© 2017 Synopsys, Inc. 1… · Prescriptive vs. Descriptive Models

29 pages. Posted on 14-Oct-2020.

Page 1: © 2017 Synopsys, Inc. 1… · Prescriptive vs. Descriptive Models Descriptive Models • Descriptive models describe what is actually happening. • The BSIMM is a descriptive

© 2017 Synopsys, Inc. 1

Page 2:

About Synopsys

Synopsys is the global leader in helping organizations design, build, and maintain secure software.

“Our strategic investments have resulted in a comprehensive portfolio of solutions and services that enable organizations from a variety of industries and stages of maturity to build security into the software development lifecycle and across the cyber supply chain, addressing today’s most pressing challenges in cybersecurity.” ~ Andreas Kuehlmann, SVP and GM for SIG.

Page 3:

BSIMM basics

Page 4:

We Hold These Truths to Be Self-Evident

• Software security is more than a set of security functions.

– Not magic crypto fairy dust

– Not silver-bullet security mechanisms

• Non-functional aspects of design are essential.

• Bugs and flaws are 50/50.

• Security is an emergent property of the entire system (just like quality).

• To end up with secure software, deep integration with the SDLC is necessary.

Page 5:

2006: A Shift From Philosophy to HOW TO

• Integrating best practices into large organizations’ SDLC (that is, an SSDL)

– Microsoft’s SDL

– Cigital’s Touchpoints

– OWASP CLASP

Page 6:

Prescriptive vs. Descriptive Models

Descriptive Models

• Descriptive models describe what is actually happening.

• The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.

Prescriptive Models

• Prescriptive models describe what you should do.

• SAFECode

• SAMM

• SDL

• Touchpoints

• Every firm has a methodology they follow (often a hybrid).

• You need an SSDL.

Page 7:

BSIMM: Software Security Measurement

• 129 firms measured (data freshness)

• BSIMM7 = data from 95 real initiatives

• 290 distinct measurements over time

• 30 firms measured over time (one firm 5 times)

• McGraw, Migues, and West

Page 8:

95 Firms in BSIMM7 Community

Page 9:

Building BSIMM (2008)

• BIG idea: Build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives.

– Create a software security framework.

– Interview 9 firms in person.

– Discover 110 activities through observation (1 removed, 4 added later).

– Organize the activities in 3 levels.

– Build a scorecard.

• The model has been validated with data from 129 firms (95 in BSIMM7).

• There is no special snowflake.

Page 10:

The Magic 30

• Since we have data from >30 firms we can perform statistical analysis.

– How good is the model?

– What activities correlate with what other activities?

– Do high-maturity firms look the same?

• We now have 95 firms with 237 distinct measurements.

– BSIMM (the 9)

– BSIMM Europe (9 in EU)

– BSIMM2 (30)

– BSIMM3 (42)

– BSIMM4 (51)

– BSIMM-V (67)

– BSIMM6 (78)

– BSIMM7 (95)

Page 11:

Monkeys Eat Bananas

• BSIMM is not about good or bad ways to eat bananas or banana best practices.

• BSIMM is about observations.

• BSIMM is descriptive, not prescriptive.

• BSIMM describes and measures multiple prescriptive approaches.

Page 12:

A Software Security Framework

See the InformIT article on the BSIMM website: http://bsimm.com

4 domains, 12 practices

Page 13:

Example Activity

[AA1.2] Perform design review for high-risk applications.

The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing detailed design review and breaking the architecture being considered, especially for new platforms or environments. In all cases, design review produces a set of architecture flaws and a plan to mitigate them. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise can be used here, though in the long run they do not scale. A review focused only on whether a software project has performed the right process steps will not generate expected results.

Page 14:

BSIMM measurements

Page 15:

Average ratio of SSG staff to developers: 1.61% (1 SSG person for every 60 developers).

Page 16:

Page 17:

Earth (95)

Page 18:

BSIMM7 as a measuring stick

Page 19:

BSIMM7 as a Measuring Stick

Page 20:

BSIMM7 Results

• Top 12 activities

– purple = good?

– red = bad?

• “Blue shift” = practices to emphasize

Page 21:

Comparing groups of firms

Page 22:

We Are a Special Snowflake (NOT)

Page 23:

Page 24:

BSIMM Longitudinal: Improvement Over Time

• 30 firms measured twice (an average of 25 months apart)

• We know how firms improve: An average of 34.6% activity increase

Page 25:

BSIMM by the Numbers

Page 26:

Page 27:

BSIMM6 to BSIMM7

• BSIMM7 released October 2016 under Creative Commons.

– http://bsimm.com

• BSIMM is a yardstick.

– Use it to see where you stand.

– Use it to figure out what your peers do.

• BSIMM6→BSIMM7

– BSIMM grew to 108 firms, which we then culled to 95.

Page 28:

Where to learn more

Page 29:

BSIMM.com

• Download the BSIMM7 report: https://www.bsimm.com/download/

• Become a BSIMM member: https://www.bsimm.com/about/membership/

• Join the BSIMM Community: https://community.bsimm.com

• Attend a BSIMM conference: https://www.bsimm.com/events/

• Contact us: https://www.bsimm.com/contact/