Software Confidence. Achieved.
March 2011
BSIMM: The Building Security In
Maturity Model
Gary McGraw, Ph.D., Chief Technology Officer, Cigital
© 2011 Cigital Inc.
We hold these truths to be self-evident
- Software security is more than a set of security functions: not magic crypto fairy dust, not silver-bullet security mechanisms
- Non-functional aspects of design are essential
- Bugs and flaws are 50/50
- Security is an emergent property of the entire system (just like quality)
- To end up with secure software, deep integration with the SDLC is necessary
Real data from 33 real initiatives
- 60 measurements
- BSIMM: Software Security Measurement (McGraw, Chess, & Migues)
[Slide shows logos of participating firms, including PlexLogic and Intel, plus eleven unnamed firms]
33 software security initiatives measured
The magic 30
- Since we have data from > 30 firms we can perform statistical analysis: How good is the model? What activities correlate with what other activities? Do high maturity firms look the same? Etc.
- We now have 33 firms (+ more underway): BSIMM (the nine), BSIMM Europe (nine in EU), BSIMM2 (30), some underway
Building BSIMM (2009)
- Big idea: build a maturity model from actual data gathered from 9 of ~60 known large-scale software security initiatives
- Create a software security framework
- Nine in-person executive interviews
- Build bullet lists (one per practice)
- Bucketize the lists to identify activities
- Create levels
- Objectives and activities: 109 activities supported by real data; three levels of "maturity"
- The model has been validated with data from > 30 firms
Monkeys eat bananas
BSIMM is not about good or bad ways to eat bananas or banana best practices
BSIMM is about observations
BSIMM is descriptive, not prescriptive
A Software Security Framework
- Four domains
- Twelve practices
- See the informIT article on the BSIMM website: http://bsimm.com
Training practice skeleton
Example activity
[T1.3] Establish SSG office hours. The SSG offers help to any and all comers during an advertised lab period or regularly scheduled office hours. By acting as an informal resource for people who want to solve security problems, the SSG leverages teachable moments and emphasizes the carrot over the stick. Office hours might be held one afternoon per week in the office of a senior SSG member.
BSIMM2 Scorecard
- 109 activities, 3 levels
- Top 15 things: 66% cutoff (20 of 30 firms), yellow highlight
BSIMM2 as a measuring stick
Compare a firm with peers using the high water mark view
Descriptive (not prescriptive)
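The scorecard and high water mark view described on these two slides can be computed from a list of observed activity codes. The following is an added example written for this transcript, not code from the talk or from the BSIMM project: it parses codes in the BSIMM scheme (T1.3 = Training practice, level 1, activity 3), takes the high water mark per practice, selects the commonly observed activities with the 66% cutoff, and lists which common activities a firm has not yet adopted. The practice abbreviations are BSIMM's; the five peer firms and their activity sets are constructed for illustration.

```python
import math
import re
from collections import Counter

# The twelve BSIMM practices grouped into the four domains of the software
# security framework. Abbreviations follow the BSIMM activity codes.
PRACTICES = {
    "Governance": ["SM", "CP", "T"],
    "Intelligence": ["AM", "SFD", "SR"],
    "SSDL Touchpoints": ["AA", "CR", "ST"],
    "Deployment": ["PT", "SE", "CMVM"],
}
ALL_PRACTICES = [p for group in PRACTICES.values() for p in group]

_CODE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")


def parse_activity(code):
    """Split an activity code such as 'T1.3' into (practice, level, number)."""
    m = _CODE.match(code)
    if not m or m.group(1) not in ALL_PRACTICES:
        raise ValueError(f"not a BSIMM activity code: {code!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def high_water_marks(activities):
    """High water mark view: the highest level at which a firm does any
    activity in each practice (0 if the practice is untouched)."""
    marks = {p: 0 for p in ALL_PRACTICES}
    for code in activities:
        practice, level, _ = parse_activity(code)
        marks[practice] = max(marks[practice], level)
    return marks


def common_activities(firms, cutoff=0.66):
    """Activities observed in at least `cutoff` of the firms (the scorecard's
    '66% cutoff', i.e. 20 of 30 firms). Returns (code, firm_count) pairs,
    most common first."""
    counts = Counter(code for acts in firms.values() for code in acts)
    needed = math.ceil(cutoff * len(firms))
    return sorted(((c, n) for c, n in counts.items() if n >= needed),
                  key=lambda cn: (-cn[1], cn[0]))


def scorecard(firm, peers, cutoff=0.66):
    """Compare one firm with its peers: per-practice high water marks for the
    firm and the peer average, plus the commonly observed activities the firm
    does not yet do (the ones it should 'maybe think about')."""
    mine = high_water_marks(firm)
    peer_marks = [high_water_marks(a) for a in peers.values()]
    avg = {p: round(sum(m[p] for m in peer_marks) / len(peer_marks), 2)
           for p in ALL_PRACTICES}
    common = [c for c, _ in common_activities(peers, cutoff)]
    missing = sorted(c for c in common if c not in firm)
    return {"firm": mine, "peers": avg, "consider": missing}


# Constructed peer data: five made-up firms, not real BSIMM measurements.
PEERS = {
    "A": {"T1.1", "T1.3", "CR1.2", "PT1.1", "SM1.1", "AM2.1"},
    "B": {"T1.1", "T1.3", "CR1.2", "PT1.1", "SM1.1", "ST1.1"},
    "C": {"T1.1", "CR1.2", "PT1.1", "SM2.1", "CP1.1"},
    "D": {"T1.3", "CR1.2", "CR2.1", "PT1.1", "SM1.1", "SE1.1"},
    "E": {"T1.1", "T1.3", "CR1.2", "PT2.2", "CMVM1.1"},
}
# The firm being measured against those peers (also constructed).
FIRM = {"T1.1", "CR1.2", "PT1.1", "PT2.2", "SM1.1"}

if __name__ == "__main__":
    for practice, level in high_water_marks(FIRM).items():
        print(f"{practice:5s} level {level}")
    print("common:", common_activities(PEERS))
    print("scorecard:", scorecard(FIRM, PEERS))
```

With the constructed data, CR1.2 is done by all five peers, and PT1.1, T1.1 and T1.3 by four of five (the cutoff rounds 0.66 of 5 up to 4, just as 0.66 of 30 rounds up to 20), so the measured firm is told to consider T1.3, the one common activity it lacks. The peer average is kept alongside the firm's own marks because the view is descriptive: a lower mark than peers says what the firm does differently, not that it is wrong.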
BSIMM2 scorecard with firm data
- Top 15 things: green = good? red = bad?
- "Blue shift" practices to emphasize
- Activities you should maybe think about in brown
We are a special snowflake (NOT)
ISV (7) results are similar to financial services (12)
BSIMM Europe vs BSIMM US
You do the same things
You can demand the same results
BSIMM Community Events
- 22 firms gathered in Annapolis, MD, Nov 9-11 2010: 9 talks by SSG leaders, workshop on efficiency and effectiveness, intense networking
- BSIMM mailing list: high S/N ratio
- A BSIMM Community Mixer at RSA 2011 included: new logo revealed, update on BSIMM3, BSIMM Longitudinal results, music and mixology
BSIMM2 to BSIMM3
- BSIMM2 released April 2010 under Creative Commons: http://bsimm.com; Italian and German translations available
- BSIMM is a yardstick: use it to see where you stand; use it to figure out what your peers do
- BSIMM3: BSIMM Longitudinal (10), BSIMM3 (40)
Get involved in the BSIMM Community http://bsimm.com
See the Addison-Wesley Software Security series
Send e-mail: [email protected]
“So now, when we face a choice between adding features and resolving security issues, we need to choose security.”
- Bill Gates