BSAMMBO

Implementing OpenSAMM and BSIMM

Christian HeinrichISACA - Sydney, Australia17 November 2010

1

Further information is available from:• http://bsimm.com/• http://www.opensamm.org/

Microsoft SDL

2

Further information is available from http://www.microsoft.com/security/sdl/

Microsoft SDL

3

Further information is available from http://www.microsoft.com/security/sdl/getstarted/assess.aspx

Software Assurance Maturity Model (SAMM)

4

Assessment Scores0 Implicit starting point with the Practice unfulfilled1 Initial understanding and ad hoc provision of the Practice2 Increase efficiency and/or effectiveness of the Practice3 Comprehensive mastery of the Practice at scale

+ indicates that some activities of the higher level are present

OpenSAMM

Open Software Assurance Maturity Model (SAMM)

• An OWASP Project (Funded by Fortify)

Releases

• Draft (Beta) - August 2008

• Final (1.0) - March 2009

5

BSIMM

Building Security In Maturity Model

• Forked from OpenSAMM (Beta) Draft

• Developed by Fortify and Cigital

Releases

• BSIMM1 - January 2009

• BSIMM1.5 - November 2009

• BSIMM2 - May 2010

6

BSIMM - Sample Size - USA

Total of Nine (9) with Two (2) Unnamed out of 25 Most Advanced SSI

7

Financial Services (the other two remain anonymous):• The Depository Trust and Clearing Corporation (DTCC)• Wells Fargo

Independent Software Vendors:• Adobe• Microsoft• Qualcomm - Vendor for the Eudora e-mail client

Technology Firms:• Google• EMC

Quoted from p2 or p5 (PDF Page Numbering) of BSIMM v1.5

BSIMM - Sample Size - Europe

Total of Nine (9) with Five (5) Unnamed out of 56 SSI

8

The bottom row of logo is two companies i.e. total of Five.

Financial Services• Standard Life• SWIFT

Media and Telecommunications• Nokia• Thomson Reuters• Telecom Italia

Quoted from BSIMM v1.5 p51 or p54 (PDF Page Numbering)

BSIMM2 - Sample Size

Total of 30

9

Vague in terms of who is unnamed from the BSIMM (Europe and USA) - may have been able to reverse the prior unnamed from BSIMM (Europe and USA)

Financial Services• Bank of America• Capital One• SallieMae

Independent Software Vendors• VMWare• Intel• Intuit• Symantec

Quoted from p4 or p7 (PDF Page Numbering) of BSIMM2

Licensing

Both are Creative Commons (Attribution and Share Alike).

Data for BSIMM is COMMERCIAL-IN-CONFIDENCE

• Rumoured that VMWare is “VirtualWare” Case Study within OpenSAMM

10

Approach - OpenSAMM

Integrates with the existing internal development organisational structure.

• Must be reasonably mature development culture lacking secure SDL

11

Approach - BSIMM

BSIMM dictates the creation of a “new” Software Security Group (SSG)

Executive Representation and Endorsement of Software Security Initiative (SSI)

• Bill Gates (Microsoft) “Trustworthy Computing” Memo in Jan 2002

Scenarios:

• Large and political development team vs smaller existing security group

• Receipt of Outsourced Development

12

Further information on the Memo from Bill Gates is available from http://www.wired.com/techbiz/media/news/2002/01/49826

Implementation - OpenSAMM - Lightweight

13

Further information is available from p21 of p96 (PDF Numbering) of OpenSAMM v1.0

Implementation - OpenSAMM - Detailed

14



15



16

!"#$%&#!"#$%!&#""#'!()#*+,"$!-%!%.,!&#/,!+,0,+!1-2'%-2'!$#3%4-),!42%.!)5/2",'%-)6!$,&5)2%6!*,$%7()-&%2&,$!2'!(+-&,!8,%!*-$,+2',!3#)!$,&5)2%6!9'#47.#4!-"#':!%,&.'2&-+!$%-33!;'-*+,!<5-+2%-%20,!$,&5)2%6!&.,&9$!3#)!*-$,+2',!$,&5)2%6!9'#4+,/:,

#$''"##()"&!*'#!=>?@!/,0,+#(",'%!$%-33!*)2,3,/!#'!$,&5)2%6!2$$5,$!42%.2'!(-$%!A!6,-)!=B>@!$,'2#)!/,0,+#(",'%C-)&.2%,&%!!$%-33!*)2,3,/!#'!$,&5)2%6!2$$5,$!42%.2'!(-$%!A!6,-)!D-5'&.!%,&.'2&-+!:52/-'&,!42%.2'!

