![Page 1: Software Security In Healthcare, What We’ve Learned](https://reader035.vdocuments.net/reader035/viewer/2022070517/58cf098a1a28ab5f2b8b551d/html5/thumbnails/1.jpg)
Software Security In Healthcare, What We’ve Learned
Presenters: Jim Routh, Greg Barnes, Sammy Migues
Page 2: Presenters
Jim Routh, CISO, Aetna
Greg Barnes, CISO, Horizon Blue Cross Blue Shield
Sammy Migues, Principal Scientist, Cigital
Page 3: Agenda
1. How to sell the program to stakeholders (executives, development leads, direct leader, testing, infrastructure)
2. Selecting practices and activities
3. Initial results
   ▫ Approach 1 = Greg Barnes, CISO, Horizon Blue Cross/Blue Shield of NJ
   ▫ Approach 2 = Jim Routh, CSO, Aetna
4. Leveraging the BSIMM to Bring Change
Page 4: Selling a Software Security Program, Approach 1 (Grassroots)
• Be the expert …
• Align with Development Leadership (QA)
  ▫ Establish a risk-based approach to remediation
  ▫ Establish a training program and governance
• Communicate with Business Operations
  ▫ Minimize impact to delivery timelines
  ▫ Resist pressure for exceptions
  ▫ Transparent but principled communication = trust and partnership
• Integrate with the Project Management Organization
• Align with Compliance / Audit
Page 5: How to Sell a Software Security Program, Approach 2
• I used an economic-driven rationale, not risk avoidance
• I started with the CFO, then the CIO and ultimately the CEO
• Developers used to resist (10 years ago), but not today: they embrace the program, as long as you give them tools
• Development leads … they resist: who is paying for remediation?
• Security defects are nothing more (or less) than functional defects during the development cycle
• Once in production, they are security incidents
Page 6: Use a Manufacturing Analogy, Approach 2
• Pen testing applications after they’ve been developed is the equivalent of banging out dents in cars after they roll off the assembly line.
• It makes more sense to fix the source of the dents by adjusting the robotic design so the dents don’t occur in the first place.
Page 7: Practices and Activities, Approach 1
Don’t try to improve every domain…
Phase 1
• Developer Enablement: Training and Awareness
• Governance: Policy and Standards
• Communication on Risk Approach
• Service Definitions and Engagement Methods
Phase 2
• Enhance Governance: expand program scope
• Supply Chain Secure SDLC Reporting
• Enhance open source software management
Page 8: Choosing Practices and Activities, Approach 2
Opportunity to invest in control maturity
12 Practices
• Identify which practices should be targeted for improvement
• I use a bias toward early-stage controls
112 Activities
• Some activities are more important for some industries than others
• Some activities are essential
Page 9: Initial Results, Approach 1
Selected / Key Domains
1. Config Mgmt / Vuln Mgmt
2. Security Testing
3. Sustainable Training
4. Coding Standards
5. Automating Metrics
Page 10: Characteristics of a Mature Program, Approach 2
• Low defect density scores
• Mobile security controls
• 3rd-party software and mobile security
• Widespread adoption
• Security embedded in the dev/ops model
Aetna’s Software Security Program places an emphasis on detecting and addressing the vast majority of defects in the ‘Code’ phase, as opposed to the ‘Test’ phase.
• Net productivity gain for security defect remediation: 73 percent
• IT capacity freed up in 2015 to pursue other strategic enterprise initiatives: ~285,000 hours
Page 11: Leveraging the BSIMM to Bring Change
Page 12: We Hold These Truths to Be Self-Evident
• Software security is more than a set of security functions.
  ▫ Not magic crypto fairy dust
  ▫ Not silver-bullet security mechanisms
• Non-functional aspects of design are essential.
• Bugs and flaws are 50/50.
• Security is an emergent property of the entire system (just like quality).
• To end up with secure software, deep integration with the SDLC is necessary.
Page 13: Prescriptive vs. Descriptive Models
Descriptive Models
• Descriptive models describe what is actually happening.
• The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.
Prescriptive Models
• Prescriptive models describe what you should do.
  ▫ SAFECode
  ▫ SAMM
  ▫ SDL
  ▫ Touchpoints
• Every firm has a methodology they follow (often a hybrid).
• You need an SSDL.
Page 14: Building BSIMM (2008)
• BIG idea: Build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives.
  ▫ Create a software security framework.
  ▫ Interview 9 firms in person.
  ▫ Discover 110 activities through observation (1 removed, 3 added later).
  ▫ Organize the activities in 3 levels.
  ▫ Build a scorecard.
• The model has been validated with data from 104 firms (78 in BSIMM6).
• There is no special snowflake.
Page 15: 78 Firms in BSIMM6 Community
Page 16: BSIMM By the Numbers
Page 17: Real World Data
Average ratio of SSG staff to developers: 1.51% (1 SSG member for every 75 developers)
Page 18: A Software Security Framework
Page 19: Example Activity
[AA1.2] Perform design review for high-risk applications.
The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing detailed design review and breaking the architecture being considered. In all cases, design review produces a set of architecture flaws and a plan to mitigate them. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale. A review focused on whether a software project has performed the right process steps will not generate expected results.
Page 21: Why Have A Software Security Initiative?
• Office for Civil Rights
• Federal Trade Commission
• Data Breach Class Action Lawsuits
• Insurance
• HIPAA
Page 22: Earth (78)
Page 23: Earth (78) and Healthcare (10)
Page 24: BSIMM6 Results
Top 12 activities in each practice
• purple = good?
• red = bad?
“Blue shift” = practices to emphasize
Page 25: BSIMM Longitudinal: Improvement Over Time
• 26 firms measured twice (an average of 24 months apart)
• We know how firms improve
  ▫ An average of 29.6% activity increase
Page 26: Not All Business Units Mature Equally
Page 27: The BSIMM Community
• Vendor Free
• Moderated Mailing List
• Two Member Conferences Annually
• Quarterly Webinar Series
• Quarterly Community Newsletter
Page 28: Build Security In
Join the BSIMM Community at https://www.bsimm.com/