Software is a reasonably new human artifact that seems to grow more complex every year, even as our smartphones and the Internet of Things become easier and easier to use. These days, it’s hard to live without software. At the same time that software has become the lifeblood of modern economies, very serious security concerns have emerged. So what happens when software and security intersect? This talk will trace the history of software security from its inception 15 years ago to a multi-billion dollar industry that impacts us all daily. In the early days of software, if system architects and developers thought about security at all, they usually concentrated on the liberal application of magic crypto fairy dust. We have come a long way since then. Several things happened in the early part of the decade that set in motion a major shift in the way people build software: the release of my book Building Secure Software, the publication of Bill Gates's Trustworthy Computing memo, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft, and ultimately other large software companies, to get religion about software security. Ten years ago we all collectively realized that the way to approach software security was to integrate security practices that I term the “Touchpoints” into the software development lifecycle. Now, at the end of fifteen years of great progress in software security, we have a way of measuring software security initiatives called the BSIMM (http://bsimm.com). BSIMM is helping transform the field from an art into a measurable science. This talk provides an entertaining look at the software security journey from its "bug of the day" beginnings to the multi-million dollar software security initiatives charged with corralling and controlling devops, agile methodologies, and tomorrow’s hyperfast development schedules.
A Brief History of Software, Security, and Software Security: Bits, Bytes, Bugs, and the BSIMM
1. A Brief History of Software, Security, and Software Security: Bits, Bytes, Bugs, and the BSIMM
Gary McGraw, Ph.D.
Chief Technology Officer
@cigitalgem
2. My Point of View
• Providing software security services since 1992
• Moving armies of developers in global institutions
4. Software is Everywhere
• Information is the lifeblood of industry
• Software is in our power grid, our cars, our finances, and
our communications
• Software is eating the world
• Oh, and most software is broken
5. Perimeter Security is Failing Us
Today’s computer and network security mechanisms are like the walls, moats, and drawbridges of medieval times. At one point they were effective for defending against isolated attacks mounted on horseback. Unfortunately, today’s attackers have access to predator drones and laser-guided missiles!
See: “Firewalls, Fairy Dust and Forensics Fail” http://bit.ly/1kluC7F
6. Magic Crypto Fairy Dust is not Security
“years ago I wrote another book: Applied Cryptography. I went so far as to write: ‘It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.’ It’s just not true. Cryptography can’t do any of that.”
- Bruce Schneier
Applied Cryptography: Protocols, Algorithms and Source Code in C, Bruce Schneier, John Wiley & Sons, 1996.
Security is not a THING
7. Modern Security is Risk Management
[Chart: cost ($) against security level from 0% to 100%, with curves for cost of mitigation, cost of breaches, and total cost; the minimum of the total-cost curve marks optimal security at minimum cost.]
• There is no such thing as 100% secure
• Proactive security is about building things properly
9. Who should DO software security?
• Super rad developer dudes
• NOBODY in the middle
• Network security ops guys
10. Software Security Touchpoints in the SDLC
[Diagram: each software artifact in the lifecycle with the touchpoints applied to it.]
Requirements and use cases: abuse cases; security requirements
Architecture and design: risk analysis
Test plans: risk-based security tests
Code: code review (tools)
Test and test results: risk analysis; penetration testing
Feedback from the field: security operations
External review: spans the artifacts above
1. Code review (with a tool)
2. Architectural risk analysis
3. Penetration testing
12. Fix the Dang Software
• Software security and application security are myopically concerned with finding bugs
• The time has come to stop over-focusing on new bugs to add to the (infinite) list
• Work on fixing the bugs (and the other defects too)
13. Move Past the Bug Parade
• Software security and application security tools over-focus on simple bugs
• Design-level flaws account for 50% of security defects
• Software security is about fixing design and implementation as code is created
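The bug-versus-flaw distinction from slides 12 and 13 is easiest to see with a tool in hand. The following is an added example, not code from the talk or from the BSIMM: a toy AST-based checker in the spirit of the "code review (with a tool)" touchpoint, run over a constructed snippet that contains one implementation bug (a SQL query built by string concatenation) and one design-level flaw (authorization decided from a value the client supplied). The handler names, the sample sources and the checker itself (find_sql_concat) are all hypothetical.

```python
"""Bugs versus flaws: what a simple code-review tool can and cannot see.

Added example; the sample handlers and the checker are hypothetical.
"""
import ast

# Constructed sample: one implementation bug and one design-level flaw.
SAMPLE_SOURCE = '''
def load_profile(db, user_id):
    # bug: query assembled from untrusted input by string concatenation
    query = "SELECT * FROM users WHERE id = '" + user_id + "'"
    return db.execute(query)

def delete_account(db, user_id, is_admin):
    # flaw: is_admin is a value the client sent; nothing here establishes
    # who the caller is or what they are allowed to do
    if is_admin:
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))
'''

# The same handlers after fixing both defects: a parameterized query, and
# authorization taken from a server-side session instead of a client claim.
FIXED_SOURCE = '''
def load_profile(db, user_id):
    return db.execute("SELECT * FROM users WHERE id = ?", (user_id,))

def delete_account(db, session, user_id):
    if "admin" not in session.roles:
        raise PermissionError("admin role required")
    db.execute("DELETE FROM users WHERE id = ?", (user_id,))
'''

SQL_VERBS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")


def _looks_like_sql(node):
    """True for a string constant that starts with a SQL verb."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lstrip().upper().startswith(SQL_VERBS))


def _has_sql_literal(node):
    """True if any string constant inside this expression looks like SQL."""
    return any(_looks_like_sql(n) for n in ast.walk(node))


def find_sql_concat(source):
    """Return sorted (line, function) pairs where a SQL literal is combined
    with other values by '+', '%' formatting, or f-string interpolation.

    This is the kind of simple, local pattern a code-review tool is good at.
    It says nothing about delete_account, because every line there is fine
    on its own; the problem is who is trusted to assert is_admin, which only
    architectural risk analysis of the design can surface.
    """
    tree = ast.parse(source)
    findings = set()
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(func):
            hit = False
            if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
                hit = _has_sql_literal(node.left) or _has_sql_literal(node.right)
            elif isinstance(node, ast.JoinedStr):
                hit = any(_looks_like_sql(v) for v in node.values)
            if hit:
                findings.add((node.lineno, func.name))
    return sorted(findings)


if __name__ == "__main__":
    print("before fix:", find_sql_concat(SAMPLE_SOURCE))
    print("after fix: ", find_sql_concat(FIXED_SOURCE))
```

Running the checker on SAMPLE_SOURCE reports only the concatenation in load_profile; the authorization flaw in delete_account is invisible to it, even though it is the more serious defect. Running it on FIXED_SOURCE reports nothing, which is the point of slide 12: the finding is only useful once someone fixes the code, and the flaw had to be found and fixed by a different touchpoint entirely.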
15. What is the BSIMM?
• A measurement stick for software security initiatives
• A science project that escaped the lab
• A framework for building and tailoring Software Security Initiatives
• The world’s most powerful Community of software security practitioners and executives
• http://bsimm.com
17. How do you measure software security?
• Badness-ometer != security meter
• A simple tool can’t do it
• Measure the effort in a software security initiative
18. What good does a BSIMM measurement do?
• Shows a firm where they stand relative to their peers
19. What good does a BSIMM measurement do?
• Describes observed common activities from the real world
• Demonstrates gaps clearly
• Provides real data and measurement to set SSI strategy
• Shows progress over time
22. Resources
• THANK YOU
• Join the BSIMM Community today http://bsimm.com
• http://www.cigital.com/~gem/writings
• @cigitalgem
Editor's Notes
Perimeter security is only effective if you have a perimeter. Today there are many factors causing the perimeter to disappear, including: massively distributed systems, cloud computing, BYOD, and mobile computing.
The old paradigm is failing: http://bit.ly/1kluC7F
Even Bruce Schneier knows that security is not a feature or function but a process…and he wrote the book on crypto.
Much of the narrative in application security and software security focuses on the best way to find defects. Some favor dynamic analysis (testing of a completed system, including penetration testing). Some favor static analysis (looking through source code or executables for security vulnerabilities). Some like a combination of many different methods.
As experts in all of these methods, Cigital consultants believe the time has come to focus more attention on FIXING security problems. The way things stand, many organizations are finding more defects than they can fix. The way forward is to identify problems as early as possible and then fix them.
When it comes to finding versus fixing, we come down on the side of fixing. Unfortunately, current tools do almost nothing to correct the problems they find, leaving everyone frustrated and exposed to liability.