BSIMM: Measuring Software Security Initiative Maturity

OWASP Geneva Chapter, May 7th 2013. Presented by Simon Blanchet, CISSP, CSSLP, PMP, Head of Application Security (http://ch.linkedin.com/in/sblanchet). Slide transcript.
The OWASP Foundation, http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP Geneva Chapter
May 7th 2013

BSIMM: Measuring Software Security Initiative Maturity
Simon Blanchet, CISSP, CSSLP, PMP, Head of Application Security
http://ch.linkedin.com/in/sblanchet
Agenda
• Who Am I?
• What is this talk all about?
• Why talking about BSIMM?
• BSIMM4
• Lessons learned & take-aways
• Conclusion
Who Am I?
· Head of Application Security in a Private Bank
· CISSP, CSSLP, PMP
· Where I'm coming from: Computer Science, Security Software Designer, then Software Security Manager
· I'm managing a SSG applying a Risk-Based approach to ensure that our organization is:
  · Building Secure Software
  · Acquiring & Integrating Vendors' Software Securely
  · Securely Modifying legacy Software without compromising the Security of the whole Banking Information System
What is this talk all about?
• The story of a guy who wanted to know where he was standing w/r/t his enterprise Software Security Initiative
• One tool (BSIMM) which can be used to answer a few SW Security questions
• Software Security
• Software Security Initiative / Program
• Software Security Domains / Practices / Activities
Why BSIMM?
• We are all doing "something" w/r/t SW Sec
• Are we doing the right things?
• What are other key players doing?
• How do we compare to others?
• How mature are we, really?
BSIMM (special thanks to Gary McGraw for the permission to use his original material)

BSIMM?
• A measuring stick for SW Security
• A descriptive model
• Software Security Framework: 4 Domains, 12 Practices, 111 Activities
Take-Aways, Summary & Conclusion

Lessons Learned
• How to be "BSIMMed"* concretely?
  1. Do it yourself ((CC) license)…
     - Risks: consistency, underestimate, overestimate
     + $ (as in saving)
  2. Mandate someone else
     - $ (as in it costs something)
     + Consistency, Official Report, Community, Experience (using Cigital, who performed the exercise 95+ times on 50+ firms)
* BSIMMed: having the BSIMM assessment performed on your organization.
Lessons Learned
• What happens exactly?
• 5+ interviews with Heads / Directors of:
  • Application Security / SSG
  • Development
  • Quality Assurance / Testing
  • Architecture
  • Operation / Incident Response
• Draft / Final Report (High Water Mark views, Scorecard, Practices & Activities worth investigating)
Summary
• BSIMM is not a methodology. It is a measurement tool.
• BSIMM can answer questions about:
  • Comparing a firm with peers using the high water mark view
  • Comparing business units (within a large org)
  • Charting an SSI over time (longitudinal)
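To make the high water mark view concrete, here is an added example (not material from the slides, nor Cigital's assessment tooling) that derives each practice's high water mark from a list of observed activity codes and flags the practices where a firm trails a peer profile. The practice names and the <practice><level>.<n> code convention come from the BSIMM framework; the observed activities and the peer levels are constructed sample values.

```python
import re

# The 12 BSIMM practices keyed by their code, grouped by the 4 domains
# (Governance, Intelligence, SSDL Touchpoints, Deployment); names from the BSIMM framework.
PRACTICES = {
    "SM": "Strategy & Metrics", "CP": "Compliance & Policy", "T": "Training",  # Governance
    "AM": "Attack Models", "SFD": "Security Features & Design", "SR": "Standards & Requirements",  # Intelligence
    "AA": "Architecture Analysis", "CR": "Code Review", "ST": "Security Testing",  # SSDL Touchpoints
    "PT": "Penetration Testing", "SE": "Software Environment", "CMVM": "Config & Vuln Mgmt",  # Deployment
}
# BSIMM activity codes are <practice><level>.<n>, e.g. CR1.4 is a level-1 Code Review activity.
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")


def parse_activity(code):
    """Split 'CR1.4' into ('CR', 1); reject codes that are malformed or name no known practice."""
    m = ACTIVITY_RE.match(code)
    if not m or m.group(1) not in PRACTICES:
        raise ValueError(f"unknown BSIMM activity code: {code!r}")
    return m.group(1), int(m.group(2))


def high_water_marks(observed):
    """High water mark per practice: the highest level of any observed activity (0 if none)."""
    hwm = dict.fromkeys(PRACTICES, 0)
    for code in observed:
        practice, level = parse_activity(code)
        hwm[practice] = max(hwm[practice], level)
    return hwm


def gaps_versus_peers(firm_hwm, peer_hwm):
    """Practices where the firm trails the peer profile, mapped to the shortfall in levels."""
    return {p: peer_hwm[p] - firm_hwm[p] for p in PRACTICES if firm_hwm[p] < peer_hwm[p]}


# Constructed sample: activities a fictional firm was seen doing during the interviews.
FIRM_OBSERVED = ["SM1.1", "SM1.4", "CP1.2", "CP2.1", "T1.1", "AM1.2", "SFD1.1", "SR1.1",
                 "AA1.1", "CR1.4", "CR2.5", "ST1.1", "PT1.1", "SE1.2", "CMVM1.1"]
# Constructed peer high water marks (made-up numbers, not BSIMM4 data).
PEER_HWM = {"SM": 2, "CP": 2, "T": 2, "AM": 1, "SFD": 2, "SR": 2,
            "AA": 1, "CR": 2, "ST": 2, "PT": 2, "SE": 2, "CMVM": 2}

if __name__ == "__main__":
    firm = high_water_marks(FIRM_OBSERVED)
    for code, name in PRACTICES.items():
        print(f"{name:28} firm level {firm[code]}  peers {PEER_HWM[code]}")
    print("practices below peers:", gaps_versus_peers(firm, PEER_HWM))
```

Running the same function over each business unit's observed list, or over successive years' lists, gives the business-unit comparison and the longitudinal chart the slide mentions.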
Conclusion
• Use it to see where you stand
• Use it to figure out what your peers do
• BSIMM helps to create a data-driven strategic plan
Questions?

About the author
Simon Blanchet, CISSP, CSSLP, PMP, Associate Director, Head of Application Security
Simon Blanchet is an Associate Director and Head of Application Security in a Private Bank. He is responsible, with the help of his team of application security specialists, for ensuring the security of internally developed applications as well as the secure integration of commercial off-the-shelf applications within the banking information systems. Simon's team provides internal security-consulting expertise to project management, business and development staff. He and his team are responsible for all aspects of application security including risk assessment, threat modeling, security testing and raising awareness about application security best practices.
Simon Blanchet has been working professionally in the fields of Information Systems Security and Security Software Design & Development for the past 12 years. He started his career as a Software Developer and Development Team Leader (cryptographic and security-related software) in Montreal, Canada. Prior to moving into the Swiss Private Banking industry, Simon had the opportunity to contribute to the first version of the SDK implementing Stefan Brands' Digital Credentials, upon which Microsoft U-Prove is now built. Simon's career progressively evolved from seasoned security software developer to software security manager, combining a software developer background with a true passion for application security architecture, software security and software exploitation techniques. Simon likes to solve security-related problems at the crossroads of software development and IT Security.
Simon holds a B.Sc. in Computer Science from Laval University in Canada. He is a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP) and a Project Management Professional (PMP).