Session ID: ASEC-R33
Session Classification: Intermediate
Gary McGraw, Ph.D., CTO, Cigital

ZOMBIES and the BSIMM: A Decade of Software Security



Who should DO software security?

Network security ops guys

NOBODY IN THE MIDDLE

Super rad developer dudes

SOFTWARE SECURITY ZOMBIES

► Software security seems obvious to us, but it is still catching on

► The middle market is just beginning to emerge

► Time to scale!

ZOMBIE

► Network security FAIL

► More code more bugs

► SDLC integration

► Bugs and flaws

► Badness-ometers

Zombie ideas need repeating

► Defend the “perimeter” with a firewall

► To keep stuff out

► Promulgate “penetrate and patch”

► “Review” products when they’re complete

► Throw-it-over-the-wall testing

► Too much weight on penetration testing

► Over-rely on security functions

► “We use SSL”

Zombie: old school security is reactive

The “network guy with keys” does not really understand software testing. Builders are only recently getting involved in security.

Zombie: more code, more bugs

[Chart: Software Vulnerabilities per year, 2000 to 2007 (values shown: 1090, 2437, 4129, 3784, 3780, 5690, 8064, 7236), plotted against Windows Complexity in Millions of Lines (0 to 45) for Win 3.1 (1990), Win NT (1995), Win 95 (1997), NT 4.0 (1998), Win 98 (1999), NT 5.0 (2000), Win 2K (2001) and XP (2002)]

► Integrating best practices into large organizations

► Microsoft’s SDL

► Cigital’s touchpoints

► OWASP CLASP/SAMM

Zombie: SDLC integration

Zombie: bugs AND flaws

BUGS

► Customized static rules (Fidelity)

► Commercial SCA tools: Fortify, Ounce Labs, Coverity

► gets()

FLAWS

► Architectural risk analysis

► attacker in the middle

Zombie: badness-ometer


► Software security and application security today are about finding bugs

► The time has come to stop looking for new bugs to add to the list

► Which bugs in this pile should I fix?

Zombie baby: fix the dang software

THE BSIMM

► Real data from (51) real initiatives

► 95 measurements

► 13 over time

► McGraw, Migues, & West

BSIMM: software security measurement

51 firms in the BSIMM community (logo slide; names legible include PlexLogic and Intel)

Plus 17 firms that remain anonymous

BSIMM4 scorecard

► 109 Activities

► 3 levels

► Top 12 activities

► 69% cutoff

► 31 of 51 firms

► Comparing scorecards between releases is interesting

► Compare a firm with peers using the high water mark view

► Compare business units

► Chart an SSI over time

BSIMM4 as a measuring stick

► Top 12 activities

► purple = good?

► red = bad?

► “Blue shift” practices to emphasize

BSIMM4 scorecard with FAKE firm data

► BSIMM4 released September 2012 under Creative Commons

► http://bsimm.com

► Italian and German translations available soon

► BSIMM is a yardstick

► Use it to see where you stand

► Use it to figure out what your peers do

► BSIMM4 → BSIMM5

► BSIMM is growing

► Target of 75 firms

BSIMM4 to BSIMM5

WHERE TO LEARN MORE

http://bsimm.com

THANK YOU

Read the Addison-Wesley

Software Security series

Send e-mail: [email protected]

Build security in