Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition
Chapter 11: The Building Security in Maturity Model (BSIMM)

© Cengage Learning 2015

Objectives

• Use the BSIMM software security framework to organize and manage software security tasks

• Understand the problems that organizations face to build functional and secure software and the best practices for overcoming those problems

• Assess the progress of an organization’s software security maturity and determine how balanced its approach is compared with others


Overview of the BSIMM

• The Building Security in Maturity Model (BSIMM) uses data up front to guide organizations toward improved software assurance programs

• The best way to use the BSIMM is to compare and contrast your own initiative against the initiatives it measured

• BSIMM is the work of three software security experts: Gary McGraw, Brian Chess, and Sammy Migues

• The model uses a software security framework (SSF) to organize software security tasks


The Study

• BSIMM has had four major releases:
– BSIMM4 - published in September 2012 and included analyses of 51 organizations and a total set of 132 measurements
– BSIMM3 - published in September 2011 and included analyses of 42 organizations and a total set of 81 measurements
– BSIMM2 - published in May 2010 and included analyses of 30 organizations and 42 measurements
– Original study - published in March 2009 and included analyses of 9 organizations and 9 measurements


The Study

• Participants were not necessarily software vendors
– Most were Fortune 500 companies that depend on secure software for their business
• Companies that participate in the BSIMM project show measurable improvement in their software security initiatives

• This chapter covers each of the 12 practices in the BSIMM and the activities that make up those practices

[Figure: two spider charts of average maturity level per practice, one for all 51 BSIMM4 organizations and one for the top 10]

The Study

• The preceding figure reproduces two spider charts that show the average maturity level in each of the 12 practices
– The first chart shows data from all 51 BSIMM4 organizations
– The second chart shows data from the top 10 organizations
• The greatest maturity appears to fall within the Compliance & Policy practice
• The least mature areas are Training, Attack Models, Architecture Analysis, and Code Review


BSIMM4 in Context

• BSIMM4 uses an SSF to organize software security tasks

• The SSF consists of four domains:
– Governance
– Intelligence
– SSDL (secure software development lifecycle) touchpoints
– Deployment

• Each domain has its own set of business goals and is broken down to define three practices to satisfy those goals


BSIMM4 in Context

• Each practice is divided into three maturity levels to clarify which activities should be addressed first
– And which need prioritizing later
• Each activity includes a stated objective, a description, and a brief example to illustrate how at least one organization accomplished its objective
• For example, an activity in the training practice advises the software security group (SSG) to have an advertised lab period
– During which developers can drop in and discuss secure development or coding issues


BSIMM4 in Context

• An SSG is an internal group devoted to software security

• All 51 BSIMM companies agree that the success of their programs depends on having an SSG

• The group should include:
– Senior executives, system architects, developers, and administrators
• BSIMM is based on what organizations are actually doing
– It can be seen as a de facto standard


BSIMM4 in Context

• The BSIMM can be seen as the next step on the path to pooling knowledge of what works and how best to implement it

• The BSIMM is free and has been released under the Creative Commons Attribution-Share Alike 3.0 License

• To get started in adopting BSIMM, form an SSG to bring in stakeholders with relevant experience
– The first SSG meeting should review the BSIMM and eliminate activities that are not relevant to current projects


Governance Domain

• The BSIMM interpretation of governance is the same as SAMM’s

• The BSIMM provides a more focused approach through its activities than its counterpart in the OpenSAMM Project


Strategy & Metrics Practice

• Outcomes for the strategy and metrics practice center on the need for expectations and accountability for results

• BSIMM emphasizes that management must be clear about the organization’s expectations for the SSDL
– To ensure a consistent understanding of its importance
• The BSIMM also states that management must provide a clear set of objectives for stakeholders involved in the SSDL


Compliance & Policy Practice

• The activities in this practice provide accountability mechanisms and guidance for anyone who affects the successful completion of SSDL activities

• After completing the activities of this practice:
– Management has an approved set of guidelines that must be made available to anyone involved in the SSDL, including vendors
• Each SSDL activity must produce sufficient results (artifacts) to allow auditing and to demonstrate adherence to policy


Training Practice

• Activities of the training practice focus on providing training to those most closely associated with the software lifecycle
– Employees gain the knowledge and resources to design, develop, and deploy secure software
• This practice also defines activities for preparing formal security guidelines that serve as a reference for project teams
– The organization establishes the expectation that security practices will be followed


Intelligence Domain

• Practices of the intelligence domain seek to generate organization-wide resources
– Such as tailored knowledge about the attacks to which the organization is vulnerable
• Knowing the threat potential allows an organization to make informed decisions about code and controls
• The domain also includes activities for defining security requirements and for defining and implementing standards, for example for input validation and authentication


Attack Models Practice

• This practice requires the organization to identify potential attackers
– Then use knowledge management techniques to document the risks of greatest concern
– Also document any past attacks that should be considered while developing the software
• Information about suspected attackers should be forwarded to all interested parties
• Attack patterns are a way to identify and communicate the attacker’s perspective


Security Features and Design Practice

• The goal is to create customized knowledge about security features, frameworks, and patterns

• This knowledge should then be used to enable architecture and component decisions that are made throughout the software lifecycle

• The BSIMM includes an activity within this practice that emphasizes the need to report positive elements identified during architecture analysis


Standards and Requirements Practice

• Activities of this practice focus on creating guidance for the internal development team
– As well as for third-party vendors that may have a stake in the project’s success
• The BSIMM includes activities in which security standards, secure coding standards, and compliance requirements are created
– And conveyed through proper channels


SSDL Touchpoints Domain

• The SSDL touchpoints domain is composed of three practices:
– Architecture analysis
– Code review (adopting a review process for software security)
– Security testing (conducting prerelease testing)
• The practices of this domain focus more on the strategic aspects of developing secure software
– Not just on the near-term tactical aspects


Architecture Analysis

• The BSIMM prescribes activities in which designers, architects, and analysts document assumptions and identify possible attacks

• Security analysts uncover and rank architectural flaws so that mitigation can begin

• Analysts highly recommend that organizations maintain a constant risk management thread with recurring risk tracking and monitoring activities
– Risks crop up during all stages of the software lifecycle


Code Review

• A number of security problems are caused by simple bugs in code

• Code review focuses on finding and fixing bugs
• Using an automated analysis tool is recommended for code review
– Reviewing a large code base by hand is boring, difficult, and tedious, and reviewers miss things

• Static analysis tools, also called source code analyzers, examine the text of a program without attempting to execute it


Code Review

• Manual auditing is time consuming
• Human code auditors must know how to recognize security vulnerabilities before they can rigorously examine the code
• The operator of a good static analysis tool can apply it successfully without knowing the finer points of security bugs
– Triaging the tool’s output (separating true positives from false positives and deciding what to fix) still calls for that expertise, which is why the BSIMM pairs automated tools with manual review
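As an added example (not from the chapter and not part of the BSIMM itself), the Python script below shows the shape of the static analysis tool described above: it parses source text into an abstract syntax tree, never executes it, and reports calls that match a rule table. The rule table, the rule identifiers (CR-EVAL, CR-SHELL and so on) and the sample program under review are constructed for this illustration. Two points matter for the practice: the rules are data, so adding an organization-specific rule (the customized rules of the highest code review level) is cheap, and the output is a worklist for a human reviewer, not a verdict.

```python
"""Minimal AST-based static analyzer (added example; rules and sample are constructed)."""
import ast
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def _callee_name(call: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'subprocess.run' or 'eval'."""
    parts: List[str] = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _keyword(call: ast.Call, name: str) -> Optional[ast.expr]:
    """Value of keyword argument `name`, or None if it was not passed."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def _is_true(node: Optional[ast.expr]) -> bool:
    return isinstance(node, ast.Constant) and node.value is True


# Rule table (constructed): callee -> (rule id, predicate on the Call node, message).
# An SSG would extend this with rules for its own frameworks; keeping the table
# data-driven is what makes "customized rules" cheap to add.
Rule = Tuple[str, Callable[[ast.Call], bool], str]
DEFAULT_RULES: Dict[str, Rule] = {
    "eval": ("CR-EVAL", lambda c: True, "eval() executes whatever string it is given"),
    "exec": ("CR-EVAL", lambda c: True, "exec() executes whatever string it is given"),
    "os.system": ("CR-SHELL", lambda c: True, "command passes through a shell"),
    "subprocess.run": ("CR-SHELL", lambda c: _is_true(_keyword(c, "shell")),
                       "shell=True builds a command line; pass an argument list"),
    "subprocess.Popen": ("CR-SHELL", lambda c: _is_true(_keyword(c, "shell")),
                         "shell=True builds a command line; pass an argument list"),
    "hashlib.md5": ("CR-WEAKHASH", lambda c: True, "MD5 is not collision resistant"),
    "hashlib.sha1": ("CR-WEAKHASH", lambda c: True, "SHA-1 is not collision resistant"),
    "yaml.load": ("CR-YAML", lambda c: _keyword(c, "Loader") is None,
                  "yaml.load without Loader= can instantiate arbitrary objects"),
}
SECRET_NAME = re.compile(r"(?i)(password|passwd|secret|token|api_key)")


def scan(source: str, rules: Dict[str, Rule] = DEFAULT_RULES) -> List[Finding]:
    """Parse `source` and return findings sorted by line; the code is never run."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in rules:
                rule_id, applies, message = rules[name]
                if applies(node):
                    findings.append(Finding(rule_id, node.lineno, f"{name}: {message}"))
        elif isinstance(node, ast.Assign):
            # Hard-coded credential: NAME = "literal" where NAME looks like a secret.
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for target in node.targets:
                    if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                        findings.append(Finding("CR-SECRET", node.lineno,
                                                f"hard-coded secret in {target.id}"))
    return sorted(findings, key=lambda f: (f.line, f.rule))


# Constructed sample program under review; it deliberately contains weak spots
# next to their safe counterparts so the predicates, not just the names, matter.
SAMPLE = '''\
import hashlib, subprocess, yaml
DB_PASSWORD = "hunter2"

def run(cmd):
    return subprocess.run("ls " + cmd, shell=True)

def digest(data):
    return hashlib.md5(data).hexdigest()

def load(doc):
    return yaml.load(doc)

def safe_load(doc):
    return yaml.load(doc, Loader=yaml.SafeLoader)

def safe_run(args):
    return subprocess.run(["ls", *args])
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line:3d} {f.rule:12s} {f.detail}")
```

Run as a script it lists four findings (lines 2, 5, 8 and 11 of the sample) and stays silent on the two safe variants; each finding still needs a reviewer to decide whether the input can actually be attacker-controlled.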


Security Testing

• BSIMM security testing encompasses activities that emphasize two strategies:
– Testing security functions with standard techniques
– Risk-based security testing based on attack patterns, risk analysis results, and abuse cases
• Security testing is designed to make sure bad things don’t happen
• Thinking like an attacker is essential
• Security testing must be guided by knowledge of the software architecture, common attacks, and the attacker’s mindset
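As an added example (not from the chapter), the Python module below shows the two strategies side by side for one security function, an input validator written to a constructed username standard (3 to 32 ASCII characters, a lowercase letter first, then lowercase letters, digits or underscore). `boundary_cases` derives the edge/boundary-value inputs that the ST 1.1 activity asks QA to cover from the standard’s limits rather than hand-picking them; the abuse cases come from the attacker’s side (a trailing newline, an embedded NUL, a look-alike Unicode letter). `weak_validate` is included only to show the bug those abuse cases catch: in Python, `$` also matches just before a trailing newline, so a `^...$` pattern with `re.match` accepts `admin\n`. All inputs and the standard itself are constructed for the illustration.

```python
"""Boundary-value and abuse-case tests for an input validator (added example;
the username standard and every input here are constructed for illustration)."""
import re
from typing import Dict

MIN_LEN, MAX_LEN = 3, 32
# Standard (constructed): lowercase letter first, then lowercase letters, digits or '_'.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]*")


def validate_username(raw: object) -> bool:
    """Hardened validator: explicit type, ASCII and length checks, whole-string match."""
    if not isinstance(raw, str):
        return False
    if not raw.isascii():                 # rejects look-alike letters such as fullwidth 'a'
        return False
    if not MIN_LEN <= len(raw) <= MAX_LEN:
        return False
    return USERNAME_RE.fullmatch(raw) is not None   # fullmatch: no trailing junk


def weak_validate(raw: str) -> bool:
    """The bug the abuse cases exist to catch: '$' matches before a trailing
    newline, so 'admin\\n' passes and may be stored or logged verbatim."""
    return MIN_LEN <= len(raw) <= MAX_LEN and re.match(r"^[a-z][a-z0-9_]*$", raw) is not None


def boundary_cases(min_len: int = MIN_LEN, max_len: int = MAX_LEN, fill: str = "a") -> Dict[str, str]:
    """Derive length-boundary inputs from the standard's limits (ST 1.1 style):
    just outside, on, and just inside each limit, plus the empty string."""
    return {
        "empty": "",
        "below_min": fill * (min_len - 1),
        "at_min": fill * min_len,
        "above_min": fill * (min_len + 1),
        "below_max": fill * (max_len - 1),
        "at_max": fill * max_len,
        "above_max": fill * (max_len + 1),
    }


# Abuse cases from the attacker's point of view (constructed).
ABUSE_CASES: Dict[str, str] = {
    "trailing_newline": "admin\n",      # log or header injection if stored verbatim
    "embedded_nul": "admin\x00root",    # truncation in C-based backends
    "fullwidth_a": "\uff41dmin",        # homoglyph of 'admin'
    "uppercase": "Admin",               # outside the standard's character set
    "leading_digit": "1admin",
    "path_chars": "../admin",
}


def run_suite() -> Dict[str, bool]:
    """Run every boundary and abuse case through the hardened validator."""
    results = {name: validate_username(s) for name, s in boundary_cases().items()}
    results.update({name: validate_username(s) for name, s in ABUSE_CASES.items()})
    return results


if __name__ == "__main__":
    for name, ok in run_suite().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
    print("weak_validate('admin\\n') ->", weak_validate("admin\n"))
```

The boundary cases on the limits (3 and 32 characters) are accepted and the ones one step outside (2 and 33) are rejected; every abuse case is rejected by `validate_username`, while `weak_validate` accepts the newline case.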


Deployment Domain

• The deployment domain involves activities such as:
– Penetration testing (testing from the outside, not just the inside)
– Providing patches for operating systems and applications
– Providing appropriate configuration management, version control, and incident handling
• The maintenance phase should preserve the security measures taken during development
• A strategy for patching and incident handling must be developed and documented


Penetration Testing

• The advantage of penetration testing is that it provides a good understanding of software in its working environment

• Organizations must ensure they hire proper personnel to perform penetration testing
– Be cautious about employing a hacker who claims to be reformed only as a ploy to get hired
• Each major category of penetration testing has its own set of activities
– An organization must manage these effectively to detect and correct security defects


Software Environment

• This practice recommends activities that promote building assurance for the operating environment

• For Web code, a Web application firewall (WAF) can monitor the software environment

• Operations security teams are often responsible for duties such as patching operating systems and maintaining firewalls

• The BSIMM includes an activity in which the organization publishes an installation guide to help operators install and configure the software securely


Software Environment

• Organizations can use code signing for software published across “trust boundaries”
– Two common trust boundaries are execution and data
• Software in production should be monitored for signs of misbehavior and attacks
• Intrusion detection and anomaly detection systems may focus on an application’s interaction with the operating system through system calls
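As an added example (not from the chapter), the Python below shows the kind of monitoring the last bullet describes: a profile of short system-call windows is learned from traces of normal operation, and a live trace is flagged when it contains windows that were never seen, the classic sequence-based approach to host intrusion detection. The strace-style log lines, the window length of 3 and the 0.3 threshold are all constructed or assumed for the illustration; a real profile is built from many runs of the application.

```python
"""Sequence-based anomaly detection over an application's system-call trace
(added example; the strace-style log lines are constructed, not real captures)."""
import re
from typing import Iterable, List, Optional, Set, Tuple

# strace prints one call per line, "[pid N] name(args) = retval"; keep the name only.
_SYSCALL_RE = re.compile(r"^\s*(?:\[pid\s+\d+\]\s*)?(\w+)\(")


def parse_trace(log: str) -> List[str]:
    """Extract the system-call names, in order, from strace-style text."""
    names: List[str] = []
    for line in log.splitlines():
        m = _SYSCALL_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def windows(calls: List[str], k: int) -> Iterable[Tuple[str, ...]]:
    """Every contiguous window of k calls."""
    for i in range(len(calls) - k + 1):
        yield tuple(calls[i:i + k])


class SyscallProfile:
    """Set of k-call windows observed during normal operation."""

    def __init__(self, k: int = 3) -> None:
        self.k = k
        self.normal: Set[Tuple[str, ...]] = set()

    def train(self, logs: Iterable[str]) -> None:
        for log in logs:
            self.normal.update(windows(parse_trace(log), self.k))

    def score(self, log: str) -> Tuple[int, int, Optional[Tuple[str, ...]]]:
        """(unseen windows, total windows, first unseen window or None)."""
        total = unseen = 0
        first: Optional[Tuple[str, ...]] = None
        for w in windows(parse_trace(log), self.k):
            total += 1
            if w not in self.normal:
                unseen += 1
                first = first or w
        return unseen, total, first

    def is_anomalous(self, log: str, threshold: float = 0.3) -> bool:
        """Flag a trace when more than `threshold` of its windows were never seen;
        a few new windows are normal drift, a burst of them is not."""
        unseen, total, _ = self.score(log)
        return total > 0 and unseen / total > threshold


# Constructed training traces: a web worker serving static files.
NORMAL_LOGS = [
    """[pid 4242] accept(3, {sa_family=AF_INET, ...}, [16]) = 4
[pid 4242] read(4, "GET /index.html HTTP/1.1\\r\\n", 8192) = 27
[pid 4242] openat(AT_FDCWD, "/srv/www/index.html", O_RDONLY) = 5
[pid 4242] fstat(5, {st_mode=S_IFREG|0644, ...}) = 0
[pid 4242] read(5, "<html>...", 4096) = 612
[pid 4242] close(5) = 0
[pid 4242] write(4, "HTTP/1.1 200 OK\\r\\n...", 640) = 640
[pid 4242] close(4) = 0
""",
    """accept(3, ...) = 4
read(4, "GET /about HTTP/1.1\\r\\n", 8192) = 23
openat(AT_FDCWD, "/srv/www/about.html", O_RDONLY) = 5
fstat(5, ...) = 0
read(5, "<html>...", 4096) = 901
write(4, "HTTP/1.1 200 OK\\r\\n...", 929) = 929
close(5) = 0
close(4) = 0
""",
    """accept(3, ...) = 4
read(4, "GET /x HTTP/1.1\\r\\n", 8192) = 19
stat("/srv/www/x", ...) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/srv/www/404.html", O_RDONLY) = 5
read(5, "<html>...", 4096) = 120
write(4, "HTTP/1.1 404 Not Found\\r\\n...", 148) = 148
close(5) = 0
close(4) = 0
""",
]

# Constructed suspect trace: after reading the request the worker spawns a shell and
# opens an outbound connection, the shape of a successful command injection.
SUSPECT_LOG = """accept(3, ...) = 4
read(4, "GET /cgi?x=;sh HTTP/1.1\\r\\n", 8192) = 31
execve("/bin/sh", ["sh", "-c", "..."], ...) = 0
dup2(4, 0) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 6
connect(6, {sa_family=AF_INET, ...}, 16) = 0
write(6, "...", 64) = 64
close(6) = 0
"""

# Constructed benign variation: a 404 path with close() and write() swapped.
BENIGN_VARIANT_LOG = """accept(3, ...) = 4
read(4, "GET /y HTTP/1.1\\r\\n", 8192) = 19
stat("/srv/www/y", ...) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/srv/www/404.html", O_RDONLY) = 5
read(5, "<html>...", 4096) = 120
close(5) = 0
write(4, "HTTP/1.1 404 Not Found\\r\\n...", 148) = 148
close(4) = 0
"""

if __name__ == "__main__":
    profile = SyscallProfile(k=3)
    profile.train(NORMAL_LOGS)
    for label, log in (("suspect", SUSPECT_LOG), ("benign variant", BENIGN_VARIANT_LOG)):
        unseen, total, first = profile.score(log)
        print(f"{label:15s} {unseen}/{total} unseen windows, first {first}, "
              f"anomalous={profile.is_anomalous(log)}")
```

With these traces every one of the suspect trace’s six windows is unseen and the first unseen window already names the problem (accept, read, execve), while the benign variant produces a single unseen window and stays under the threshold. The threshold is the tuning knob that trades missed attacks for false alarms; it has to be set from the application’s own drift, which is why the profile must come from the real workload.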


Configuration Management and Vulnerability Management

• This practice focuses on activities associated with software change management
– These changes affect the organization’s security
• The SSG should either create its own incident response capability or work with the existing incident response team

• Defects identified through operations monitoring are fed back to developers and used to change their behavior


Configuration Management and Vulnerability Management

• The organization can make quick code changes when an application is under attack

• A rapid response team works in conjunction with application owners and the SSG to:
– Study the code and the attack
– Find a resolution
– Push a patch into production
• After defects are found and reported:
– They are entered into established defect management systems and tracked through the fix process


Configuration Management and Vulnerability Management

• If a piece of code needs to be changed:
– The operations staff can identify all places where the change is needed
• Common components shared by projects are noted, so that when an error occurs in one application:
– Developers can fix the other applications that share the same components
• The SSG simulates software security crises to ensure that incident response capabilities minimize damage
– These exercises must focus on software failures, not natural disasters


Applying the BSIMM

• The authors of BSIMM4 noted 12 activities that were found in highly successful programs:
– Identify gate locations, gather necessary artifacts - SM 1.4
– Identify obligations for personally identifiable information (PII) - CP 1.2
– Provide awareness training - T 1.1
– Gather attack intelligence - AM 1.5
– Build and publish security features - SFD 1.1
– Create security standards - SR 1.1


Applying the BSIMM

• The authors of BSIMM4 noted 12 activities that were found in highly successful programs (cont’d):
– Perform security feature review - AA 1.1
– Use automated tools along with manual review - CR 1.4
– Ensure QA supports edge/boundary value condition testing - ST 1.1
– Use external penetration testers to find problems - PT 1.1
– Ensure host and network security basics are in place - SE 1.2


Applying the BSIMM

• The authors of BSIMM4 noted 12 activities that were found in highly successful programs (cont’d):
– Identify software bugs found in operations monitoring and feed them back to development - CMVM 1.2


Key Lessons

• Every one of the 51 measured organizations has an SSG in place
– It is a dedicated group that makes up about 1 percent of the total development team in many BSIMM organizations

• Some SSGs are centralized, while others are highly distributed

• Some SSGs work closely on policy and strategy, while others focus on penetration testing and code review


Key Lessons

• Organizations can assess the progress of their software security maturity and determine how balanced their approach is compared with others

• Example: code review (CR) has three levels:
– Level 1: does code review
– Level 2: enforces standards through mandatory automated code review
– Level 3: automated code review with customized rules

• Each level has activities that clarify what occurs at BSIMM participant organizations at each maturity level


Summary

• A problem for every organization is determining the best practice for each discipline that plays a role in application development

• The original BSIMM (2009) was the result of analyzing nine leading software security initiatives from software vendors, technology firms, and the financial services industry; BSIMM4 extends the data set to 51 organizations

• The BSIMM uses a software security framework (SSF) to organize software security tasks

• An SSF helps an organization determine how its own security practices compare with others


• The SSF consists of 111 activities across the following 12 practices: strategy and metrics, attack models, architecture analysis, penetration testing, compliance and policy, security features and design, code review, software environment, training, standards and requirements, security testing, and configuration management and vulnerability management

• Each of the 12 practices is broken down into three maturity levels to clarify which activities must be addressed first and which need prioritizing

