Abstract: The Building Security In Maturity Model (or BSIMM)
BSIMM observes and measures what firms' software security initiatives are actually doing. John, who has helped several firms build or improve their security initiatives, will share sometimes surprising data about security initiatives big and small. His presentation will focus on what activities organizations use to "boot" security initiatives and which they presently focus on.
2. The OWASP Foundation
http://www.owasp.org
This Presentation
…is about observed trends, DISCUSSION to follow
Wild West AppSec - State of assessment
Growing Up – Security Initiatives
BSIMM – Measuring Security Initiatives
What Most Firms Are "On Top" of…
What Firms Struggle with Today
Assessment is TOUGH
Dynamic Assessment (tools)
<= 10% statement coverage, and only IFF (if and only if) the scan is authenticated
Manual Penetration Testing?
Including “Expert Crawling”
What about static analysis (tools)?
SCR?
A software security initiative
A software security initiative is an:
executive-backed,
permanently-staffed,
metrics-driven
investment in…
software security policy and standards,
“secure SDLC” gates, and
governance knowledge, processes, and tools
to implement capabilities across a reasonable cross-section of the application
portfolio.
Building BSIMM (2009)
Big idea: Build a maturity model from actual data gathered from 9
well known large-scale software security initiatives
Create a software security framework
Interview nine firms in-person
Discover 110 activities through observation
Organize the activities in 3 levels
Build scorecard
The model has been validated with data from 51 firms
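As an added illustration (not code from the deck or from the BSIMM project), a minimal scorecard over the activity ids the deck uses: it parses each id into practice and level, counts observed activities per level, and reports which of the 12 common activities listed later in the deck a firm has not been observed doing. The per-practice high-water-mark summary and the firm's observation set are assumptions and constructed data.

```python
import re
from collections import defaultdict

# BSIMM activity ids read "<practice><level>.<n>", e.g. "SM1.4" is practice SM, level 1.
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")

# The 12 activities the deck reports as common across the measured firms.
COMMON_ACTIVITIES = {
    "SM1.4", "CP1.2", "T1.1", "AM1.5", "SFD1.1", "SR1.1",
    "AA1.1", "CR1.4", "ST1.1", "PT1.1", "SE1.2", "CMVM1.2",
}

def parse_activity(activity_id):
    """Split an activity id into (practice, level); reject malformed ids."""
    m = ACTIVITY_RE.match(activity_id)
    if not m:
        raise ValueError(f"not a BSIMM activity id: {activity_id!r}")
    return m.group(1), int(m.group(2))

def scorecard(observed):
    """Per practice: observed-activity counts per level and the high-water mark.
    Assumption (not stated on the slides): a practice is summarised by the
    highest level at which at least one activity was observed."""
    card = defaultdict(lambda: {"levels": {1: 0, 2: 0, 3: 0}, "high_water": 0})
    for aid in sorted(set(observed)):  # de-duplicate repeated observations
        practice, level = parse_activity(aid)
        card[practice]["levels"][level] += 1
        card[practice]["high_water"] = max(card[practice]["high_water"], level)
    return dict(card)

def missing_common_activities(observed):
    """Which of the 12 common 'bootstrap' activities this firm does not show."""
    return sorted(COMMON_ACTIVITIES - set(observed))

# Constructed observation set for a hypothetical firm; not data from the deck.
FIRM_A = ["SM1.4", "T1.1", "AA1.1", "AA1.2", "AA2.2", "CR1.4", "PT1.1", "SE1.2", "SE1.2"]

if __name__ == "__main__":
    for practice, row in sorted(scorecard(FIRM_A).items()):
        print(f"{practice:5} levels={row['levels']} high-water={row['high_water']}")
    print("missing common activities:", missing_common_activities(FIRM_A))
```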
Prescriptive vs. Descriptive
Prescriptive models describe what you should do: SAFECode, SAMM, SDL, Touchpoints
Every firm has a methodology they follow (often a hybrid)
You need an SSDL
Descriptive models describe what is actually happening
The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs
Monkeys Eat Bananas
BSIMM is not about good or bad ways to eat bananas or banana best practices
BSIMM is about observations
BSIMM is descriptive, not prescriptive
BSIMM describes and measures multiple prescriptive approaches
Yeah but we're different
You *are* a special snowflake, just like everyone else
All snowflakes are equally special
No matter how special a snowflake you are, you'll still melt when it's hot out.
We Hold These Truths to be Self-evident
Someone (a security group) has to be responsible
Software security is more than a set of security functions
Not magic crypto fairy dust
Non-functional aspects of design are essential
Not silver-bullet security mechanisms
Bugs and flaws are 50/50
To end up with secure software, deep integration with the SDLC is necessary
12 Common Activities
1. SM1.4 Identify gate locations, gather necessary artifacts;
2. CP1.2 Identify PII obligations;
3. T1.1 Provide awareness training;
4. AM1.5 Gather attack intelligence;
5. SFD1.1 Build and publish security features;
6. SR1.1 Create security standards;
7. AA1.1 Perform security feature review;
8. CR1.4 Use automated tools along with manual review;
9. ST1.1 Ensure quality assurance (QA) supports edge/boundary value condition testing;
10. PT1.1 Use external penetration testers to find problems;
11. SE1.2 Ensure host and network security basics are in place; and
12. CMVM1.2 Identify software defects found in operations monitoring and feed them back to development.
Evolving Initiatives (2012)
Build an SSG
Something in Architecture
Use automated tools @ scale
Security Sign-off
[Chart labels: 3rd Party, Metrics, VA, Configuration Management, Vulnerability Management, CR Portal, Security Sign-off, Attack Intelligence, Assessment]
One Architecture Climb
[Chart: one firm's architecture analysis (AA) activities adopted over time. Activities: 1.1 Feature Review, 1.2 Perform Review, 1.3 SSG Reviews, 2.2 Standardize Descriptions, 2.3 Make SSG Available, 3.2 Results Arch. Patterns. Time axis: Year 1, Year 2, Year 3, Year 5.]
SSIs Fit Naturally into Agile
Top 2,3
Awareness (pre-training)
Top 10
Passwords, SSL
[Open Source] Automation
Configuration Mgmt, plumbing
Infrastructure Security
API
Threat Modeling
Risk Management
Security Libraries
Vuln + Config. Management
Build a pile, rank the pile
Rank applications w/in portfolio
Call a spade a spade
Standardize names for vulnerabilities
Normalize assessment / tool scoring
Prioritize
Calculate risk effectively
Go from “hated cop” to B.A.U.
Establish security gates
Integrate with normal change/bug management
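The "build a pile, rank the pile" steps above, worked through on constructed data as an added example (not code from the deck): findings from two hypothetical tools with different naming and severity scales are mapped to one standard name (CWE), put on one score scale, de-duplicated, and the applications are ranked by a criticality-weighted total. The name map, severity map, criticality weights and the risk formula are all assumptions.

```python
from collections import defaultdict

# Constructed findings from two hypothetical tools (not data from the deck): tool A
# reports free-text names and word severities, tool B reports CWE ids and a 0-10 score.
TOOL_A = [
    {"app": "payments", "name": "SQL Injection in /login", "severity": "High"},
    {"app": "payments", "name": "Reflected XSS", "severity": "Medium"},
    {"app": "intranet", "name": "Reflected XSS", "severity": "Medium"},
]
TOOL_B = [
    {"app": "payments", "cwe": "CWE-89", "score": 8.5},
    {"app": "intranet", "cwe": "CWE-79", "score": 4.0},
    {"app": "hr-portal", "cwe": "CWE-798", "score": 9.1},
]
NAME_TO_CWE = {"sql injection": "CWE-89", "reflected xss": "CWE-79"}  # one standard name
SEVERITY_SCORE = {"Low": 3.0, "Medium": 5.0, "High": 8.0, "Critical": 9.5}  # assumed map
APP_CRITICALITY = {"payments": 3, "hr-portal": 2, "intranet": 1}  # set by the business

def normalize(tool_a, tool_b):
    """Rewrite both tools' findings as {app, cwe, score} records on one 0-10 scale."""
    out = []
    for f in tool_a:
        name = f["name"].lower()
        cwe = next((c for k, c in NAME_TO_CWE.items() if k in name), "CWE-unmapped")
        out.append({"app": f["app"], "cwe": cwe, "score": SEVERITY_SCORE[f["severity"]]})
    for f in tool_b:
        out.append({"app": f["app"], "cwe": f["cwe"], "score": float(f["score"])})
    return out

def dedupe(findings):
    """The same weakness in the same app seen by two tools counts once, at the higher score."""
    best = {}
    for f in findings:
        key = (f["app"], f["cwe"])
        best[key] = max(best.get(key, 0.0), f["score"])
    return [{"app": a, "cwe": c, "score": s} for (a, c), s in sorted(best.items())]

def rank_portfolio(findings):
    """Rank applications: app risk = business criticality x sum of its finding scores."""
    risk = defaultdict(float)
    for f in findings:
        risk[f["app"]] += APP_CRITICALITY.get(f["app"], 1) * f["score"]
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    pile = dedupe(normalize(TOOL_A, TOOL_B))
    for app, score in rank_portfolio(pile):
        print(f"{app:10} risk={score:.1f}")
```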
Editor's Notes
Every one of the 51 firms we have measured has an SSDL. Most are hybrids of popular methodologies.
While this definition is not necessarily worthy of the OED, it suffices for our purposes. For those of you forming the words, "But what about…" in your heads right now, I refer you to the words of a Mr. H. Dumpty. Yes, there are likely shorter and longer ways to define a software security initiative. I certainly wouldn't go to the press with this, but it's important to understand these nuances as we think about ways to attach our offerings to a firm's current state of existence. Again, why would we do that?
We have yet to encounter a firm that cannot be measured with the BSIMM. To be sure, some firms are more complicated than others, but the BSIMM was designed to measure all SSDLs encountered on the planet.
There is plenty of confusion (especially in the press) about methodologies and measurement tools. The BSIMM is not a methodology. It is a measurement tool. The BSIMM is used to measure and describe (in common terms) each of the 51 distinct SSDL methodologies in use in the BSIMM Community. See the InformIT article "BSIMM versus SAFECode and Other Kaiju Cinema" (Dec 26, 2011): http://bit.ly/tLIOnJ
See the InformIT article "Cargo Cult Computer Security" (January 28, 2010): http://bit.ly/9HO6ex
BSIMM articles and the BSIMM itself can be found on the website at http://bsi-mm.com. The SSF is covered exclusively in an InformIT article: "A Software Security Framework: Working Towards a Realistic Maturity Model" (October 15, 2008): http://bit.ly/NDMkYn
Each practice has a set of activities associated with it. They are divided into 3 levels.
These are some self-evident truths about software security. For more on the basics, see Software Security (2006) http://swsec.com
A simple spreadsheet is going to drive the entire process (outsource this to the business):
What – risk; business analysts
How – architects, developers
Who – TM first step (security)
Impact – multiple stakeholders
---
VP #1: The goal of this chart (and the effort overall) is completeness: to think more thoroughly about who will attack you and how.