SlideShare a Scribd company logo
1 of 22
A Brief History of Software, Security, and
Software Security:
Bits, Bytes, Bugs, and the BSIMM
Gary McGraw, Ph.D.
Chief Technology Officer
@cigitalgem
My Point of View
• Providing software security services since 1992
• Moving armies of developers in global institutions
SOFTWARE AND SECURITY
Software is Everywhere
• Information is the lifeblood of industry
• Software is in our power grid, our cars, our finances, and
our communications
• Software is eating the world
• Oh, and most software is broken
Perimeter Security is Failing Us
Today’s computer and
network security
mechanisms are like the
walls, moats, and
drawbridges of medieval
times. At one point, effective
for defending against isolated
attacks, mounted on
horseback. Unfortunately,
today’s attackers have
access to predator drones
and laser-guided missiles!
See: “Firewalls, Fairy Dust and
Forensics Fail”
http://bit.ly/1kluC7F
Magic Crypto Fairy Dust is not Security
“years ago I wrote another book: Applied Cryptography. I went so far as to write: ‘It
is insufficient to protect ourselves with laws; we need to protect ourselves with
mathematics.’
It’s just not true. Cryptography can’t do any of that.“
- Bruce Schneier
Applied Cryptography
Protocols, Algorithms and Source Code in C
Bruce Schneier
1996 John Wiley & Sons.
Security is not a THING
COST OF MITIGATION COST OF BREACHES
OPTIMAL SECURITY AT MINIMUM COST
TOTAL COST
COST ($)
0%
SECURITY LEVEL
100%
Modern Security is Risk Management
• There is no such thing as 100% secure
• Proactive security is about building things properly
SOFTWARE SECURITY BASICS
Who should DO software security?
NOBODY
IN THE MIDDLE
Super rad developer dudes
Network security ops guys

Requirements
and Use Cases

Architecture
and Design

Test Plans

Code 
Test and
Test Results

Feedback from
the field
Abuse
Cases
Security
Requirements
Risk
Analysis
External
Review
Risk-Based
Security Test
Code Review
(Tools)
Risk
Analysis
Penetration
Testing
Security
Operations
Software Security Touchpoints in the SDLC
1. Code review (with a tool)
2. Architectural risk analysis
3. Penetration testing
Badness-ometer != security meter
badness-ometer
Fix the Dang Software
• Software security and application security are myopically
concerned with finding bugs
• The time has come to stop over focusing on new bugs to
add to the (infinite) list
• Work on fixing the bugs (and the other defects too)
Move Past the Bug Parade
• Software security and application security tools over
focus on simple bugs
• Design level flaws account for 50% of security defects
• Software security is about fixing design and
implementation as code is created
SCIENCE AND THE BSIMM
What is the BSIMM?
• A measurement stick for software security initiatives
• A science project that escaped the lab
• A framework for building and tailoring Software Security
Initiatives
• The world’s most powerful Community of software
security practitioners and executives
• http://bsimm.com
Intel
How do you measure software security?
• Badness-ometer != security meter
• A simple tool can’t do it
• Measure the effort in a software security initiative
What good does a BSIMM measurement do?
• Shows a firm where they stand relative to their peers
What good does a BSIMM measurement do?
• Describes observed
common activities
from the real world
• Demonstrates gaps
clearly
• Provides real data
and measurement
to set SSI strategy
• Shows progress
over time
BSIMM-V+ BSIMM-
V
BSIMM4 BSIMM3 BSIMM2 BSIMM1
Firms 93 67 51 42 30 9
Measurements 216 161 95 81 49 9
2nd Measures 48 21 13 11 0 0
3rd Measures 9 4 1 0 0 0
SSG Members 1379 976 978 786 635 370
Satellite Mem. 2611 1954 2039 1750 1150 710
Developers 363,925 272,358 218,286 185,316 141,175 67,950
Applications 93,687 69,039 58,739 41,157 28,243 3970
Avg SSG Age 4.24 4.28 4.13 4.32 4.49 5.32
SSG Avg of Avgs 1.77 / 100 1.4 / 100 1.95 / 100 1.99 / 100 1.02 / 100 1.13 / 100
Financials 40 26 19 17 12 4
ISVs 32 25 19 15 7 4
High Tech 18 14 13 10 7 2
LEARNING MORE
Resources
• THANK YOU
• Join the BSIMM Community today http://bsimm.com
• http://www.cigital.com/~gem/writings
•
@cigitalgem

