
BSIMM-V

The Building Security In Maturity Model

Gary McGraw, Ph.D.

Chief Technology Officer

April 17, 2023

Copyright © 2015, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted 1

Cigital

• Providing software security professional services since 1992

• World's premier software security consulting firm
• 430 employees
• Washington DC, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, Amsterdam, and London

• Recognized experts in software security
• Widely published in books, white papers, and articles
• Industry thought leaders


BSIMM BASICS


We Hold These Truths to Be Self-evident

• Software security is more than a set of security functions
• Not magic crypto fairy dust
• Not silver-bullet security mechanisms

• Non-functional aspects of design are essential

• Bugs and flaws are 50/50: implementation bugs and design flaws each account for roughly half of the security defects seen in practice

• Security is an emergent property of the entire system (just like quality)

• To end up with secure software, deep integration with the SDLC is necessary


2006: A Shift from Philosophy to HOW TO

• Integrating best practices into large organizations' SDLC (that is, an SSDL)
• Microsoft's SDL
• Cigital's Touchpoints
• OWASP CLASP


Prescriptive vs. Descriptive Models

Prescriptive models
• Describe what you should do.
• SAFECode
• SAMM
• SDL
• Touchpoints
• Every firm has a methodology they follow (often a hybrid).
• You need an SSDL.

Descriptive models
• Describe what is actually happening.
• The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.

BSIMM: Software Security Measurement

• Real data from 67 real software security initiatives
• 161 measurements
• 21 firms measured more than once (4 of them three times), giving a view over time
• McGraw, Migues, & West

67 Firms in the BSIMM-V Community


Building BSIMM (2009)


• Big idea: Build a maturity model from actual data gathered from 9 well-known, large-scale software security initiatives.
• Create a software security framework.
• Interview 9 firms in person.
• Discover 110 activities through observation.
• Organize the activities in 3 levels.
• Build a scorecard.

• The model has since been validated with data from 67 firms.

• There is no special snowflake…

The Magic 30

• Since we have data from more than 30 firms, we can perform statistical analysis. (Laurie Williams from NCSU is doing more of that now.)
• How good is the model?
• What activities correlate with what other activities?
• Do high-maturity firms look the same?

• We now have 67 firms with 161 distinct measurements.
• BSIMM (the original 9)
• BSIMM Europe (9 in the EU)
• BSIMM2 (30)
• BSIMM3 (42)
• BSIMM4 (51)
• BSIMM-V (67; the current data set)

Monkeys Eat Bananas


Monkeys Eat Bananas

• BSIMM is not about good or bad ways to eat bananas, or banana best practices

• BSIMM is about observations
• BSIMM is descriptive, not prescriptive
• BSIMM describes and measures multiple prescriptive approaches

A Software Security Framework


• 4 domains
• 12 practices
• See the InformIT article on BSIMM: http://bsimm.com

Example Activity

[AA1.2] Perform design review for high-risk applications. The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing architecture analysis and breaking the architecture being considered. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale.


NEW BSIMM-V Activity

[CMVM3.4] Operate a bug bounty program. The organization solicits vulnerability reports from external researchers and pays a bounty for each verified and accepted vulnerability received. Payouts typically follow a sliding scale linked to multiple factors, such as vulnerability type (e.g., remote code execution is worth $10,000 versus CSRF is worth $750), exploitability (demonstrable exploits command much higher payouts), or specific services and software versions (widely deployed or critical services warrant higher payouts). Ad hoc or short-duration activities, such as capture-the-flag contests, do not count. [This is a new activity that will be reported on in BSIMM6.]


BSIMM-V MEASUREMENTS


Real-World Data (67 firms)

Initiative age (years)
• Average: 6
• Newest: 0.4
• Oldest: 18.1
• Median: 5.3

SSG size (people)
• Average: 14.78
• Smallest: 1
• Largest: 100
• Median: 7

Satellite size (people)
• Average: 29.6
• Smallest: 0
• Largest: 400
• Median: 4

Development group size (people)
• Average: 4190
• Smallest: 11
• Largest: 30,000
• Median: 1600

Average SSG size: 1.4% of development group size (the average of the per-firm SSG-to-developer ratios, i.e. 1.4 SSG members per 100 developers)

BSIMM-V Scorecard


Earth (67)


BSIMM-V AS A MEASURING STICK


BSIMM-V as a Measuring Stick

• Compare a firm with its peers using the high water mark view (per practice, the highest level at which any activity was observed)
• Compare business units
• Chart an SSI over time

BSIMM-V Scorecard with FAKE Firm Data

• Top 12 activities
• Purple = good?
• Red = bad?

• "Blue shift": practices to emphasize

COMPARING GROUPS OF FIRMS


We Are a Special Snowflake (NOT!)

ISV (25) results are similar to financial services (26)


BSIMM Longitudinal: Improvement Over Time

• 21 firms measured twice (an average of 24 months apart)
• Show how firms improve

• An average 16% increase in observed activities between measurements

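The two comparisons just described, the high water mark view against a peer group and the change in observed activities between two measurements of the same initiative, come down to a small amount of bookkeeping over activity identifiers. The following is an added example, not Cigital's or the BSIMM project's own tooling: it uses the BSIMM activity naming scheme visible on this page (practice abbreviation, level digit, activity number, as in AA1.2 and CMVM3.4), but the observed-activity lists and the peer high water marks are constructed sample data, not BSIMM-V measurements.

```python
"""High water mark scorecard for a BSIMM-style software security initiative.

Added example, not Cigital's or the BSIMM project's own tooling. Activity
IDs follow the BSIMM naming scheme seen in the slides (practice
abbreviation, level digit, activity number, e.g. AA1.2 or CMVM3.4). The
observed-activity lists and the peer high water marks below are constructed
sample data, not BSIMM-V measurements.
"""
import re

# The 12 BSIMM practices, grouped into the model's 4 domains.
DOMAINS = {
    "Governance": ["SM", "CP", "T"],
    "Intelligence": ["AM", "SFD", "SR"],
    "SSDL Touchpoints": ["AA", "CR", "ST"],
    "Deployment": ["PT", "SE", "CMVM"],
}
PRACTICES = [p for practices in DOMAINS.values() for p in practices]

# <practice><level>.<number>, where level is one of the model's 3 levels.
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")


def parse_activity(activity_id):
    """Split 'CMVM3.4' into ('CMVM', 3, 4); reject IDs outside the scheme."""
    m = ACTIVITY_RE.match(activity_id)
    if m is None or m.group(1) not in PRACTICES:
        raise ValueError("not a BSIMM activity ID: %r" % activity_id)
    return m.group(1), int(m.group(2)), int(m.group(3))


def high_water_marks(observed):
    """Per practice, the highest level at which any activity was observed.

    This is the high water mark view used for the spider chart: a practice
    with no observed activity scores 0, one with only level-1 activities
    scores 1, and so on up to 3.
    """
    hwm = {p: 0 for p in PRACTICES}
    for activity_id in set(observed):
        practice, level, _ = parse_activity(activity_id)
        hwm[practice] = max(hwm[practice], level)
    return hwm


def compare_to_peers(firm_hwm, peer_hwm):
    """Practices where the firm sits below its peers' high water mark
    (candidates to emphasize) and where it sits above."""
    below = sorted(p for p in PRACTICES if firm_hwm[p] < peer_hwm[p])
    above = sorted(p for p in PRACTICES if firm_hwm[p] > peer_hwm[p])
    return below, above


def activity_growth_percent(first, second):
    """Percent change in distinct observed activities between two
    measurements of the same initiative (the longitudinal view)."""
    before, after = len(set(first)), len(set(second))
    if before == 0:
        raise ValueError("first measurement has no observed activities")
    return 100.0 * (after - before) / before


# Constructed sample data: one firm measured twice, two years apart.
FIRM_2013 = ["SM1.1", "CP1.1", "T1.1", "AM1.2", "SR1.1", "AA1.1",
             "CR1.4", "ST1.1", "PT1.1", "SE1.1", "CMVM1.1", "CMVM1.2"]
# Second measurement: one level-2 and one level-3 activity added.
FIRM_2015 = FIRM_2013 + ["SM2.1", "CMVM3.4"]

# Constructed peer high water marks (e.g. the median of a vertical's chart).
PEER_HWM = {"SM": 2, "CP": 2, "T": 1, "AM": 2, "SFD": 1, "SR": 2,
            "AA": 2, "CR": 2, "ST": 2, "PT": 1, "SE": 2, "CMVM": 2}


if __name__ == "__main__":
    hwm = high_water_marks(FIRM_2015)
    for domain, practices in DOMAINS.items():
        print(domain)
        for p in practices:
            sign = "<" if hwm[p] < PEER_HWM[p] else ">" if hwm[p] > PEER_HWM[p] else "="
            print("  %-5s firm=%d %s peers=%d" % (p, hwm[p], sign, PEER_HWM[p]))
    below, above = compare_to_peers(hwm, PEER_HWM)
    print("emphasize:", ", ".join(below))
    print("ahead of peers:", ", ".join(above))
    print("activity growth 2013->2015: %.1f%%"
          % activity_growth_percent(FIRM_2013, FIRM_2015))
```

Two points of the model are visible in the output. Adding CMVM3.4 lifts the firm's CMVM mark to 3 even though only one level-3 activity is present, which is exactly why the high water mark view flatters a firm with one isolated advanced activity and why the slides pair it with the activity-count scorecard. And the growth figure counts distinct activities, so re-observing an activity already present in the first measurement contributes nothing.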

BSIMM By the Numbers


(BSIMM-V+ is the data set gathered since BSIMM-V, 93 firms at the time of this talk, on the way to BSIMM6.)

                 BSIMM-V+   BSIMM-V    BSIMM4    BSIMM3    BSIMM2    BSIMM1
Firms                  93        67        51        42        30         9
Measurements          216       161        95        81        49         9
2nd Measures           48        21        13        11         0         0
3rd Measures            9         4         1         0         0         0
SSG Members          1379       976       978       786       635       370
Satellite Mem.       2611      1954      2039      1750      1150       710
Developers        363,925   272,358   218,286   185,316   141,175    67,950
Applications       93,687    69,039    58,739    41,157    28,243      3970
Avg SSG Age (yrs)    4.24      4.28      4.13      4.32      4.49      5.32
SSG Avg of Avgs  1.77/100   1.4/100  1.95/100  1.99/100  1.02/100  1.13/100
Financials             40        26        19        17        12         4
ISVs                   32        25        19        15         7         4
High Tech              18        14        13        10         7         2

(SSG Avg of Avgs: average over firms of each firm's SSG members per 100 developers.)

The BSIMM Community


BSIMM Conferences
• 2010: Annapolis, MD
• 2011: Stevenson, WA
• 2012: Galloway, NJ
• 2013: Dulles, VA
• 2014: Monterey, CA
• 2015: Denver, CO

BSIMM EU Conferences
• 2012: Amsterdam
• 2013: London
• 2014: Oxford
• 2015: Windsor (this week)

BSIMM RSA Mixers
• 2010 through 2015: every year at RSA

BSIMM Mailing List
• Moderated
• High signal-to-noise ratio

BSIMM Community Conference 2015
• November in Denver

BSIMM-V to BSIMM6

• BSIMM-V released October 2013 under a Creative Commons license
• http://bsimm.com
• Italian, German, and Spanish translations available

• BSIMM is a yardstick
• Use it to see where you stand
• Use it to figure out what your peers do

• BSIMM-V → BSIMM6
• BSIMM is growing (93 firms)
• Goal = 100 firms


WHERE TO LEARN MORE


SearchSecurity + Justice League

1. In-depth thought-leadership blog from the Cigital Principals:
• Gary McGraw
• Sammy Migues
• John Steven
• Paco Hope
• Jim DelGrosso

www.cigital.com/justiceleague

2. No-nonsense monthly security column by Gary McGraw:

www.searchsecurity.com

3. Gary McGraw’s blog: www.cigital.com/~gem/writing


Silver Bullet + IEEE Security & Privacy

1. Monthly Silver Bullet podcast with Gary McGraw:

www.cigital.com/silverbullet

2. Building Security In Software Security Best Practices column

www.computer.org/security/bsisub/


The Book

• How to DO software security
• Best practices
• Tools
• Knowledge

• Cornerstone of the Addison-Wesley Software Security Series: www.swsec.com


Build Security In

• Real Software Security Measurement http://bsimm.com

• Read the Addison-Wesley Software Security series

• Send e-mail: [email protected]
• @cigitalgem


Thank You
