow-up

7 SINTEF ICT 7

8 Conservative maturity (0-3) Org gets approved maturity level only if all activities on this and lower levels fulfilled ("Yes") Weighted maturity (0-6) High watermark maturity (0-3) Same as BSIMM spider charts If at least one activity on level 3, you get 3 (etc.) 8 Data analysis & maturity measurements

9 SINTEF ICT 9 Example for imaginary organi- sation

10 SINTEF ICT 10 Example, cont.

11 SINTEF ICT 11 Distribution of # activities

12 SINTEF ICT 12 High-level averages Caution!

13 SINTEF ICT 13 The most common activities https://www.flickr.com/photos/125207874@N04/14450220780/

14 SINTEF ICT 14 Conservative maturity for "top 3"

15 SINTEF ICT 15 Selected practices GovernanceIntelligenceSSDL TouchpointsDeployment Strategy and MetricsAttack ModelsArchitecture AnalysisPenetration Testing Compliance and Policy Security Features and Design Code ReviewSoftware Environment TrainingStandards and Requirements Security TestingConfiguration Management and Vulnerability Management

16 SINTEF ICT Transparency of expectations and accountability of results Management buy-in One of the practices with lowest maturity 16 Strategy and Metrics "Risk analysis is performed in the projects, but not for security" "The regime worked well as long as we were doing waterfall, but more tricky with agile" "High-level security risk analysis [ … ] is not so useful in the development process"

17 SINTEF ICT Compliances with rules and regulation Generate artefacts for audit Highest maturity on all metrics 17 Compliance and policy "We have many lawyers, and as an organisation we have many policies and regulations ensuring we cover compliance. Unsure how this affects the coding, though"

18 SINTEF ICT Quality control Discover security defects At least half do the first two activities on level 1 But generally low maturity 18 Penetration testing "Initiatives to do pentest come [ … ] from the network side. Testing is not done specifically of internally developed code or projects, but broader"

19 SINTEF ICT Change management Organisations have faith in their own level of host & network security Important to remember that network security in general more mature than SWsec 19 Software environment

20 SINTEF ICT What software security activities do vendors do? Could be a long distance from legal expertise to developers Different cultures between infrastructure and dev Good that developers check each other's code But do they have required SW sec skills? Security managers are sent on training, not devs Enterprise risk analysis not seen relevant to dev Too little testing on security 20 Summary

21 SINTEF ICT 21 Could we do better?

22 SINTEF ICT http://infosec.sintef.no 22 Questions? ? twitter.com/ SINTEF_Infosec http://www.sintef.no/sos-agile

Download ppt "SINTEF ICT Martin Gilje Jaatun, Daniela S. Cruzes, Karin Bernsmed, Inger Anne Tøndel, and Lillian Røstad 1 Software Security Maturity in Public Organisations."

Similar presentations

Enabling Technology Innovation using Open Source Software

Enabling Technology Innovation using Open Source Software
Software Engineering CSE470: Process 15 Software Engineering Phases Definition: What? Development: How? Maintenance: Managing change Umbrella Activities:

Software Engineering CSE470: Process 15 Software Engineering Phases Definition: What? Development: How? Maintenance: Managing change Umbrella Activities:
Auditing the HR Function Kelli W. Vito, SPHR, CCP KV Consulting.

Auditing the HR Function Kelli W. Vito, SPHR, CCP KV Consulting.
By Collin Smith http://techinitiatives.blogspot.com COBIT Introduction By Collin Smith http://techinitiatives.blogspot.com.

By Collin Smith COBIT Introduction By Collin Smith
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
Tan Jenny 23 September 2009 SESSION 4: Understanding Your IT Control Environment & Its Readiness.

Tan Jenny 23 September 2009 SESSION 4: Understanding Your IT Control Environment & Its Readiness.
BRIEFING TO THE PORTFOLIO COMMITTEE ON THE DPSA’S RISK MANAGEMENT STRATEGY PRESENTATION TO THE PORTFOLIO COMMITTEE 12 MAY 2010 1.

BRIEFING TO THE PORTFOLIO COMMITTEE ON THE DPSA’S RISK MANAGEMENT STRATEGY PRESENTATION TO THE PORTFOLIO COMMITTEE 12 MAY
Preparing Scotland’s first Records Management Plan Ava Wieclawska Records Manager.

Preparing Scotland’s first Records Management Plan Ava Wieclawska Records Manager.
Factors influencing open source software adoption

Factors influencing open source software adoption
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
IT Professional Perspectives, Discussions, and Recommendations Steven K. Wall IT7833 IT Strategy, Policy and Governance.

IT Professional Perspectives, Discussions, and Recommendations Steven K. Wall IT7833 IT Strategy, Policy and Governance.
Self Assessment Feedback Logistics R Us GOLD Member.

Self Assessment Feedback Logistics R Us GOLD Member.
SecureAware Building an Information Security Management System.

SecureAware Building an Information Security Management System.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
1 Talal Abu Ghazaleh Information Technology International (TAG-ITI)

1 Talal Abu Ghazaleh Information Technology International (TAG-ITI)
ICT 1 Towards an Integrated Approach to Access Control to Health Information Presented by: Inger Anne Tøndel SINTEF Co-authors: Per Håkon Meland SINTEF.

ICT 1 Towards an Integrated Approach to Access Control to Health Information Presented by: Inger Anne Tøndel SINTEF Co-authors: Per Håkon Meland SINTEF.
Introduction to Software Quality Assurance (SQA)

Introduction to Software Quality Assurance (SQA)
Presentation Handout EDBA – Module 8 Information Technology 7 th December 2014 By K.M.Prashanthan.

Presentation Handout EDBA – Module 8 Information Technology 7 th December 2014 By K.M.Prashanthan.
Dillon: CSE470: SE, Process1 Software Engineering Phases l Definition: What? l Development: How? l Maintenance: Managing change l Umbrella Activities:

Dillon: CSE470: SE, Process1 Software Engineering Phases l Definition: What? l Development: How? l Maintenance: Managing change l Umbrella Activities:
April 9, 2010 1.  Employers  IS Careers  Business Support  Key Trends  Manage your career  Questions 2.

April 9,  Employers  IS Careers  Business Support  Key Trends  Manage your career  Questions 2.

Similar presentations

Ads by Google