More Related Content

Viewers also liked

Security in the Development Lifecycle - lessons learned
Security in the Development Lifecycle - lessons learnedSecurity in the Development Lifecycle - lessons learned
Security in the Development Lifecycle - lessons learnedBoaz Shunami
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.Priyanka Aash
 
Threat modeling with architectural risk patterns
Threat modeling with architectural risk patternsThreat modeling with architectural risk patterns
Threat modeling with architectural risk patternsStephen de Vries
 
nhận làm dịch vụ giúp việc theo tháng chất lượng cao tại hồ chí minh
nhận làm dịch vụ giúp việc theo tháng chất lượng cao tại hồ chí minhnhận làm dịch vụ giúp việc theo tháng chất lượng cao tại hồ chí minh
nhận làm dịch vụ giúp việc theo tháng chất lượng cao tại hồ chí minhvella241
 
Ford Motor Company Digital Strategy - Final Presentation
Ford Motor Company Digital Strategy - Final PresentationFord Motor Company Digital Strategy - Final Presentation
Ford Motor Company Digital Strategy - Final PresentationPatrick O'Connor
 
Can You See Now- Addressing Mental Health in Advertising
Can You See Now- Addressing Mental Health in AdvertisingCan You See Now- Addressing Mental Health in Advertising
Can You See Now- Addressing Mental Health in AdvertisingJustina Ojom
 
Mapping Sexually Exploited Young People in Dundee
Mapping Sexually Exploited Young People in DundeeMapping Sexually Exploited Young People in Dundee
Mapping Sexually Exploited Young People in DundeeBASPCAN
 
Company profile
Company profileCompany profile
Company profileRiaz Kh
 

Viewers also liked (13)

Security in the Development Lifecycle - lessons learned
Security in the Development Lifecycle - lessons learnedSecurity in the Development Lifecycle - lessons learned
Security in the Development Lifecycle - lessons learned
 
SSE
SSESSE
SSE
 
Security Maturity Models.
Security Maturity Models.Security Maturity Models.
Security Maturity Models.
 
Threat modeling with architectural risk patterns
Threat modeling with architectural risk patternsThreat modeling with architectural risk patterns
Threat modeling with architectural risk patterns
 
2016 коллективный договор оцбс
2016 коллективный договор оцбс2016 коллективный договор оцбс
2016 коллективный договор оцбс
 
nhận làm dịch vụ giúp việc theo tháng chất lượng cao tại hồ chí minh
nhận làm dịch vụ giúp việc theo tháng chất lượng cao tại hồ chí minhnhận làm dịch vụ giúp việc theo tháng chất lượng cao tại hồ chí minh
nhận làm dịch vụ giúp việc theo tháng chất lượng cao tại hồ chí minh
 
Romania & Portugal
Romania & PortugalRomania & Portugal
Romania & Portugal
 
Unit 14 LO1
Unit 14 LO1Unit 14 LO1
Unit 14 LO1
 
Ford Motor Company Digital Strategy - Final Presentation
Ford Motor Company Digital Strategy - Final PresentationFord Motor Company Digital Strategy - Final Presentation
Ford Motor Company Digital Strategy - Final Presentation
 
Muhammad Ramzan CV
Muhammad Ramzan CVMuhammad Ramzan CV
Muhammad Ramzan CV
 
Can You See Now- Addressing Mental Health in Advertising
Can You See Now- Addressing Mental Health in AdvertisingCan You See Now- Addressing Mental Health in Advertising
Can You See Now- Addressing Mental Health in Advertising
 
