Source: media.computer.org/pdfs/GaryMcGraw.pdf

Copyright © 2014, Cigital and/or its affiliates. All rights reserved.

Scaling a Software Security Initiative: Lessons from the BSIMM

Gary McGraw, Ph.D.
Chief Technology Officer, Cigital
Email: [email protected]

September 29, 2014
@cigitalgem


Cigital

Providing software security professional services since 1992
World’s premier software security consulting firm
• 350 employees
• 13 offices including Dulles, Boston, New York, Santa Clara, Bloomington, Chicago, Atlanta, Amsterdam, and London
Recognized experts in software security


BSIMM-V


67 Firms in the BSIMM-V Community
plus 24 anonymous firms

Real data from 67 firms
161 measurements
21 over time
McGraw, Migues, & West
bsimm.com


Monkeys Eat Bananas

BSIMM is not about good or bad ways to eat bananas or banana best practices
BSIMM is about observations
BSIMM is descriptive, not prescriptive
BSIMM describes and measures multiple prescriptive approaches


BSIMM by the Numbers

BSIMM describes and measures the work of 2930 full-time software security people controlling the work of 272,358 developers.


12 Practices, 112 Activities

Real activities, not theories
Real data
How do the 67 BSIMM firms carry out a practice?
How do the practices scale?


BSIMM-V = Measuring Stick


Scaling Code Review


Remedial Code Review

#1 Touchpoint
Get a tool (HP/Fortify, IBM/Ounce, Coverity, Cigital SecureAssist)
50 of 67 firms have an automated tool


Code Review in the BSIMM

12 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.

Code Review Pitfalls

Security runs a complex tool
• Results computed WAY too late
• Results include too many false positives
• Security types have no clue how to fix anything
• Developers try to avoid being beaten by the security police

Tool thrown over the wall to dev
• Developers asked to “just run the tool” with no real training
• The “red screen of death” ensues
• Developers learn to game the results


Scaling Code Review: Path 1

Build a centralized code review factory
• Streamline code submission
• Provide middleware data flow intelligence
• Normalize results (across multiple feeds)
Know what to look for
• Create and enforce coding standards (carrot and stick)
• Build custom rules that work for YOUR code
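One concrete piece of such a factory, added here as an illustration and not code from the talk or from Cigital, is the normalization step: findings from two hypothetical tools (constructed sample output with hypothetical rule ids; the rule-to-CWE map is assumed to be maintained by the factory team, which is where "know what to look for" gets encoded) are mapped onto one schema, merged across feeds, and sorted into a single triage queue.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample feeds from two hypothetical tools with different formats and severity scales.
TOOL_A_RECORDS = [  # "tool A" emits dicts with a numeric severity 1-5
    {"path": "src/login.c", "line": 42, "checker": "A-SQLI", "sev": 5},
    {"path": "src/util.c", "line": 7, "checker": "A-FMT", "sev": 3},
]
TOOL_B_CSV = """file,line,rule,priority
src/login.c,42,B_SQL_INJECTION,High
src/net.c,118,B_BUFFER_OVERRUN,Critical
"""
# The factory's own map from each tool's rule ids to one vocabulary (the CWE ids are real; the
# rule ids and this mapping are constructed). This is where "know what to look for" is encoded.
RULE_TO_CWE = {"A-SQLI": "CWE-89", "B_SQL_INJECTION": "CWE-89",
               "A-FMT": "CWE-134", "B_BUFFER_OVERRUN": "CWE-120"}
B_PRIORITY = {"Critical": "high", "High": "high", "Medium": "medium", "Low": "low"}
RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    cwe: str
    severity: str   # common scale: low / medium / high
    sources: tuple  # every tool that reported it

def normalize_a(records):
    sev = lambda n: "high" if n >= 4 else "medium" if n >= 2 else "low"
    return [Finding(r["path"], r["line"], RULE_TO_CWE.get(r["checker"], "unmapped"),
                    sev(r["sev"]), ("toolA",)) for r in records]

def normalize_b(text):
    return [Finding(r["file"], int(r["line"]), RULE_TO_CWE.get(r["rule"], "unmapped"),
                    B_PRIORITY[r["priority"]], ("toolB",)) for r in csv.DictReader(io.StringIO(text))]

def merge(*feeds):
    """Collapse findings that name the same file/line/CWE, keep the worst severity, record every
    reporting tool, and sort worst-first so triage sees one queue whichever tools fed it."""
    merged = {}
    for f in [x for feed in feeds for x in feed]:
        key = (f.file, f.line, f.cwe)
        if key in merged:
            old = merged[key]
            f = Finding(f.file, f.line, f.cwe, max(old.severity, f.severity, key=RANK.get),
                        tuple(sorted(set(old.sources + f.sources))))
        merged[key] = f
    return sorted(merged.values(), key=lambda f: (-RANK[f.severity], f.file, f.line))
```

Calling `merge(normalize_a(TOOL_A_RECORDS), normalize_b(TOOL_B_CSV))` yields three findings, with the SQL injection that both tools flagged collapsed into one entry credited to both.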


Scaling Code Review: Path 2 (very new)

Put a very simple “real-time training” tool on developer desktops
Eliminate whole classes of bugs before they are compiled in
Focus on coding more securely in the first place
• Teaching is more powerful than punishing
• Developers need to know what to DO, not what not to do
Train developers just in time, at code writing time
READ: bit.ly/1iIcAPB


Scaling Architecture Analysis


Remedial Architecture Analysis

#2 Touchpoint
Requires real expertise
Know your components
56 of 67 firms review security FEATURES


Architecture Analysis Pitfalls

The Expert Bottleneck
• Superman required for each analysis exercise
• Lots of products and teams need analysis, but must either wait forever or skip it

Ad Hoc “Review”
• Review only as powerful as whoever bothers to show up
• No institutional knowledge or consistency


Architecture Analysis in the BSIMM


Define a Process: Architecture Risk Analysis

Step 0: Get an architecture diagram
Step 1: Known attack analysis
• Leverage STRIDE by analogy
• Know your potential flaws
Step 2: System-specific attack analysis
• Anticipate emergent flaws
• Build a threat model (trust boundaries and data sensitivity)
Step 3: Dependency analysis
Read: bit.ly/1b2f5Zk
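Steps 1 to 3 of this process carried out in code over a constructed component model (an added example, not the talk's or Cigital's ARA tooling; the trust zones, components, flows, library names and approved list are all assumed): STRIDE predicates applied by analogy to each data flow, a chain search for the emergent flaw of secret data reaching a less trusted zone than it started in, and a dependency check against an approved-component list.

```python
from collections import namedtuple
# Constructed vocabulary: trust zones and data sensitivity, both ranked low to high.
ZONE_RANK = {"internet": 0, "dmz": 1, "internal": 2}
SENS_RANK = {"public": 0, "internal": 1, "secret": 2}
Component = namedtuple("Component", "zone deps audit_log", defaults=((), False))
Flow = namedtuple("Flow", "src dst data sensitivity authenticated encrypted", defaults=(False, False))
def crosses(f, comps): return comps[f.src].zone != comps[f.dst].zone  # trust boundary crossed?

# Step 1: known attack analysis, STRIDE by analogy. Each predicate encodes a flaw pattern the
# team has seen before; denial of service is omitted because the model carries no capacity data.
STRIDE = {
    "Spoofing": lambda f, c, x: x and not f.authenticated,
    "Tampering": lambda f, c, x: x and not f.encrypted,
    "Repudiation": lambda f, c, x: SENS_RANK[f.sensitivity] >= 1 and not c[f.dst].audit_log,
    "Information disclosure": lambda f, c, x: SENS_RANK[f.sensitivity] >= 1 and not f.encrypted,
    "Elevation of privilege": lambda f, c, x: x and not f.authenticated
        and ZONE_RANK[c[f.dst].zone] > ZONE_RANK[c[f.src].zone],
}

def known_attack_analysis(flows, comps):
    return [(f.src, f.dst, t) for f in flows for t, p in STRIDE.items() if p(f, comps, crosses(f, comps))]

# Step 2: system-specific analysis for an emergent flaw no single flow shows: secret data that,
# through a chain of flows, ends up in a zone less trusted than the one it originated in.
def emergent_flaws(flows, comps):
    out = []
    for origin in comps:
        stack, seen = [origin], set()
        while stack:
            cur = stack.pop()
            for f in flows:
                if f.src == cur and f.sensitivity == "secret" and f.dst not in seen:
                    seen.add(f.dst)
                    stack.append(f.dst)
                    if ZONE_RANK[comps[f.dst].zone] < ZONE_RANK[comps[origin].zone]:
                        out.append((origin, f.dst, f.data))
    return out

# Step 3: dependency analysis against the organization's approved-component list.
def dependency_analysis(comps, approved):
    return [(name, d) for name, c in comps.items() for d in c.deps if d not in approved]

# Constructed sample system: the Step 0 diagram reduced to components and data flows.
COMPS = {"browser": Component("internet"), "api": Component("dmz", ("jsonlib", "oldcrypto")),
         "db": Component("internal", audit_log=True)}
FLOWS = [Flow("browser", "api", "credentials", "secret", encrypted=True),
         Flow("api", "db", "account records", "secret", authenticated=True),
         Flow("db", "api", "account records", "secret", authenticated=True),
         Flow("api", "browser", "account records", "secret", authenticated=True, encrypted=True)]
APPROVED = {"jsonlib"}
```

On the sample model, Step 1 returns nine flow-level findings (for instance the unauthenticated browser-to-api flow is flagged for spoofing and elevation of privilege), Step 2 flags account records travelling from db out to the browser, and Step 3 flags the unapproved oldcrypto dependency.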


Scaling Architecture Analysis

Security Architecture Survey (SAS)
• Focus on standard components and a software component model
• Look for your commonly encountered flaws
  − Identify common controls
  − Know your design principles
  − Consider where the SDLC breaks
• Sweep the entire portfolio
Use a proven process like Cigital ARA for high-risk applications
Read: bit.ly/19Jmk7f


Scaling Penetration Testing


Remedial Penetration Testing

#3 Touchpoint
Becoming a commodity (so buy some)
62 of 67 BSIMM firms use external pen testers
Black box tools available


Penetration Testing Pitfalls

Hiring “reformed” hackers

Pen testing != security meter
• badness-ometer


Penetration Testing in the BSIMM


Scaling Penetration Testing

Automate with customized tools and know your attacker
• Black box Web/mobile testing tools are cheap and fast
• Fuzzing tools aimed at APIs also help scale
Investigate cloud services (remote pen testing)
Fix what you find
• Real integration with development is important
• Don’t just throw rocks
Periodically pen test everything you can


Where to Learn More


SearchSecurity + Justice League

www.searchsecurity.com
No-nonsense monthly security column by Gary McGraw
www.cigital.com/~gem/writing

www.cigital.com/justiceleague
In-depth thought leadership blog from the Cigital Principals
• Gary McGraw
• Sammy Migues
• John Steven
• Scott Matsumoto
• Paco Hope
• Jim DelGrosso


Silver Bullet + IEEE Security & Privacy

www.cigital.com/silverbullet
Building Security In
Software Security Best Practices column
www.computer.org/security/bsisub/


The Book

How to DO software security
• Best practices
• Tools
• Knowledge
Cornerstone of the Addison-Wesley Software Security Series
www.swsec.com


Build Security In

Read the Addison-Wesley Software Security series
Send e-mail: [email protected]
@cigitalgem