Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
A Brief History of Software, Security, and
Software Security:
Bits, Bytes, Bugs, and the BSIMM
Gary McGraw, Ph.D.
Chief Te...
My Point of View
• Providing software security services since 1992
• Moving armies of developers in global institutions
SOFTWARE AND SECURITY
Software is Everywhere
• Information is the lifeblood of industry
• Software is in our power grid, our cars, our finances,...
Perimeter Security is Failing Us
Today’s computer and
network security
mechanisms are like the
walls, moats, and
drawbridg...
Magic Crypto Fairy Dust is not Security
“years ago I wrote another book: Applied Cryptography. I went so far as to write: ...
COST OF MITIGATION COST OF BREACHES
OPTIMAL SECURITY AT MINIMUM COST
TOTAL COST
COST ($)
0%
SECURITY LEVEL
100%
Modern Sec...
SOFTWARE SECURITY BASICS
Who should DO software security?
NOBODY
IN THE MIDDLE
Super rad developer dudes
Network security ops guys

Requirements
and Use Cases

Architecture
and Design

Test Plans

Code 
Test and
Test Results

Feedback from
the fie...
Badness-ometer != security meter
badness-ometer
Fix the Dang Software
• Software security and application security are myopically
concerned with finding bugs
• The time h...
Move Past the Bug Parade
• Software security and application security tools over
focus on simple bugs
• Design level flaws...
SCIENCE AND THE BSIMM
What is the BSIMM?
• A measurement stick for software security initiatives
• A science project that escaped the lab
• A fr...
Intel
How do you measure software security?
• Badness-ometer != security meter
• A simple tool can’t do it
• Measure the effort ...
What good does a BSIMM measurement do?
• Shows a firm where they stand relative to their peers
What good does a BSIMM measurement do?
• Describes observed
common activities
from the real world
• Demonstrates gaps
clea...
BSIMM-V+ BSIMM-
V
BSIMM4 BSIMM3 BSIMM2 BSIMM1
Firms 93 67 51 42 30 9
Measurements 216 161 95 81 49 9
2nd Measures 48 21 13...
LEARNING MORE
Resources
• THANK YOU
• Join the BSIMM Community today http://bsimm.com
• http://www.cigital.com/~gem/writings
•
@cigitalg...
Upcoming SlideShare
Loading in …5
×

4

Share

Download to read offline

A Brief History of Software, Security, and Software Security: Bits, Bytes, Bugs, and the BSIMM

Download to read offline


Software is a reasonably new human artifact that seems to grow more complex every year, even as our smart phones and the Internet of Things become easier and easier to use. These days, it’s hard to live without software. At the same time that software has become the lifeblood of modern economies, very serious security concerns have emerged. So what happens when software and security intersect? This talk will trace the history of software security from its inception 15 years ago to a multi-billion dollar industry that impacts us all daily. In the early days of software, if system architects and developers thought about security at all, they usually concentrated on the liberal application of magic crypto fairy dust. We have come a long way since then. Several things happened in the early part of the decade that set in motion a major shift in the way people build software: the release of my book Building Secure Software, the publication of Bill Gates's Trustworthy Computing memo, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft, and ultimately other large software companies, to get religion about software security. Ten years ago we all collectively realized that the way to approach software security was to integrate security practices that I term the “Touchpoints” into the software development lifecycle. Now, at the end of fifteen years of great progress in software security, we have a way of measuring software security initiatives called the BSIMM <http: />. BSIMM is helping transform the field from an art into a measurable science. This talk provides an entertaining look at the software security journey from its "bug of the day" beginnings to the multi-million dollar software security initiatives charged with corralling and controlling devops, agile methodologies, and tomorrow’s hyperfast development schedules.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

A Brief History of Software, Security, and Software Security: Bits, Bytes, Bugs, and the BSIMM

