Transcript of: Scaling a Software Security Initiative: Lessons from the BSIMM (…media.computer.org/pdfs/GaryMcGraw.pdf)
Copyright © 2014, Cigital and/or its affiliates. All rights reserved.
GARY MCGRAW, PH.D.
Scaling a Software Security Initiative:
Lessons from the BSIMM
Gary McGraw, PH.D.
Chief Technology Officer, Cigital
Email: [email protected]
SEPTEMBER 29, 2014
@cigitalgem
Providing software security professional services since 1992
World’s premier software security consulting firm
• 350 employees
• 13 offices including Dulles, Boston, New York, Santa Clara, Bloomington, Chicago, Atlanta, Amsterdam, and London
Recognized experts in software security
Cigital
Real data from 67 firms
161 measurements
21 over time
McGraw, Migues, & West
bsimm.com
67 Firms in the BSIMM-V Community, plus 24 anonymous firms
BSIMM is not about good or bad ways to eat bananas or banana best practices
BSIMM is about observations
BSIMM is descriptive, not prescriptive
BSIMM describes and measures multiple prescriptive approaches
Monkeys Eat Bananas
BSIMM describes and measures the work of 2930 full time software security people controlling the work of 272,358 developers.
BSIMM by the Numbers
Real activities, not theories
Real data
How do the 67 BSIMM firms carry out a practice?
How do the practices scale?
12 Practices 112 Activities
#1 Touchpoint
Get a tool (HP/Fortify, IBM/Ounce, Coverity, Cigital SecureAssist)
50 of 67 firms have an automated tool
Remedial Code Review
Code Review Pitfalls
Security runs a complex tool:
• Results computed WAY too late
• Results include too many false positives
• Security types have no clue how to fix anything
• Developers try to avoid being beaten by the security police
Tool thrown over the wall to dev:
• Developers asked to “just run the tool” with no real training
• The “red screen of death” ensues
• Developers learn to game the results
Build a centralized code review factory
• Streamline code submission
• Provide middleware data flow intelligence
• Normalize results (across multiple feeds)
Know what to look for
• Create and enforce coding standards (carrot and stick)
• Build custom rules that work for YOUR code
Scaling Code Review: Path 1
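As an added example (not from the slides and not Cigital’s tooling), a toy version of the “normalize results across multiple feeds” step of the code review factory: two constructed tool feeds in different shapes are mapped onto one schema, the same finding reported by both tools is merged into one record, and a custom rule for a hypothetical banned in-house helper runs alongside the tool output.

```python
import json
import re

# Constructed feeds in two tool-specific shapes (invented, not real tool output).
FEED_A = json.dumps([
    {"path": "src/auth.c", "line": 42, "cwe": 120, "sev": 4, "msg": "strcpy to fixed buffer"},
    {"path": "src/db.py", "line": 17, "cwe": 89, "sev": 5, "msg": "string-built SQL"}])
FEED_B = json.dumps({"results": [
    {"file": "src/db.py", "ln": "17", "rule": "CWE-89", "level": "high", "text": "SQLi"},
    {"file": "src/web.py", "ln": "8", "rule": "CWE-79", "level": "medium", "text": "XSS"}]})
LEVELS = {"low": 2, "medium": 3, "high": 5}   # map feed B's words onto feed A's 1-5 scale

def from_feed_a(raw):
    return [{"file": r["path"], "line": r["line"], "cwe": r["cwe"],
             "severity": r["sev"], "source": "A"} for r in json.loads(raw)]

def from_feed_b(raw):
    return [{"file": r["file"], "line": int(r["ln"]), "cwe": int(r["rule"][4:]),
             "severity": LEVELS[r["level"]], "source": "B"}
            for r in json.loads(raw)["results"]]

def normalize(*feeds):
    """Merge feeds into one schema: the same (file, line, CWE) seen by two tools
    becomes one finding that lists both sources and keeps the higher severity."""
    merged = {}
    for rec in (r for feed in feeds for r in feed):
        key = (rec["file"], rec["line"], rec["cwe"])
        if key in merged:
            merged[key]["severity"] = max(merged[key]["severity"], rec["severity"])
            merged[key]["sources"].append(rec["source"])
        else:
            merged[key] = {k: v for k, v in rec.items() if k != "source"}
            merged[key]["sources"] = [rec["source"]]
    return sorted(merged.values(),
                  key=lambda r: (-r["severity"], r["file"], r["line"]))

# A custom rule for YOUR code: the hypothetical in-house helper 'legacy_exec'
# is banned by the coding standard, so every call site is a finding.
BANNED = re.compile(r"\blegacy_exec\s*\(")

def custom_rule(path, source_text):
    return [{"file": path, "line": n, "cwe": None, "severity": 4, "sources": ["custom"]}
            for n, line in enumerate(source_text.splitlines(), 1)
            if BANNED.search(line)]
```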
Put a very simple “real-time training” tool on developer desktops
Eliminate whole classes of bugs before they are compiled in
Focus on coding more securely in the first place
• Teaching is more powerful than punishing
• Developers need to know what to DO, not what not to do
Train developers just in time, at code writing time
READ: bit.ly/1iIcAPB
Scaling Code Review: Path 2 (very new)
#2 Touchpoint
Requires real expertise
Know your components
56 of 67 firms review security FEATURES
Remedial Architecture Analysis
Architecture Analysis Pitfalls
The Expert Bottleneck:
• Superman required for each analysis exercise
• Lots of products and teams need analysis, but must either wait forever or skip it
Ad Hoc “Review”:
• Review only as powerful as whoever bothers to show up
• No institutional knowledge or consistency
Architecture Analysis in the BSIMM
Step 0: Get an architecture diagram
Step 1: Known attack analysis
• Leverage STRIDE by analogy
• Know your potential flaws
Step 2: System-specific attack analysis
• Anticipate emergent flaws
• Build a threat model (trust boundaries and data sensitivity)
Step 3: Dependency analysis
Read: bit.ly/1b2f5Zk
Define a Process: Architecture Risk Analysis
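Steps 0 to 3 above carried through on a constructed toy system, as an added example (Python) that is not part of the slides and is not Cigital’s ARA tooling; the STRIDE-per-element mapping used for Step 1 and the sample components, trust zones and dependency names are assumptions.

```python
from dataclasses import dataclass

# STRIDE-per-element mapping (standard practice, assumed here as the Step 1
# "known attack" analogy; not taken from the slides).
STRIDE_BY_KIND = {"external": "SR", "process": "STRIDE", "store": "TRID"}

@dataclass
class Element:
    name: str
    kind: str           # external | process | store
    zone: str           # trust zone read off the diagram (Step 0)
    deps: tuple = ()    # third-party components embedded in it

@dataclass
class Flow:
    src: str
    dst: str
    data: str
    sensitivity: str    # public | internal | secret
    encrypted: bool = False

def known_attacks(elements):
    """Step 1: STRIDE categories to walk through for each element."""
    return {e.name: STRIDE_BY_KIND[e.kind] for e in elements}

def boundary_findings(elements, flows):
    """Step 2: non-public data crossing a trust boundary without protection."""
    zone = {e.name: e.zone for e in elements}
    return [f"{f.src}->{f.dst}: {f.sensitivity} '{f.data}' crosses "
            f"{zone[f.src]}/{zone[f.dst]} boundary unencrypted"
            for f in flows if zone[f.src] != zone[f.dst]
            and f.sensitivity != "public" and not f.encrypted]

def dependency_inventory(elements):
    """Step 3: third-party components present, and which element uses them."""
    inv = {}
    for e in elements:
        for d in e.deps:
            inv.setdefault(d, []).append(e.name)
    return inv

# Constructed sample diagram (names, zones and dependencies are invented).
ELEMENTS = [Element("browser", "external", "internet"),
            Element("web", "process", "dmz", deps=("web-framework",)),
            Element("api", "process", "app", deps=("json-lib",)),
            Element("db", "store", "data")]
FLOWS = [Flow("browser", "web", "login form", "secret", encrypted=True),
         Flow("web", "api", "session token", "secret"),
         Flow("api", "db", "account rows", "internal"),
         Flow("web", "browser", "static assets", "public")]
```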
Security Architecture Survey (SAS)
• Focus on standard components and a software component model
• Look for your commonly encountered flaws
− Identify common controls
− Know your design principles
− Consider where the SDLC breaks
• Sweep the entire portfolio
Use a proven process like Cigital ARA for high-risk applications
Read: bit.ly/19Jmk7f
Scaling Architecture Analysis
#3 Touchpoint
Becoming a commodity (so buy some)
62 of 67 BSIMM firms use external pen testers
Black box tools available
Remedial Penetration Testing
Penetration Testing Pitfalls
Hiring “reformed” hackers
Pen testing != security meter: it is a badness-ometer
Penetration Testing in the BSIMM
Automate with customized tools and know your attacker
• Black box Web/mobile testing tools are cheap and fast
• Fuzzing tools aimed at APIs also help scale
Investigate cloud services (remote pen testing)
Fix what you find
• Real integration with development is important
• Don’t just throw rocks
Periodically pen test everything you can
Scaling Penetration Testing
SearchSecurity + Justice League
www.searchsecurity.com
No-nonsense monthly security column by Gary McGraw
www.cigital.com/~gem/writing
www.cigital.com/justiceleague
In-depth thought leadership blog from the Cigital Principals
• Gary McGraw
• Sammy Migues
• John Steven
• Scott Matsumoto
• Paco Hope
• Jim DelGrosso
Silver Bullet + IEEE Security & Privacy
www.cigital.com/silverbullet
Building Security In
Software Security Best Practices column
www.computer.org/security/bsisub/
The Book
How to DO software security
• Best practices
• Tools
• Knowledge
Cornerstone of the Addison-Wesley Software Security Series
www.swsec.com
Build Security In
Read the Addison-Wesley Software Security series
Send e-mail: [email protected]
@cigitalgem