Software Confidence. Achieved.
March 2011
BSIMM: The Building Security In Maturity Model
Gary McGraw, Ph.D., Chief Technology Officer, Cigital


Page 1 (title slide)

Page 2

© 2011 Cigital Inc.

We hold these truths to be self-evident

Software security is more than a set of security functions: not magic crypto fairy dust, not silver-bullet security mechanisms
Non-functional aspects of design are essential
Bugs (implementation) and flaws (design) are 50/50
Security is an emergent property of the entire system (just like quality)
To end up with secure software, deep integration with the SDLC is necessary

Page 3

BSIMM: Software Security Measurement (McGraw, Chess & Migues)

Real data from 33 real initiatives, 60 measurements
PlexLogic

Page 4

33 software security initiatives measured (participating firms shown as logos, Intel among them, plus eleven unnamed firms)

Page 5

The magic 30

Since we have data from more than 30 firms we can perform statistical analysis: How good is the model? What activities correlate with what other activities? Do high-maturity firms look the same? Etc.
We now have 33 firms (and more underway): BSIMM (the nine), BSIMM Europe (nine in the EU), BSIMM2 (30), some underway

Page 6

Building BSIMM (2009)

Big idea: build a maturity model from actual data gathered from 9 of ~60 known large-scale software security initiatives
Create a software security framework
Nine in-person executive interviews
Build bullet lists (one per practice)
Bucketize the lists to identify activities
Create levels
Result: objectives and activities, 109 activities supported by real data, three levels of "maturity"
The model has been validated with data from more than 30 firms

Page 7

Monkeys eat bananas

BSIMM is not about good or bad ways to eat bananas or banana best practices

BSIMM is about observations

BSIMM is descriptive, not prescriptive


Page 8

A Software Security Framework

Four domains, twelve practices
See the informIT article on the BSIMM website: http://bsimm.com

Page 9

Training practice skeleton

Page 10

Example activity

[T1.3] Establish SSG office hours. The SSG offers help to any and all comers during an advertised lab period or regularly scheduled office hours. By acting as an informal resource for people who want to solve security problems, the SSG leverages teachable moments and emphasizes the carrot over the stick. Office hours might be held one afternoon per week in the office of a senior SSG member.

Page 11

BSIMM2 Scorecard

109 activities, 3 levels
Top 15 things: the activities observed at the 66% cutoff (in at least 20 of 30 firms), highlighted in yellow

Page 12

BSIMM2 as a measuring stick

Compare a firm with peers using the high water mark view (per practice, the highest level at which the firm performs any activity)

Descriptive (not prescriptive)

Page 13

BSIMM2 scorecard with firm data

Top 15 things: green = good? red = bad?
"Blue shift": practices to emphasize; activities you should maybe think about are shown in brown
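The arithmetic behind the scorecard, measuring-stick and blue-shift slides, worked on constructed data as an added example (this is not code from the talk, from Cigital or from the BSIMM documents): which activities clear the two-thirds cutoff and so make the "top things", the per-practice high water mark used for the peer comparison, and the list of common activities a firm does not yet do. The activity catalog, the practice names and the six firms' observations are all made up for the example; the real model has 12 practices and 109 activities, and only the activity naming scheme (practice abbreviation, level, index, as in [T1.3]) comes from the slides.

```python
"""BSIMM-style scorecard arithmetic on constructed data.

Added example; not code from the talk, Cigital or the BSIMM documents.
Catalog, practice names and firm observations are constructed and much
smaller than the real model (12 practices, 109 activities). Only the
activity naming scheme ([T1.3]: practice, level, index) follows the slides.
"""
from collections import Counter

# Constructed catalog: activity id -> (practice, maturity level 1..3).
CATALOG = {
    "T1.1": ("Training", 1),
    "T1.3": ("Training", 1),
    "T2.1": ("Training", 2),
    "T3.1": ("Training", 3),
    "AM1.1": ("Attack Models", 1),
    "AM2.1": ("Attack Models", 2),
    "CR1.1": ("Code Review", 1),
    "CR2.1": ("Code Review", 2),
    "CR3.1": ("Code Review", 3),
}

# Constructed observations: firm -> activities an assessor observed.
FIRMS = {
    "F1": {"T1.1", "T1.3", "T2.1", "AM1.1", "CR1.1", "CR2.1"},
    "F2": {"T1.1", "AM1.1", "CR1.1"},
    "F3": {"T1.1", "T1.3", "T3.1", "AM1.1", "AM2.1", "CR1.1", "CR3.1"},
    "F4": {"T1.1", "CR1.1"},
    "F5": {"T1.3", "AM1.1", "CR1.1", "CR2.1"},
    "F6": {"T1.1", "T2.1", "AM1.1", "CR1.1"},
}


def activity_counts(firms):
    """How many firms were observed doing each activity."""
    counts = Counter()
    for observed in firms.values():
        counts.update(observed)
    return counts


def min_firms(n, num=2, den=3):
    """Smallest firm count meeting a num/den cutoff, in integer arithmetic
    (two thirds of 30 firms is 20, as on the scorecard slide)."""
    return -(-n * num // den)


def top_activities(firms, num=2, den=3):
    """'Top things': activities observed in at least num/den of the firms,
    most common first, activity id as tie-break."""
    counts = activity_counts(firms)
    needed = min_firms(len(firms), num, den)
    hits = [(a, c) for a, c in counts.items() if c >= needed]
    return sorted(hits, key=lambda ac: (-ac[1], ac[0]))


def high_water_marks(observed, catalog):
    """Per practice, the highest level at which the firm does any activity.
    A level-3 activity counts even if level 2 is empty, so this view is
    deliberately coarse: it summarises, it does not grade."""
    marks = {practice: 0 for practice, _ in catalog.values()}
    for activity in observed:
        practice, level = catalog[activity]
        marks[practice] = max(marks[practice], level)
    return marks


def peer_high_water_marks(firms, catalog):
    """Average high water mark per practice over all firms: the peer curve
    a single firm's marks are drawn against."""
    totals = Counter()
    for observed in firms.values():
        totals.update(high_water_marks(observed, catalog))
    return {p: totals[p] / len(firms) for p, _ in catalog.values()}


def blue_shift(observed, firms, num=2, den=3):
    """Top activities this firm does not do yet: the activities the slide
    says you should maybe think about."""
    return [a for a, _ in top_activities(firms, num, den) if a not in observed]


def scorecard(name, firms, catalog):
    """Rows of (activity, practice, level, firms doing it, top?, this firm?)."""
    counts = activity_counts(firms)
    top = {a for a, _ in top_activities(firms)}
    rows = []
    for activity, (practice, level) in sorted(catalog.items()):
        rows.append((activity, practice, level, counts[activity],
                     activity in top, activity in firms[name]))
    return rows


if __name__ == "__main__":
    for row in scorecard("F4", FIRMS, CATALOG):
        print("%-6s %-14s L%d  firms=%d  top=%s  F4=%s" % row)
    print("F4 high water marks:", high_water_marks(FIRMS["F4"], CATALOG))
    print("peer average:", peer_high_water_marks(FIRMS, CATALOG))
    print("F4 blue shift:", blue_shift(FIRMS["F4"], FIRMS))
```

The cutoff is kept as a ratio in integer arithmetic so that 20 of 30 clears it exactly, without floating-point rounding deciding whether the twentieth firm counts. The high water mark deliberately ignores gaps below the top observed level; that coarseness is the point of the slide's "descriptive, not prescriptive" caveat.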

Page 14

We are a special snowflake (NOT)

ISV (7) results are similar to financial services (12)
BSIMM Europe vs BSIMM US
You do the same things
You can demand the same results

Page 15

BSIMM Community Events

22 firms gathered in Annapolis, MD, Nov 9-11 2010: 9 talks by SSG leaders, a workshop on efficiency and effectiveness, intense networking
BSIMM mailing list (high S/N ratio)
A BSIMM Community Mixer at RSA 2011 included: new logo revealed, update on BSIMM3, BSIMM Longitudinal results, music and mixology

Page 16

BSIMM2 to BSIMM3

BSIMM2 released April 2010 under Creative Commons, http://bsimm.com; Italian and German translations available
BSIMM is a yardstick: use it to see where you stand, and to figure out what your peers do
BSIMM3: BSIMM Longitudinal (10), BSIMM3 (40)

Page 17

Get involved in the BSIMM Community http://bsimm.com

See the Addison-Wesley Software Security series

Send e-mail: [email protected]

"So now, when we face a choice between adding features and resolving security issues, we need to choose security." - Bill Gates