
Page 1: BSIMM Measuring Software Security Initiative Maturity

The OWASP Foundation http://www.owasp.org

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP Geneva Chapter

May 7th 2013

BSIMM: Measuring Software Security Initiative Maturity

Simon Blanchet, CISSP, CSSLP, PMP, Head of Application Security

http://ch.linkedin.com/in/sblanchet

Page 2

Agenda
• Who Am I?
• What is this talk all about?
• Why talking about BSIMM?
• BSIMM4
• Lessons learned & take-aways
• Conclusion

Page 3

Who Am I?
• Head of Application Security in a Private Bank
• CISSP, CSSLP, PMP
• Where am I coming from?
  · Computer Science
  · Security Software Designer, then Software Security Manager
• I'm managing an SSG applying a risk-based approach to ensure that our organization is:
  · Building secure software
  · Acquiring & integrating vendors' software securely
  · Securely modifying legacy software without compromising the security of the whole banking information system

Page 4

What is this talk all about?
• The story of a guy who wanted to know where he was standing w/r/t his enterprise Software Security Initiative
• One tool (BSIMM) which can be used to answer a few SW security questions
• Software Security
• Software Security Initiative / Program
• Software Security Domains / Practices / Activities

Page 5

Why BSIMM?
• We are all doing "something" w/r/t SW Sec
• Are we doing the right things?
• What are other key players doing?
• How do we compare to others?
• How mature are we, really?

Page 6

BSIMM (special thanks to Gary McGraw for the permission to use his original material)

Page 7

BSIMM?
• A measuring stick for SW Security
• A descriptive model
• Software Security Framework
  · 4 Domains
  · 12 Practices
  · 111 Activities

Page 8

Take-Aways, Summary & Conclusion

Page 9

Lessons Learned
• How to be "BSIMMed"* concretely?
  1. Do it yourself ((CC) license)…
     - Risks: consistency, underestimate, overestimate
     + $ (as in saving)
  2. Mandate someone else
     - $ (as in it costs something)
     + Consistency, official report, community, experience (using Cigital, who performed the exercise more than 95+ times on 50+ firms)

* BSIMMed: having the BSIMM assessment performed on your organization.

Page 10

Lessons Learned
• What happens exactly?
• 5+ interviews with Heads / Directors
  · Application Security / SSG
  · Development
  · Quality Assurance / Testing
  · Architecture
  · Operation / Incident Response
• Draft / Final Report (high water mark views, scorecard, practices & activities worth investigating)

Page 11

Summary
• BSIMM is not a methodology. It is a measurement tool.
• BSIMM can answer questions about:
  · Comparing a firm with peers using the high water mark view
  · Comparing business units (within a large org)
  · Charting an SSI over time (longitudinal)
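As an added illustration of the high water mark view and the three comparisons listed above (this is not material from the talk, nor BSIMM's own tooling): a small Python model that scores each practice by the highest activity level observed, compares the result against a constructed peer group, and diffs two assessments for the longitudinal view. The practice names are real BSIMM practices; every observed level below is constructed sample data.

```python
from statistics import mean

# Constructed sample (not from the talk): activity levels (1-3) observed in
# four of the twelve BSIMM practices. Practice names are the real BSIMM ones;
# the observations are made up for illustration.
FIRM = {
    "Strategy & Metrics": [1, 1, 2],
    "Code Review": [1, 2, 3],
    "Security Testing": [1],
    "Penetration Testing": [],
}

# Constructed peer group (e.g. other financial-services firms).
PEERS = [
    {"Strategy & Metrics": [1, 2], "Code Review": [1],
     "Security Testing": [1, 2], "Penetration Testing": [1, 2]},
    {"Strategy & Metrics": [1, 3], "Code Review": [1, 2],
     "Security Testing": [1, 2, 3], "Penetration Testing": [1]},
]


def high_water_mark(levels):
    """Highest level at which any activity is observed in a practice (0 if none)."""
    return max(levels, default=0)


def scorecard(firm):
    """High water mark view: one number per practice."""
    return {practice: high_water_mark(levels) for practice, levels in firm.items()}


def peer_average(peers):
    """Mean high water mark per practice across the peer group."""
    cards = [scorecard(p) for p in peers]
    return {practice: mean(card[practice] for card in cards) for practice in cards[0]}


def practices_to_investigate(firm, peers):
    """Practices where the firm sits below the peer average (the 'worth investigating' list)."""
    own, avg = scorecard(firm), peer_average(peers)
    return sorted(p for p in own if own[p] < avg[p])


def delta(earlier, later):
    """Longitudinal view: change in high water mark per practice between two assessments."""
    before, after = scorecard(earlier), scorecard(later)
    return {p: after[p] - before[p] for p in before}
```

The same functions serve the business-unit comparison: pass each unit's observations as a separate firm and compare their scorecards.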

Page 12

Conclusion
• Use it to see where you stand
• Use it to figure out what your peers do
• BSIMM helps to create a data-driven strategic plan

Page 13

Questions?

Page 14

References
• BSIMM4
• BSIMM website

Page 15

About the author

Simon Blanchet, CISSP, CSSLP, PMP, Associate Director, Head of Application Security

Simon Blanchet is an Associate Director and Head of Application Security in a Private Bank. He is responsible, with the help of his team of application security specialists, for ensuring the security of internally developed applications as well as the secure integration of commercial off-the-shelf applications within the banking information systems. Simon's team provides internal security-consulting expertise to project management, business and development staff. He and his team are responsible for all aspects of application security including risk assessment, threat modeling, security testing and raising awareness about application security best practices.

Simon Blanchet has been working professionally in the fields of Information Systems Security and Security Software Design & Development for the past 12 years. He started his career as a Software Developer and Development Team Leader (cryptographic and security-related software) in Montreal, Canada. Prior to moving into the Swiss Private Banking industry, Simon had the opportunity to contribute to the first version of the SDK implementing Stefan Brands' Digital Credentials, upon which Microsoft U-Prove is now built. Simon's career progressively evolved from being a seasoned security software developer to managing software security, combining a software developer background with a true passion for application security architecture, software security and software exploitation techniques. Simon likes to solve security-related problems at the crossroads of software development and IT Security.

Simon holds a B.Sc. in Computer Science from Laval University in Canada. He is a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP) and a Project Management Professional (PMP).