Scaling a Software Security Initiative: Lessons from the BSIMM with Gary McGraw
TRANSCRIPT
Scaling a Software Security Initiative: Lessons from the BSIMM
Gary McGraw, Ph.D., Chief Technology Officer
May 1, 2023
Copyright © 2015, Cigital and/or its affiliates. All rights reserved
@cigitalgem
Cigital
• Providing software security professional services since 1992
• World’s premier software security consulting firm
• 350 employees
• 13 offices including Dulles, Boston, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, Amsterdam, and London
• Recognized experts in software security
BSIMM-V
67 Firms in the BSIMM-V Community
• Real data from 67 firms
• 161 measurements
• 21 over time
• McGraw, Migues, & West
• bsimm.com
• plus 24 anonymous firms
Monkeys Eat Bananas
• BSIMM is not about good or bad ways to eat bananas or banana best practices
• BSIMM is about observations
• BSIMM is descriptive, not prescriptive
• BSIMM describes and measures multiple prescriptive approaches
BSIMM by the Numbers
BSIMM describes and measures the work of 2930 full-time software security people controlling the work of 272,358 developers.
12 Practices 112 Activities
• Real activities, not theories
• Real data
• How do the 67 BSIMM firms carry out a practice?
• How do the practices scale?
BSIMM-V = Measuring Stick
SCALING CODE REVIEW
Remedial Code Review
• #1 Touchpoint
• Get a tool (HP/Fortify, IBM/Ounce, Coverity, Cigital SecureAssist)
• 50 of 67 firms have an automated tool
Code Review in the BSIMM
Code Review Pitfalls
Security runs a complex tool:
• Results computed WAY too late
• Results include too many false positives
• Security types have no clue how to fix anything
• Developers try to avoid being beaten by the security police
Tool thrown over the wall to dev:
• Developers asked to “just run the tool” with no real training
• The “red screen of death” ensues
• Developers learn to game the results
Scaling Code Review: Path 1
• Build a centralized code review factory
• Streamline code submission
• Provide middleware data flow intelligence
• Normalize results (across multiple feeds)
• Know what to look for
• Create and enforce coding standards (carrot and stick)
• Build custom rules that work for YOUR code
Scaling Code Review: Path 2 (Very New)
• Put a very simple “real-time training” tool on developer desktops
• Eliminate whole classes of bugs before they are compiled in
• Focus on coding more securely in the first place
• Teaching is more powerful than punishing
• Developers need to know what to DO, not what not to do
• Train developers just in time at code writing time
Read: bit.ly/1iIcAPB
SCALING ARCHITECTURE ANALYSIS
Remedial Code Review
• #2 Touchpoint
• Requires real expertise
• Know your components
• 56 of 67 firms review security FEATURES
Architecture Analysis Pitfalls
The Expert Bottleneck:
• Superman required for each analysis exercise
• Lots of products and teams need analysis, but must either wait forever or skip it
Ad Hoc “Review”:
• Review only as powerful as whoever bothers to show up
• No institutional knowledge or consistency
Architecture Analysis in the BSIMM
Define a Process: Architecture Risk Analysis
• Step 0: Get an architecture diagram
• Step 1: Known attack analysis
  • Leverage STRIDE by analogy
  • Know your potential flaws
• Step 2: System-specific attack analysis
  • Anticipate emergent flaws
  • Build a threat model (trust boundaries and data sensitivity)
• Step 3: Dependency analysis
Read: bit.ly/1b2f5Zk
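An added worked example of Steps 1 to 3 above (example code, not Cigital's ARA process or tooling): the model below records components with their trust zones and dependencies, asks the STRIDE-by-analogy questions only for data flows that cross a trust boundary, weights the disclosure question by data sensitivity, and maps each dependency to the zones it is deployed in. The components, zones, flows and library names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    zone: str                      # trust zone, e.g. "internet", "dmz", "internal"
    deps: list[str] = field(default_factory=list)   # third-party code (Step 3)

@dataclass
class Flow:
    src: str
    dst: str
    data: str
    sensitivity: int               # 0 public .. 3 secret

# Step 1 by analogy: the STRIDE questions a boundary-crossing flow invites.
STRIDE_BY_ANALOGY = {
    "S": "spoofing: is the caller authenticated across this boundary?",
    "T": "tampering: is the data integrity-checked on receipt?",
    "I": "disclosure: is sensitive data protected in transit?",
    "E": "elevation: does the receiver re-check authorization itself?",
}

def threat_model(components: list[Component], flows: list[Flow]) -> list[str]:
    """Step 2: STRIDE questions for every flow that crosses a trust boundary."""
    zone = {c.name: c.zone for c in components}
    out = []
    for f in flows:
        if zone[f.src] == zone[f.dst]:
            continue               # same zone: no trust boundary crossed
        for code, question in STRIDE_BY_ANALOGY.items():
            if code == "I" and f.sensitivity < 2:
                continue           # disclosure only matters for sensitive data
            out.append(f"{f.src}->{f.dst} [{f.data}] {question}")
    return out

def dependency_analysis(components: list[Component]) -> dict[str, list[str]]:
    """Step 3: map each dependency to the trust zones it is deployed in."""
    reach: dict[str, set[str]] = {}
    for c in components:
        for d in c.deps:
            reach.setdefault(d, set()).add(c.zone)
    return {d: sorted(z) for d, z in reach.items()}
# Constructed system: browser (internet) -> web app (dmz) -> database (internal).
COMPONENTS = [Component("browser", "internet"),
              Component("webapp", "dmz", ["libxml", "jwtlib"]),
              Component("db", "internal", ["libxml"])]
FLOWS = [Flow("browser", "webapp", "login form", 3),
         Flow("webapp", "db", "account query", 1),
         Flow("webapp", "webapp", "session cache", 2)]
```

Running `threat_model(COMPONENTS, FLOWS)` yields seven questions (four for the internet-to-DMZ login flow, three for the DMZ-to-internal query, none for the in-zone cache), and the dependency map shows that a flaw in `libxml` reaches both the DMZ and the internal zone.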
Scaling Architecture Analysis
• Security Architecture Survey (SAS)
• Focus on standard components and a software component model
• Look for your commonly encountered flaws
• Identify common controls
• Know your design principles
• Consider where the SDLC breaks
• Sweep the entire portfolio
• Use a proven process like Cigital ARA for high-risk applications
Read: bit.ly/19Jmk7f
IEEE Center for Secure Design
Avoiding the top ten swsec design flaws: http://cybersecurity.ieee.org/center-for-secure-design.html
SCALING PENETRATION TESTING
Remedial Penetration Testing
• #3 Touchpoint
• Becoming a commodity (so buy some)
• 62 of 67 BSIMM firms use external pen testers
• Black box tools available
Penetration Testing Pitfalls
• Hiring “reformed” hackers
• Pen testing != security meter (it is a badness-ometer)
Penetration Testing in the BSIMM
Scaling Penetration Testing
• Automate with customized tools and know your attacker
• Black box Web/mobile testing tools are cheap and fast
• Fuzzing tools aimed at APIs also help scale
• Investigate cloud services (remote pen testing)
• Fix what you find
• Real integration with development is important
• Don’t just throw rocks
• Periodically pen test everything you can
WHERE TO LEARN MORE
SearchSecurity + Justice League
1. No-nonsense monthly security column by Gary McGraw: www.searchsecurity.com
2. In-depth thought-leadership blog from the Cigital Principals: www.cigital.com/justiceleague
   • Gary McGraw
   • Sammy Migues
   • John Steven
   • Paco Hope
   • Jim DelGrosso
3. Gary McGraw’s writings: www.cigital.com/~gem/writing
Silver Bullet + IEEE Security & Privacy
1. Monthly Silver Bullet podcast with Gary McGraw: www.cigital.com/silverbullet
2. IEEE Security & Privacy magazine (Building Security In): www.computer.org/security/bsisub/
The Book
• How to DO software security
  • Best practices
  • Tools
  • Knowledge
• Cornerstone of the Addison-Wesley Software Security Series: www.swsec.com
Build Security In
• Read the Addison-Wesley Software Security series
• Send e-mail: [email protected]
@cigitalgem