How to build a rock solid software security initiative?

Date post: 09-Jul-2020
Page 1

© 2018 Synopsys, Inc.

How to build a rock solid software security initiative?

Tommi Maekilae, Global Solutions Architect

Page 2

Software security is one of many competing priorities. How can you build support for a successful journey?

Page 3

Gaining support for security is not easy

• More than 50% of corporate directors are “not satisfied” with information they receive on cyber risk. ~ KPMG

• 60% of IT and security leaders say information they provide on cyber risk is NOT actionable. ~ Osterman Research

• 66% of companies say senior IT executives report on security to the Board “only occasionally.” ~ Spencer Stuart

• 12% of CISOs include no metrics at all in their reports to senior executives. ~ SearchSecurity

Page 4

A critical component of a successful journey is strategy

Synopsys Software Security and Quality Portfolio:

• Integrated Tools: Coverity (Static Analysis), Seeker & Defensics (Dynamic Analysis), Black Duck (Software Composition Analysis)

• Managed Services: Dynamic Application Security Testing, Static Application Security Testing, Mobile Application Security Testing, Penetration Testing

• Professional Services: Industry Solutions, Architecture and Design, Security Training, DevSecOps Integration, Cloud Security

• Strategy & Planning: Maturity Action Plan (MAP), Building Security In Maturity Model (BSIMM)

Page 5

State of the Industry

Page 6

The state of software security strategy

Approach 1: Stick-driven

–A way to do what we must, but not one iota more

Approach 2: Risk-driven

–A way to prioritize efforts

–A way to make the most of a lack of resources

–A way to describe what you’ve always been doing

Approach 3: Risk management

–A way to cost-effectively balance improvement, risk, compliance, objectives, and resources

Page 7

Where are most initiatives today?

Software Security Initiative (and Risk) Spectrum:

• NON-EXISTENT: Ignore it

• INACTIVE: Try to transfer it

• REACTIVE: Compliance only; penetrate & patch

• NASCENT: SSI/SSG & informal SDLC gates

• PROACTIVE: SSI foundation; S-SDLC; capabilities

• BUSINESS AS USUAL: depth, breadth, cost-effectiveness

Callouts on the spectrum: “Most firms make it to here and then need a real push to move forward.” and “Time to get a BSIMM assessment.”

Page 8

How do I cross the chasm?

– Establish the first draft of ‘ground truth’ for the SSI, then evolve

– Concise, documented, and enforced

– SSI/SSG Charter, Secure SDLC with Gates

– Policy: Software Security, App Risk Ranking, Dev Project Impact Ranking, Data Classification, Defect Severity

– Standards: Secure coding (language/framework-specific)

• Inventory: software and software projects

• Defect discovery: in-house or out-source

• Scale: build satellites

Page 9

And after I have an SSI with a good foundation?

• Governance: Ensure everyone is working towards the common goal.

• Transparency: Refine the “software security process” – roles, responsibilities, stakeholders, etc.

• Accountability: Use S-SDLC gates for all software projects.

• Third-Party Risk: Establish a vendor management program (e.g., vBSIMM).

• Metrics: Publish monthly “state of the program” with KPIs and KRIs to enable governance.

• Build New Capabilities: Implement and scale across S-SDLC; get a BSIMM assessment.

• Risk Management: Choose mandatory actions per S-SDLC checkpoint based on facts; customize to engineering processes.

Page 10

6 strategies that set you on the right path

Page 11

Strategy #1

Get executive attention!

Page 12

Explain why software security is essential

• The vast majority of security vulnerabilities – up to 90% – are found in applications.

• Half of software vulnerabilities stem from bugs within code, half from flaws in architecture and design.

• Finding and fixing security defects is more efficient and less costly the earlier it happens in the development cycle.

Page 13

Align your message with business priorities

• Classify applications according to business risk.

– Revenue

– Customer satisfaction

– Business continuity

– Competitive advantage

– Sensitive data

• Clarify upcoming regulations or contractual obligations for applications that require special attention.

• Explain that investment in application security will improve your overall risk profile.

Page 14

Estimate savings of moving security “left” in the SDLC

Cost of fixing vulnerabilities EARLY (found in coding) versus LATE (found in testing and maintenance), 200 critical bugs in both scenarios:

Stage          Early: bugs found   Cost to fix 1 bug   Cost to fix all   Late: bugs found   Cost to fix 1 bug   Cost to fix all
Requirements   –                   $139                –                 –                  $139                –
Design         –                   $455                –                 –                  $455                –
Coding         200                 $977                $195,400          –                  $977                –
Testing        –                   $7,136              –                 50                 $7,136              $356,800
Maintenance    –                   $14,102             –                 150                $14,102             $2,115,300
Total          200                                     $195,400          200                                    $2,472,100

Identifying the critical bugs earlier in the lifecycle reduced costs by $2.3M.
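The cost model behind this table, as an added example that is not part of the deck, generalized so any distribution of defect discovery across stages can be priced (not only the two columns shown); the per-stage unit costs are the table's, the EARLY and LATE profiles are constructed to match its two scenarios.

```python
# Added example: stage-weighted remediation cost model for the "shift left" table.
# Unit costs (USD per critical defect) are the slide's figures; the scenario
# profiles below are constructed to reproduce its two columns.
UNIT_COST = {
    "requirements": 139,
    "design": 455,
    "coding": 977,
    "testing": 7_136,
    "maintenance": 14_102,
}

# Constructed scenarios from the table: 200 critical bugs in both cases.
EARLY = {"coding": 200}
LATE = {"testing": 50, "maintenance": 150}


def remediation_cost(found_by_stage):
    """Total cost to fix the defects, given how many are found at each stage."""
    unknown = set(found_by_stage) - set(UNIT_COST)
    if unknown:
        raise ValueError(f"unknown stage(s): {sorted(unknown)}")
    return sum(UNIT_COST[stage] * count for stage, count in found_by_stage.items())


def shift_left_savings(early, late):
    """Savings from finding the same population of defects earlier (late minus early)."""
    if sum(early.values()) != sum(late.values()):
        raise ValueError("both profiles must cover the same number of defects")
    return remediation_cost(late) - remediation_cost(early)


def cost_multiplier(stage, baseline="coding"):
    """How many times more a defect costs to fix at `stage` than at `baseline`."""
    return UNIT_COST[stage] / UNIT_COST[baseline]


if __name__ == "__main__":
    # A partial shift (only half the bugs pulled back into coding) still pays off,
    # which is the point to make when a full shift is not yet realistic.
    partial = {"coding": 100, "testing": 50, "maintenance": 50}
    print(f"early cost:           ${remediation_cost(EARLY):>12,}")
    print(f"late cost:            ${remediation_cost(LATE):>12,}")
    print(f"savings (full shift): ${shift_left_savings(EARLY, LATE):>12,}")
    print(f"savings (partial):    ${shift_left_savings(partial, LATE):>12,}")
    print(f"maintenance vs coding: {cost_multiplier('maintenance'):.1f}x")
```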

Page 15

Strategy #2

Aim for the high ground

Page 16

Identify your current position and your future vision

• Low maturity: Security checks just prior to software release. High maturity: Security checks integrated within development.

• Low maturity: Irregular, superficial scans. High maturity: In-depth, business-logic testing.

• Low maturity: Patch after product release, operations fail or breaches are discovered. High maturity: Defects fixed before products are approved for release.

Page 17

Go with a group on a well-traveled path

• Compare your software security strategy to others.

• Show executives how other organizations prioritize resources to reduce risk.

• Identify areas in which your organization lags behind.

Page 18

Strategy #3

Recognize danger

Page 19

Expose the gaps in your security strategy

• Which high risk applications are developed and released without security testing?

• What types of attacks may be escaping your assessment tools?

• Which security defects persist in code coming from your development team or partners?

Page 20

Estimate how your spend is balanced with your risk

[Chart: total spend versus security risk, on a 0%–40% scale, for Network Security and Application Security, annotated with “Overspend” and “Underspend”.]

Page 21

Explain what holds you back from making more progress

If you need more application security skills, you aren’t alone*.

[Chart: “What types of skills are you seeking to add to your organization?”, scale 0–100, series: In-house, Consultant, Cloud services.]

Page 22

Strategy #4

Count your steps

Page 23

Show your results MORE or LESS

• MORE applications reviewed and signed off, indicating an acceptable level of security

• MORE software projects that go through a secure development lifecycle

• MORE security bugs are fixed within the recommended time

• LESS security bugs that reoccur in application development

• LESS time consumed to remediate security vulnerabilities

Page 24

Draw a map that is easy to follow

• Use a consistent framework for measurement.

• Provide visual representations so your audience can focus on priorities.

• Show previous results alongside current results to demonstrate progress.

Page 25

Pace yourself...

• Prepare executives for the time it takes to develop software security expertise and demonstrate success.

Page 26

...as real change takes time

[Roadmap chart: Sep 2017 to Jun 2018, with tracks for SAST, DAST, Threat Modeling and Training. Milestones shown:]

• Complete all curriculum courses

• 10 Security Champions

• Complete role-based CBT

• SAST pilot – 10 critical apps

• Train satellite

• 75% application portfolio coverage

• Require IDE tool as part of S-SDLC

• Launch DAST capability

• Scale DAST during QA

• Launch threat-driven capability

• SSG mentors architects during high-risk projects

• Conduct ILT Ethical Hacking

• White-box ethical hacks

Page 27

Strategy #5

Bring friends

Page 28

Avoid congestion on the trails

Before you talk with the executive team…

• Ground your analysis in the business strategy of the company, so you can prioritize applications that matter the most.

• Create an alliance with development leaders so that they feel confident software security activities will accelerate, rather than impede, their work.

Page 29

BSIMM: Software security measurement

• 167 firms measured (data freshness)

• BSIMM9 = data from 120 real initiatives

• 389 distinct measurements over time

• 42 initiatives have been measured at least twice (one firm five times) —McGraw, Migues, and West

Page 30

120 firms in the BSIMM9 community

For a full list of firms participating in BSIMM9, download the report

Page 31

Strategy #6

Pack smart

Page 32

The pitfall of this belief

Question:

How would you invest in building the software security skills of your internal team?

Answer:

Choose a training approach that fits your budget and schedule.

Question:

How can you get support to improve the breadth and depth of your security program?

Answer:

Find a managed services partner with software security expertise to help you.

Page 33

Thank You