Cybersecurity: Engineering a Secure Information Technology
Organization, 1st Edition
Chapter 11: The Building Security in Maturity Model (BSIMM)
© Cengage Learning 2015
Objectives
• Use the BSIMM software security framework to organize and manage software security tasks
• Understand the problems that organizations face to build functional and secure software and the best practices for overcoming those problems
• Assess the progress of an organization’s software security maturity and determine how balanced its approach is compared with others
Overview of the BSIMM
• The Building Security in Maturity Model (BSIMM) is descriptive rather than prescriptive: it starts from data gathered about real software security initiatives and uses that data to guide organizations toward improved software assurance programs
• The best way to use the BSIMM is to compare and contrast your own initiative with the measured ones
• BSIMM is the work of three software security experts: Gary McGraw, Brian Chess, and Sammy Migues
• The model uses a software security framework (SSF) to organize software security tasks
The Study
• BSIMM has had four major releases:
– BSIMM4 - published in September 2012 and included analyses of 51 organizations and a total set of 132 measurements
– BSIMM3 - published in September 2011 and included analyses of 42 organizations and a total set of 81 measurements
– BSIMM2 - published in May 2010 and included analyses of 30 organizations and 42 measurements
– Original study - published in March 2009 and included analyses of 9 organizations and 9 measurements
The Study
• Participants were not necessarily software companies
– Most were Fortune 500 companies that depend on secure software for their business
• Companies that participate in the BSIMM project show measurable improvement in their software security initiatives over time
• This chapter covers each of the 12 practices in the BSIMM and the activities that make up those practices
[Figure: two spider charts of the average maturity level in each of the 12 practices, one for all 51 BSIMM4 organizations and one for the top 10]
The Study
• The figure on the preceding slide reproduces two spider charts that show the average maturity levels in each of the 12 practices
– The first graph shows data from all 51 BSIMM organizations
– The second graph shows data from the top 10 organizations
• The greatest maturity appears to fall within the Compliance & Policy practice
• The least mature areas are Training, Attack Models, Architecture Analysis, and Code Review
BSIMM4 in Context
• BSIMM4 uses an SSF to organize software security tasks
• The SSF consists of four domains:
– Governance
– Intelligence
– SSDL (secure software development lifecycle) Touchpoints
– Deployment
• Each domain has its own set of business goals and is broken down into three practices that satisfy those goals
BSIMM4 in Context
• Each practice is divided into three maturity levels to clarify which activities should be addressed first and which build on them later
• Each activity includes a stated objective, a description, and a brief example to illustrate how at least one organization accomplished its objective
• For example, an activity in the training practice advises the software security group (SSG) to have an advertised lab period
– During which developers can drop in and discuss secure development or coding issues
BSIMM4 in Context
• An SSG is an internal group devoted to software security
• All 51 BSIMM companies agree that the success of their programs depends on having an SSG
• The group should include senior executives, system architects, developers, and administrators
• BSIMM is based on what organizations are actually doing
– It can be seen as a de facto standard
BSIMM4 in Context
• The BSIMM can be seen as the next step on the path to pooling knowledge of what works and how best to implement it
• The BSIMM is free and has been released under the Creative Commons Attribution-Share Alike 3.0 License
• To get started in adopting BSIMM, form an SSG to bring in stakeholders with relevant experience
– The first SSG meeting should review the BSIMM and eliminate activities that are not relevant to current projects
Governance Domain
• The BSIMM interpretation of governance is the same as SAMM’s
• The BSIMM provides a more focused approach through its activities than its counterpart in the OpenSAMM Project
Strategy & Metrics Practice
• Outcomes for the strategy and metrics practice center on the need for expectations and accountability for results
• BSIMM emphasizes that management must be clear about the organization’s expectations for the SSDL
– To ensure a consistent understanding of its importance
• The BSIMM also states that management must provide a clear set of objectives for stakeholders involved in the SSDL
Compliance & Policy Practice
• The activities in this practice provide accountability mechanisms and guidance for anyone who affects the successful completion of SSDL activities
• After completing the activities of this practice:
– Management has an approved set of guidelines that must be made available to anyone involved in the SSDL, including vendors
• Each SSDL activity must produce sufficient results to allow auditing and ensure adherence to policies
Training Practice
• Activities of the training practice focus on providing training to those most closely associated with the software lifecycle
– Employees gain knowledge and resources to design, develop, and deploy secure software
• This practice also defines activities for preparing formal security guidelines that serve as a reference to project teams
– The organization establishes expectations that security practices will be followed
Intelligence Domain
• Practices of the intelligence domain seek to generate organization-wide resources
– Such as tailored knowledge about attacks to which an organization is vulnerable
• Knowing the threat potential allows an organization to make informed decisions about code and controls
• Includes activities associated with defining security requirements and the definition and implementation of standards for input validation and authentication
Attack Models Practice
• This practice requires the organization to identify potential attackers
– Then use knowledge management techniques to document the risks of greatest concern
– Also document any past attacks that should be considered while developing the software
• Information about suspected attackers should be forwarded to all interested parties
• Attack patterns are a way to identify and communicate the attacker’s perspective
Security Features and Design Practice
• The goal is to create customized knowledge about security features, frameworks, and patterns
• This knowledge should then be used to enable architecture and component decisions that are made throughout the software lifecycle
• The BSIMM includes an activity within this practice that emphasizes the need to report positive elements identified during architecture analysis
Standards and Requirements Practice
• Activities of this practice focus on creating guidance for the internal development team
– As well as for third-party vendors that may have a stake in the project’s success
• The BSIMM requires that security standards, secure coding standards, and compliance requirements be created
– And conveyed through proper channels
SSDL Touchpoints Domain
• The SSDL touchpoints domain is composed of three practices:
– Architecture analysis
– Code review
– Security testing, which covers adopting a review process for software security and conducting prerelease testing
• The practices of this domain focus more on the strategic aspects of developing secure software
– Not just on the near-term tactical aspects
Architecture Analysis
• The BSIMM prescribes activities in which designers, architects, and analysts document assumptions and identify possible attacks
• Security analysts uncover and rank architectural flaws so that mitigation can begin
• Analysts highly recommend that organizations maintain a constant risk management thread with recurring risk tracking and monitoring activities
– Risks crop up during all stages of the software lifecycle
Code Review
• A number of security problems are caused by simple bugs in code
• Code review focuses on finding and fixing those bugs
• Using an automated analysis tool is recommended for code review
– Reviewing an entire code base by hand is boring, difficult, and tedious
• Static analysis tools, also called source code analyzers, examine the text of a program without attempting to execute it
Code Review
• Manual auditing is time consuming
• Human code auditors must know how to recognize security vulnerabilities before they can rigorously examine the code
• The operator of a good static analysis tool can apply it successfully without knowing the finer points of security bugs
– Triaging the tool’s findings (confirming true positives and suppressing false ones) still requires that security knowledge
Security Testing
• BSIMM security testing encompasses activities that emphasize two strategies:
– Testing security functions with standard techniques
– Risk-based security testing based on attack patterns, risk analysis results, and abuse cases
• Security testing is designed to make sure bad things don’t happen (functional testing only shows that the expected things do)
• Thinking like an attacker is essential
• Security testing must be guided by knowledge of the software architecture, common attacks, and the attacker’s mindset
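Risk-based security testing, as an added example (not from the textbook): a hardened file-name validator for an upload feature together with a table of abuse cases drawn from attack patterns (path traversal, NUL-byte truncation, absolute paths) and boundary values (empty, exactly at, and one over the length limit). The validator, the upload root `/srv/uploads` and the cases are constructed for illustration; nothing touches the disk.

```python
"""Risk-based security tests for a file-name validator.

Added example; the validator, upload root and abuse cases are constructed
for illustration, not taken from the textbook or any BSIMM participant.
Nothing is written to or read from disk.
"""
import re
from pathlib import Path

UPLOAD_ROOT = Path("/srv/uploads")   # assumed location; never created here
MAX_NAME = 255                       # common file-system name limit, used as the boundary
# Allow-list: first character alphanumeric (rules out '.', '..' and dot-files), then a safe set
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def safe_upload_path(name: str) -> Path:
    """Map an untrusted file name to a path under UPLOAD_ROOT, or raise ValueError."""
    if not name or len(name) > MAX_NAME:
        raise ValueError("name length out of range")
    if "\x00" in name:
        raise ValueError("NUL byte in name")
    if not NAME_RE.fullmatch(name):
        raise ValueError("name contains disallowed characters")
    # Defence in depth: even after the allow-list, prove the result stays inside the root
    target = (UPLOAD_ROOT / name).resolve()
    if UPLOAD_ROOT.resolve() not in target.parents:
        raise ValueError("path escapes upload root")
    return target


# (input, what the case probes, should the validator reject it?)
ABUSE_CASES = [
    ("report.pdf",          "ordinary name (positive control)",        False),
    ("a" * MAX_NAME,        "boundary: exactly MAX_NAME characters",   False),
    ("a" * (MAX_NAME + 1),  "boundary: one character over the limit",  True),
    ("",                    "boundary: empty name",                    True),
    ("../../etc/passwd",    "path traversal (CAPEC-126)",              True),
    ("..",                  "bare dot-dot",                            True),
    ("/etc/passwd",         "absolute path",                           True),
    ("sub/dir.txt",         "embedded path separator",                 True),
    ("..\\..\\win.ini",     "backslash traversal",                     True),
    ("evil\x00.png",        "NUL-byte truncation",                     True),
    ("caf\u00e9.txt",       "non-ASCII outside the allow-list",        True),
]


def run_abuse_cases(cases=ABUSE_CASES):
    """Run every case; return [(description, passed)], passed meaning behaviour matched expectation."""
    results = []
    for name, description, expect_reject in cases:
        try:
            safe_upload_path(name)
            rejected = False
        except ValueError:
            rejected = True
        results.append((description, rejected == expect_reject))
    return results


if __name__ == "__main__":
    for description, passed in run_abuse_cases():
        print(("PASS " if passed else "FAIL ") + description)
```

The positive control and the two length boundaries are the "standard techniques" half of the slide; the remaining rows are the attack-pattern half. Keeping both in one table makes a regression (for instance someone loosening the regex to admit slashes) fail a named case rather than silently widening the attack surface.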
Deployment Domain
• The deployment domain involves activities such as:
– Penetration testing (testing from the outside, not just inside)
– Providing patches for operating systems and applications
– Providing appropriate configuration management, version control, and incident handling
• The maintenance phase should preserve the security measures taken during development
• A strategy for patching and incident handling must be developed and documented
Penetration Testing
• The advantage of penetration testing is that it provides a good understanding of software in its working environment
• Organizations must ensure they hire proper personnel to perform penetration testing
– Should be cautious about employing a hacker who claims to be reformed only as a ploy to get hired
• Each major category of penetration testing has its own set of activities
– An organization must manage them effectively to detect and correct security defects
Software Environment
• This practice recommends activities that promote building assurance for the operating environment
• For Web code, a Web application firewall (WAF) can monitor the software environment
• Operations security teams are often responsible for duties such as patching operating systems and maintaining firewalls
• The BSIMM requires the creation of an installation guide to help operators install and configure the software
Software Environment
• Organizations can use code signing for software published across “trust boundaries”
– Two common trust boundaries are execution and data
• Software in production should be monitored for signs of misbehavior and attacks
• Intrusion detection and anomaly detection systems may focus on an application’s interaction with the operating system through system calls
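System-call anomaly detection of the kind the last bullet refers to, as an added example (not from the textbook or any product): a window-based detector in the style of the classic sequence-of-system-calls approach, trained on known-good traces and flagging a process whose call windows were never seen in training. The `pid syscall` trace format, the server call sequences and the thresholds are all constructed for this example rather than real strace or auditd output.

```python
"""Syscall-sequence anomaly detection (fixed-length window, 'stide' style).

Added example; traces are constructed in a simplified '<pid> <syscall>' line
format and the window length, frame size and threshold are assumptions.
"""
K = 4          # window length over the syscall sequence
FRAME = 10     # locality frame: how many consecutive windows to look at when clustering misses
THRESHOLD = 3  # unseen windows inside one frame that flag a process


def parse_trace(text):
    """Group lines of the form '<pid> <syscall>' into one call sequence per pid."""
    seqs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, name = line.split(None, 1)
        seqs.setdefault(pid, []).append(name)
    return seqs


def windows(seq, k=K):
    return [tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)]


def train(normal_text):
    """Build the set of every length-K window observed in known-good traces."""
    db = set()
    for seq in parse_trace(normal_text).values():
        db.update(windows(seq))
    return db


def score(seq, db):
    """Return (fraction of unseen windows, max unseen windows within any FRAME-long run)."""
    ws = windows(seq)
    if not ws:
        return 0.0, 0
    misses = [w not in db for w in ws]
    frac = sum(misses) / len(misses)
    max_lfc = max(sum(misses[i:i + FRAME]) for i in range(len(misses)))
    return frac, max_lfc


def detect(observed_text, db):
    """Score every pid in an observed trace; flag it when unseen windows cluster."""
    report = {}
    for pid, seq in parse_trace(observed_text).items():
        frac, lfc = score(seq, db)
        report[pid] = {"unseen_fraction": round(frac, 3), "max_lfc": lfc,
                       "flagged": lfc >= THRESHOLD}
    return report


def _lines(pid, calls):
    return "".join(f"{pid} {c}\n" for c in calls)


# Constructed training data: two request-handling loops of a hypothetical server
NORMAL_LOG = (
    _lines(4012, ["accept4", "read", "openat", "fstat", "read", "close", "write", "close"] * 3)
    + _lines(4013, ["accept4", "read", "stat", "write", "close"] * 3)
)
# Constructed observation: 5101 behaves normally; 5102 spawns a process and opens a socket
OBSERVED_LOG = (
    _lines(5101, ["accept4", "read", "stat", "write", "close",
                  "accept4", "read", "openat", "fstat", "read", "close", "write", "close"])
    + _lines(5102, ["accept4", "read", "openat", "fstat", "read", "close",
                    "execve", "dup2", "dup2", "socket", "connect", "write"])
)

if __name__ == "__main__":
    db = train(NORMAL_LOG)
    for pid, r in detect(OBSERVED_LOG, db).items():
        print(pid, r)
```

The locality frame matters more than the overall fraction: a handful of unseen windows spread across a long-lived process is usually drift in the baseline, whereas six consecutive unseen windows around an `execve` is the signature the slide means by an application misbehaving in its interaction with the operating system.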
Configuration Management and Vulnerability Management
• This practice focuses on activities associated with software change management
– These changes affect the organization’s security
• The SSG should either create its own incident response capability or work with the incident response team
• Defects identified through operations monitoring are fed back to developers and used to change their behavior
Configuration Management and Vulnerability Management
• The organization can make quick code changes when an application is under attack
• A rapid response team works in conjunction with application owners and the SSG to:
– Study the code and the attack
– Find a resolution
– Push a patch into production
• After defects are found and reported
– They are entered into established defect management systems and tracked through the fix process
Configuration Management and Vulnerability Management
• If a piece of code needs to be changed
– The operations staff can identify all places where the change is needed
• Common components shared by projects are noted so that when an error occurs in one application
– Developers can fix the other applications that share the same components
• The SSG simulates software security crises to ensure incident response capabilities minimize damage
– The simulations must focus on software failures, not natural disasters
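Finding every application that shares a vulnerable component, as an added example (not from the textbook): a version-aware lookup over an operations inventory. The inventory, component names and advisory ranges are constructed for illustration and describe no real product or vulnerability; the one real point it demonstrates is that versions must be compared numerically, since a string comparison puts 2.10.0 before 2.9.10 and would mis-classify such an application.

```python
"""Impact analysis for components shared across applications.

Added example; the inventory, component names and advisories are constructed
for illustration and describe no real products or vulnerabilities.
"""
from dataclasses import dataclass

# Constructed operations inventory: application -> {component: version in production}
INVENTORY = {
    "billing-api":     {"json-mapper": "2.9.8",  "logging-core": "2.14.1", "web-mvc": "5.3.1"},
    "customer-portal": {"json-mapper": "2.10.0", "logging-core": "2.17.1"},
    "batch-reports":   {"logging-core": "2.14.1", "text-utils": "1.9"},
    "auth-service":    {"web-mvc": "5.3.1", "logging-core": "2.3"},
}


@dataclass(frozen=True)
class Advisory:
    """A vulnerable component and its affected ranges as (introduced, fixed) pairs; fixed is exclusive."""
    component: str
    affected: tuple


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1) so that tuples compare numerically: 2.10.0 > 2.9.10.
    Assumption for this example: non-numeric suffixes such as '-rc1' are ignored."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_by(version: str, advisory: Advisory):
    """Return the fixed version that applies to `version`, or None if it is not affected."""
    pv = parse_version(version)
    for introduced, fixed in advisory.affected:
        if parse_version(introduced) <= pv < parse_version(fixed):
            return fixed
    return None


def shared_components(inventory):
    """Components used by more than one application: {component: sorted [apps]}."""
    users = {}
    for app, comps in inventory.items():
        for comp in comps:
            users.setdefault(comp, []).append(app)
    return {comp: sorted(apps) for comp, apps in users.items() if len(apps) > 1}


def impacted_apps(inventory, advisory):
    """Every application running an affected version: sorted [(app, current, fixed_in)]."""
    hits = []
    for app, comps in inventory.items():
        version = comps.get(advisory.component)
        if version is None:
            continue
        fixed = affected_by(version, advisory)
        if fixed is not None:
            hits.append((app, version, fixed))
    return sorted(hits)


# Constructed advisories with illustrative ranges (not real advisory data)
LOGGING_ADVISORY = Advisory("logging-core", (("2.0", "2.3.2"), ("2.4", "2.15.0")))
JSON_ADVISORY = Advisory("json-mapper", (("2.0", "2.9.10"),))

if __name__ == "__main__":
    for comp, apps in shared_components(INVENTORY).items():
        print(f"{comp}: shared by {', '.join(apps)}")
    for adv in (LOGGING_ADVISORY, JSON_ADVISORY):
        for app, current, fixed in impacted_apps(INVENTORY, adv):
            print(f"{app}: {adv.component} {current} -> upgrade to {fixed}")
```

An advisory can carry several ranges with different fixed versions (an older maintenance branch and a current one), which is why the lookup returns the fix that applies to the version actually deployed rather than a single "latest" number.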
Applying the BSIMM
• Authors of BSIMM4 noted 12 activities that were found in highly successful programs:
– Identify gate locations, gather necessary artifacts - SM 1.4
– Identify obligations for personally identifiable information (PII) - CP 1.2
– Provide awareness training - T 1.1
– Gather attack intelligence - AM 1.5
– Build and publish security features - SFD 1.1
– Create security standards - SR 1.1
Applying the BSIMM
• Authors of BSIMM4 noted 12 activities that were found in highly successful programs (cont’d):
– Perform security feature review - AA 1.1
– Use automated tools along with manual review - CR 1.4
– Ensure QA supports edge/boundary value condition testing - ST 1.1
– Use external penetration testers to find problems - PT 1.1
– Ensure host and network security basics are in place - SE 1.2
Applying the BSIMM
• Authors of BSIMM4 noted 12 activities that were found in highly successful programs (cont’d):
– Identify software bugs found in operations monitoring and feed them back to development - CMVM 1.2
Key Lessons
• Every one of the 51 measured organizations has an SSG in place
– It is a dedicated group that makes up 1 percent of the total development team in many BSIMM organizations
• Some SSGs are centralized, while others are highly distributed
• Some SSGs work closely on policy and strategy, while others focus on penetration testing and code review
Key Lessons
• Organizations can assess the progress of their software security maturity and determine how balanced their approach is compared with others
• Example: code review (CR) has three levels:
– Level 1: Does code review
– Level 2: Enforces standards through mandatory automated code review
– Level 3: Automated code review with customized rules
• Each level has activities that clarify what occurs at BSIMM participant organizations at that maturity level
Summary
• A problem for every organization is determining the best practice for each discipline that plays a role in application development
• The BSIMM originated from analyzing nine leading software security initiatives from software vendors, technology firms, and the financial services industry
• The BSIMM uses a software security framework (SSF) to organize software security tasks
• An SSF helps an organization determine how its own security practices compare with others’
Summary
• The SSF consists of 111 activities across the following 12 practices: strategy and metrics, attack models, architecture analysis, penetration testing, compliance and policy, security features and design, code review, software environment, training, standards and requirements, security testing, and configuration management and vulnerability management
• Each of the 12 practices is broken down into three maturity levels to clarify which activities must be addressed first and which need prioritizing