Implementing OpenSAMM and BSIMM
Christian Heinrich
ISACA - Sydney, Australia
17 November 2010
Further information is available from:
• http://bsimm.com/
• http://www.opensamm.org/
Microsoft SDL
Further information is available from http://www.microsoft.com/security/sdl/
Microsoft SDL
Further information is available from http://www.microsoft.com/security/sdl/getstarted/assess.aspx
Software Assurance Maturity Model (SAMM)
Assessment Scores
• 0 - Implicit starting point with the Practice unfulfilled
• 1 - Initial understanding and ad hoc provision of the Practice
• 2 - Increase efficiency and/or effectiveness of the Practice
• 3 - Comprehensive mastery of the Practice at scale
• + indicates that some activities of the higher level are present
OpenSAMM
Open Software Assurance Maturity Model (SAMM)
• An OWASP Project (Funded by Fortify)
Releases
• Draft (Beta) - August 2008
• Final (1.0) - March 2009
BSIMM
Building Security In Maturity Model
• Forked from OpenSAMM (Beta) Draft
• Developed by Fortify and Cigital
Releases
• BSIMM1 - January 2009
• BSIMM1.5 - November 2009
• BSIMM2 - May 2010
BSIMM - Sample Size - USA
Total of Nine (9) with Two (2) Unnamed out of 25 Most Advanced SSI
Financial Services (the other two remain anonymous):
• The Depository Trust and Clearing Corporation (DTCC)
• Wells Fargo
Independent Software Vendors:
• Adobe
• Microsoft
• Qualcomm - Vendor for the Eudora e-mail client
Technology Firms:
• Google
• EMC
Quoted from p2 or p5 (PDF Page Numbering) of BSIMM v1.5
BSIMM - Sample Size - Europe
Total of Nine (9) with Five (5) Unnamed out of 56 SSI
The bottom row of logos is two companies, i.e. five named in total.
Financial Services
• Standard Life
• SWIFT
Media and Telecommunications
• Nokia
• Thomson Reuters
• Telecom Italia
Quoted from BSIMM v1.5 p51 or p54 (PDF Page Numbering)
BSIMM2 - Sample Size
Total of 30
BSIMM2 is vague about which of the firms from the earlier BSIMM samples (Europe and USA) remain unnamed; it may be possible to deduce the previously unnamed firms from the BSIMM2 list.
Financial Services
• Bank of America
• Capital One
• Sallie Mae
Independent Software Vendors
• VMware
• Intel
• Intuit
• Symantec
Quoted from p4 or p7 (PDF Page Numbering) of BSIMM2
Licensing
Both are Creative Commons (Attribution-ShareAlike).
Data for BSIMM is COMMERCIAL-IN-CONFIDENCE
• Rumoured that VMware is the “VirtualWare” case study within OpenSAMM
Approach - OpenSAMM
Integrates with the existing internal development organisational structure.
• Assumes a reasonably mature development culture that lacks a secure SDL
Approach - BSIMM
BSIMM dictates the creation of a “new” Software Security Group (SSG)
Executive representation and endorsement of the Software Security Initiative (SSI), e.g.:
• Bill Gates (Microsoft) “Trustworthy Computing” memo, January 2002
Scenarios:
• Large and political development team vs smaller existing security group
• Receipt of outsourced development
Further information on the memo from Bill Gates is available from http://www.wired.com/techbiz/media/news/2002/01/49826
Implementation - OpenSAMM - Lightweight
Further information is available from p21 of p96 (PDF Numbering) of OpenSAMM v1.0
Implementation - OpenSAMM - Detailed
The detailed slides reproduce the results, success metrics, costs, personnel and related levels for one practice level from OpenSAMM v1.0:
Results
• Most common problems at the code level
• Maintain software with rudimentary security best-practices in place
• Set baseline for security know-how among technical staff
• Enable qualitative security checks for baseline security knowledge
Success Metrics
• >50% development staff briefed on security issues within past 1 year
• >75% senior development/architect staff briefed on security issues within past 1 year
• Launch technical guidance within
Costs
• Training course buildout or license
• Ongoing maintenance of technical guidance
Personnel
• Developers (1-2 days/yr)
• Architects (1-2 days/yr)
Related Levels
• Policy & Compliance - 2
• Security Requirements - 1
• Secure Architecture - 1
Further information is available from p21 of p96 (PDF Numbering) of OpenSAMM v1.0
Implementation - OpenSAMM - Roadmap
Examples provided for:
• Independent Software Vendors
• Online Service Providers
• Financial Services Organisations
• Government Organisations
Further information is available from p27-p31 of p96 (PDF Numbering) of OpenSAMM v1.0
Implementation - OpenSAMM - Scorecard
Further information is available from p26 of p96 (PDF Numbering) of OpenSAMM v1.0
Implementation - BSIMM - Skeleton
Consider all objectives from BSIMM and apply as applicable
Quoted from BSIMM v1.5 p3
Unify activities into “buckets” by the frequency with which each activity was observed across all nine (9) organisations, then create maturity levels from the buckets. The bucketing was performed independently and then merged to create the “BSIMM Skeleton”.
Quoted from BSIMM v1.5 p35/p38 (PDF Numbering): “The BSIMM skeleton provides a way to view the maturity model at a glance and is useful when assessing a software security program. The skeleton includes one page per practice organized by three levels. Each activity is associated with an objective. More complete descriptions of the activities, examples, and term definition can be found in the main document”
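The frequency-to-bucket method described above, and the “8 out of 9” regional highlighting used on the global activities slide, as an added example that is not BSIMM's own data or code. The observation matrix is constructed, and the cut-offs used to turn frequency into a level (two thirds of firms for level 1, one third for level 2) are an assumption made here for illustration.

```python
"""Derive BSIMM-style activity frequencies from per-firm observations.

Added example, not BSIMM's own method or data: the observation matrix
below is constructed, and the frequency cut-offs used to assign levels
are an assumption for illustration.
"""
from collections import Counter

# Constructed observations: firm -> (region, set of BSIMM activity ids observed).
OBSERVATIONS = {
    "Firm A": ("USA",    {"SM1.2", "CP1.3", "T1.1", "AA1.3", "PT1.1", "AM1.4"}),
    "Firm B": ("USA",    {"SM1.2", "CP1.3", "T1.1", "AA1.3", "PT1.1", "CR2.1"}),
    "Firm C": ("USA",    {"SM1.2", "CP1.3", "T1.1", "AA1.3", "PT1.1"}),
    "Firm D": ("Europe", {"SM1.2", "CP1.3", "T1.1", "PT1.1", "SE1.2", "CP2.1"}),
    "Firm E": ("Europe", {"SM1.2", "CP1.3", "PT1.1", "SE1.2", "CP2.1"}),
    "Firm F": ("Europe", {"SM1.2", "CP1.3", "T1.1", "PT1.1", "SE1.2"}),
}


def activity_frequency(observations, region=None):
    """Return (Counter of firms performing each activity, number of firms counted).

    With `region` set, only firms in that region are counted.
    """
    firms = [acts for reg, acts in observations.values() if region in (None, reg)]
    counts = Counter()
    for acts in firms:
        counts.update(acts)
    return counts, len(firms)


def core_activities(observations):
    """Activities every firm performs (the 'everybody does' list)."""
    counts, n = activity_frequency(observations)
    return sorted(act for act, c in counts.items() if c == n)


def assign_levels(observations, cutoffs=((2, 3), (1, 3))):
    """Map each activity to a maturity level from how common it is.

    Assumed cut-offs: performed by >= 2/3 of firms -> level 1,
    >= 1/3 -> level 2, rarer -> level 3. Comparisons use integer
    arithmetic (c * den >= num * n) to avoid float edge cases.
    """
    counts, n = activity_frequency(observations)
    levels = {}
    for act, c in counts.items():
        level = 3
        for lvl, (num, den) in enumerate(cutoffs, start=1):
            if c * den >= num * n:
                level = lvl
                break
        levels[act] = level
    return levels


def regional_contrast(observations, regions=("USA", "Europe"), num=8, den=9):
    """Activities common (>= num/den of firms, 8/9 as on the slide) in one region only.

    Returns (common only in regions[0], common only in regions[1]).
    """
    common = {}
    for region in regions:
        counts, n = activity_frequency(observations, region)
        common[region] = {act for act, c in counts.items() if c * den >= num * n}
    first, second = regions
    return sorted(common[first] - common[second]), sorted(common[second] - common[first])


if __name__ == "__main__":
    print("core:", core_activities(OBSERVATIONS))
    for act, lvl in sorted(assign_levels(OBSERVATIONS).items(), key=lambda kv: (kv[1], kv[0])):
        print(f"  level {lvl}: {act}")
    usa_only, eu_only = regional_contrast(OBSERVATIONS)
    print("more common in USA:", usa_only, "| more common in Europe:", eu_only)
```

The point of keeping the cut-offs as fractions rather than hard counts is that the same code works for the nine-firm samples in BSIMM v1.5 and the thirty-firm BSIMM2 sample; with a sample as small as nine, a single firm moves an activity across a bucket boundary, which is why the regional contrast is reported as “8 out of 9” rather than a percentage.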
Implementation - BSIMM
BSIMM - Activities - Global
Yellow - 8 out of 9 USA
Yellow/Blue - more common in the USA
Blue - 8 out of 9 Europe
Table quoted from p53 or p56 (PDF Page Numbering) of BSIMM v1.5
SM is “Strategy and Metrics”
CP is “Compliance and Policy”
T is “Training”
AM is “Attack Models”
SFD is “Security Features and Design”
SR is “Standards and Requirements”
AA is “Architecture Analysis”
CR is “Code Review”
ST is “Security Testing”
PT is “Penetration Testing”
SE is “Software Environment”
CMVM is “Configuration Management and Vulnerability Management”
BSIMM2 - Activities
Fifteen (15) core activities are highlighted in yellow
Quoted from p50 or p53 (PDF Page Numbering) from BSIMM2
Ten Core Activities Everybody Does
[BSIMM activity] objective: activity
• [SM1.2] build support throughout organization: create evangelism role/internal marketing
• [CP1.3] meet regulatory needs or customer demand with a unified approach: create policy
• [T1.1] promote culture of security throughout the organization: provide awareness training
• [T2.2] see yourself in the problem: create/use material specific to company history
• [SFD1.1] create proactive security guidance around security features: build/publish security features (authentication, role management, key management, audit/log, crypto, protocols)
• [AA1.3] build internal capability on security architecture: have SSG lead review efforts
• [CR2.1] drive efficiency/consistency with automation: use automated tools along with manual review
• [ST2.1] use encapsulated attacker perspective: integrate black box security tools into the QA process (including protocol fuzzing)
• [PT1.1] demonstrate that your organization’s code needs help too: use external pen testers to find problems
• [SE1.2] provide a solid host/network foundation for software: ensure host/network security basics in place
BSIMM - Top Ten - USA
3 out of 12 practices are not represented in the top ten, i.e.
• “Attack Models”
• “Standards and Requirements”
• “Configuration Management and Vulnerability Management”
Quoted from BSIMM v1.5 p47/p50 (PDF Page Numbering)
Within the “Governance” Domain:
• SM is “Strategy and Metrics” Practice
• CP is “Compliance and Policy” Practice
• T is “Training” Practice
Within the “Intelligence” Domain:
• SFD is “Security Features and Design” Practice
Within the “SSDL Touchpoints” Domain:
• AA is “Architecture Analysis” Practice
• CR is “Code Review” Practice
• ST is “Security Testing” Practice
Within the “Deployment” Domain:
• PT is “Penetration Testing” Practice
• SE is “Software Environment” Practice
Three Core Activities that Most Organizations Do
[BSIMM activity] objective: activity
• [AM1.4] understand the organization’s history: collect and publish attack stories
• [SR1.1] meet demand for security features: create security standards
• [CMVM1.2] use ops data to change dev behavior: identify software bugs found in ops monitoring and feed back to dev
BSIMM - Top 3 Uncommon - USA
Recommended as future activities to be performed.
Within the “Intelligence” Domain:
• AM is “Attack Models” Practice
• SR is “Standards and Requirements” Practice
Within the “Deployment” Domain:
• CMVM is “Configuration Management and Vulnerability Management” Practice
Table above quoted from BSIMM v1.5 p47/p50 (PDF Page Numbering)
BSIMM - SSI Duration - Global
Chart: SSI duration in years (newest, average, oldest) for USA (Jan 2009) and Europe (Nov 2009)
USA - newest 1 year 6 months, average 5 years 4 months, oldest 10 years
USA data quoted from BSIMM v1.5 pp2 and 3 (same as PDF Page Number)
Europe - newest 1 year 6 months, average 6 years 8 months, oldest 14 years
European data quoted from BSIMM v1.5 p51 or p54 (PDF Page Numbering)
BSIMM2 - newest 3 months, average 4 years 5 months, oldest 14 years (as at September 2009)
Quoted from BSIMM2 p4 or p7 (PDF Page Numbering)
BSIMM - Resourcing - Global
USA - Jan 2009
            Developers  Satellite    SSG
  Median          5000         20     20
  Average         7550         79     41
  Largest        30000        300    100
  Smallest         450          0     12
Europe - Nov 2009
            Developers  Satellite    SSG
  Median          5000          0   11.5
  Average         4664         29     16
  Largest        12000        140     50
  Smallest         400          0      1
Europe has significantly fewer resources within its SSGs compared to the USA, yet its SSIs have been running for a longer duration.
“Satellite” are professionals outside of the SSG who have an interest in software security, as per the definition quoted from p6 or p9 (PDF Page Numbering) of BSIMM v1.5
BSIMM2 - Resourcing - Global
May 2010
            Developers  Satellite    SSG
  Median          3000         11     13
  Average         5061       39.7   21.9
  Largest        30000        300    100
  Smallest          40          0    0.5
Quoted from BSIMM2 p4 or p7 (PDF Page Numbering)
BSIMM - Global
“The largest deltas appear in the Training and Security Testing practices. There are three practices where the European companies show evidence of more activity: Compliance and Policy, Penetration Testing, and Software Environment. When it comes to Strategy and Metrics, the averages are exactly the same. In general, this reflects a European situation that is more process and compliance driven (including privacy compliance) and more driven to measurement. However, the Europeans tend to carry out fewer assurance activities (for example, reviewing source code to look for bugs) and instead focus more energy getting a handle on the problem and meeting compliance criteria through penetration testing.”
Graph quoted from BSIMM v1.5 p52/p55 (PDF Page Numbering)
BSIMM2
Quoted from p9 or p12 (PDF Page Numbering) from BSIMM2
BSIMM2
Quoted from p9 or p12 (PDF Page Numbering) from BSIMM2
BSIMM2
Refer back to the BSIMM2 (30 firms) data on the prior slide to compare Financial Services.
Twelve (12) Financial Services vs Seven (7) ISV
ISV is “Independent Software Vendors”, including Adobe and Microsoft
Quoted from p10 or p13 (PDF Page Numbering) from BSIMM2
BSIMM2
Normalised, but the dataset has not been released.
Quoted from p10 or p13 (PDF Page Numbering) from BSIMM2
In Closing
Thanks Sandra, Carmen and David
christian.heinrich@cmlh.id.au
Slides are published on
• http://www.slideshare.net/cmlh
Slides can be downloaded from
• http://github.com/cmlh/

 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Recently uploaded (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

BSAMMBO

BSIMM2 - Sample Size
Total of 30
9
Vague in terms of who is unnamed from BSIMM (Europe and USA); it may be possible to infer the previously unnamed BSIMM (Europe and USA) participants from this list.
Financial Services
• Bank of America
• Capital One
• SallieMae
Independent Software Vendors
• VMWare
• Intel
• Intuit
• Symantec
Quoted from p4 or p7 (PDF Page Numbering) of BSIMM2

Licensing
Both are Creative Commons (Attribution and Share Alike).
Data for BSIMM is COMMERCIAL-IN-CONFIDENCE
• Rumoured that VMWare is the “VirtualWare” Case Study within OpenSAMM
10

Approach - OpenSAMM
Integrates with the existing internal development organisational structure.
• Must be a reasonably mature development culture that lacks a secure SDL
11

Approach - BSIMM
BSIMM dictates the creation of a “new” Software Security Group (SSG)
Executive Representation and Endorsement of the Software Security Initiative (SSI)
• Bill Gates (Microsoft) “Trustworthy Computing” Memo in Jan 2002
Scenarios:
• Large and political development team vs smaller existing security group
• Receipt of Outsourced Development
12
Further information on the Memo from Bill Gates is available from http://www.wired.com/techbiz/media/news/2002/01/49826

Implementation - OpenSAMM - Lightweight
13
Further information is available from p21 of p96 (PDF Numbering) of OpenSAMM v1.0

Implementation - OpenSAMM - Detailed
14
Further information is available from p21 of p96 (PDF Numbering) of OpenSAMM v1.0

Implementation - OpenSAMM - Detailed
15
Further information is available from p21 of p96 (PDF Numbering) of OpenSAMM v1.0

Implementation - OpenSAMM - Detailed
16
Results
• Most common problems at the code level
• Maintain software with rudimentary security best-practices in place
• Set baseline for security know-how among technical staff
• Enable qualitative security checks for baseline security knowledge
Success Metrics
• >50% development staff briefed on security issues within past 1 year
• >75% senior development/architect staff briefed on security issues within past 1 year
• Launch technical guidance within
Costs
• Training course buildout or license
• Ongoing maintenance of technical guidance
Personnel
• Developers (1-2 days/yr)
• Architects (1-2 days/yr)
Related Levels
• Policy & Compliance - 2
• Security Requirements - 1
• Secure Architecture - 1
Further information is available from p21 of p96 (PDF Numbering) of OpenSAMM v1.0

Implementation - OpenSAMM - Roadmap
Examples provided for:
• Independent Software Vendors
• Online Service Providers
• Financial Services Organisations
• Government Organisations
17
Further information is available from p27-p31 of p96 (PDF Numbering) of OpenSAMM v1.0

Implementation - OpenSAMM - Scorecard
18
Further information is available from p26 of p96 (PDF Numbering) of OpenSAMM v1.0

Implementation - BSIMM - Skeleton
Consider all objectives from BSIMM and apply as applicable
19
Quoted from BSIMM 1.5 p3
Unify into “Buckets”: frequency of activities across all nine (9) organisations. Maturity levels are created from the “Buckets”. This was performed independently, then merged, and the result is the “BSIMM Skeleton”.
Quoted from BSIMM v1.5 p35/p38 (PDF Numbering)
“The BSIMM skeleton provides a way to view the maturity model at a glance and is useful when assessing a software security program. The skeleton includes one page per practice organized by three levels. Each activity is associated with an objective. More complete descriptions of the activities, examples, and term definition can be found in the main document”

BSIMM - Activities - Global
21
Yellow - 8 out of 9 USA
Yellow/Blue - More common to USA
Blue - 8 out of 9 Europe
Table quoted from p53 or p56 (PDF Page Numbering) of BSIMM v1.5
SM is “Strategy and Metrics”
CP is “Compliance and Policy”
T is “Training”
AM is “Attack Models”
SFD is “Security Features and Design”
SR is “Standards and Requirements”
AA is “Architecture Analysis”
CR is “Code Review”
ST is “Security Testing”
PT is “Penetration Testing”
SE is “Software Environment”
CMVM is “Configuration Management and Vulnerability Management”

BSIMM2 - Activities
22
Fifteen (15) core activities are highlighted in yellow
Quoted from p50 or p53 (PDF Page Numbering) from BSIMM2
SM is “Strategy and Metrics”
CP is “Compliance and Policy”
T is “Training”
AM is “Attack Models”
SFD is “Security Features and Design”
SR is “Standards and Requirements”
AA is “Architecture Analysis”
CR is “Code Review”
ST is “Security Testing”
PT is “Penetration Testing”
SE is “Software Environment”
CMVM is “Configuration Management and Vulnerability Management”

BSIMM - Top Ten - USA
Ten Core Activities Everybody Does (Activity ID, Objective: Activity)
• [SM1.2] build support throughout organization: create evangelism role/internal marketing
• [CP1.3] meet regulatory needs or customer demand with a unified approach: create policy
• [T1.1] promote culture of security throughout the organization: provide awareness training
• [T2.2] see yourself in the problem: create/use material specific to company history
• [SFD1.1] create proactive security guidance around security features: build/publish security features (authentication, role management, key management, audit/log, crypto, protocols)
• [AA1.3] build internal capability on security architecture: have SSG lead review efforts
• [CR2.1] drive efficiency/consistency with automation: use automated tools along with manual review
• [ST2.1] use encapsulated attacker perspective: integrate black box security tools into the QA process (including protocol fuzzing)
• [PT1.1] demonstrate that your organization’s code needs help too: use external pen testers to find problems
• [SE1.2] provide a solid host/network foundation for software: ensure host/network security basics in place
23
3 out of 12 Practices are not implemented, i.e.:
• “Attack Models”
• “Standards and Requirements”
• “Configuration and Vulnerability Management”
Quoted from BSIMM v1.5 p47/p50 (PDF Page Numbering)
Within the “Governance” Domain:
• SM is “Strategy and Metrics” Practice
• CP is “Compliance and Policy” Practice
Within the “Intelligence” Domain:
• SFD is “Security Features and Design” Practice
Within the “SDL Touchpoints” Domain:
• AA is “Architectural Analysis” Practice
• CR is “Code Review” Practice
• ST is “Security Testing” Practice
Within the “Deployment” Domain:
• PT is “Penetration Testing” Practice
• SE is “Software Environment” Practice

BSIMM - Top 3 Uncommon - USA
Three Core Activities that Most Organizations Do (Activity ID, Objective: Activity)
• [AM1.4] understand the organization’s history: collect and publish attack stories
• [SR1.1] meet demand for security features: create security standards
• [CMVM1.2] use ops data to change dev behavior: identify software bugs found in ops monitoring and feed back to dev
24
Recommended as future activities to be performed.
Within the “Intelligence” Domain:
• AM is “Attack Models” Practice
• SR is “Standards and Requirements” Practice
Within the “Deployment” Domain:
• CMVM is “Configuration Management Vulnerability Management” Practice
Table above quoted from BSIMM v1.5 p47/p50 (PDF Page Numbering)

BSIMM - SSI Duration - Global
(Bar chart: SSI duration in years (0 to 15), Oldest / Average / Newest, for USA (Jan 2009) and Europe (Nov 2009))
25
USA (newest, average, oldest) - 1 1/2 years (1 year 6 months), 5 1/3 years (5 years 4 months), 10 years
USA Data Quoted from BSIMM v1.5 pp2 and 3 (same as PDF Page Number)
Europe (newest, average, oldest) - 1 1/2 years (1 year 6 months), 6 2/3 years (6 years 8 months), 14 years
European Data Quoted from BSIMM v1.5 p51 or p54 (PDF Page Numbering)
BSIMM2 (newest, average, oldest) - 1/4 year (3 months), 4 5/12 years (4 years 5 months), 14 years - September 2009
Quoted from BSIMM2 p4 or p7 (PDF Page Numbering)

BSIMM - Resourcing - Global
USA - Jan 2009
            Developer   Satellite   SSG
Median      5000        20          20
Average     7550        79          41
Largest     30000       300         100
Smallest    450         0           12
Europe - Nov 2009
            Developer   Satellite   SSG
Median      5000        0           11.5
Average     4664        29          16
Largest     12000       140         50
Smallest    400         0           1
26
Colours used in the table signify Pink -> Average, Blue -> Less and Purple -> More.
Europe has a significantly lower number of resources within their SSG compared to the USA, yet their (European) SSI has been executing for a longer duration.
“Satellite” are professionals outside of the SSG who have an interest in software security, as per the definition quoted from p6 or p9 (PDF Page Numbering) of BSIMM v1.5

BSIMM2 - Resourcing - Global
May 2010
            Developer   Satellite   SSG
Median      3000        11          13
Average     5061        39.7        21.9
Largest     30000       300         100
Smallest    40          0           0.5
27
Major differences from BSIMM are highlighted in green
Quoted from BSIMM2 p4 or p7 (PDF Page Numbering)

BSIMM - Global
28
“The largest deltas appear in the Training and Security Testing practices. There are three practices where the European companies show evidence of more activity: Compliance and Policy, Penetration Testing, and Software Environment. When it comes to Strategy and Metrics, the averages are exactly the same. In general, this reflects a European situation that is more process and compliance driven (including privacy compliance) and more driven to measurement. However, the Europeans tend to carry out fewer assurance activities (for example, reviewing source code to look for bugs) and instead focus more energy getting a handle on the problem and meeting compliance criteria through penetration testing.”
Graph quoted from BSIMM v1.5 p52/p55 (PDF Page Numbering)
SM is “Strategy and Metrics”
CP is “Compliance and Policy”
T is “Training”
AM is “Attack Models”
SFD is “Security Features and Design”
SR is “Standards and Requirements”
AA is “Architecture Analysis”
CR is “Code Review”
ST is “Security Testing”
PT is “Penetration Testing”
SE is “Software Environment”
CMVM is “Configuration Management and Vulnerability Management”

BSIMM2
29
Quoted from p9 or p12 (PDF Page Numbering) from BSIMM2
SM is “Strategy and Metrics”
CP is “Compliance and Policy”
T is “Training”
AM is “Attack Models”
SFD is “Security Features and Design”
SR is “Standards and Requirements”
AA is “Architecture Analysis”
CR is “Code Review”
ST is “Security Testing”
PT is “Penetration Testing”
SE is “Software Environment”
CMVM is “Configuration Management and Vulnerability Management”

BSIMM2
30
Quoted from p9 or p12 (PDF Page Numbering) from BSIMM2
SM is “Strategy and Metrics”
CP is “Compliance and Policy”
T is “Training”
AM is “Attack Models”
SFD is “Security Features and Design”
SR is “Standards and Requirements”
AA is “Architecture Analysis”
CR is “Code Review”
ST is “Security Testing”
PT is “Penetration Testing”
SE is “Software Environment”
CMVM is “Configuration Management and Vulnerability Management”

BSIMM2
31
Refer back to the BSIMM Top 30 on the prior slide to compare Financial Services.
Twelve (12) Financial Services vs Seven (7) ISV
ISV is “Independent Software Vendors” - includes Adobe, Microsoft
Quoted from p10 or p13 (PDF Page Numbering) from BSIMM2
SM is “Strategy and Metrics”
CP is “Compliance and Policy”
T is “Training”
AM is “Attack Models”
SFD is “Security Features and Design”
SR is “Standards and Requirements”
AA is “Architecture Analysis”
CR is “Code Review”
ST is “Security Testing”
PT is “Penetration Testing”
SE is “Software Environment”
CMVM is “Configuration Management and Vulnerability Management”

BSIMM2
32
Nominalised, but the dataset has not been released.
Quoted from p10 or p13 (PDF Page Numbering) from BSIMM2

In Closing
Thanks Sandra, Carmen and David
christian.heinrich@cmlh.id.au
Slides are published on
• http://www.slideshare.net/cmlh
Slides can be downloaded from
• http://github.com/cmlh/
33