BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014

Abstract: The Building Security In Maturity Model (or BSIMM)

BSIMM observes and measures what firms' software security initiatives are actually doing. John, who has helped several firms build or improve their security initiatives, will share sometimes surprising data about security initiatives big and small. His presentation will focus on what
activities organizations use to "boot" security initiatives and which they presently focus on.

Published in: Technology
  • Every one of the 51 firms we have measured has an SSDL. Most are hybrids of popular methodologies.
  • While this definition is not necessarily worthy of the OED, it suffices for our purposes. For those of you forming the words, "But what about…" in your heads right now, I refer you to the words of a Mr. H. Dumpty. Yes, there are likely shorter and longer ways to define a software security initiative. I certainly wouldn't go to the press with this, but it's important to understand these nuances as we think about ways to attach our offerings to a firm's current state of existence. Again, why would we do that?
  • We have yet to encounter a firm that cannot be measured with the BSIMM. To be sure, some firms are more complicated than others, but the BSIMM was designed to measure all SSDLs encountered on the planet.
  • There is plenty of confusion (especially in the press) about methodologies and measurement tools. The BSIMM is not a methodology. It is a measurement tool. The BSIMM is used to measure and describe (in common terms) each of the 51 distinct SSDL methodologies in use in the BSIMM Community. See the InformIT article "BSIMM versus SAFECode and Other Kaiju Cinema" (Dec 26, 2011) http://bit.ly/tLIOnJ
  • See the informIT article "Cargo Cult Computer Security" (January 28, 2010) http://bit.ly/9HO6ex
  • BSIMM articles and the BSIMM itself can be found on the website at http://bsi-mm.com. The SSF is covered exclusively in an informIT article: "A Software Security Framework: Working Towards a Realistic Maturity Model" (October 15, 2008) http://bit.ly/NDMkYn
  • Each practice has a set of activities associated with it. They are divided into 3 levels.
  • These are some self-evident truths about software security. For more on the basics, see Software Security (2006) http://swsec.com
  • A simple spreadsheet is going to drive the entire process (outsource this to the business). What – risk, business analysts. How – architects, developers. Who – TM first step (security). Impact – multiple stakeholders. --- VP #1: The goal of this chart (and the effort overall) is completeness: to think more thoroughly about who will attack you and how.
  • Transcript of "BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014"

    1. The OWASP Foundation, http://www.owasp.org
       Building a Security Initiative (Field +XP & Measures)
       -jOHN (Steven), Internal CTO, Cigital Inc., @m1splacedsoul
    2. This Presentation …is about observed trends, DISCUSSION to follow
       • Wild West AppSec – State of assessment
       • Growing Up – Security Initiatives
       • BSIMM – Measuring Security Initiatives
       • What Most Firms Are "On Top" of…
       • What Firms Struggle with Today
    3. '06: Shift Philosophy to HOW
       • Cigital's Touchpoints
       • Microsoft's SDL
       • OWASP CLASP (2001)
    4. State of Assessment
    5. Assessment is TOUGH
       • Dynamic Assessment (tools): <= 10% statement coverage IFF Authenticated
       • Manual Penetration Testing? Including "Expert Crawling"
       • What about static analysis (tools)? SCR?
    6. Actual Results Breakdown
       • Static tool: 20%; Dynamic tool: 5%; Manual SCR: 15%; Architecture Risk Analysis: 60%
       • Static tool: 12%; Dynamic Tool: 12%; Manual SCR: 21%; Manual Pen: 21%; ARA: 14%; Sec Testing: 20%
    7. We Won't Test Our Way to Security, Orgs need Security Initiative
    8. (no transcribed text on this slide)
    9. A software security initiative, more: A software security initiative is an:
       • executive-backed,
       • permanently-staffed,
       • metrics-driven investment in…
       • software security policy and standards,
       • "secure SDLC" gates, and
       • governance knowledge, processes, and tools to implement capabilities across a reasonable cross-section of the application portfolio.
    10. Security Initiative != Does *NOT* mean…
       • Heavy Waterfall Process
       • Microsoft SDL
       • Audit
    11. Security Initiative ~=
       • May look very different than other organizations'
       • Needs to match an organization's culture
    12. Where Orgs Are …and how do we know? We've measured.
    13. Building BSIMM (2009)
       • Big idea: Build a maturity model from actual data gathered from 9 well known large-scale software security initiatives: create a software security framework; interview nine firms in-person; discover 110 activities through observation; organize the activities in 3 levels; build scorecard
       • The model has been validated with data from 51 firms
    14. Prescriptive vs. Descriptive
       • Prescriptive models describe what you should do: SAFECode, SAMM, SDL, Touchpoints
       • Every firm has a methodology they follow (often a hybrid)
       • You need an SSDL
       • Descriptive models describe what is actually happening
       • The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs
    15. Monkeys Eat Bananas
       • BSIMM is not about good or bad ways to eat bananas or banana best practices
       • BSIMM is about observations
       • BSIMM is descriptive, not prescriptive
       • BSIMM describes and measures multiple prescriptive approaches
    16. Yeah but we're different
       • You *are* a special snowflake, just like everyone else
       • All snowflakes are equally special
       • No matter how special a snowflake you are, you'll still melt when it's hot out.
    17. …but they're HUGE right?
    18. BSIMM Basics
    19. A Software Security Framework
       • Four domains
       • Twelve practices
       • See informIT article on BSIMM website http://bsimm.com
    20. Architecture Analysis Practice Skeleton
    21. …It could have been worse
    22. Where Orgs Are (Actually this time)
    23. We Hold These Truths to be Self-evident
       • Someone (a security group) has to be responsible
       • Software security is more than a set of security functions: not magic crypto fairy dust
       • Non-functional aspects of design are essential: not silver-bullet security mechanisms
       • Bugs and flaws are 50/50
       • To end up with secure software, deep integration with the SDLC is necessary
    24. 12 Common Activities
       1. SM1.4 Identify gate locations, gather necessary artifacts;
       2. CP1.2 Identify PII obligations;
       3. T1.1 Provide awareness training;
       4. AM1.5 Gather attack intelligence;
       5. SFD1.1 Build and publish security features;
       6. SR1.1 Create security standards;
       7. AA1.1 Perform security feature review;
       8. CR1.4 Use automated tools along with manual review;
       9. ST1.1 Ensure quality assurance (QA) supports edge/boundary value condition testing;
       10. PT1.1 Use external penetration testers to find problems;
       11. SE1.2 Ensure host and network security basics are in place; and
       12. CMVM1.2 Identify software defects found in operations monitoring and feed them back to development.
    25. Evolving Initiatives (2012)
       • Build an SSG
       • Something in Architecture
       • Use automated tools @ scale
       • Security Sign-off
       (diagram labels: 3rd Party, Metrics, VA, Configuration Management, Vulnerability Management, CR Portal, Security Sign-off, Attack Intelligence, Assessment)
    26. Something in Architecture
       • US vs. Them
       • Ugly babies
       • Unfunded fixes
       • Lock-in
    27. One Architecture Climb (diagram; activities listed top of the climb first, timeline labels Year 5, Year 3, Year 2, Year 1)
       • 3.2 Results → Arch. Patterns
       • 2.3 Make SSG Available
       • 1.3 SSG Reviews
       • 2.2 Standardize Descriptions
       • 1.2 Perform Review
       • 1.1 Feature Review
    28. Automation = <anything> + Plumbing
    29. Static Step by Step
    30. Plumbing can mean email…
    31. Real Sign-off
    32. Evolving Initiatives (2014)
       • Metrics driving budget
       • Gather attack Intelligence
       • Security comes to Agile
       • Open source risk
       • Something in Architecture, maybe threat modeling? (again)
       • Security BAU
       • Dev doing Security (particularly static testing)
       • CM & VM plumbing (making previous ideas tools)
       (diagram labels: 3rd Party, Metrics, VA, Configuration Management, Vulnerability Management, CR Portal, Security Sign-off, Attack Intelligence, Assessment)
    33. Metrics-driven Budget
    34. Security Intelligence
    35. Threat Traceability Matrix (column headings and what each column holds)
       • Who → Threat
       • Where → Attack Surface
       • What → Asset/Privilege
       • How → Attack Vector
       • So what? → Impact
       • Now what? → Mitigation
    36. Addressing Threat Intel helps the Something (Anything) in architecture
    37. SSIs Fit Naturally into Agile (diagram labels): Top 2,3; Awareness (pre-training); Top 10; Passwords, SSL; [Open Source]; Automation; Configuration Mgmt, plumbing; Infrastructure Security; API; Threat Modeling; Risk Management; Security Libraries
    38. Vuln + Config. Management
       • Build a pile, rank the pile: rank applications w/in portfolio
       • Call a spade a spade: standardize names for vulnerabilities; normalize assessment / tool scoring
       • Prioritize: calculate risk effectively
       • Go from "hated cop" to B.A.U.: establish security gates; integrate with normal change/bug management
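The "build a pile, rank the pile" slide, worked as a small script. This is an added example, not code from the talk, Cigital or BSIMM: it maps two assumed tools' own vulnerability labels onto standard names, normalizes their different scoring scales, weights each finding by the application's (assumed) tier in the portfolio, and ranks the resulting pile. Tool names, scales, tier weights and the sample findings are all constructed for the demo.

```python
from dataclasses import dataclass

# "Call a spade a spade": map each tool's own label onto one standard name.
# Tool names and labels are assumed for the demo, not real tool output.
STANDARD_NAMES = {
    ("statictool", "SQLI-001"): "sql-injection",
    ("dynatool", "Blind SQL Injection"): "sql-injection",
    ("statictool", "XSS-REFLECTED"): "cross-site-scripting",
    ("dynatool", "Reflected XSS"): "cross-site-scripting",
}
TOOL_SCALES = {"statictool": 5.0, "dynatool": 100.0}  # assumed max score per tool
APP_TIER_WEIGHT = {"tier1": 1.0, "tier2": 0.6, "tier3": 0.3}  # assumed portfolio rank

@dataclass(frozen=True)
class Finding:
    tool: str
    raw_name: str
    raw_score: float
    app: str
    app_tier: str

def normalize(f: Finding) -> dict:
    """Standard name plus a 0..1 severity so findings from different tools compare."""
    name = STANDARD_NAMES.get((f.tool, f.raw_name), f"unmapped:{f.raw_name}")
    severity = min(max(f.raw_score / TOOL_SCALES[f.tool], 0.0), 1.0)
    return {"name": name, "severity": severity, "app": f.app, "tier": f.app_tier}

def risk(item: dict) -> float:
    """Prioritise: severity weighted by the app's place in the portfolio."""
    return round(item["severity"] * APP_TIER_WEIGHT[item["tier"]], 3)

def rank_pile(findings: list) -> list:
    """Build the pile: one entry per (app, issue), keep the worst score, rank by risk."""
    pile = {}
    for f in findings:
        n = normalize(f)
        key = (n["app"], n["name"])
        if key not in pile or n["severity"] > pile[key]["severity"]:
            pile[key] = n
    ranked = sorted(pile.values(), key=risk, reverse=True)
    for item in ranked:
        item["risk"] = risk(item)
    return ranked

SAMPLE = [  # constructed findings: two tools report the same issue under different names
    Finding("statictool", "SQLI-001", 5.0, "payments", "tier1"),
    Finding("dynatool", "Blind SQL Injection", 70.0, "payments", "tier1"),
    Finding("dynatool", "Reflected XSS", 90.0, "intranet-wiki", "tier3"),
    Finding("statictool", "XSS-REFLECTED", 3.0, "payments", "tier1"),
]
```

The duplicate SQL injection on `payments` collapses to one entry at the worse of the two normalized scores, and the tier-3 wiki's high-scoring XSS ranks below the tier-1 application's lower-scoring one.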
