Presenter Biography
Gary McGraw, Ph.D.
CTO, Cigital
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
personal www.cigital.com/~gem
twitter @cigitalgem
Gary McGraw is the CTO of Cigital, Inc., a software security consulting firm with headquarters in the Washington, D.C. area and offices throughout the world. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for SearchSecurity and Information Security Magazine, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Dasient (acquired by Twitter), Fortify Software (acquired by HP), Raven White, Six Trees Capital, and Wall+Main. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by SearchSecurity).
Cigital has offices in Virginia, New York, Boston, Atlanta, Chicago, Silicon Valley, London, Amsterdam and India. Cigital’s staff now numbers more than 270 people.
Cigital’s thought leadership in software security is second to none. Software security at Cigital kicked off in 1996 with the best selling book Java Security (co-authored by Cigital CTO Dr. Gary McGraw and Princeton Professor Ed Felten) and a multi-million dollar software security grant from DARPA.
Cigital formed its software security group in 1997, delivering software security services to Visa International. After two years of successful service delivery (focused on architectural risk analysis and code review for Java Card), the first book in the world on software security, the acclaimed best seller Building Secure Software, was published in 2001. The book was written by two Cigital employees, John Viega (one-time Chief Security Architect of McAfee) and Gary McGraw. Building Secure Software: How to Avoid Security Problems the Right Way touched off a revolution. Security people who once relied solely on firewalls, intrusion detection, and anti-virus mechanisms came to understand and embrace the necessity of better software. BSS provides a coherent and sensible philosophical foundation for the blossoming field of software security.
In 2006, Cigital’s risk-management driven approach to software security was further codified in the book Software Security: Building Security In. Beginning where Building Secure Software left off, Software Security teaches how to put software security into practice. The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly invoking security throughout the software lifecycle. Software Security is about putting the touchpoints to work in commercial software shops. Because the touchpoints can be applied to the kinds of software artifacts already produced as software is developed, this book’s principles can be adopted without radically changing the way software shops work.
Exploiting Online Games, a book about massively distributed software, was released to much acclaim in July 2007. Cigital collaborated with the Software Engineering Institute (and CERT) to release the book Software Security Engineering in 2009 as part of the Addison-Wesley Software Security Series edited by Gary McGraw.
In 2009, Cigital spearheaded the BSIMM project <http://bsi-mm.com>, a real world data-driven study of over 38 software security initiatives. The BSIMM Community is very active and includes an impressive set of firms. BSIMM-V was released in September 2013.
Cigital’s approach to software security may be grounded in solid theory, but it is also practical. With Cigital’s help, large software organizations of tens of thousands have adopted Cigital’s touchpoints and have been measured by the BSIMM.
These are some self-evident truths about software security. For more on the basics, see Software Security (2006) http://swsec.com
Every one of the 67+ firms we have measured has an SSDL. Most are hybrids of popular methodologies.
The BSIMM is NOT a methodology; it is a tool for measuring the results of applying a methodology.
There is plenty of confusion (especially in the press) about methodologies and measurement tools. The BSIMM is not a methodology. It is a measurement tool.
The BSIMM is used to measure and describe (in common terms) each of the 67 distinct SSDL methodologies in use in the BSIMM Community.
See the InformIT article BSIMM versus SAFECode and Other Kaiju Cinema (Dec 26, 2011) http://bit.ly/tLIOnJ
Originally conceived and executed by Cigital and Fortify, BSIMM also includes work of Minded Security (Italian translation), Virtual Forge (German translation), and Plexlogic (statistics).
BSIMM-V was released on 10/31/13
BSIMM-V now includes data from 67 firms
BSIMM-V describes 112 activities in 12 practices with 2 or more real examples for each activity
21 firms have been measured twice (giving us Longitudinal Study data) and the data show measurable improvement
A new activity (bug bounty) was described for the first time in BSIMM-V
The BSIMM3 data set has 161 distinct measurements (some firms measured twice, some firms have multiple divisions measured separately)
BSIMM-V describes the work of 974 SSG members working with a satellite of 1954 people to secure the software developed by 272,358 developers.
The BSIMM remains the only measuring stick for software security initiatives based on science. It is extremely useful for comparing the initiative of any given firm to a large group of similar firms. The BSIMM has been used by multiple firms to strategize and plan their software security initiatives and measure the results. Finally, FWIW, the government is woefully behind when it comes to software security.
44 of 67 firms. Some firms choose to remain anonymous.
We have yet to encounter a firm that cannot be measured with the BSIMM. To be sure, some firms are more complicated than others, but the BSIMM was designed to measure all SSDLs encountered on the planet. Even yours.
The importance of statistical analysis. Each time we release a new version of the BSIMM, we carefully consider its descriptive properties using math.
See the InformIT article “Cargo Cult Computer Security” (January 28, 2010)
http://bit.ly/9HO6ex
BSIMM articles and the BSIMM itself can be found on the website at http://bsi-mm.com. There is also a clickable web version.
The SSF is covered exclusively in an InformIT article:
A Software Security Framework: Working Towards a Realistic Maturity Model (October 15, 2008)
http://bit.ly/NDMkYn
There is a paragraph like this describing each of the 112 activities. Note the REAL examples.
CMVM3.4 is a new activity added to BSIMM-V and now being tracked for BSIMM6.
For lots of pretty BSIMM-V pictures in one little article, see:
Software [in]security -- BSIMM-V does a number on secure software dev (October 29, 2013)
http://bit.ly/1aBi4UZ
This is the basic information about our pool of 67 firms.
All 67 firms have an SSG. This fact is important enough that we devoted an InformIT article to it:
“You Really Need a Software Security Group” (December 21, 2009)
http://bit.ly/7dqCn8
A satellite is the group of people that don’t work directly for the SSG, but still carry out day-to-day grassroots software security efforts.
The universal approach in the data set so far is to have someone specifically responsible for software security, and to have that team include, on average, approximately two people for every 100 developers. Every firm in the BSIMM study attributed their ongoing success to having someone specifically responsible for software security and the growth of a satellite.
This is the 67 firm raw data about activities. Each highlighted activity is the most common one in its practice, one for each practice.
This is a comparison of a FAKE firm’s high water mark score against the top 10 curve. Note where the blue is INSIDE the orange. These are practices where the firm is substantially behind what we have observed elsewhere.
In general, firms with a “round” curve have a more balanced program than firms with a “prickly” shape or, worse yet, a “butterfly” shape. Remember, this is not a value judgment; it is simply a comparison to what other firms are doing.
A higher-resolution view of the same data shows how the spider diagram curve relates to the 112 activities in the BSIMM. We have also highlighted the 12 “things that everybody does” for a quick comparison of the basics. Blue shift practices are those practices in the spider diagram (see previous slide) where the firm was behind the average. By noting which activities other firms are carrying out in those practices, the target firm can create a data-driven strategic plan.
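As an added illustration (not code from the original notes, nor from the BSIMM project), the high water mark comparison described above, worked in Python. It assumes the usual BSIMM reading of an activity id (CMVM3.4 = practice CMVM, level 3) and that a practice's high water mark is the highest level at which the firm does at least one activity; the practice abbreviations are BSIMM's own, while the fake firm's activity list, the "top 10" curve and the list of activities common elsewhere are constructed sample data, not BSIMM-V data.

```python
import re

# The 12 BSIMM practices (abbreviations are BSIMM's own).
PRACTICES = ["SM", "CP", "T", "AM", "SFD", "SR", "AA", "CR", "ST", "PT", "SE", "CMVM"]
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")  # e.g. CMVM3.4 -> CMVM, level 3

# Constructed sample data, not BSIMM data: a fake firm's observed activities,
# a fake "top 10" curve, and a fake list of activities commonly seen elsewhere.
FAKE_FIRM = ["SM1.1", "SM2.1", "SM3.1", "CP1.1", "CP2.1", "T1.1", "AM1.2", "AM2.1",
             "SFD1.1", "SFD2.1", "SR1.1", "SR2.2", "AA1.1", "CR1.4", "CR2.1", "CR3.2",
             "ST1.1", "ST2.1", "PT1.1", "PT2.2", "PT3.1", "SE1.2", "SE2.2",
             "CMVM1.1", "CMVM2.1", "CMVM3.4"]
TOP10_CURVE = {"SM": 3, "CP": 3, "T": 2, "AM": 2, "SFD": 2, "SR": 2,
               "AA": 2, "CR": 3, "ST": 2, "PT": 3, "SE": 2, "CMVM": 3}
COMMON_ELSEWHERE = ["CP1.2", "CP2.3", "T2.5", "AA2.1", "SM1.4", "CR1.4"]

def parse_activity(activity_id):
    """Split an activity id such as 'CMVM3.4' into (practice, level)."""
    m = ACTIVITY_RE.match(activity_id)
    if not m or m.group(1) not in PRACTICES:
        raise ValueError(f"not a BSIMM activity id: {activity_id!r}")
    return m.group(1), int(m.group(2))

def high_water_marks(observed):
    """Per-practice high water mark: the highest level at which the firm was
    observed doing at least one activity (0 if none). This is the value the
    spider diagram plots on each of the 12 axes."""
    hwm = {p: 0 for p in PRACTICES}
    for a in observed:
        practice, level = parse_activity(a)
        hwm[practice] = max(hwm[practice], level)
    return hwm

def blue_shift(firm_hwm, reference_curve):
    """Practices where the firm's curve falls inside the reference curve."""
    return [p for p in PRACTICES if firm_hwm[p] < reference_curve[p]]

def strategic_gaps(observed, reference_curve, common_activities):
    """For each blue-shift practice, list commonly observed activities the firm
    is not yet doing: raw material for a data-driven plan."""
    done = set(observed)
    shifted = blue_shift(high_water_marks(observed), reference_curve)
    return {p: sorted(a for a in common_activities
                      if a not in done and parse_activity(a)[0] == p)
            for p in shifted}

if __name__ == "__main__":
    hwm = high_water_marks(FAKE_FIRM)
    for p in PRACTICES:
        flag = " <- blue shift" if hwm[p] < TOP10_CURVE[p] else ""
        print(f"{p:5} firm={hwm[p]} top10={TOP10_CURVE[p]}{flag}")
    print(strategic_gaps(FAKE_FIRM, TOP10_CURVE, COMMON_ELSEWHERE))
```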
A comparison by verticals is also interesting. Some people believe that their firm (or even their entire vertical discipline) is special and that the BSIMM scores for either their firm or their vertical will be different, making the BSIMM data not as useful for them. Turns out that is incorrect.
Diverse verticals such as “Financial Services” and “Independent Software Vendors” (ISV) have much in common. An eyeball check of the overlap between spider diagrams shows this. But more importantly, statistical analysis bears this out.
Comparisons along geographic lines are also possible.
21 firms have been measured twice with a 24 month interval between measurements.
Though individual activities among the 12 practices come and go, in general, re-measurement over time shows a clear trend of increased maturity in the population of 21 firms re-measured thus far.
BSIMM shows impressive growth no matter how you slice it.
The BSIMM Community is a powerful set of firms all interested in collectively helping each other.
The current state of the BSIMM model. We are actively seeking more firms for BSIMM6.
We imposed a data freshness threshold of 48 months for BSIMM-V and will decrease that window to 36 months for BSIMM6.
Get involved.
Gary McGraw publishes a monthly column for SearchSecurity.
See http://www.cigital.com/~gem/writings for URLs
Software [in]security -- BSIMM-V does a number on secure software dev (October 29, 2013)
Software [in]security -- software flaws in application architecture (September 10, 2013)
Five major technology trends affecting software security assurance (August 9, 2013)
NSA data collection programs demand discussion, scrutiny (June 17, 2013)
Financial services develop a proactive posture (June 10, 2013)
BSIMM4 measures and advances secure application development (May 10, 2013)
Chinese Hackers, 'Active Defense' and Other Bad Ideas, Information Security (April 2013)
Cyberwar calls for software and system investment, not hacking back (March 20, 2013)
McGraw's mobile app security strategy: Three legs of 'trusted on busted' (February 13, 2013)
Testing, assessment methods offer third-party software security assurance (February 5, 2013)
Thirteen principles to ensure enterprise system security (January 17, 2013)
Twelve common software security activities to lift your program (December 10, 2012)
Proactive defense prudent alternative to cyberwarfare (November 1, 2012)
Ten commandments for software security (October 4, 2012)
Data supports need for security awareness training despite naysayers (September 4, 2012)
Congress should encourage bug fixes, reward secure systems (August 1, 2012)
Mobile security: It’s all about mobile software security (July 2, 2012)
Cloud computing pros and cons for security (June 19, 2012)
Eliminating badware addresses malware problem (May 7, 2012)
Software security assurance: Build it in, build it right (April 10, 2012)
Cigital’s justiceleague blog covers emerging software security issues in an informal and technical manner.
The Silver Bullet security podcast has many thousands of regular listeners. With 92 episodes released to date, Silver Bullet includes interviews with many security luminaries including: Bruce Schneier, Ross Anderson, Avi Rubin, Dan Geer, Marcus Ranum, and many others.
Dr. McGraw is the founding editor of the Building Security In department of IEEE Security & Privacy magazine. This magazine is the best periodical in security, combining scientific accuracy, cutting-edge technology, and real-world relevance.
Dr. McGraw’s book “Software Security” (2006) provides an important cornerstone for the field and continues to sell briskly. <http://swsec.com>
Dr. McGraw welcomes e-mail about software security.