© 2018 Synopsys, Inc. 1
How to build a rock-solid software security initiative?
Tommi Maekilae
Global Solutions Architect
Software security is one of many competing priorities. How can you build support for a successful journey?
Gaining support for security is not easy
• More than 50% of corporate directors are “not satisfied” with the information they receive on cyber risk. ~ KPMG
• 60% of IT and security leaders say the information they provide on cyber risk is NOT actionable. ~ Osterman Research
• 66% of companies say senior IT executives report on security to the Board “only occasionally.” ~ Spencer Stuart
• 12% of CISOs include no metrics at all in their reports to senior executives. ~ SearchSecurity
A critical component of a successful journey is strategy
(Diagram: Synopsys Software Security and Quality Portfolio)
• Integrated Tools: Coverity (Static Analysis); Seeker & Defensics (Dynamic Analysis); Black Duck (Software Composition Analysis)
• Managed Services: Dynamic Application Security Testing; Static Application Security Testing; Mobile Application Security Testing; Penetration Testing
• Professional Services: Industry Solutions; Architecture and Design; Security Training; DevSecOps Integration; Cloud Security
• Strategy & Planning: Maturity Action Plan (MAP); Building Security In Maturity Model (BSIMM)
State of the Industry
The state of software security strategy
Approach 1: Stick-driven
– A way to do what we must, but not one iota more
Approach 2: Risk-driven
– A way to prioritize efforts
– A way to make the most of a lack of resources
– A way to describe what you’ve always been doing
Approach 3: Risk management
– A way to cost-effectively balance improvement, risk, compliance, objectives, and resources
Software Security Initiative (and Risk) Spectrum
(Diagram: where are most initiatives today?)
• Stages, from least to most mature: Non-existent; Inactive; Reactive; Nascent; Proactive; Business as usual
• Characteristic behaviour along the spectrum: ignore it; try to transfer it; compliance only, penetrate & patch; SSI/SSG and informal SDLC gates; SSI foundation and S-SDLC; capabilities with depth, breadth and cost-effectiveness
• Marker on the chart: time to get a BSIMM assessment
• Most firms make it to here and then need a real push to move forward.
How do I cross the chasm?
– Establish the first draft of ‘ground truth’ for the SSI, then evolve
– Concise, documented, and enforced
  – SSI/SSG Charter, Secure SDLC with Gates
  – Policy: Software Security, App Risk Ranking, Dev Project Impact Ranking, Data Classification, Defect Severity
  – Standards: Secure coding (language/framework-specific)
• Inventory: software and software projects
• Defect discovery: in-house or out-sourced
• Scale: build satellites
And after I have an SSI with a good foundation?
• Governance: Ensure everyone is working towards the common goal.
• Transparency: Refine the “software security process” – roles, responsibilities, stakeholders, etc.
• Accountability: Use S-SDLC gates for all software projects.
• Third-Party Risk: Establish a vendor management program (e.g., vBSIMM).
• Metrics: Publish a monthly “state of the program” with KPIs and KRIs to enable governance.
• Build New Capabilities: Implement and scale across the S-SDLC; get a BSIMM assessment.
• Risk Management: Choose mandatory actions per S-SDLC checkpoint based on facts; customize to engineering processes.
6 strategies that set you on the right path
Strategy #1
Get executive attention!
Explain why software security is essential
• The vast majority of security vulnerabilities – up to 90% – are found in applications.
• Half of software vulnerabilities stem from bugs within code, half from flaws in architecture and design.
• Finding and fixing security defects is more efficient and less costly the earlier it happens in the development cycle.
Align your message with business priorities
• Classify applications according to business risk.
– Revenue
– Customer satisfaction
– Business continuity
– Competitive advantage
– Sensitive data
• Clarify upcoming regulations or contractual obligations for applications that require special attention.
• Explain that investment in application security will improve your overall risk profile.
