BSIMM6 Brings Science to Software Security
BSIMM: Building Security In Maturity Model 6

The sixth iteration of the Building Security In Maturity Model project is a tool you can use as a measuring stick for software security initiatives.

By now, you should have heard about the Building Security In Maturity Model (BSIMM) project, especially if you are a software security person. (No? A good place to start is by taking this software security quiz.) Maybe you've even downloaded a copy of your own to peruse (it's free under the Creative Commons license). Either way, it's time to get a new copy, because BSIMM6 has just been released. Remember, because BSIMM is completely data driven, the BSIMM6 document is different from what you may have read in the past. That's how science goes.

In this short piece, we focus on BSIMM6 facts and figures. The numbers are about real software security initiatives doing real work to secure the software that you use every day. This is no ephemeral top-ten list from the bug parade. This is a set of facts about the real state of commercial software security on planet Earth.

Who is the BSIMM community anyway?

The BSIMM project is spearheaded by three co-authors (the same three who wrote the piece you are reading now). We are directly involved in gathering data in person from each of the BSIMM firms. The data we gather directly through observation describes the work of 78 software security initiatives, from firms including: Adobe, Aetna, ANDA, Autodesk, Bank of America, Black Knight Financial Services, BMO Financial Group, Box, Capital One, Cisco, Citigroup, Comerica, Cryptography Research, Depository Trust and Clearing Corporation, Elavon, EMC, Epsilon, Experian, Fannie Mae, Fidelity, F-Secure, HP Fortify, HSBC, Intel Security, JPMorgan Chase & Co., Lenovo, LinkedIn, Marks & Spencer, McKesson, NetApp, NetSuite, Neustar, Nokia, NVIDIA, PayPal, Pearson Learning Technologies, Qualcomm, Rackspace, Salesforce, Siemens, Sony Mobile, Symantec, The Advisory Board, The Home Depot, TomTom, Trainline, U.S. Bank, Vanguard, Visa, VMware, Wells Fargo, and Zephyr Health.

By the way, we added a data freshness constraint to the model with BSIMM6. We now exclude measurements older than 42 months to better align with business cycles. This requirement caused 21 firms to be removed when we created BSIMM6.

What is the BSIMM?

The BSIMM is a measuring stick for software security. The best way to use the BSIMM is to compare and contrast your own initiative with the data contained in the model, which show what other organizations are doing. You can then identify goals and objectives of your own and look to the BSIMM to determine which further activities make sense for you. The BSIMM is not a software security methodology. To make this clear, consider that the BSIMM can be used to measure Microsoft's SDL, but it is by no means a replacement for the Microsoft SDL.

BSIMM by the Numbers

Table 1 shows how the BSIMM project has grown over the years. Remember, software security initiatives are ongoing and not a fire-and-forget exercise.

[Table 1: growth of the BSIMM project over the years]

As you can see, at this stage of the game, the BSIMM describes the work of 1,084 full-time software security professionals who are attempting to help 287,006 developers build more secure software. They have help from the satellite, which is made up of developers, architects, and people in the organization directly engaged in and promoting software security, but not as full-time software security group (SSG) members. Ever wonder how big your firm's SSG should be? We wonder also, but we do know how big the SSGs are at 78 firms. If we average all the ratios of SSG size to development size, we get an SSG average of averages of 1.51% (median 0.7%). Table 2 contains some additional interesting data.

[Table 2: additional BSIMM6 data]

Table 3 shows just how many firms make use of each of the 112 activities in the BSIMM. Each activity has a label (like SM1.1) and is described in detail in the BSIMM6 report. See, it turns out we do know how to do software security! We even know who is doing what. Now what we need to do is spread adoption of software security to all firms creating software. You can help.

[Table 3: number of firms observed performing each of the 112 activities]

How does your firm compare?

Here's what happens when you measure a new firm using the BSIMM measuring stick. You can directly compare how your software security initiative stacks up against the other 78 firms in BSIMM6. Is your firm a financial services institution? Well, we can compare you to 33 other financial services firms. Are you an ISV? We can compare you directly to 27 other ISVs. BSIMM6 also marks the introduction of the healthcare industry with the inclusion of 10 firms. Measurement is a powerful tool that drives both budgets and improvement. Nobody wants to be the slowest zebra in the zebra pack. Is your firm the slowest zebra? You can get your own scorecard like the one in Table 4 and do some analysis to find out.

[Table 4: example firm scorecard]

We also create a spider diagram (Figure 1) as a way of visualizing a comparison based on 12 practices. The 112 activities in the model fit directly into the 12 practices. Our spider-graph-yielding high-water mark approach (based on three levels per practice) is sufficient to get a low-resolution feel for maturity, especially when working with data from a particular vertical or geography.
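As an added, worked illustration of the two calculations this piece leans on (the per-practice high-water mark behind the spider diagram, and the average-of-ratios SSG sizing figure), here is a small Python scorecard. It is example code written for this page, not BSIMM project tooling. The practice abbreviations are the twelve BSIMM practices and the label format (practice, level 1 to 3, activity number, as in SM1.1) follows the report's convention; the observed activity list, the four firm sizes, and the per-practice averages are constructed placeholders, not BSIMM6 data.

```python
import re
from collections import Counter
from statistics import mean, median

# The 12 BSIMM practices, keyed by the abbreviation used in activity labels.
PRACTICES = {
    "SM": "Strategy & Metrics", "CP": "Compliance & Policy", "T": "Training",
    "AM": "Attack Models", "SFD": "Security Features & Design",
    "SR": "Standards & Requirements", "AA": "Architecture Analysis",
    "CR": "Code Review", "ST": "Security Testing", "PT": "Penetration Testing",
    "SE": "Software Environment",
    "CMVM": "Configuration Management & Vulnerability Management",
}

# Label format: practice abbreviation, level 1-3, '.', activity number (e.g. SM1.1).
LABEL_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")


def parse_activity(label):
    """Split a label such as 'CMVM2.1' into ('CMVM', 2, 1).

    Rejects unknown practices and levels outside 1-3, so a typo in a
    scorecard cannot silently inflate a practice's score.
    """
    m = LABEL_RE.match(label.strip())
    if not m or m.group(1) not in PRACTICES:
        raise ValueError(f"not a BSIMM activity label: {label!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def high_water_marks(observed):
    """Per-practice high-water mark: the highest level at which at least one
    activity was observed, 0 for a practice with nothing observed.
    These 12 numbers are what a spider diagram is drawn from."""
    hwm = {p: 0 for p in PRACTICES}
    for label in observed:
        practice, level, _ = parse_activity(label)
        hwm[practice] = max(hwm[practice], level)
    return hwm


def activity_counts(observed):
    """Distinct activities observed per practice: a finer view than the
    high-water mark, which a single high-level activity can set on its own."""
    counts = Counter(parse_activity(label)[0] for label in set(observed))
    return {p: counts.get(p, 0) for p in PRACTICES}


def below_average(hwm, averages):
    """Practices where the firm's high-water mark sits under the published
    average: the 'slowest zebra' check."""
    return {p: (hwm[p], averages[p]) for p in PRACTICES if hwm[p] < averages[p]}


def ssg_ratio_stats(firms):
    """firms: iterable of (ssg_size, developer_count).
    Returns (average of per-firm ratios, median ratio, ratio of totals), in
    percent. The first is the 'average of averages' the BSIMM reports; its gap
    from the median shows how a few SSG-heavy firms skew it."""
    pairs = list(firms)
    ratios = [100.0 * ssg / dev for ssg, dev in pairs]
    pooled = 100.0 * sum(s for s, _ in pairs) / sum(d for _, d in pairs)
    return round(mean(ratios), 2), round(median(ratios), 2), round(pooled, 2)


# Constructed example scorecard: labels follow the BSIMM format, but this list
# is a placeholder, not any real firm's measurement.
OBSERVED = [
    "SM1.1", "SM1.4", "SM2.1", "CP1.1", "T1.1", "AM1.2", "SFD1.1", "SR1.1",
    "AA1.1", "CR1.4", "CR2.5", "ST1.1", "ST2.1", "PT1.1", "SE1.2",
    "CMVM1.1", "CMVM2.1",
]

# Placeholder per-practice averages for the comparison; NOT the BSIMM6 values.
HYPOTHETICAL_AVERAGES = {
    "SM": 1.8, "CP": 1.6, "T": 1.4, "AM": 1.3, "SFD": 1.5, "SR": 1.5,
    "AA": 1.2, "CR": 1.7, "ST": 1.5, "PT": 1.7, "SE": 1.4, "CMVM": 1.8,
}

# Constructed (ssg_size, developer_count) pairs for four imaginary firms.
EXAMPLE_FIRMS = [(5, 1000), (20, 500), (2, 200), (10, 2000)]

if __name__ == "__main__":
    hwm = high_water_marks(OBSERVED)
    for p, level in hwm.items():
        print(f"{p:5} {PRACTICES[p]:55} high-water mark {level}")
    print("below placeholder average:", sorted(below_average(hwm, HYPOTHETICAL_AVERAGES)))
    print("SSG ratio % (avg of ratios, median, pooled):", ssg_ratio_stats(EXAMPLE_FIRMS))
```

Two things worth noticing when you run this against your own data: a high-water mark of 2 in a practice can come from a single level-2 activity, which is why the activity count per practice is kept alongside it, and the four constructed firms give an average of ratios of 1.5% against a median of 0.75%, the same kind of skew that separates the 1.51% and 0.7% figures above.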
[Figure 1: spider diagram of high-water marks across the 12 practices]

One meaningful comparison is to chart your own firm's maturity high-water mark against the averages we have published to see how your initiative compares.

The BSIMM community

The 78 firms participating in BSIMM6 make up the BSIMM community. A moderated private mailing list with over 250 members allows SSG leaders participating in the BSIMM to discuss solutions with others who face the same issues, discuss strategy with someone who has already addressed an issue, seek out mentors from those further along a career path, and band together to solve hard problems. The BSIMM community also hosts annual private conferences in the United States and Europe where representatives from each firm gather in an off-the-record forum to discuss software security initiatives. Become part of the community today and take advantage of these unique resources. The BSIMM website includes a credentialed BSIMM community section where information from the conferences, working groups, and mailing-list-initiated studies is posted. Would you like your firm to be included in the BSIMM community? Give us a shout.

BSIMM6 is the latest snapshot of a growing and evolving set of real data about software security. The more data we have, the better off we all are. It's science time.

Authors: Sammy Migues, Gary McGraw, Ph.D., and Jacob West

Want to know how your software security initiative stacks up against your peers? Go to to learn more.

This was first published in October

About Cigital

Cigital is one of the world's largest application security firms. We go beyond traditional testing services to help organizations find, fix and prevent vulnerabilities in the applications that power their business. Our holistic approach to application security offers a balance of managed services, professional services and products tailored to fit your specific needs. We don't stop when the test is over. Our experts also provide remediation guidance, program design services, and training that empower you to build and maintain secure applications.

Cigital, Ridgetop Circle, Suite 400, Dulles, VA