Mapping Sexually Exploited Young People in Dundee
Mapping Sexually Exploited Young People in DundeeMapping Sexually Exploited Young People in Dundee
Mapping Sexually Exploited Young People in Dundee
 
Company profile
Company profileCompany profile
Company profile
 

More from Cigital

7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMMCigital
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramCigital
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Cigital
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCigital
 
How to Choose the Right Security Training for You
How to Choose the Right Security Training for YouHow to Choose the Right Security Training for You
How to Choose the Right Security Training for YouCigital
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling MisconceptionsCigital
 
Video Game Security
Video Game SecurityVideo Game Security
Video Game SecurityCigital
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentGet Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentCigital
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security MetricsCigital
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Cigital
 
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotStatic Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotCigital
 
Cyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass HousesCyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass HousesCigital
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application SecurityCigital
 
BSIMM By The Numbers
BSIMM By The NumbersBSIMM By The Numbers
BSIMM By The NumbersCigital
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityCigital
 
BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelCigital
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams Cigital
 

More from Cigital (19)

7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM7 Lessons Learned From BSIMM
7 Lessons Learned From BSIMM
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security Program
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
 
How to Choose the Right Security Training for You
How to Choose the Right Security Training for YouHow to Choose the Right Security Training for You
How to Choose the Right Security Training for You
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
 
Video Game Security
Video Game SecurityVideo Game Security
Video Game Security
 
Get Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM AssessmentGet Your Board to Say "Yes" to a BSIMM Assessment
Get Your Board to Say "Yes" to a BSIMM Assessment
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security Metrics
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin?
 
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind SpotStatic Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot
 
Cyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass HousesCyber War, Cyber Peace, Stones, and Glass Houses
Cyber War, Cyber Peace, Stones, and Glass Houses
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing Checklist
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application Security
 
BSIMM By The Numbers
BSIMM By The NumbersBSIMM By The Numbers
BSIMM By The Numbers
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software Security
 
BSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity ModelBSIMM-V: The Building Security In Maturity Model
BSIMM-V: The Building Security In Maturity Model
 
5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams 5 Models for Enterprise Software Security Management Teams
5 Models for Enterprise Software Security Management Teams
 

Recently uploaded

Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identityteam-WIBU
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...Akihiro Suda
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxRTS corp
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Anthony Dahanne
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogueitservices996
 

Recently uploaded (20)

Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Post Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on IdentityPost Quantum Cryptography – The Impact on Identity
Post Quantum Cryptography – The Impact on Identity
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptxThe Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
The Role of IoT and Sensor Technology in Cargo Cloud Solutions.pptx
 
Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024Not a Kubernetes fan? The state of PaaS in 2024
Not a Kubernetes fan? The state of PaaS in 2024
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Ronisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited CatalogueRonisha Informatics Private Limited Catalogue
Ronisha Informatics Private Limited Catalogue
 

A Brief History of Software, Security, and Software Security: Bits, Bytes, Bugs, and the BSIMM

