bsimm: bringing science to software security


Upload: cigital

Post on 12-Jan-2017


TRANSCRIPT

Page 1: BSIMM: Bringing Science to Software Security

Science is a way of discovering what's in the universe and how those things work today, how they worked in the past, and how they are likely to work in the future.

Page 2:

BSIMM: Bringing Science to Software Security

[email protected] @cigital

Page 3:

Why study security? “Because I said so” doesn’t work as a strategy.

Page 4:

Software security axioms
• Software security is more than a set of security functions
• Not magic crypto fairy dust
• Not silver-bullet security mechanisms
• Non-functional aspects of design are essential
• Bugs and flaws are split 50/50
• Security is an emergent property of the entire system

Page 5:

In the beginning…

We made up prescriptive frameworks:
• Microsoft SDL
• CLASP (OWASP)
• Cigital’s Touchpoints

Thou shalt build security in…

Page 6:

BSIMM is a scientific study measuring activities companies are actually doing.

Page 7:

Measurements matter
• Understand today, plan for tomorrow
• Metrics drive behaviors
• Enable management
• Continuous process improvement

Page 8:

78 firms in the BSIMM6 Community

Page 9:

What the numbers tell us

                                                BSIMM6     BSIMM5     BSIMM4     BSIMM3     BSIMM2     BSIMM1
Firms                                               78         67         51         42         30          9
Software Security Group (SSG) Members            1,084        976        978        786        635        370
Satellite Members                                2,111      1,954      2,039      1,750      1,150        710
Developers                                     287,006    272,358    218,286    185,316    141,175     67,950
Applications                                    69,750     69,039     58,739     41,157     28,243      3,970
Avg SSG Age (years)                               3.98       4.28       4.13       4.32       4.49       5.32
SSG Avg. of Avgs (SSG members per 100 devs)   1.51/100   1.4/100   1.95/100   1.99/100   1.02/100   1.13/100
Financials                                          33         26         19         17         12          4
ISVs                                                27         25         19         15          7          4
Healthcare                                          10
Consumer Electronics                                13

(Healthcare and Consumer Electronics counts are given for BSIMM6 only.)

Page 10:

Monkeys eat bananas
• BSIMM is not about good or bad ways to eat bananas or banana best practices
• BSIMM is about observations
• BSIMM is not prescriptive
• BSIMM describes and measures multiple prescriptive approaches

Page 11:

A software security framework (four domains, twelve practices)

Governance:
• Strategy and Metrics
• Compliance and Policy
• Training

Intelligence:
• Attack Models
• Security Features and Design
• Standards and Requirements

SSDL Touchpoints:
• Architecture Analysis
• Code Review
• Security Testing

Deployment:
• Penetration Testing
• Software Environment
• Configuration Management and Vulnerability Management

Page 12:

Example domain
Intelligence: standards and requirements

ID     Objective                                                       Activity
SR1.1  meet demand for security features                               create security standards (T: sec features/design)
SR1.2  ensure that everybody knows where to get latest and greatest    create security portal
SR1.3  compliance strategy                                             translate compliance constraints to requirements
SR1.4  tell people what to look for in code review                     use secure coding standards
SR2.2  formalize standards process                                     create a standards review board
SR2.3  reduce SSG workload                                             create standards for technology stacks
SR2.4  manage open source risk                                         identify open source
SR2.5  gain buy-in from legal department and standardize approach      create SLA boilerplate (T: compliance and policy)
SR3.1  manage open source risk                                         control open source risk
SR3.2  educate third-party vendors                                     communicate standards to vendors

Page 13:

Example activity

[AA1.2] Perform design review for high-risk applications.

The organisation learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing architecture analysis and breaking the architecture being considered. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale.

Page 14:

The software security group (SSG)
• Security as a day job
• High expertise
• “Group” level or central role
• Cross business units / projects

Page 15:

The “satellite”
• Not directly part of the SSG
• Developers, testers, architects
• Have an affinity for security

Page 16:

Real world data

Software Security Initiative Age
  Average   4 years
  Newest    5 months
  Oldest    12 years
  Median    3 years

Software Security Satellite Size
  Average   27 people
  Smallest  0 people
  Largest   400 people
  Median    3 people

Software Security Group Size
  Average   14 people
  Smallest  1 person
  Largest   130 people
  Median    6 people

Development / Engineering Staff Size
  Average   3,680 people
  Smallest  23 people
  Largest   35,000 people
  Median    1,200 people

Page 17:

Scorecard Overview
• Number of firms performing various activities
• Highlighted activity is most popular in its practice

Page 18:

What BSIMM tells you about you.

Page 19:

Example firm scorecard
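The scorecard mechanics behind slides 17 and 19, as an added example (this is not Cigital's or the BSIMM project's own tooling): a small Python module that counts how many firms were observed doing each activity, highlights the most popular activity in each practice, and lays one firm's observations against that community count. Activity IDs and wording are taken from slides 12 and 13; the five firms and the activities each was observed doing are constructed sample data, not BSIMM results.

```python
"""BSIMM-style scorecard aggregation (added example, not BSIMM's own code).

Activity IDs and descriptions are the ones shown on slides 12 and 13; the
firms and their observed activities below are constructed sample data.
"""
from collections import Counter

# Activity catalogue: id -> (practice, level, activity).
ACTIVITIES = {
    "SR1.1": ("Standards and Requirements", 1, "create security standards"),
    "SR1.2": ("Standards and Requirements", 1, "create security portal"),
    "SR1.3": ("Standards and Requirements", 1, "translate compliance constraints to requirements"),
    "SR1.4": ("Standards and Requirements", 1, "use secure coding standards"),
    "SR2.2": ("Standards and Requirements", 2, "create a standards review board"),
    "SR2.3": ("Standards and Requirements", 2, "create standards for technology stacks"),
    "SR2.4": ("Standards and Requirements", 2, "identify open source"),
    "SR2.5": ("Standards and Requirements", 2, "create SLA boilerplate"),
    "SR3.1": ("Standards and Requirements", 3, "control open source risk"),
    "SR3.2": ("Standards and Requirements", 3, "communicate standards to vendors"),
    "AA1.2": ("Architecture Analysis", 1, "perform design review for high-risk applications"),
}

# Constructed observations (hypothetical firms): firm -> activity IDs an
# assessor observed the firm actually doing.  BSIMM records presence only,
# not how well an activity is performed.
OBSERVATIONS = {
    "firm-A": {"SR1.1", "SR1.2", "SR1.4", "SR2.2", "SR2.4", "AA1.2"},
    "firm-B": {"SR1.1", "SR1.3", "SR1.4", "AA1.2"},
    "firm-C": {"SR1.1", "SR1.4", "SR2.2", "SR2.3", "SR2.4", "SR3.1", "AA1.2"},
    "firm-D": {"SR1.2", "SR1.4"},
    "firm-E": {"SR1.1", "SR1.4", "SR2.4", "SR3.2"},
}


def check_observations(observations):
    """Reject IDs missing from the catalogue; a typo would otherwise
    silently become an activity that nobody else performs."""
    unknown = set().union(*observations.values()) - set(ACTIVITIES)
    if unknown:
        raise ValueError(f"unknown activity IDs: {sorted(unknown)}")


def activity_counts(observations):
    """Community scorecard: firms observed doing each activity, with an
    explicit zero for catalogue activities nobody does."""
    check_observations(observations)
    seen = Counter(a for acts in observations.values() for a in acts)
    return {aid: seen[aid] for aid in ACTIVITIES}


def most_popular_by_practice(counts):
    """The highlighted activity per practice: the one the most firms do.
    Ties keep the lower-numbered ID (catalogue order)."""
    best = {}
    for aid, (practice, _level, _desc) in ACTIVITIES.items():
        if practice not in best or counts[aid] > counts[best[practice]]:
            best[practice] = aid
    return best


def firm_scorecard(firm, observations):
    """One firm against the community: activity -> (firm does it?, number
    of firms doing it).  The count includes the firm itself."""
    counts = activity_counts(observations)
    mine = observations[firm]
    return {aid: (aid in mine, counts[aid]) for aid in ACTIVITIES}


def levels_observed(firm, observations):
    """Per practice, how many of the firm's observed activities sit at
    each level, e.g. {'Standards and Requirements': {1: 2, 2: 3}}."""
    out = {}
    for aid in observations[firm]:
        practice, level, _desc = ACTIVITIES[aid]
        by_level = out.setdefault(practice, {})
        by_level[level] = by_level.get(level, 0) + 1
    return out


def render(firm, observations):
    """Plain-text scorecard; '*' marks the most popular activity per practice."""
    counts = activity_counts(observations)
    popular = set(most_popular_by_practice(counts).values())
    card = firm_scorecard(firm, observations)
    lines = [f"scorecard for {firm} ({len(observations)} firms in community)"]
    for aid, (_practice, _level, desc) in ACTIVITIES.items():
        done, n = card[aid]
        mark = "*" if aid in popular else " "
        lines.append(f"{mark} {aid:<6} {'yes' if done else 'no':<3} {n:>3}  {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("firm-D", OBSERVATIONS))
```

Replacing OBSERVATIONS with real assessment data gives the same two views the slides describe: the community column tells you how common an activity is, and the firm column tells you which common activities you are not doing. The community count deliberately includes the firm being scored, so a firm never sees a zero for an activity it performs.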

Page 20:

Lessons learned
• Your company isn’t unique
• You’re on your own when it comes to getting started
• Your security team can’t do everything
• Security still needs people
• Security usually exists before the security team

Page 21:

What do you do next?
• Read the BSIMM report at www.bsimm.com
• Join the BSIMM community
• Measure your program
• Build security in

Page 22:

BSIMM: Bringing Science to Software Security

[email protected] @cigital