1	"October 2009" October 2009
2	Cigital Founded in 1992 to provide software security and software quality professional services Recognized experts in software security and software quality Widely published in books, white papers, and articles Industry thought leaders
3	We hold these truths to be self-evident Software security is more than a set of security functions Not magic crypto fairy dust Not silver-bullet security mechanisms Non-functional aspects of design are essential Bugs and flaws are 50/50 Security is an emergent property of the entire system (just like quality) To end up with secure software, deep integration with the SDLC is necessary
4	A shift from philosophy to HOW TO Integrating best practices into large organizations Microsoft’s SDL Cigital’s touchpoints OWASP adopts CLASP
5	Breaking new ground Building Security In Maturity Model Real data from real initiatives McGraw, Chess, & Migues
6	46 software security initiatives microsoft dtcc emc fidelity adobe wells fargo goldman sachs google qualcomm morgan stanley usaf dell pershing the hartford barclays capital bank of tokyo ups bank of montreal 26 Financial 7 ISV 6 Tech 2 Defense 3 Retail 1 Oil 1 Behemoth
7	The nine Two more unnamed financial services firms
8	Building BSIMM Big idea: Build a maturity model from actual data gathered from 9 of 46 known large-scale software security initiatives Create a software security framework Nine in-person executive interviews Build bullet lists (one per practice) Bucketize the lists to identify activities Create levels Objectives à Activities 110 activities supported by real data Three levels of “maturity”
9	A Software Security Framework Four domains Twelve practices An “archeology grid” See informIT article at http://bsi-mm.com
10	Monkeys eat bananas BSIMM is not about good or bad ways to eat bananas or banana best practices BSIMM is about observations
11	On cargo cults and divining rods
12	Real-world data: the nine Satellite size: 79 Smallest: 0 Largest: 300 Median: 20 Dev size: 7750 Smallest: 450 Largest: 30,000 Median: 5000 Initiative age: 5yrs 4months avg. Newest: 2.5 Oldest: 10 SSG size: 41 Smallest: 12 Largest: 100 Median: 35
13	Ten surprising things ARA is hard Practitioners don’t talk attacks Training is advanced Pen testing is diminishing Fuzz testing Bad metrics hurt Secure-by default frameworks Nobody uses WAFs QA can’t do software security Evangelize over audit
14	BSIMM basics Software security framework Top-down presentation through GOALS and OBJECTIVES 110 activities with examples Three levels of maturity Discussion of how to use the model
15	A Software Security Framework Four domains Twelve practices See informIT article on BSIMM website http://bsi-mm.com
16	Training practice skeleton
17	Example activity [T1.3] Establish SSG office hours. The SSG offers help to any and all comers during an advertised lab period or regularly scheduled office hours. By acting as an informal resource for people who want to solve security problems, the SSG leverages teachable moments and emphasizes the carrot over the stick. Office hours might be held one afternoon per week in the office of a senior SSG member.
18	Ten things everybody does Activities that ALL do evangelist role policy awareness training history in training security features SSG does ARA code review tools black box tools external pen testing good network security
19	"Top 10 things" Top 10 things green = good? red = bad? Blue shift practices to emphasize activities you should maybe think about in blue
20	We are a special snowflake (NOT) ISV results are similar to financial services You do the same things You can demand the same results BSIMM Europe coming soon!
21	Using BSIMM BSIMM released March 2009 under creative commons http://bsi-mm.com steal the data if you want BSIMM is a yardstick Use it to see where you stand Use it to figure out what your peers do BSIMM is growing More BSIMM victims (9+17 and counting) BSIMM Europe BSIMM Begin Statistics Correlations
22	Take the BSIMM Begin survey today Web-based survey of level one activities and the ten things everybody does http://bsi-mm.com/begin
23
24	informIT & Justice League www.cigital.com/justiceleague In-depth thought leadership blog from the Cigital Principals Scott Matsumoto Gary McGraw Sammy Migues Craig Miller John Steven www.informIT.com No-nonsense monthly security column by Gary McGraw
25	IEEE Security & Privacy Magazine + 2 Podcasts Building Security In Software Security Best Practices column edited by John Steven www.computer.org/security/bsisub/ www.cigital.com/silverbullet www.cigital.com/realitycheck
26	Software Security: the book How to DO software security Best practices Tools Knowledge Cornerstone of the Addison-Wesley Software Security Series www.swsec.com
27	For more on BSIMM http://bsi-mm.com See the Addison-Wesley Software Security series Send e-mail: gem@cigital.com chess@fortify.com