'+#&#!E)-2'2':!&#5)$,!*52+/#5%!#)!+2&,'$,!F':#2':!"-2'%,'-'&,!#3!%,&.'2&-+!:52/-'&,

,"!#+--"%!G,0,+#(,)$!HA7I!/-6$C6)J!K)&.2%,&%$!HA7I!/-6$C6)J

!"%.&"/(%"0"%#!L#+2&6!M!N#"(+2-'&,!7!I!8,&5)2%6!O,<52),",'%$!7!A!8,&5),!K)&.2%,&%5),!7!A


Implementation - OpenSAMM - Roadmap

Examples provided for:

• Independent Software Vendors

• Online Service Providers

• Financial Services Organisations

• Government Organisations

17

Further information is available from p27-p31 of p96 (PDF Numbering) of OpenSAMM v1.0

Implementation - OpenSAMM - Scorecard

18


Implementation - BSIMM - Skeleton

Consider all objectives from BSIMM and apply as applicable

19

Quoted from BSIMM 1.5 p3

Unify into “Buckets”: Frequency of activities across all nine (9) organisations.

Creating maturity levels from the “Buckets”. This was performed independently and then merged and created “BSIMM Skeleton”

Quoted from BSIMM v1.5 p35/p38 (PDF Numbering) “The BSIMM skeleton provides a way to view the maturity model at a glance and is useful when assessing a software security program. The skeleton includes one page per practice organized by three levels. Each activity is associated with an objective. More complete descriptions of the activities, examples, and term definition can be found in the main document”

Implementation - BSIMM

20

BSIMM - Activities - Global

21

Yellow - 8 out of 9 USAYellow/Blue - More common to USABlue - 8 out of 9 Europe

Table quoted from p53 or p56 (PDF Page Numbering) of BSIMM v1.5

SM is “Strategy and Metrics”CP is “Compliance and Policy”T is “Training”AM is “Attack Models”SFD is “Security Features and Design”SR is “Standards and Requirements”AA is “Architecture Analysis”CR is “Code Review”ST is “Security Testing”PT is “Penetration Testing”SE is “Software Environment”CMWM is “Configuration Management and Vulnerability Management”

BSIMM2 - Activities

22

Fifteen (15) core activities are highlighted in yellowQuoted from p50 or p53 (PDF Page Numbering) from BSIMM2


Ten Core Activities Everybody DoesObjective Activity

build support throughout organization create evangelism role/internal marketing meet regulatory needs or customer demand with

a uni!ed approachcreate policy

promote culture of security throughout the organization provide awareness trainingsee yourself in the problem create/use material speci!c to company history

create proactive security guidance around security features build/publish security features (authentication, role management, key management, audit/log, crypto, protocols)

build internal capability on security architecture have SSG lead review e"ortsdrive e#ciency/consistency with automation use automated tools along with manual review

use encapsulated attacker perspective integrate black box security tools into the QA process (including protocol fuzzing)

demonstrate that your organization’s code needs help too use external pen testers to !nd problemsprovide a solid host/network foundation for so$ware ensure host/network security basics in place

[SM1.2][CP1.3]

[T1.1][T2.2][SFD1.1]

[AA1.3]

[ST2.1]

[PT1.1][SE1.2]

[CR2.1]

BSIMM - Top Ten - USA

23

“3 out of 12 Practices are not implemented i.e.• “Attack Models”• “Standards and Requirements”• “Configuration and Vulnerability Management”Quoted from BSIMM v1.5 p47/p50 (PDF Page Numbering)

Within the “Governance” Domain:• SM is “Strategy and Metrics” Practice• CP is “Compliance and Policy” Practice