  1. 1. A Brief History of Software, Security, and Software Security: Bits, Bytes, Bugs, and the BSIMM Gary McGraw, Ph.D. Chief Technology Officer @cigitalgem
  2. 2. My Point of View • Providing software security services since 1992 • Moving armies of developers in global institutions
  3. 3. SOFTWARE AND SECURITY
  4. 4. Software is Everywhere • Information is the lifeblood of industry • Software is in our power grid, our cars, our finances, and our communications • Software is eating the world • Oh, and most software is broken
  5. 5. Perimeter Security is Failing Us Today’s computer and network security mechanisms are like the walls, moats, and drawbridges of medieval times. At one point, effective for defending against isolated attacks, mounted on horseback. Unfortunately, today’s attackers have access to predator drones and laser-guided missiles! See: “Firewalls, Fairy Dust and Forensics Fail” http://bit.ly/1kluC7F
  6. 6. Magic Crypto Fairy Dust is not Security “years ago I wrote another book: Applied Cryptography. I went so far as to write: ‘It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.’ It’s just not true. Cryptography can’t do any of that.“ - Bruce Schneier Applied Cryptography Protocols, Algorithms and Source Code in C Bruce Schneier 1996 John Wiley & Sons. Security is not a THING
  7. 7. COST OF MITIGATION COST OF BREACHES OPTIMAL SECURITY AT MINIMUM COST TOTAL COST COST ($) 0% SECURITY LEVEL 100% Modern Security is Risk Management • There is no such thing as 100% secure • Proactive security is about building things properly
  8. 8. SOFTWARE SECURITY BASICS
  9. 9. Who should DO software security? NOBODY IN THE MIDDLE Super rad developer dudes Network security ops guys
  10. 10.  Requirements and Use Cases  Architecture and Design  Test Plans  Code  Test and Test Results  Feedback from the field Abuse Cases Security Requirements Risk Analysis External Review Risk-Based Security Test Code Review (Tools) Risk Analysis Penetration Testing Security Operations Software Security Touchpoints in the SDLC 1. Code review (with a tool) 2. Architectural risk analysis 3. Penetration testing
  11. 11. Badness-ometer != security meter badness-ometer
  12. 12. Fix the Dang Software • Software security and application security are myopically concerned with finding bugs • The time has come to stop over focusing on new bugs to add to the (infinite) list • Work on fixing the bugs (and the other defects too)
  13. 13. Move Past the Bug Parade • Software security and application security tools over focus on simple bugs • Design level flaws account for 50% of security defects • Software security is about fixing design and implementation as code is created
  14. 14. SCIENCE AND THE BSIMM
  15. 15. What is the BSIMM? • A measurement stick for software security initiatives • A science project that escaped the lab • A framework for building and tailoring Software Security Initiatives • The world’s most powerful Community of software security practitioners and executives • http://bsimm.com
  16. 16. Intel
  17. 17. How do you measure software security? • Badness-ometer != security meter • A simple tool can’t do it • Measure the effort in a software security initiative
  18. 18. What good does a BSIMM measurement do? • Shows a firm where they stand relative to their peers
  19. 19. What good does a BSIMM measurement do? • Describes observed common activities from the real world • Demonstrates gaps clearly • Provides real data and measurement to set SSI strategy • Shows progress over time
  20. 20. BSIMM-V+ BSIMM- V BSIMM4 BSIMM3 BSIMM2 BSIMM1 Firms 93 67 51 42 30 9 Measurements 216 161 95 81 49 9 2nd Measures 48 21 13 11 0 0 3rd Measures 9 4 1 0 0 0 SSG Members 1379 976 978 786 635 370 Satellite Mem. 2611 1954 2039 1750 1150 710 Developers 363,925 272,358 218,286 185,316 141,175 67,950 Applications 93,687 69,039 58,739 41,157 28,243 3970 Avg SSG Age 4.24 4.28 4.13 4.32 4.49 5.32 SSG Avg of Avgs 1.77 / 100 1.4 / 100 1.95 / 100 1.99 / 100 1.02 / 100 1.13 / 100 Financials 40 26 19 17 12 4 ISVs 32 25 19 15 7 4 High Tech 18 14 13 10 7 2
  21. 21. LEARNING MORE
  22. 22. Resources • THANK YOU • Join the BSIMM Community today http://bsimm.com • http://www.cigital.com/~gem/writings • @cigitalgem
  • mehashe

    Dec. 16, 2020
  • LuisSaiz1

    Oct. 19, 2015
  • chinasoc

    Oct. 10, 2015
  • ScottGoette

    Oct. 5, 2015

Software is a reasonably new human artifact that seems to grow more complex every year, even as our smart phones and the Internet of Things become easier and easier to use. These days, it’s hard to live without software. At the same time that software has become the lifeblood of modern economies, very serious security concerns have emerged. So what happens when software and security intersect? This talk will trace the history of software security from its inception 15 years ago to a multi-billion dollar industry that impacts us all daily. In the early days of software, if system architects and developers thought about security at all, they usually concentrated on the liberal application of magic crypto fairy dust. We have come a long way since then. Several things happened in the early part of the decade that set in motion a major shift in the way people build software: the release of my book Building Secure Software, the publication of Bill Gates's Trustworthy Computing memo, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft, and ultimately other large software companies, to get religion about software security. Ten years ago we all collectively realized that the way to approach software security was to integrate security practices that I term the “Touchpoints” into the software development lifecycle. Now, at the end of fifteen years of great progress in software security, we have a way of measuring software security initiatives called the BSIMM &lt;http: />. BSIMM is helping transform the field from an art into a measurable science. This talk provides an entertaining look at the software security journey from its "bug of the day" beginnings to the multi-million dollar software security initiatives charged with corralling and controlling devops, agile methodologies, and tomorrow’s hyperfast development schedules.

Views

Total views

2,320

On Slideshare

0

From embeds

0

Number of embeds

99

Actions

Downloads

51

Shares

0

Comments

0

Likes

4

×