
1 The OWASP Foundation http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP Geneva Chapter, May 7th 2013
BSIMM: Measuring Software Security Initiative Maturity
Simon Blanchet, CISSP, CSSLP, PMP, Head of Application Security
http://ch.linkedin.com/in/sblanchet

2 Agenda
Who Am I?
What is this talk all about?
Why talk about BSIMM?
BSIMM4
Lessons learned & take-aways
Conclusion

3 Who Am I?
Head of Application Security in a Private Bank
CISSP, CSSLP, PMP
Where am I coming from?
Computer Science
Security Software Designer
Software Security Manager
I'm managing an SSG (Software Security Group) applying a Risk-Based approach to ensure that our organization is:
Building Secure Software
Securely Acquiring & Integrating Vendors' Software
Securely Modifying legacy Software without compromising the Security of the whole Banking Information System

4 What is this talk all about?
The story of a guy who wanted to know where he was standing w/r/t his enterprise Software Security Initiative
One tool (BSIMM) which can be used to answer a few SW Security questions
Software Security
Software Security Initiative / Program
Software Security Domains / Practices / Activities

5 Why BSIMM?
We are all doing "something" w/r/t SW Sec
Are we doing the right things?
What are other key players doing?
How do we compare to others?
How mature are we, really?

6 BSIMM (special thanks to Gary McGraw for the permission to use his original material)

7 BSIMM?
A measuring stick for SW Security
A descriptive model
Software Security Framework: 4 Domains, 12 Practices, 111 Activities

8 Take-Aways, Summary & Conclusion

9 Lessons Learned
How to be "BSIMMed" * concretely?
1. Do it yourself ((CC) license)
- Risks: consistency, underestimate, overestimate
+ $ (as in saving)
2. Mandate someone else
- $ (as in it costs something)
+ Consistency, Official Report, Community, Experience (using Cigital, who performed the exercise 95+ times on 50+ firms)
* BSIMMed: having the BSIMM assessment performed on your organization.

10 Lessons Learned
What happens exactly?
5+ interviews with Heads / Directors of:
Application Security / SSG
Development
Quality Assurance / Testing
Architecture
Operation / Incident Response
Draft / Final Report (High Water Mark views, Scorecard, Practices & Activities worth investigating)

11 Summary
BSIMM is not a methodology. It is a measurement tool.
BSIMM can answer questions about:
Comparing a firm with peers using the high water mark view
Comparing business units (within a large org)
Charting an SSI over time (longitudinal)

12 Conclusion
Use it to see where you stand
Use it to figure out what your peers do
BSIMM helps to create a data-driven strategic plan

13 Questions?

14 References
BSIMM4
BSIMM website

15 About the author
Simon Blanchet, CISSP, CSSLP, PMP, Associate Director, Head of Application Security

Simon Blanchet is an Associate Director and Head of Application Security in a Private Bank. He is responsible, with the help of his team of application security specialists, for ensuring the security of internally developed applications as well as the secure integration of commercial off-the-shelf applications within the banking information systems. Simon's team provides internal security-consulting expertise to project management, business and development staff. He and his team are responsible for all aspects of application security including risk assessment, threat modeling, security testing and raising awareness about application security best practices.

Simon Blanchet has been working professionally in the fields of Information Systems Security and Security Software Design & Development for the past 12 years. He started his career as a Software Developer and Development Team Leader (cryptographic & security-related software) in Montreal, Canada. Prior to moving into the Swiss Private Banking industry, Simon had the opportunity to contribute to the first version of the SDK implementing Stefan Brands' Digital Credentials, upon which Microsoft U-Prove is now built. Simon's career progressively evolved from being a seasoned security software developer to managing software security, combining a software developer background with a true passion for application security architecture, software security and software exploitation techniques. Simon likes to solve security-related problems at the crossroads of software development and IT Security.

Simon holds a B.Sc. in Computer Science from Laval University in Canada. He is a Certified Information Systems Security Professional (CISSP), a Certified Secure Software Lifecycle Professional (CSSLP) and a Project Management Professional (PMP).
