Stu r37 b

•

0 likes•171 views

1) The document discusses the evolution of software security practices from a focus on network security to more emphasis on developer practices and security integration into the software development lifecycle. 2) It introduces the Building Security In Maturity Model (BSIMM) which measures software security activities and practices at over 50 companies to serve as a benchmark. 3) The BSIMM finds that the top software security activities have shifted over time and the model can be used to compare practices within and across companies to identify areas to improve.

Session ID:
Session Classification:
Gary McGraw, Ph.D.
CTO, Cigital
ASEC-R33
Intermediate
ZOMBIES and the BSIMM:
A Decade of Software Security

Who should DO software security?
 Network security ops guys
NOBODY INTHE MIDDLE
Super rad developer dudes 

► Software security seems obvious to
us, but it is still catching on
► The middle market is just beginning
to emerge
► Time to scale!
ZOMBIE
► Network security FAIL
► More code more bugs
► SDLC integration
► Bugs and flaws
► Badness-ometers
Zombie ideas need repeating

► Defend the “perimeter”
with a firewall
► To keep stuff out
► Promulgate “penetrate and
patch”
► “Review” products when
they’re complete
► Throw it over the wall testing
► Too much weight on
penetration testing
► Over-rely on security
functions
► “We use SSL”
Zombie: old school security is reactive
The “network guy with keys” does
not really understand software
testing. Builders are only recently
getting involved in security.

Zombie: more code, more bugs
1090
2437
4129 3784 3780
5690
8064
7236
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000
2000 2001 2002 2003 2004 2005 2006 2007
Software Vulnerabilities
Windows Complexity
0
5
10
15
20
25
30
35
40
45
Win
3.1
(1990)
Win
NT
(1995)
Win 95
(1997)
NT 4.0
(1998)
Win 98
(1999)
NT 5.0
(2000)
Win
2K
(2001)
XP
(2002)
MillionsofLines

► Integrating best practices into large organizations
► Microsoft’s SDL
► Cigital’s touchpoints
► OWASP CLASP/SAMM
Zombie: SDLC integration

Zombie: bugs AND flaws
BUGS FLAWS
 Customized static rules (Fidelity)
 Commercial SCA tools: Fortify,
Ounce Labs, Coverity
 Architectural risk analysis
gets() attacker in the middle

► Software security and
application security today are
about finding bugs
► The time has come to stop
looking for new bugs to add to
the list
► Which bugs in this pile should I
fix?
Zombie baby: fix the dang software

► Real data from (51) real
initiatives
► 95 measurements
► 13 over time
► McGraw, Migues, & West
BSIMM: software security measurement
PlexLogic

51 firms in the BSIMM community
Intel
Plus 17 firms
that remain
anonymous

BSIMM4 scorecard
► 109 Activities
► 3 levels
► Top 12 activities
► 69% cutoff
► 31 of 51 firms
► Comparing
scorecards between
releases is
interesting

► Compare a firm
with peers using
the high water
mark view
► Compare business
units
► Chart an SSI over
time
BSIMM4 as a measuring stick

► Top 12 activities
► purple = good?
► red = bad?
► “Blue shift”
practices to
emphasize
BSIMM4 scorecard with FAKE firm data

► BSIMM4 released September 2012 under creative
commons
► http://bsimm.com
► Italian and German translations available soon
► BSIMM is a yardstick
► Use it to see where you stand
► Use it to figure out what your peers do
► BSIMM4BSIMM5
► BSIMM is growing
► Target of 75 firms
BSIMM4 to BSIMM5

http://bsimm.com
THANK YOU
Read the Addison-Wesley
Software Security series
Send e-mail: gem@cigital.com
Build security in

Viewers also liked

Iam f42 a

SelectedPresentations

Stu t18 b

SelectedPresentations

Stu r31 a

SelectedPresentations

Stu w22 a

SelectedPresentations

Iam r35 a

SelectedPresentations

Grc r35 b

SelectedPresentations

Spo2 t19 spo2-t19

SelectedPresentations

Hum w25 hum-w25

SelectedPresentations

Hta t17

SelectedPresentations

Exp t19 exp-t19

SelectedPresentations

Hta f42

SelectedPresentations

VII Уральский форум Информационная безопасность банков ТЕМАТИЧЕСКОЕ ЗАСЕДАНИЕ № 2 Электронное взаимодействие на финансовых рынках Кузнецов Сергей Павлович, коммерческий директор ЦЗИ ООО «Конфидент» Источник: http://ural.ib-bank.ru/materials_2015

Особенности использования современных СЗИ НСД для обеспечения информационной ...