Estimate savings of moving security “left” in the SDLC
Cost of fixing vulnerabilities EARLY vs. LATE (critical bugs identified per stage, cost of fixing one bug, cost of fixing all bugs):

Stage        | EARLY: bugs | EARLY: per bug | EARLY: all bugs | LATE: bugs | LATE: per bug | LATE: all bugs
Requirements |             | $139           |                 |            | $139          |
Design       |             | $455           |                 |            | $455          |
Coding       | 200         | $977           | $195,400        |            | $977          |
Testing      |             | $7,136         |                 | 50         | $7,136        | $356,800
Maintenance  |             | $14,102        |                 | 150        | $14,102       | $2,115,300
Total        | 200         |                | $195,400        | 200        |               | $2,472,100

Identifying the critical bugs earlier in the lifecycle reduced costs by $2.3M.
Strategy #2
Aim for the high ground
Identify your current position and your future vision
Low Maturity                                                            | High Maturity
Security checks just prior to software release                          | Security checks integrated within development
Irregular, superficial scans                                            | In-depth, business-logic testing
Patch after product release, operations fail or breaches are discovered | Defects fixed before products are approved for release
Go with a group on a well-traveled path
• Compare your software security strategy to others.
• Show executives how other organizations prioritize resources to reduce risk.
• Identify areas in which your organization lags behind.
Strategy #3
Recognize danger
Expose the gaps in your security strategy
• Which high risk applications are developed and released without security testing?
• What types of attacks may be escaping your assessment tools?
• Which security defects persist in code coming from your development team or partners?
Estimate how your spend is balanced with your risk
(Chart: share of total spend vs. share of security risk, 0% to 40%, for Network Security and Application Security; areas labelled Overspend and Underspend)
Explain what holds you back from making more progress
If you need more application security skills, you aren’t alone*.
(Chart: “What types of skills are you seeking to add to your organization?”, scale 0 to 100; categories: In-house, Consultant, Cloud services)
Strategy #4
Count your steps
Show your results MORE or LESS
• MORE applications reviewed and signed off, indicating an acceptable level of security
• MORE software projects that go through a secure development lifecycle
• MORE security bugs are fixed within the recommended time
• LESS security bugs that reoccur in application development
• LESS time consumed to remediate security vulnerabilities
Draw a map that is easy to follow
• Use a consistent framework for measurement.
• Provide visual representations so your audience can focus on priorities.
• Show previous results alongside current results to demonstrate progress.
Pace yourself…
• Prepare executives for the time it takes to develop software security expertise and demonstrate success.
…as real change takes time
(Timeline chart, September 2017 to June 2018, with four tracks: SAST, DAST, Threat Modeling, Training)
Milestones shown on the chart:
• Complete all curriculum courses
• 10 Security Champions
• Complete role-based CBT
• SAST pilot – 10 critical apps
• Train satellite
• 75% application portfolio coverage
• Require IDE tool as part of S-SDLC
• Launch DAST capability
• Scale DAST during QA
• Launch threat-driven capability
• SSG mentors architects during high-risk projects
• Conduct ILT Ethical Hacking
• White-box ethical hacks
Strategy #5
Bring friends
Avoid congestion on the trails
Before you talk with the executive team…
• Ground your analysis in the business strategy of the company, so you can prioritize the applications that matter the most.
• Create an alliance with development leaders so that they feel confident software security activities will accelerate, rather than impede, their work.
BSIMM: Software security measurement
• 167 firms measured (data freshness)
• BSIMM9 = data from 120 real initiatives
• 389 distinct measurements over time
• 42 initiatives have been measured at least twice (one firm five times)
— McGraw, Migues, and West
120 firms in the BSIMM9 community
For a full list of firms participating in BSIMM9, download the report
Strategy #6
Pack smart
The pitfall of this belief
Question:
How would you invest in building the software security skills of your internal team?
Answer:
Choose a training approach that fits your budget and schedule.
Question:
How can you get support to improve the breadth and depth of your security program?
Answer:
Find a managed services partner with software security expertise to help you.