Post on 11-Apr-2017
Session ID: ASEC-R33
Session Classification: Intermediate
Gary McGraw, Ph.D., CTO, Cigital
ZOMBIES and the BSIMM: A Decade of Software Security
Who should DO software security?
Network security ops guys
NOBODY IN THE MIDDLE
Super rad developer dudes
► Software security seems obvious to us, but it is still catching on
► The middle market is just beginning to emerge
► Time to scale!
ZOMBIE
► Network security FAIL
► More code more bugs
► SDLC integration
► Bugs and flaws
► Badness-ometers
Zombie ideas need repeating
► Defend the “perimeter” with a firewall
► To keep stuff out
► Promulgate “penetrate and patch”
► “Review” products when they’re complete
► Throw it over the wall testing
► Too much weight on penetration testing
► Over-rely on security functions
► “We use SSL”
Zombie: old school security is reactive
The “network guy with keys” does not really understand software testing. Builders are only recently getting involved in security.
Zombie: more code, more bugs
[Chart: Software Vulnerabilities per year, 2000 through 2007; data labels as extracted: 1090, 2437, 4129, 3784, 3780, 5690, 8064, 7236]
[Chart: Windows Complexity in millions of lines of code (y-axis 0 to 45) for Win 3.1 (1990), Win NT (1995), Win 95 (1997), NT 4.0 (1998), Win 98 (1999), NT 5.0 (2000), Win 2K (2001), XP (2002)]
► Integrating best practices into large organizations
► Microsoft’s SDL
► Cigital’s touchpoints
► OWASP CLASP/SAMM
Zombie: SDLC integration
Zombie: bugs AND flaws
BUGS: Customized static rules (Fidelity); Commercial SCA tools: Fortify, Ounce Labs, Coverity; example: gets()
FLAWS: Architectural risk analysis; example: attacker in the middle
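As an added example that is not part of the talk, this is the kind of customized static rule the BUGS column refers to: a small Python checker that flags unbounded C calls such as gets() in a constructed C snippet. The rule set and the sample source are assumptions; the FLAWS example, an attacker in the middle, is an architecture property that no line-matching rule can see.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int      # 1-based line number in the scanned source
    func: str      # banned function that was called
    snippet: str   # the offending source line, stripped
    reason: str    # why the rule fires, and the usual replacement


# Assumed rule set: unbounded C library calls that a custom static rule
# can match syntactically. gets() is the example named on the slide.
RULES = {
    "gets": "reads an unbounded line into a fixed buffer; use fgets",
    "strcpy": "copies without a length bound; check length or use strlcpy",
    "sprintf": "formats without an output bound; use snprintf",
}
# \b keeps 'fgets(' and 'my_gets(' from matching the 'gets(' rule.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, RULES)) + r")\s*\(")


def find_bugs(source: str) -> list[Finding]:
    """Return one Finding per banned call, ignoring // line comments."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        code = text.split("//", 1)[0]
        for match in CALL_RE.finditer(code):
            func = match.group(1)
            findings.append(Finding(lineno, func, text.strip(), RULES[func]))
    return findings


# Constructed C sample: one real bug, one bounded call, one commented-out call.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

void greet(void) {
    char name[16];
    gets(name);                 /* unbounded read into 16 bytes */
    printf("hi %s\\n", name);
}

void greet_fixed(void) {
    char name[16];
    fgets(name, sizeof name, stdin);   /* bounded: not flagged */
    // strcpy(name, "x");  old code, commented out: not flagged
}
"""

if __name__ == "__main__":
    for f in find_bugs(SAMPLE_C):
        print(f"line {f.line}: {f.func}() -> {f.reason}\n    {f.snippet}")
```

A call inside a /* block comment */ would still fire; trimming that kind of false positive for a particular code base is the “customized” part of the rule.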
► Software security and application security today are about finding bugs
► The time has come to stop looking for new bugs to add to the list
► Which bugs in this pile should I fix?
Zombie baby: fix the dang software
► Real data from (51) real initiatives
► 95 measurements
► 13 over time
► McGraw, Migues, & West
BSIMM: software security measurement
PlexLogic
BSIMM4 scorecard
► 109 Activities
► 3 levels
► Top 12 activities
► 69% cutoff
► 31 of 51 firms
► Comparing scorecards between releases is interesting
► Compare a firm with peers using the high water mark view
► Compare business units
► Chart an SSI over time
BSIMM4 as a measuring stick
► Top 12 activities
► purple = good?
► red = bad?
► “Blue shift” practices to emphasize
BSIMM4 scorecard with FAKE firm data
► BSIMM4 released September 2012 under Creative Commons
► http://bsimm.com
► Italian and German translations available soon
► BSIMM is a yardstick
► Use it to see where you stand
► Use it to figure out what your peers do
► BSIMM4 to BSIMM5
► BSIMM is growing
► Target of 75 firms
BSIMM4 to BSIMM5