  • 1. A Brief History of Software, Security, and Software Security: Bits, Bytes, Bugs, and the BSIMM Gary McGraw, Ph.D. Chief Technology Officer @cigitalgem
  • 2. My Point of View • Providing software security services since 1992 • Moving armies of developers in global institutions
  • 4. Software is Everywhere • Information is the lifeblood of industry • Software is in our power grid, our cars, our finances, and our communications • Software is eating the world • Oh, and most software is broken
  • 5. Perimeter Security is Failing Us Today’s computer and network security mechanisms are like the walls, moats, and drawbridges of medieval times. At one point, effective for defending against isolated attacks, mounted on horseback. Unfortunately, today’s attackers have access to predator drones and laser-guided missiles! See: “Firewalls, Fairy Dust and Forensics Fail” http://bit.ly/1kluC7F
  • 6. Magic Crypto Fairy Dust is not Security “years ago I wrote another book: Applied Cryptography. I went so far as to write: ‘It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.’ It’s just not true. Cryptography can’t do any of that.“ - Bruce Schneier Applied Cryptography Protocols, Algorithms and Source Code in C Bruce Schneier 1996 John Wiley & Sons. Security is not a THING
  • 7. COST OF MITIGATION COST OF BREACHES OPTIMAL SECURITY AT MINIMUM COST TOTAL COST COST ($) 0% SECURITY LEVEL 100% Modern Security is Risk Management • There is no such thing as 100% secure • Proactive security is about building things properly
  • 9. Who should DO software security? NOBODY IN THE MIDDLE Super rad developer dudes Network security ops guys
  • 10.  Requirements and Use Cases  Architecture and Design  Test Plans  Code  Test and Test Results  Feedback from the field Abuse Cases Security Requirements Risk Analysis External Review Risk-Based Security Test Code Review (Tools) Risk Analysis Penetration Testing Security Operations Software Security Touchpoints in the SDLC 1. Code review (with a tool) 2. Architectural risk analysis 3. Penetration testing
  • 11. Badness-ometer != security meter badness-ometer
  • 12. Fix the Dang Software • Software security and application security are myopically concerned with finding bugs • The time has come to stop over focusing on new bugs to add to the (infinite) list • Work on fixing the bugs (and the other defects too)
  • 13. Move Past the Bug Parade • Software security and application security tools over focus on simple bugs • Design level flaws account for 50% of security defects • Software security is about fixing design and implementation as code is created
  • 15. What is the BSIMM? • A measurement stick for software security initiatives • A science project that escaped the lab • A framework for building and tailoring Software Security Initiatives • The world’s most powerful Community of software security practitioners and executives • http://bsimm.com
  • 16. Intel
  • 17. How do you measure software security? • Badness-ometer != security meter • A simple tool can’t do it • Measure the effort in a software security initiative
  • 18. What good does a BSIMM measurement do? • Shows a firm where they stand relative to their peers
  • 19. What good does a BSIMM measurement do? • Describes observed common activities from the real world • Demonstrates gaps clearly • Provides real data and measurement to set SSI strategy • Shows progress over time
  • 20. BSIMM-V+ BSIMM- V BSIMM4 BSIMM3 BSIMM2 BSIMM1 Firms 93 67 51 42 30 9 Measurements 216 161 95 81 49 9 2nd Measures 48 21 13 11 0 0 3rd Measures 9 4 1 0 0 0 SSG Members 1379 976 978 786 635 370 Satellite Mem. 2611 1954 2039 1750 1150 710 Developers 363,925 272,358 218,286 185,316 141,175 67,950 Applications 93,687 69,039 58,739 41,157 28,243 3970 Avg SSG Age 4.24 4.28 4.13 4.32 4.49 5.32 SSG Avg of Avgs 1.77 / 100 1.4 / 100 1.95 / 100 1.99 / 100 1.02 / 100 1.13 / 100 Financials 40 26 19 17 12 4 ISVs 32 25 19 15 7 4 High Tech 18 14 13 10 7 2
  • 22. Resources • THANK YOU • Join the BSIMM Community today http://bsimm.com • http://www.cigital.com/~gem/writings • @cigitalgem

Editor's Notes

  1. Perimeter security is only effective if you have a perimeter. Today there are many factors causing the perimeter to disappear, including: massively distributed systems, cloud computing, BYOD, and mobile computing. The old paradigm is failing: http://bit.ly/1kluC7F
  2. Even Bruce Schneier knows that security is not a feature or function but a process…and he wrote the book on crypto.
  3. Much of the narrative in application security and software security focuses on the best way to find defects. Some favor dynamic analysis (testing of a completed system, including penetration testing). Some favor static analysis (looking through source code or executables for security vulnerabilities). Some like a combination of many different methods. As experts in all of these methods, Cigital consultants believe the time has come to focus more attention on FIXING security problems. The way things stand, many organizations are finding more defects than they can fix. The way forward is to identify problems as early as possible and then fix them. When it comes to finding versus fixing, we come down on the side of fixing. Unfortunately, current tools do almost nothing to correct the problems they find, leaving everyone frustrated and exposed to liability.