Secure Development Lifecycle: BSIMM and OpenSAMM
Agenda
50 minutes:
  The Problem
  BSIMM
  OpenSAMM
  SSA
10 minutes:
  Questions
The Problem
Figure: attackers target PCs, the network and software to reach intellectual property, customer data, business processes and corporate trade secrets.
People remember! SQL injection -> access to corporate network.
SDLC
Secure Development Lifecycle: Humans, Processes, Technology
Maturity Models
BSIMM
Contains four domains
Governance
Intelligence
SSDL Touchpoints
Deployment
BSIMM
There are three levels for every practice
Level 1: straightforward and simple
Level 2: more difficult, requiring more coordination
Level 3: rocket science
OpenSAMM
Contains four business functions
Governance
Construction
Verification
Deployment
OpenSAMM
Each Security Practice contains 3 Maturity Levels
Level 1: Initial understanding and ad hoc provision of the Security Practice
Level 2: Increase efficiency and/or effectiveness of the Security Practice
Level 3: Comprehensive mastery of the Security Practice at scale
Comparison of Activities (BSIMM Training practice vs. OpenSAMM Education & Guidance practice)

Level  BSIMM                                              OpenSAMM
1      Activity 1: Provide awareness training             Activity 1: Conduct technical security awareness training
2      Activity 1: Offer role-specific advanced           Activity 1: Conduct role-specific application security training
       curriculum (tools, technology stacks, bug parade)
3      Activity 1: Reward progression through             Activity 1: Create formal application security support portal
       curriculum (certification or HR)                   Activity 2: Establish role-based examination/certification
What do we need?
We need to know what we want to implement.
A good idea is to look at what other companies in our sector do.
BSIMM is a great help here.
Scorecard
Figure: from a blank scorecard, via industry best practices and enterprise scoring, to a prioritized roadmap. The scorecard plots the target level (Objective 0 to Objective 3) for each of the twelve Security Practices, grouped by Business Function:
  Governance: Strategy & Metrics, Policy & Compliance, Education & Guidance
  Construction: Threat Assessment, Security Requirements, Secure Architecture
  Verification: Design Review, Code Review, Security Testing
  Deployment: Vulnerability Management, Environment Hardening, Operational Enablement
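As an added example (not from the original slides), the enterprise scoring and prioritized roadmap steps in Python: the twelve practices are scored 0 to 3, averaged per business function, and the gap against an objective target is sorted into a roadmap. The baseline and target values are constructed sample data, and the tie-break rules for the roadmap are assumptions.

```python
# Added example, not from the original slides: an OpenSAMM-style scorecard.
# Scores use the deck's scale: 0 = not started, 1..3 = maturity level reached.
from collections import OrderedDict

# The 12 Security Practices grouped by Business Function, as listed in the deck.
PRACTICES = OrderedDict([
    ("Governance",   ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"]),
    ("Construction", ["Threat Assessment", "Security Requirements", "Security Architecture"]),
    ("Verification", ["Design Review", "Code Review", "Security Testing"]),
    ("Deployment",   ["Vulnerability Management", "Environment Hardening", "Operational Enablement"]),
])

def validate(scores):
    """Every practice must be present with an integer level 0..3."""
    for practices in PRACTICES.values():
        for p in practices:
            lvl = scores.get(p)
            if not isinstance(lvl, int) or not 0 <= lvl <= 3:
                raise ValueError(f"{p}: level must be an int 0..3, got {lvl!r}")
    return True

def function_scores(scores):
    """Average maturity per Business Function, rounded to 2 decimals."""
    validate(scores)
    return {fn: round(sum(scores[p] for p in ps) / len(ps), 2)
            for fn, ps in PRACTICES.items()}

def roadmap(current, target):
    """Prioritised roadmap: (practice, current, target, gap) for every practice
    below target; biggest gap first, then lowest current level, then name (assumed ordering)."""
    validate(current)
    validate(target)
    gaps = [(p, current[p], target[p], target[p] - current[p])
            for ps in PRACTICES.values() for p in ps if target[p] > current[p]]
    return sorted(gaps, key=lambda g: (-g[3], g[1], g[0]))

# Constructed sample data: enterprise scoring (baseline) vs. an "Objective 1" target.
BASELINE = {p: 0 for ps in PRACTICES.values() for p in ps}
BASELINE.update({"Education & Guidance": 1, "Code Review": 1, "Security Testing": 2})
OBJECTIVE_1 = {p: 1 for ps in PRACTICES.values() for p in ps}
OBJECTIVE_1.update({"Code Review": 2, "Security Testing": 2, "Vulnerability Management": 2})

if __name__ == "__main__":
    for fn, avg in function_scores(BASELINE).items():
        print(f"{fn:<14} {avg:.2f}")
    for name, cur, tgt, gap in roadmap(BASELINE, OBJECTIVE_1):
        print(f"{name:<26} {cur} -> {tgt}  (+{gap})")
```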
Objectives (Level 1, 2 and 3 of each Security Practice)

Strategy and Metrics
Level 1: Establish unified strategic roadmap for software security within the Organization
Level 2: Measure relative value of data and software assets and choose risk tolerance
Level 3: Align security expenditure with relevant business indicators and asset value

Policy & Compliance
Level 1: Understand relevant governance and compliance drivers to the organization
Level 2: Establish security and compliance baseline and understand per-project risks
Level 3: Require compliance and measure projects against organization-wide policies and standards

Education & Guidance
Level 1: Offer development staff access to resources around the topics of secure programming and deployment
Level 2: Educate all personnel in the software life-cycle with role-specific guidance on secure development
Level 3: Mandate comprehensive security training and certify personnel for baseline knowledge

Threat Assessment
Level 1: Identify and understand high-level threats to the organization and individual projects
Level 2: Increase accuracy of threat assessment and improve granularity of per-project understanding
Level 3: Concretely tie compensating controls to each threat against internal and third-party software

Security Requirements
Level 1: Consider security explicitly during the software requirements process
Level 2: Increase granularity of security requirements derived from business logic and known risks
Level 3: Mandate security requirements process for all software projects and third-party dependencies

Security Architecture
Level 1: Insert consideration of proactive security guidance into the software design process
Level 2: Direct the software design process toward known-secure services and secure-by-default designs
Level 3: Formally control the software design process and validate utilization of secure components

Design Review
Level 1: Support ad hoc reviews of software design to ensure baseline mitigations for known risks
Level 2: Offer assessment services to review software design against comprehensive best practices for security
Level 3: Require assessments and validate artifacts to develop detailed understanding of protection mechanisms

Code Review
Level 1: Opportunistically find basic code-level vulnerabilities and other high-risk security issues
Level 2: Make code review during development more accurate and efficient through automation
Level 3: Mandate comprehensive code review process to discover language-level and application-specific risks

Security Testing
Level 1: Establish process to perform basic security tests based on implementation and software requirements
Level 2: Make security testing during development more complete and efficient through automation
Level 3: Require application-specific security testing to ensure baseline security before deployment

Vulnerability Management
Level 1: Understand high-level plan for responding to vulnerability reports or incidents
Level 2: Elaborate expectations for response process to improve consistency and communications
Level 3: Improve analysis and data gathering within response process for feedback into proactive planning

Environment Hardening
Level 1: Understand baseline operational environment for applications and software components
Level 2: Improve confidence in application operations by hardening the operating environment
Level 3: Validate application health and status of operational environment against known best practices

Operational Enablement
Level 1: Enable communications between development teams and operators for critical security-relevant data
Level 2: Improve expectations for continuous secure operations through provision of detailed procedures
Level 3: Mandate communication of security information and validate artifacts for completeness
How to implement
Software Security Assurance
Figure: the SSA practices mapped onto the lifecycle phases Define, Design, Develop, Test, Implement and Operate:
  Governance
  Secure Architecture, Design Review
  Verification: Code Review, Security Testing
  Vulnerability Management
  Deployment: Environment Hardening, Operational Enablement
SSA program phases (figure): Establish SSA Team, Assess, Pilot, Roll-out, Mature

Assess
  Baseline assessment against SSA Maturity Model
  Next step

Establish SSA Team
  Establish and manage the SA program
  Define Policies
  Application Security center of excellence
  Application Catalogue
  Compliance Reporting

Pilot
  Work with Pilot Application/Team
  Remediation Support

Assess
  Review Baseline assessment against SSA Maturity Model
  Next step

Roll-out
  Publicise SSA Program
  Base-line Audit
  Fortify 360 Training
  Mentoring
  BAU Process Integration
  Publish Metrics

Mature
  Increase maturity level across all functions
  Raise the security bar
  Establish Continuous Improvement Loop

Thank you