SelectedPresentations

Viewers also liked (12)

Iam f42 a

Stu t18 b

Stu r31 a

Stu w22 a

Iam r35 a

Grc r35 b

Spo2 t19 spo2-t19

Hum w25 hum-w25

Hta t17

Exp t19 exp-t19

Hta f42

Особенности использования современных СЗИ НСД для обеспечения информационной ...

Similar to Stu r37 b

Allegory of the cave(1)

setuid0

Target Audience: Everyone involved in software development (developers, team leaders, CISOs in software-oriented companies) Focus: technical Talk language: English Abstract ********* Let’s face it: There is no such thing as a big-bang launch any more. We all want to be agile and react quickly to the wishes and demands of our customers in software development. The downside of this approach is that security has a hard time keeping pace, thereby often being completely neglected. That’s why we need to bridge the gap between security and agility. In this talk, we’ll have a look at how security can become an integral part of the development process, and more than just a penetration test at the end. We’ll see how we can overcome immediate pain and get strategic focus in software security. About the Speaker: ********************* Thomas Konrad is Principal Security Consultant at SBA Research and has been part of software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.

SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...

SBA Research

Threat Modeling In 2021

Adam Shostack

Tech w23

SelectedPresentations

Prevent Getting Hacked by Using a Network Vulnerability Scanner

GFI Software

As a new CISO, you want to have an impact as quickly as possible - people will be watching and judging. But at the same time, you need to be practical about what's achievable in an organization that you're still getting to know. It's also important to consider the experience you bring to the role and how it applies - or doesn't - to your new job. In this webinar, we'll discuss three fundamental differences you're likely to experience in your new job and offer recommendations on strategic activities you can focus on in your first 90 days. New CISOs will gain a framework for identifying these quick wins. Existing CISOs will get an opportunity to refresh and revitalize their security program. Our featured speakers for this webinar will be: - Ted Julian, Chief Marketing Officer, Co3 Systems - Bill Campbell, IT Executive and Serial CISO Are you a CIPP holder? (CIPP/US, CIPP/C, CIPP/E, CIPP/G and CIPP/IT) Attend this webinar for CPE credit.

New CISO - The First 90 Days

Resilient Systems

SplunkSummit 2015 - ES Hands On Workshop

Splunk

This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Black Duck by Synopsys

If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications and a hundred identical safes with their combinations so that the world’s best safecrackers can study it and you still can’t open the safe, that’s security.

Broken by design (Danny Fullerton)

Hackfest Communication

We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.

Bulletproof IT Security

London School of Cyber Security

Join Mike Rothman, Analyst & President of Securosis and Ted Julian, VP of Product Management and co-founder of IBM Resilient, for a webinar on common automation use cases for the Security Operations Center (SOC). Security Orchestration, Automation and Response (SOAR) tools are garnering interest in enterprise security teams due to tangible short-term benefits. Watch the recording: https://event.on24.com/wcc/r/2007717/385A881A097E8EFCE493981972303416?partnerref=LI

Automation: Embracing the Future of SecOps

IBM Security

Software craftsmanship and you a strong foundation in your team

Dattatray Kale

Security often isn’t the top priority for many developers, who already are juggling multiple projects and deadlines. In fact, security seems to get in the way of keeping up with the pace of business. However, developers control a critical piece of the security puzzle and need to be engaged in the security cause—no longer can they stand by and say the responsibility for security lies in the hands of the security team. Rather, security must be built-in from the start. In this webinar, Secure Code Warrior CTO Matias Madou will look at what we as security professionals have been doing wrong and how agile, DevSecOps and DevOps are changing the role of the developer. Madou will discuss current best practices and ways in which they often fall short of the goal of building in security from the start, and will share new methodologies being deployed at multiple global organizations that make developers want to be part of the solution. Madou will be joined by Alexandre Pluvinage, head of Cybersecurity and Fraud Awareness at ING Belgium and ING BD Netherlands, who will discuss how his team engaged developers to think with a security mindset and how they rolled out a security program for developers, and share the results of the program to date.

