The Building Security In Maturity Model. Quality Assurance Perspective. Sammy Migues Principal Consultant, Cigital. Software Confidence. Achieved.

Transcription

1 The Building Security In Maturity Model Quality Assurance Perspective Software Confidence. Achieved. Sammy Migues Principal Consultant, Cigital March 31, 2009

2 Breaking new ground Building Security In Maturity Model (BSIMM) First empirical data from real initiatives Joint work by Gary McGraw, Sammy Migues, and Brian Chess

3 The nine (and two unnamed financial services companies)

4 Real-world data: the nine Initiative age Average: 5.3 years Newest: 2.5 Oldest: 10 Satellite size Average: 79 Smallest: 0 Largest: 300 SSG size Average: 41 Smallest: 12 Largest: 100 Dev size Average: 7750 Smallest: 450 Largest: 30,000 Average of SSG sizes: just over 1% of dev group size

5 Ten surprising things 1. Bad metrics hurt 2. Secure-by default frameworks 3. Nobody uses WAFs 4. QA involvement non-trivial 5. Evangelize over audit 6. ARA is hard 7. Practitioners don t talk attacks 8. Training is advanced 9. Pen testing role is diminishing 10. Fuzz testing

6 Common ground Everyone has a software security group (SSG) SSG is roughly 1% size of dev team Ten activities that ALL do evangelist role policy awareness training history in training security features static analysis tools SSG does AA black box tools & fuzzing external pen testing good network security

7 The Software Security Framework Governance Intelligence SSDL Touchpoints Deployment Strategy and Metrics Attack Models Architecture Analysis Penetration Testing Compliance and Policy Security Features and Design Code Review Software Environment Training Standards and Requirements Security Testing Configuration Management and Vulnerability Management

8 Governance Domain Practices Strategy and Metrics, Compliance and Policy, Training Highlighted activities relevant to testing/fuzzing SM1.2 Create evangelism role/internal marketing SM1.4 Identify gate locations, gather necessary artifacts SM 2.2 Enforce gates with measures and track exceptions. CP2.4 Paper all vendor contracts with SLAs compatible with policy CP3.2 Impose policy on vendors T2.1 Offer role-specific advanced curriculum (tools, technology stacks, bug parade) Metrics Use good metrics to start a dialogue Training SSG and QA may have to educate each other 8

9 Intelligence Domain Practices Attack Models, Security Features and Design, Standards and Requirements Highlighted activities relevant to testing/fuzzing AM1.1 Build and maintain a top N possible attacks list AM3,2 Create and use automation to do what attackers will do SR1.2 Create security portal SR1.3 Translate compliance constraints to requirements SR2.3 Create standards for technology stacks Focus Tune everything to your environment 9

10 Deployment Domain Practices Penetration Testing, Software Environment, Vulnerability Management and Change Management Highlighted activities relevant to testing/fuzzing PT2.1 Use pen testing tools internally PT2.2 Provide penetration testers with all available information PT3.2 Have SSG customize penetration testing (tools and scripts) CMVM3.2 Enhance dev processes (SSDL) to prevent cause of software bugs found in ops Current state External pen testing most prevalent activity 10

11 SSDL Touchpoints Domain Practices Architecture analysis, Code review, Security testing ST Level 1: Enhance QA beyond functional perspective SSG shares security knowledge with QA QA does functional edge cases and boundary conditions ST Level 2: Integrate the attacker perspective into test plans QA integrates black box security tools (including protocol fuzzing) QA builds tests for functional security features, then adversarial tests ST Level 3: Deliver risk-based security testing QA includes security testing in automated regression suites SSG provides risk information that drives testing depth Cooperation Key to success here is a two-way street between the SSG and QA 11

12 Summary Training, intelligence, technology, and process integration related to quality assurance and testing figure prominently Some activity popularity numbers out of the nine surveyed 8-9: Evangelism, Fuzzing 5-7: Gate locations, Identify satellite with training, Role-based curriculum, Top attacks list, Teach tools about your code 3-4: Enforce gates, Tech stack standards, SLAs, Internal pen test tool use 1-2: Impose policy on vendors, create security portal, Compliance constraints, White box pen testing, Customize pen test tools, Enhance dev processes, Create/use automation to simulate attackers Bring BSIMM ideas for growth into your own organizations 12

13 Use BSIMM BSIMM released March 5, BSIMM is a yardstick Use it to see where you stand Use it to figure out what should you do next