Slide 1
Software Confidence. Achieved.
March 2011
BSIMM: The Building Security In Maturity Model
Gary McGraw, Ph.D.
Chief Technology Officer, Cigital
Slide 2
© 2011 Cigital Inc.
We hold these truths to be self-evident
- Software security is more than a set of security functions
  - Not magic crypto fairy dust
  - Not silver-bullet security mechanisms
- Non-functional aspects of design are essential
- Bugs and flaws are 50/50
- Security is an emergent property of the entire system (just like quality)
- To end up with secure software, deep integration with the SDLC is necessary
Slide 3
Real data from 33 real initiatives
60 measurements
McGraw, Chess, & Migues
BSIMM: Software Security Measurement
PlexLogic
Slide 4
Intel + eleven unnamed firms
33 software security initiatives measured
Slide 5
The magic 30
- Since we have data from > 30 firms we can perform statistical analysis
  - How good is the model?
  - What activities correlate with what other activities?
  - Do high maturity firms look the same?
  - Etc.
- We now have 33 firms (+ more underway)
  - BSIMM (the nine)
  - BSIMM Europe (nine in EU)
  - BSIMM2 (30)
  - Some underway
Slide 6
Building BSIMM (2009)
- Big idea: build a maturity model from actual data gathered from 9 of ~60 known large-scale software security initiatives
- Create a software security framework
- Nine in-person executive interviews
- Build bullet lists (one per practice)
- Bucketize the lists to identify activities
- Create levels
  - Objectives
  - Activities
- 109 activities supported by real data
- Three levels of "maturity"
- The model has been validated with data from > 30 firms
Slide 7
Monkeys eat bananas
- BSIMM is not about good or bad ways to eat bananas or banana best practices
- BSIMM is about observations
- BSIMM is descriptive, not prescriptive
Slide 8
A Software Security Framework
- Four domains
- Twelve practices
- See the informIT article on the BSIMM website: http://bsimm.com
Slide 9
Training practice skeleton
Slide 10
Example activity
[T1.3] Establish SSG office hours. The SSG offers help to any and all comers during an advertised lab period or regularly scheduled office hours. By acting as an informal resource for people who want to solve security problems, the SSG leverages teachable moments and emphasizes the carrot over the stick. Office hours might be held one afternoon per week in the office of a senior SSG member.
Slide 11
BSIMM2 Scorecard
- 109 activities
- 3 levels
- Top 15 things
  - 66% cutoff (20 of 30 firms)
  - Yellow highlight
Slide 12
BSIMM2 as a measuring stick
- Compare a firm with peers using the high water mark view
- Descriptive (not prescriptive)
Slide 13
BSIMM2 scorecard with firm data
- Top 15 things: green = good? red = bad?
- "Blue shift": practices to emphasize
- Activities you should maybe think about in brown
Slide 14
We are a special snowflake (NOT)
- ISV (7) results are similar to financial services (12)
- BSIMM Europe vs BSIMM US
- You do the same things
- You can demand the same results
Slide 15
BSIMM Community Events
- 22 firms gathered in Annapolis, MD, Nov 9-11 2010
  - 9 talks by SSG leaders
  - Workshop on efficiency and effectiveness
  - Intense networking
- BSIMM mailing list
  - High S/N ratio
- A BSIMM Community Mixer at RSA 2011 included
  - New logo revealed
  - Update on BSIMM3
  - BSIMM Longitudinal results
  - Music and mixology
Slide 16
BSIMM2 to BSIMM3
- BSIMM2 released April 2010 under Creative Commons: http://bsimm.com
  - Italian and German translations available
- BSIMM is a yardstick
  - Use it to see where you stand
  - Use it to figure out what your peers do
- BSIMM3
  - BSIMM Longitudinal (10)
  - BSIMM3 (40)
Slide 17
Get involved in the BSIMM Community
- http://bsimm.com
- See the Addison-Wesley Software Security series
- Send e-mail: gem@cigital.com
"So now, when we face a choice between adding features and resolving security issues, we need to choose security." - Bill Gates