Improving Software Security in an Agile Environment: A Case Study

DevOps.com

PCM Vision 2019 Breakout: IBM | Red Hat

PCM

Title: Smalltalk Security Landscape Abstract: In this talk, Jerry will present an overview of various Smalltalk dialects, platforms and frameworks in the context of cybersecurity threat landscape. He will focus on the OWASP Top Ten most critical web application vulnerabilities and how they apply to Smalltalk-written web applications. He will show practical examples of testing Smalltalk applications for security vulnerabilities. Bio: Jerry has been a Smalltalk developer and advocate for over 25 years. Throughout his career, he has worked as a Smalltalk consultant in a variety of industries including finance, insurance, telecommunications, manufacturing and entertainment. He spent ten years as an engineer at Cincom Systems where he was responsible for protocols and web application development components of the Cincom Smalltalk Foundation. Jerry’s interest in cybersecurity led him to pursue advanced cybersecurity training. He is an Offensive Security Certified Professional, with additional training in Enterprise Incident Response from Mandiant, a leading cybersecurity consulting firm. In his quest for understanding all aspects of security, he developed a deep appreciation for the human side of cybersecurity and learning of the attacker mindset. After leaving Cincom, Jerry has focused his energy on applying cybersecurity's best practices in the Smalltalk space, doing research in vulnerability assessment and penetration testing.

Smalltalk Security Landscape

ESUG

Threats have increased exponentially. Current indicators show a massive increase in threat vectors as a result of COVID-19. What makes this more unsettling is the fact that most ransomware will remain dormant for months before activating. Check out this presentation with ATC provider, TPx. Topics covered during this virtual event include: firewall security, firewall software, endpoints, malware, backups and DR, managed security services and TPx MSx.

Cybersecurity Concerns You Should be Thinking About

Advanced Technology Consulting (ATC)

Making Security Agile - Oleg Gryb

SeniorStoryteller

BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

The cyber security hype cycle is upon us

Jonathan Sinclair

Codemash 2018 - Crimson and Clover (Over and Over)

Josh Wallace

Similar to Stu r37 b (20)

Allegory of the cave(1)

SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...

Threat Modeling In 2021

Tech w23

Prevent Getting Hacked by Using a Network Vulnerability Scanner

New CISO - The First 90 Days

SplunkSummit 2015 - ES Hands On Workshop

Open Source Insight: Security Breaches and Cryptocurrency Dominating News

Broken by design (Danny Fullerton)

Bulletproof IT Security

Automation: Embracing the Future of SecOps

Software craftsmanship and you a strong foundation in your team

Improving Software Security in an Agile Environment: A Case Study

PCM Vision 2019 Breakout: IBM | Red Hat

Smalltalk Security Landscape

Cybersecurity Concerns You Should be Thinking About

Making Security Agile - Oleg Gryb

Why isn't infosec working? Did you turn it off and back on again?

The cyber security hype cycle is upon us

Codemash 2018 - Crimson and Clover (Over and Over)

More from SelectedPresentations

Длительное архивное хранение ЭД: правовые аспекты и технологические решения

SelectedPresentations

Трансграничное пространство доверия. Доверенная третья сторона.

SelectedPresentations

Варианты реализации атак через мобильные устройства

SelectedPresentations

Новые технологические возможности и безопасность мобильных решений

SelectedPresentations

Управление безопасностью мобильных устройств

SelectedPresentations

Современные технологии контроля и защиты мобильных устройств, тенденции рынка...

SelectedPresentations

Кадровое агентство отрасли информационной безопасности

SelectedPresentations

Основное содержание профессионального стандарта «Специалист по безопасности и...

SelectedPresentations

Основное содержание профессионального стандарта «Специалист по безопасности а...

SelectedPresentations

Основное содержание профессионального стандарта «Специалист по технической за...

SelectedPresentations

Основное содержание профессионального стандарта «Специалист по безопасности т...

SelectedPresentations

О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...

SelectedPresentations

Запись активности пользователей с интеллектуальным анализом данных

SelectedPresentations

Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...

SelectedPresentations

Обеспечение защиты информации на стадиях жизненного цикла ИС

SelectedPresentations

Документ, как средство защиты: ОРД как основа обеспечения ИБ

SelectedPresentations

Чего не хватает в современных ids для защиты банковских приложений

SelectedPresentations

Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...

SelectedPresentations

Оценка состояния, меры формирования индустрии информационной безопасности Рос...

SelectedPresentations

Об угрозах информационной безопасности, актуальных для разработчика СЗИ

SelectedPresentations

More from SelectedPresentations (20)