Uploaded by cigital, 10-Feb-2017.

Page 1: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Scaling a Software Security Initiative:Lessons from the BSIMM

Gary McGraw, Ph.D.Chief Technology Officer

May 1, 2023

Copyright © 2015, Cigital and/or its affiliates. All rights reserved

@cigitalgem

Page 2: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Cigital

• Providing software security professional services since 1992
• World's premier software security consulting firm
• 350 employees
• 13 offices including Dulles, Boston, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, Amsterdam, and London
• Recognized experts in software security


Page 3: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

BSIMM-V


Page 4: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

67 Firms in the BSIMM-V Community

• Real data from 67 firms
• 161 measurements
• 21 over time
• McGraw, Migues, & West
• bsimm.com

plus 24 anonymous firms


Page 5: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Monkeys Eat Bananas

• BSIMM is not about good or bad ways to eat bananas or banana best practices
• BSIMM is about observations
• BSIMM is descriptive, not prescriptive
• BSIMM describes and measures multiple prescriptive approaches


Page 6: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

BSIMM by the Numbers

BSIMM describes and measures the work of 2930 full-time software security people controlling the work of 272,358 developers.


Page 7: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

12 Practices 112 Activities

• Real activities, not theories
• Real data
• How do the 67 BSIMM firms carry out a practice?
• How do the practices scale?


Page 8: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

BSIMM-V = Measuring Stick


Page 9: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

SCALING CODE REVIEW


Page 10: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Remedial Code Review

• #1 Touchpoint
• Get a tool (HP/Fortify, IBM/Ounce, Coverity, Cigital SecureAssist)
• 50 of 67 firms have an automated tool


Page 11: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Code Review in the BSIMM


Page 12: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Code Review Pitfalls

Security runs a complex tool
Tool thrown over the wall to dev

• Results computed WAY too late

• Results include too many false positives

• Security types have no clue how to fix anything

• Developers try to avoid being beaten by the security police

• Developers asked to “just run the tool” with no real training

• The “red screen of death” ensues

• Developers learn to game the results


Page 13: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Scaling Code Review: Path 1

• Build a centralized code review factory
  • Streamline code submission
  • Provide middleware data flow intelligence
  • Normalize results (across multiple feeds)
• Know what to look for
  • Create and enforce coding standards (carrot and stick)
  • Build custom rules that work for YOUR code
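The "normalize results across multiple feeds" step of a centralized code review factory, as an added example that is not part of the deck. Both feed formats, the file paths and the coding-standard rule are constructed for illustration; they do not correspond to any real tool's output.

```python
"""Normalize findings from two constructed SAST feeds into one schema, merge
duplicates reported by both tools, and apply a house coding standard on top."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    cwe: int
    severity: str      # "low" | "medium" | "high"
    sources: tuple     # which feeds reported it

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample feeds (hypothetical formats, not any vendor's schema).
FEED_A = [{"file": "src/auth.c", "ln": 42, "cwe": "CWE-120", "sev": "HIGH"},
          {"file": "src/util.c", "ln": 7, "cwe": "CWE-78", "sev": "MEDIUM"}]
FEED_B = [{"location": "src/auth.c:42", "cwe": 120, "severity": 2},
          {"location": "src/net.c:101", "cwe": 134, "severity": 3}]

def normalize_a(rec):
    return Finding(rec["file"], rec["ln"], int(rec["cwe"].split("-")[1]),
                   rec["sev"].lower(), ("A",))

def normalize_b(rec):
    path, ln = rec["location"].rsplit(":", 1)
    sev = {1: "low", 2: "medium", 3: "high"}[rec["severity"]]
    return Finding(path, int(ln), rec["cwe"], sev, ("B",))

def merge(findings):
    """Dedupe on (path, line, cwe); keep the higher severity, union the sources."""
    merged = {}
    for f in findings:
        key = (f.path, f.line, f.cwe)
        if key in merged:
            old = merged[key]
            sev = max(old.severity, f.severity, key=SEVERITY_RANK.__getitem__)
            merged[key] = Finding(f.path, f.line, f.cwe, sev,
                                  tuple(sorted(set(old.sources + f.sources))))
        else:
            merged[key] = f
    return sorted(merged.values(), key=lambda f: (f.path, f.line))

def apply_standard(findings, blocking_cwes=frozenset({120, 134})):
    """Assumed coding standard: memory-safety CWEs are 'high' whatever the tool said."""
    return [Finding(f.path, f.line, f.cwe,
                    "high" if f.cwe in blocking_cwes else f.severity, f.sources)
            for f in findings]

def factory_run():
    """One pass of the factory: normalize every feed, merge, then apply the standard."""
    raw = [normalize_a(r) for r in FEED_A] + [normalize_b(r) for r in FEED_B]
    return apply_standard(merge(raw))
```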


Page 14: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Scaling Code Review: Path 2 (Very New)

• Put a very simple "real-time training" tool on developer desktops
• Eliminate whole classes of bugs before they are compiled in
• Focus on coding more securely in the first place
  • Teaching is more powerful than punishing
  • Developers need to know what to DO, not what not to do
• Train developers just in time, at code writing time

Read: bit.ly/1iIcAPB


Page 15: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

SCALING ARCHITECTURE ANALYSIS


Page 16: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Remedial Code Review

• #2 Touchpoint
• Requires real expertise
• Know your components
• 56 of 67 firms review security FEATURES


Page 17: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Architecture Analysis Pitfalls

The Expert Bottleneck
• Superman required for each analysis exercise
• Lots of products and teams need analysis, but must either wait forever or skip it

Ad Hoc "Review"
• Review only as powerful as whoever bothers to show up
• No institutional knowledge or consistency


Page 18: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Architecture Analysis in the BSIMM


Page 19: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Define a Process: Architecture Risk Analysis

• Step 0: Get an architecture diagram
• Step 1: Known attack analysis
  • Leverage STRIDE by analogy
  • Know your potential flaws
• Step 2: System-specific attack analysis
  • Anticipate emergent flaws
  • Build a threat model (trust boundaries and data sensitivity)
• Step 3: Dependency analysis

Read: bit.ly/1b2f5Zk
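Step 2 of the process above (a threat model built from trust boundaries and data sensitivity), with Step 1's "STRIDE by analogy" used to name the category of each gap, as an added example that is not from the deck or from Cigital's ARA method. The components, trust zones, data flows and the required-controls table are all constructed assumptions.

```python
"""Flag data flows that cross a trust boundary carrying sensitive data without
the control the (assumed) design standard requires, and map each missing
control to the STRIDE category it most resembles."""
from dataclasses import dataclass, field

@dataclass
class Flow:
    src: str
    dst: str
    data: str            # what moves across the flow
    sensitivity: str     # "public" | "internal" | "confidential"
    controls: set = field(default_factory=set)

# Constructed sample system: which trust zone each component lives in.
ZONES = {"browser": "untrusted", "api": "dmz", "db": "internal", "auth": "internal"}

# Assumed house standard: controls required when data of a given sensitivity
# crosses a trust boundary. Public data needs nothing extra.
REQUIRED = {"confidential": {"tls", "authn"}, "internal": {"tls"}}

# STRIDE by analogy: the category a missing control most plausibly opens.
STRIDE_FOR = {"tls": "Information disclosure", "authn": "Spoofing"}

def crosses_boundary(flow):
    return ZONES[flow.src] != ZONES[flow.dst]

def find_flaws(flows):
    """Return (src, dst, data, missing controls, STRIDE categories) per gap."""
    flaws = []
    for f in flows:
        if not crosses_boundary(f):
            continue                     # same zone: no boundary to defend
        missing = REQUIRED.get(f.sensitivity, set()) - f.controls
        if missing:
            stride = sorted({STRIDE_FOR[c] for c in missing})
            flaws.append((f.src, f.dst, f.data, sorted(missing), stride))
    return flaws

# Constructed sample flows for the system above.
FLOWS = [
    Flow("browser", "api", "login form", "confidential", {"tls", "authn"}),
    Flow("api", "db", "session token", "confidential", {"authn"}),  # plaintext hop
    Flow("api", "auth", "password hash", "confidential", {"tls", "authn"}),
    Flow("db", "auth", "user record", "internal", set()),           # same zone
    Flow("api", "browser", "marketing banner", "public", set()),
]
```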


Page 20: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Scaling Architecture Analysis

• Security Architecture Survey (SAS)
  • Focus on standard components and a software component model
  • Look for your commonly encountered flaws
  • Identify common controls
  • Know your design principles
  • Consider where the SDLC breaks
• Sweep the entire portfolio
• Use a proven process like Cigital ARA for high-risk applications

Read: bit.ly/19Jmk7f


Page 21: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

IEEE Center for Secure Design

Avoiding the top ten swsec design flaws: http://cybersecurity.ieee.org/center-for-secure-design.html


Page 22: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

SCALING PENETRATION TESTING


Page 23: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Remedial Penetration Testing

• #3 Touchpoint
• Becoming a commodity (so buy some)
• 62 of 67 BSIMM firms use external pen testers
• Black box tools available


Page 24: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Penetration Testing Pitfalls

• Hiring "reformed" hackers
• Pen testing != security meter (it is a badness-ometer)


Page 25: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Penetration Testing in the BSIMM


Page 26: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Scaling Penetration Testing

• Automate with customized tools and know your attacker
  • Black box Web/mobile testing tools are cheap and fast
  • Fuzzing tools aimed at APIs also help scale
• Investigate cloud services (remote pen testing)
• Fix what you find
  • Real integration with development is important
  • Don't just throw rocks
• Periodically pen test everything you can


Page 27: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

WHERE TO LEARN MORE


Page 28: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

SearchSecurity + Justice League

1. No-nonsense monthly security column by Gary McGraw: www.searchsecurity.com

2. In-depth thought-leadership blog from the Cigital Principals: www.cigital.com/justiceleague
   • Gary McGraw
   • Sammy Migues
   • John Steven
   • Paco Hope
   • Jim DelGrosso

3. Gary McGraw’s writings: www.cigital.com/~gem/writing


Page 29: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Silver Bullet + IEEE Security & Privacy

1. Monthly Silver Bullet podcast with Gary McGraw: www.cigital.com/silverbullet

2. IEEE Security & Privacy magazine (Building Security In): www.computer.org/security/bsisub/


Page 30: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

The Book

• How to DO software security
  • Best practices
  • Tools
  • Knowledge

• Cornerstone of the Addison-Wesley Software Security Series: www.swsec.com


Page 31: Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw

Build Security In

• Read the Addison-Wesley Software Security series

• Send e-mail: [email protected]


@cigitalgem