Scaling a Software Security Initiative: Lessons from the BSIMM

Transcription

1 Scaling a Software Security Initiative: Lessons from the BSIMM GARY MCGRAW, PH.D. SEPTEMBER 29, Gary McGraw, PH.D. Chief Technology Officer, Cigital gem@cigital.com

2 Cigital Providing software security professionals services since 1992 World s premiere software security consulting firm 350 employees 13 offices including Dulles, Boston, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, Amsterdam, and London Recognized experts in software security

3 BSIMM-V

4 67 Firms in the BSIMM-V Community Real data from 67 firms 161 measurements 21 over time McGraw, Migues, & West bsimm.com plus 24 anonymous firms

5 Monkeys Eat Bananas BSIMM is not about good or bad ways to eat bananas or banana best practices BSIMM is about observations BSIMM is descriptive, not prescriptive BSIMM describes and measures multiple prescriptive approaches

6 BSIMM by the Numbers BSIMM describes and measures the work of 2930 full time software security people controlling the work of 272,358 developers.

7 12 Practices 112 Activities Real activities, not theories Real data How do the 67 BSIMM firms carry out a practice? How do the practices scale?

8 BSIMM-V = Measuring Stick

9 Scaling Code Review

10 Remedial Code Review #1 Touchpoint Get a tool (HP/Fortify, IBM/Ounce, Coverity, Cigital SecureAssist) 50 of 67 firms have an automated tool

11 Code Review in the BSIMM

12 Code Review Pitfalls Security runs a complex tool Results computed WAY too late Results include too many false positives Security types have no clue how to fix anything Developers try to avoid being beaten by the security police Tool thrown over the wall to dev Developers asked to just run the tool with no real training The red screen of death ensues Developers learn to game the results 12 Copyright 2013, Cigital and/or its affiliates. All rights reserved. Cigital Confidential Restricted.

13 Scaling Code Review: Path 1 Build a centralized code review factory Streamline code submission Provide middleware data flow intelligence Normalize results (across multiple feeds) Know what to look for Create and enforce coding standards (carrot and stick) Build custom rules that work for YOUR code

14 Scaling Code Review: Path 2 (very new) Put a very simple real-time training tool on developer desktops Eliminate whole classes of bugs before they are compiled in Focus on coding more securely in the first place Teaching is more powerful than punishing Developers need to know what to DO not what not to do Train developers just in time at code writing time READ: bit.ly/1iicapb

15 Scaling Architecture Analysis

16 Remedial Architecture Analysis #2 Touchpoint Requires real expertise Know your components 56 of 67 firms review security FEATURES

17 Architecture Analysis Pitfalls The Expert Bottleneck Superman required for each analysis exercise Lots of products and teams need analysis, but must either must wait forever or skip it Ad Hoc Review Review only as powerful as whoever bothers to show up No institutional knowledge or consistency 17 Copyright 2013, Cigital and/or its affiliates. All rights reserved. Cigital Confidential Restricted.

18 Architecture Analysis in the BSIMM

19 Define a Process: Architecture Risk Analysis Step 0: Get an architecture diagram Step 1: Known attack analysis Leverage STRIDE by analogy Know your potential flaws Step 2: System-specific attack analysis Anticipate emergent flaws Build a threat model (trust boundaries and data sensitivity) Step 3: Dependency analysis Read: bit.ly/1b2f5zk

20 Scaling Architecture Analysis Security Architecture Survey (SAS) Focus on standard components and a software component model Look for your commonly encountered flaws Identify common controls Know your design principles Consider where the SDLC breaks Sweep the entire portfolio Use a proven process like Cigital ARA for high-risk applications Read: bit.ly/19jmk7f

21 Scaling Penetration Testing

22 Remedial Penetration Testing #3 Touchpoint Becoming a commodity (so buy some) 62 of 67 BSIMM firms use external pen testers Black box tools available

23 Penetration Testing Pitfalls Hiring reformed hackers Pen testing!= security meter badness-ometer 23 Copyright 2013, Cigital and/or its affiliates. All rights reserved. Cigital Confidential Restricted.

24 Penetration Testing in the BSIMM

25 Scaling Penetration Testing Automate with customized tools and know your attacker Black box Web/mobile testing tools are cheap and fast Fuzzing tools aimed at APIs also help scale Investigate cloud services (remote pen testing) Fix what you find Real integration with development is important Don t just throw rocks Periodically pen test everything you can

26 Where to Learn More

27 SearchSecurity + Justice League No-nonsense monthly security column by Gary McGraw In-depth thought leadership blog from the Cigital Principals Gary McGraw Sammy Migues John Steven Scott Matsumoto Paco Hope Jim DelGrosso

28 Silver Bullet + IEEE Security & Privacy Building Security In Software Security Best Practices column

29 The Book How to DO software security Best practices Tools Knowledge Cornerstone of the Addison- Wesley Software Security Series

30 Build Security In Read the Addison-Wesley Software Security series Send