1 / 43

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition. Chapter 11 The Building Security in Maturity Model (BSIMM). Objectives. Use the BSIMM software security framework to organize and manage software security tasks

karlyn
Download Presentation

Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition Chapter 11 The Building Security in Maturity Model (BSIMM)

  2. Objectives • Use the BSIMM software security framework to organize and manage software security tasks • Understand the problems that organizations face to build functional and secure software and the best practices for overcoming those problems • Assess the progress of an organization’s software security maturity and determine how balanced its approach is compared with others Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  3. Overview of the BSIMM • The Building Security in Maturity Model (BSIMM) uses data up front to guide organizations toward improved software assurance programs • The best way to use the BSIMM: • To compare and contrast your own initiative • BSIMM is the work of three software security experts: Gary McGraw, Brian Chess, and Sammy Migues • The model uses a software security framework (SSF) to organize software security tasks Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  4. The Study • BSIMM has had four major releases: • BSIMM4 - published in September 2012 and included analyses of 51 organizations and a total set of 132 measurements • BSIMM3 - published in September 2011 and included analyses of 42 organizations and a total set of 81 measurements • BSIMM2 - published in May 2010 and included analyses of 30 organizations and 42 measurements • Original study - published in March 2009 and included analyses of 9 organizations and 9 measurements Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  5. The Study • Participants were not necessarily software developers • Most were Fortune 500 companies that depend on secure software for business • Companies that participate in the BSIMM project show measurable improvement in their software security initiatives • This chapter covers each of the 12 practices in the BSIMM and the activities that make up those practices Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  6. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  7. The Study • The figure on the preceding slide reproduces two spider charts that show the average maturity levels in each of the 12 practices • The first graph shows data from all 51 BSIMM organizations • The second graph shows data from the top 10 organizations • The greatest maturity appears to fall within the Compliance & Policy practice • The least mature areas are Training, Attack Models, Architecture Analysis, and Code Review Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  8. BSIMM4 in Context • BSIMM4 uses an SSF to organize software security tasks • The SSF consists of four domains: • Governance • Intelligence • SSDL (secure software development lifecycle) Touchpoints • Deployment • Each domain has its own set of business goals and is broken down to define three practices to satisfy those goals Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  9. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  10. BSIMM4 in Context • Each practice is divided into three maturity levels to clarify which activities should be addressed first • And which need prioritizing • Each activity includes a stated objective, a description, and a brief example to illustrate how at least one organization accomplished its objective • For example, an activity in the training practice advises the software security group (SSG) to have an advertised lab period • During which developers can drop in and discuss secure development or coding issues Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  11. BSIMM4 in Context • An SSG is an internal group devoted to software security • All 51 BSIMM companies agree that the success of their programs depends on having an SSG • The group should include: • Senior executives, system architects, developers, and administrators • BSIMM is based on what organizations are actually doing • Can be seen as a de facto standard Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  12. BSIMM4 in Context • The BSIMM can be seen as the next step on the path to pooling knowledge of what works and how best to implement it • The BSIMM is free and has been released under the Creative Commons Attribution-Share Alike 3.0 License • To get started in adopting BSIMM, form an SSG to bring in stakeholders with relevant experience • The first SSG meeting should review the BSIMM and eliminate activities that are not relevant to current projects Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  13. Governance Domain The BSIMM interpretation of governance is the same as SAMM’s The BSIMM provides a more focused approach through its activities than its counterpart in the OpenSAMM Project Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  14. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  15. Strategy & Metrics Practice • Outcomes for the strategy and metrics practice center on the need for expectations and accountability for results • BSIMM emphasizes that management must be clear about the organization’s expectations for the SSDL • To ensure a consistent understanding of its importance • The BSIMM also states that management must provide a clear set of objectives for stakeholders involved in the SSDL Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  16. Compliance & Policy Practice • The activities in this practice provide accountability mechanisms and guidance for anyone who affects the successful completion of SSDL activities • After completing the activities of this practice: • Management has an approved set of guidelines that must be made available to anyone involved in the SSDL • Including vendors • Each SSDL activity must produce sufficient results to allow auditing and ensure adherence to policies Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  17. Training Practice • Activities of the training practice focus on providing training to those most closely associated with the software lifecycle • Employees gain knowledge and resources to design, develop, and deploy secure software • This practice also defines activities for preparing formal security guidelines that serve as a reference to project teams • The organization establishes expectations that security practices will be followed Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  18. Intelligence Domain • Practices of the intelligence domain seek to generate organization-wide resources • Such as tailored knowledge about attacks to which an organization is vulnerable • Knowing the threat potential allows an organization to make informed decisions about code and controls • Includes activities associated with defining security requirements and the definition and implementation of standards for input validation and authentication Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  19. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  20. Attack Models Practice • This practice requires the organization to identify potential attackers • Then use knowledge management techniques to document the risks of greatest concern • Also document any past attacks that should be considered while developing the software • Information about suspected attackers should be forwarded to all interested parties • Attack patterns are a way to identify and communicate the attacker’s perspective Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  21. Security Features and Design Practice The goal is to create customized knowledge about security features, frameworks, and patterns This knowledge should then be used to enable architecture and component decisions that are made throughout the software lifecycle The BSIMM includes an activity within this practice that emphasizes the need to report positive elements identified during architecture analysis Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  22. Standards and Requirements Practice • Activities of this practice focus on creating guidance for the internal development team • As well as for third-party vendors that may have a stake in the project’s success • The BSIMM requires that security standards, secure coding standards, and compliance requirements be created • And conveyed through proper channels Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  23. SSDL Touchpoints Domain • SSDL touchpoints domain is composed of practices that include: • Architecture analysis • Code review • Adopting a review process for software security • Conducting prerelease testing • The practices of this domain focus more on the strategic aspects of developing secure software • Not just on the near-term tactical aspects Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  24. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  25. Architecture Analysis • The BSIMM prescribes activities in which designers, architects, and analysts document assumptions and identify possible attacks • Security analysts uncover and rank architectural flaws so that mitigation can begin • Analysts highly recommend that organizations maintain a constant risk management thread with recurring risk tracking and monitoring activities • Risks crop up during all stages of the software lifecycle Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  26. Code Review • A number of security problems are caused by simple bugs in code • Code review focuses on finding and fixing bugs • Using an automated analysis tool is recommended for code review • The process is boring, difficult, and tedious • Static analysis tools, also called source code analyzers, examine the text of a program without attempting to execute it Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  27. Code Review Manual auditing is time consuming Human code auditors must know how to recognize security vulnerabilities before they can rigorously examine the code The operator of a good static analysis tool can apply it successfully without knowing the finer points of security bugs Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  28. Security Testing • BSIMM security testing encompasses activities that emphasize two strategies: • Testing security functions with standard techniques • Risk-based security testing based on attack patterns, risk analysis results, and abuse cases • Security testing is designed to make sure bad things don’t happen • Thinking like an attacker is essential • Security testing must be guided with knowledge of software architecture, common attacks, and attacker’s mindset Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  29. Deployment Domain • The deployment domain involves activities such as: • Penetration testing (testing from the outside, not just inside) • Providing patches of operating systems and applications • Providing appropriate configuration management, version control, and incident handling • The maintenance phase should include keeping the security measures taken during development • A strategy for patching and incident handling must be developed and documented Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  30. Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  31. Penetration Testing • The advantage of penetration testing is that it provides a good understanding of software in its working environment • Organizations must ensure they hire proper personnel to perform penetration testing • Should be cautious about employing a hacker who claims to be reformed only as a ploy to get hired • Each major category of penetration testing has its own set of activities • An organization must manage effectively to detect and correct security defects Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  32. Software Environment This practice recommends activities that promote building assurance for the operating environment For Web code, a Web application firewall (WAF) can monitor the software environment Operations security teams are often responsible for duties such as patching operating systems and maintaining firewalls The BSIMM requires the creation of an installation guide to help operators install and configure the software Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  33. Software Environment • Organizations can use code signing for software published across “trust boundaries” • Two common trust boundaries are execution and data • Software production should be monitored for signs of misbehavior and attacks • Intrusion detection and anomaly detection systems may focus on an application’s interaction with the operating system through system calls Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  34. Configuration Management and Vulnerability Management • This practice focuses on activities associated with software change management • These changes affect the organization’s security • The SSG should either create its own incident response capability or works with the incident response team • Defects identified through operations monitoring are fed back to developers and used to change their behavior Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  35. Configuration Management and Vulnerability Management • The organization can make quick code changes when an application is under attack • A rapid response team works in conjunction with application owners and the SSG to: • Study the code and the attack • Find a resolution • Push a patch into production • After defects are found and reported • They are entered into established defect management systems and tracked through the fix process Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  36. Configuration Management and Vulnerability Management • If a piece of code needs to be changed • The operations staff can identify all places where the change is needed • Common components shared by projects are noted so when an error occurs in one application • Developers can fix other applications that share the same components • The SSG simulate software security crises to ensure incident response capabilities minimize damage • Must focus on software failures, not natural disasters Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  37. Applying the BSIMM • Authors of BSIMM4 noted 12 activities that were found in highly successful programs: • Identify gate locations, gather necessary artifacts - SM 1.4 • Identify obligations for personally identifiable information (PII) - CP 1.2 • Provide awareness training - T 1.1 • Gather attack intelligence - AM 1.5 • Build and publish security features - SFD 1.1 • Create security standards - SR 1.1 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  38. Applying the BSIMM • Authors of BSIMM4 noted 12 activities that were found in highly successful programs (cont’d): • Perform security feature review - AA 1.1 • Use automated tools along with manual review - CR 1.4 • Ensure QA supports edge/boundary value condition testing - ST 1.1 • Use external penetration testers to find problems - PT 1.1 • Ensure host and network security basics are in place - SE 1.2 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  39. Applying the BSIMM • Authors of BSIMM4 noted 12 activities that were found in highly successful programs (cont’d): • Identify software bugs found in operations monitoring and feed them back to development - CMVM 1.2 Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  40. Key Lessons • Every one of the 51 measured organizations has an SSG in place • It is a dedicated group that makes up 1 percent of the total development team in many BSIMM organizations • Some SSGs are centralized, while others are highly distributed • Some SSGs work closely on policy and strategy, while others focus on penetration testing and code review Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  41. Key Lessons • Organizations can assess the progress of their software security maturity and determine how balanced their approach is compared with others • Example: code review (CR) has three levels: • Does code review • Enforces standards through mandatory automated code review • Automated code review with customized rules • Each level has activities that clarify what occurs at BSIMM participant organizations at each maturity level Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  42. Summary • A problem for every organization is determining the best practice for each discipline that plays a role in application development • The BSIMM is the result of analyzing nine leading software security initiatives from software vendors, technology firms, and the financial services industry • The BSIMM uses a software security framework (SSF) to organize software security tasks • An SSF helps an organization determine how its own security practices compare with others Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

  43. Summary • The SSF consists of 111 activities across the following 12 practices: strategy and metrics, attack models, architecture analysis, penetration testing, compliance and policy, security features and design, code review, software environment, training, standards and requirements, security testing, and configuration management and vulnerability management • Each of the 12 practices is broken down into three maturity levels to clarify which activities must be addressed first and which need prioritizing Cybersecurity: Engineering a Secure Information Technology Organization, 1st Edition

More Related