Within the “Intelligence” Domain:• SFP is “Security Features and Design” Practice

Within the “SDL Touchpoints” Domain:• AA is “Architectural Analysis” Practice• CR is “Code Review” Practice• ST is “Security Testing” Practice

Within the “Deployment” Domain:• PT is “Penetration Testing” Practice• SE is “Software Environment” Practice

Three Core Activities that Most Organizations DoObjective Activity

understand the organization’s history collect and publish attack storiesmeet demand for security features create security standards

use ops data to change dev behavior identify so!ware bugs found in ops monitoring and feed back to dev

[AM1.4][SR1.1][CMVM1.2]

BSIMM - Top 3 Uncommon- USA

24

Recommended as future activities to be performed.

Within the “Intelligence” Domain:• AM is “Attack Models” Practice• SR is “Standards and Requirements” Practice

Within the “Deployment” Domain:• CMVM is “Configuration Management Vulnerability Management” Practice

Table above quoted from BSIMM v1.5 p47/p50 (PDF Page Numbering)

BSIMM - SSI Duration - Global

0

3.75

7.50

11.25

15.00

USA (Jan 2009) Europe (Nov 2009)

Oldest

Average

Newest 25

USA - 1 (year) 1/2 (6 months), 5 (years) 1/3 (4 months), 10 (years)USA Data Quoted from BSIMM v1.5 pp2 and 3 (same as PDF Page Number)European - 1 1/2 (6 months), 6 2/3 (8 months), 14 (years)European Data Quoted from BSIMM v1.5 p51 or p54 (PDF Page Numbering)

BSIMM2 - 1/4 (3 months), 4 5/12 (5 Months), 14 Years - September 2009Quoted from BSIMM2 p4 or p7 (PDF Page Numbering)

BSIMM - Resourcing - Global

USA - Jan 2009

Developer Satellite SSG

Median 5000 20 20

Average 7550 79 41

Largest 30000 300 100

Smallest 450 0 12

Europe - Nov 2009


Median 5000 0 11.5

Average 4664 29 16

Largest 12000 140 50

Smallest 400 0 1

26

Colours used in table signify Pink -> Average, Blue -> Less and Purple -> More

Europe has a significant lower number of resources within their SSG compared to the USA. Yet their (European) SSI has been executing for a longer duration.

“Satellite” are professionals outside of the SSG who have an interest in software security” as per the definition quoted from p6 or p9 (PDF Page Numbering) of BSIMM v1.5

BSIMM2 - Resourcing - Global

May 2010


Median 3000 11 13

Average 5061 39.7 21.9

Largest 30000 300 100

Smallest 40 0 0.5

27

Major differences from BSIMM are highlighted in green Quoted from BSIMM2 p4 or p7 (PDF Page Numbering)

BSIMM - Global

28

“The largest deltas appear in the Training and Security Testing practices.

There are three practices where the European companies show evidence of more activity: Compliance and Policy, Penetration Testing, and Software Environment.

When it comes to Strategy and Metrics, the averages are exactly the same.

In general, this reflects a European situation that is more process and compliance driven (including privacy compliance) and more driven to measurement.

However, the Europeans tend to carry out fewer assurance activities (for example, reviewing source code to look for bugs) and instead focus more energy getting a handle on the problem and meeting compliance criteria through penetration testing.”

Graph quoted from BSIMM v1.5 p52/p55 (PDF Page Numbering)


BSIMM2

29

Quoted from p9 or p12 (PDF Page Numbering) from BSIMM2


BSIMM2

30



BSIMM2

31

Refer back to BSIMM Top 30 on prior slide to compare Financial Services.

Twelve (12) Financial Services vs Seven (7) ISV

ISV is “Independent Software Vendors” - Include Adobe, Microsoft



BSIMM2

32

Nominalised but Dataset has not been released.Quoted from p10 or p13 (PDF Page Numbering) from BSIMM2

Thanks Sandra, Carmen and David

[email protected]

Slides are Published on

• http://www.slideshare.net/cmlh

Slides can be downloaded from

• http://github.com/cmlh/

In Closing

33

BSAMMBO

Technology

Transcript of BSAMMBO