
Page 1: BSIMM4 - Information · PDF fileNot silver-bullet security mechanisms ... bananas or banana best practices BSIMM is about observations BSIMM is descriptive, not prescriptive BSIMM

1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.

BSIMM4 The Building Security In Maturity Model

TODD LUKENS

MANAGING PRINCIPAL - SOUTHEAST

[email protected]

Page 2

Cigital

Providing software security professional services since 1992

World’s premier software security consulting firm

250 professional consultants

Washington, NY, Chicago, Boston, Atlanta, Santa Clara, Bloomington, Amsterdam, London

Recognized experts in software security

Widely published in books, white papers, and articles

Industry thought leaders

Page 3

Cigital: Strategic Software Security

Mobile Application Security

Standards Development

Architecture Risk Analysis and Threat Modeling

Mobile Application Source Code Review

Mobile Application Penetration Testing

Mobile Application Vulnerability Remediation

Mobile Device Management (MDM/BYOD) Assessment

Dynamic Analysis

Ethical Hacking

Source Code Review

Secure Architecture Survey

Application and Network Penetration Testing

Secure Remediation Helpdesk

Vendor Assessments

3rd-Party Application Attestation

BSIMM Measurement

Software Security Initiative Development

Standards/Policy Development

Architecture Risk Analysis and Threat Modeling

Static Analysis Tools Configuration and Deployment

Custom Rule Development

Red Teaming

Security Metrics Development and Deployment

Cigital SecureAssist™

Cigital Enterprise Security Portal™

Cigital Instructor-Led Training (23 Courses)

Cigital BuildSecure eLibrary™ Computer-Based Training (19 Courses)

Page 4

BSIMM Basics

Page 5

BSIMM: Software Security Measurement

Building secure software starts with understanding where you are today…

The Software Security Program Maturity Model based on the real-world practices of leading organizations

BSIMM encompasses 111 different activities organized by 12 practices

• Understand the actual software security practices in use today

• Start a software security initiative using real data from an ongoing 4-year study

• Evolve your software security initiative by learning about proven activities carried out by mature organizations

Page 6

We Hold These Truths to be Self-evident

Software security is more than a set of security functions

Not magic crypto fairy dust

Not silver-bullet security mechanisms

Not a bolt-on, or afterthought

Non-functional aspects of design are essential

Bugs and flaws are 50/50

Security is an emergent property of the entire system (just like quality)

To end up with secure software, deep integration with the SDLC is necessary

Page 7

2006: A Shift from Philosophy to HOW TO

Integrating software security best practices into an organization’s SDLC (that is, creating an SSDL):

Microsoft’s SDL

Cigital’s Touchpoints

OWASP CLASP

Page 8

Prescriptive vs. Descriptive Models

Prescriptive models describe what you should do: SAFECode, SAMM, SDL, Touchpoints. Every firm has a methodology they follow (often a hybrid). You need an SSDL.

Descriptive models describe what is actually happening. The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.

Page 9

Building BSIMM (started in 2008)

Big idea: Build a descriptive maturity model from actual data gathered from 9 well-known, large-scale software security initiatives

Created a software security framework

Interviewed nine firms in-person

Discovered 110 activities through observation

Organized the activities in 3 levels

Built the model and used it to build scorecards for all 9

Got feedback, validated, and published BSIMM version 1

Page 10

Monkeys Eat Bananas

BSIMM is not about good or bad ways to eat bananas or banana best practices

BSIMM is about observations

BSIMM is descriptive, not prescriptive

BSIMM describes and measures multiple prescriptive approaches

Page 11

BSIMM: Software Security Measurement

BSIMM4: Real data from (51) real initiatives; 13 measured over time; 95 total measurements

BSIMM5: 80+ companies; new activities added, some dropped; approx. 150 total measurements

BSIMM Community – access to security and development leaders at 80+ companies

Page 12

51 Firms in the BSIMM4 Community

Intel

Plus 17 firms that remain anonymous

Page 13

The Magic 30

With data from >30 firms, we can perform statistical analysis

How good is the model?

What activities correlate with what other activities?

Do high maturity firms look the same?

The model is now updated and validated with data from 51 firms, comprising 95 distinct measurements

BSIMM in 2009 with 9 firms

BSIMM Europe in 2009 with 9 firms

BSIMM2 in 2010 with 30 firms

BSIMM3 in 2011 with 42 firms and 11 re-measurements

BSIMM4 in 2012 with 51 firms and 14 re-measurements

There is no special snowflake

Page 14

A Software Security Framework

Governance: Strategy and Metrics; Compliance and Policy; Training

Intelligence: Attack Models; Security Features and Design; Standards and Requirements

SSDL Touchpoints: Architecture Analysis; Code Review; Security Testing

Deployment: Penetration Testing; Software Environment; Configuration Management and Vulnerability Management

Page 15

Architecture Analysis Practice Skeleton

Page 16

Example Activity

[AA1.2] Perform design review for high-risk applications. The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. If the software security group (SSG) is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale.

Page 17

BSIMM4 Measurements

Page 18

BSIMM by the Numbers

Page 19

Real-world Data (51 firms)

Initiative age

Average: 5.5 years

Newest: 0

Oldest: 17

Median: 4

SSG size

Average: 19.48

Smallest: 1

Largest: 100

Median: 7.5

Satellite size

Average: 40.77

Smallest: 0

Largest: 350

Median: 6

Dev size

Average: 4455

Smallest: 11

Largest: 30,000

Median: 1500

Average SSG size: 1.95% of dev group size

Page 20

BSIMM4 Scorecard

111 Activities

3 levels of maturity

Top activities per practice

Comparing scorecards between releases is interesting

Page 21

Twelve Things “Everybody” Does

Core activities

1. identify gates

2. know PII obligations

3. awareness training

4. data classification

5. identify features

6. security standards

7. review security features

8. static analysis tool

9. QA boundary testing

10. external pen testers

11. good network security

12. close ops bugs loop

Page 22

Using BSIMM4

Page 23

BSIMM4 as a Measuring Stick

Compare a firm with peers using the high-water mark view

Compare business units

Page 24

BSIMM Longitudinal: Improvement over time

13 firms measured twice (average 19 months apart)

1 firm measured three times

BSIMM measurements show how firms improve

33% increase

Page 25

BSIMM4 Scorecard with FAKE Firm Data

Top 12 activities

purple = good?

red = bad?

“Blue shift” practices to emphasize

Drive budgets with data
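The measuring-stick comparison (Page 23, high-water mark view) and the scorecard reading on this page (which practices to “blue shift”) can both be computed from a plain list of observed activity IDs. The Python below is an added example for this write-up, not code from the BSIMM4 deck or from Cigital. It assumes the ID format of the deck’s example activity [AA1.2] (practice abbreviation, level digit, dot, activity number); the practice abbreviations, the firm’s observed activities and the three peer firms are all constructed for illustration.

```python
"""Added example: high-water-mark scoring of a BSIMM-style activity scorecard.

Not part of the BSIMM4 deck. The ID format follows the deck's [AA1.2] example;
the abbreviations, firm data and peer data below are constructed for illustration.
"""
import re
from collections import defaultdict

# The 12 practices of the software security framework (deck Page 14), keyed by
# an assumed abbreviation (AA = Architecture Analysis, as in the deck's [AA1.2]).
PRACTICES = {
    "SM": "Strategy and Metrics", "CP": "Compliance and Policy", "T": "Training",
    "AM": "Attack Models", "SFD": "Security Features and Design",
    "SR": "Standards and Requirements", "AA": "Architecture Analysis",
    "CR": "Code Review", "ST": "Security Testing", "PT": "Penetration Testing",
    "SE": "Software Environment",
    "CMVM": "Configuration Management and Vulnerability Management",
}

# <practice><level 1-3>.<activity number>, e.g. "AA1.2"
ACTIVITY_ID = re.compile(r"^([A-Z]+)([1-3])\.(\d+)$")


def parse_activity(activity_id):
    """Return (practice, level) for an ID like 'AA1.2'; reject malformed/unknown IDs."""
    m = ACTIVITY_ID.match(activity_id)
    if not m or m.group(1) not in PRACTICES:
        raise ValueError(f"not a recognised activity id: {activity_id!r}")
    return m.group(1), int(m.group(2))


def high_water_marks(observed):
    """High-water mark view: per practice, the highest level at which at least
    one activity was observed (0 when the practice has no observed activity)."""
    marks = dict.fromkeys(PRACTICES, 0)
    for aid in set(observed):
        practice, level = parse_activity(aid)
        marks[practice] = max(marks[practice], level)
    return marks


def peer_average(peer_observations):
    """Average high-water mark per practice across a peer group (list of activity lists)."""
    totals = defaultdict(float)
    for obs in peer_observations:
        for practice, level in high_water_marks(obs).items():
            totals[practice] += level
    n = len(peer_observations)
    return {p: totals[p] / n for p in PRACTICES}


def practices_to_emphasize(firm_observed, peer_observations):
    """Practices where the firm's mark sits below the peer average: the
    candidates a scorecard would flag for 'blue shift' attention."""
    firm = high_water_marks(firm_observed)
    peers = peer_average(peer_observations)
    return sorted(p for p in PRACTICES if firm[p] < peers[p])


def activity_count(observed):
    """Distinct activities observed; comparing two measurements of the same
    firm gives the kind of percentage change the deck's longitudinal slide cites."""
    return len(set(observed))


# Constructed sample data (not real BSIMM measurements).
FIRM = ["SM1.1", "CP1.2", "T1.1", "AM1.2", "SFD1.1", "SR1.1", "AA1.2", "CR1.4",
        "ST1.1", "PT1.1", "SE1.2", "CMVM1.1", "CR2.1", "PT2.1"]
PEERS = [
    ["SM2.1", "CP1.1", "T1.1", "AM1.1", "SFD1.1", "SR1.1", "AA1.1", "CR1.2",
     "ST1.1", "PT1.1", "SE1.1", "CMVM1.1"],
    ["SM1.1", "CP1.1", "T2.1", "AM1.1", "SFD1.1", "SR1.1", "AA2.1", "CR3.1",
     "ST1.1", "PT3.1", "SE1.1", "CMVM2.1"],
    ["SM3.1", "CP1.1", "T1.1", "AM1.1", "SFD1.1", "SR1.1", "AA1.1", "CR2.1",
     "ST1.1", "PT1.1", "SE1.1"],  # no CMVM activity observed -> mark 0
]

if __name__ == "__main__":
    firm = high_water_marks(FIRM)
    peers = peer_average(PEERS)
    for p, name in PRACTICES.items():
        print(f"{name:55s} firm={firm[p]}  peers={peers[p]:.2f}")
    print("emphasize:", [PRACTICES[p] for p in practices_to_emphasize(FIRM, PEERS)])
```

Design note: the high-water mark deliberately rewards only the highest observed level per practice, so one level-3 activity counts the same as a full level-3 practice; that is why the deck pairs it with the per-activity scorecard rather than relying on it alone, and why the example keeps the raw activity count alongside the marks.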

Page 26

We Are a Special Snowflake (NOT)

ISV (19) results are similar to financial services (19)

You do the same things

You can demand the same results

Measurement works for all

Page 27

BSIMM Over Four Studies

Page 28

vBSIMM

Subset of BSIMM4 used as part of vendor management

Adds easily to existing processes

Clearly distinguishes vendors that understand software security

Can form the basis for software security SLAs

Page 29

BSIMM4 to BSIMM5

BSIMM4 released September 2012 under Creative Commons

http://bsimm.com

Italian and German translations available soon

BSIMM is a yardstick

Use it to see where you stand

Use it to figure out what your peers do

BSIMM4 → BSIMM5

BSIMM is growing

Target of 80 firms

Page 30

BSIMM Key Benefits

BSIMM gives you a scientific measurement of your software security activities. This information is useful in many ways including:

Compare your firm with industry peers

Compare business units

Compare to a specific industry vertical or grouping

Compare a group to itself over time

Explain the programme to others – regulators, auditors, etc.

Drive budgeting

Page 31

Where to learn more

Page 32

searchsecurity + justice league

www.searchsecurity.com

No-nonsense monthly security column by Gary McGraw

www.cigital.com/justiceleague

In-depth thought leadership blog from Cigital Principals

Scott Matsumoto

Gary McGraw

Sammy Migues

John Steven

Paco Hope

http://bsimm.com

Send e-mail: [email protected]

Page 33

TODD LUKENS

MANAGING PRINCIPAL

[email protected]

703-404-9293 EXT: 4213