10 Things You Ought to Know
Before You Benchmark Your
Software Security Program
DON’T JUST DRIFT IN THE WIND
© 2016 Cigital | www.cigital.com
Evaluating the progress of your software security journey is essential, but it can be a
considerable challenge. Tracking operational metrics doesn’t tell you whether you are doing the
right things. Analyst reports are often too general to provide tactical direction. And companies
hold their security plans so close to the vest that competitive research is nearly impossible.
Benchmarking can help you get a new software security initiative off the ground or navigate
an existing one. It is different from other measurement techniques because it focuses
on excellence, includes detailed comparisons, and pools confidential information among
numerous organizations.
Benchmarking your software security initiative can tell you if you are keeping pace with your
peers, or if you should accelerate your efforts to rise above the competition. The results of a
benchmarking assessment can help you identify new security strategies and prioritize scarce
resources to be most effective.
Consider these 10 tips to get the most out of
your benchmarking assessment.
1 Select the right instruments.
When you choose a methodology to assess your program, make
sure you select a transparent model that is commonly used by
security experts and reflects the latest practices in the industry. The
terminology will be more commonly understood, the assessment
will be more comprehensive, and the results will gain more respect.
2 Evaluate real-world conditions.
An assessment that is based on current data from real-world
companies will be more accurate than a theoretical checklist.
Look beyond the high-level findings and ask: What companies
are included in the benchmarks? Do I consider them examples of
companies I want to follow?
3 Learn from experienced pilots.
If you operate in an industry that has not historically invested in security, you may have an outdated idea of
what is necessary to mitigate risk. Look to industries that are considered leaders to get inspired with ideas you
can adapt to your own software security initiative.
4 Verify your launch point.
Quick surveys such as online assessments are a great way to launch your benchmarking strategy. They can give
you an initial read on where you stand. Unfortunately, they may give you a false sense of security. To capture
your current security posture in detail, a follow-up assessment should include interviews with multiple parties
and documented activities to verify specifics. You may find that elements of your security plan are not actually
being carried out in practice, or that activities differ from what you expect.
5 Beware of over-inflation.
Internal-only assessments can unintentionally inflate results based on assumptions and take you off course. A
third party that has no stake in the outcome can evaluate your security processes with an unbiased perspective.
6 Weigh everything in your basket.
You’ll want an aggregate assessment of your security posture, but you should also look at the details. For
example, an “average” result may hide the fact that a single business unit has particular strengths while another
has certain weaknesses. Deconstruct your results or consider separate assessments.
7 Take a 360° view.
Consider your results in context. Not every element of
the framework you choose may apply to your business.
For example, if you don’t rely on third parties to develop
software, you don’t need to develop vendor service-level
agreements.
8 Reflect on your journey.
Don’t spend all of your time collecting and measuring
data. Your results are simply numbers on a page until
you devote time to analysis. Make sure you leave some
room in your budget and your timeline to apply results
and prepare your maneuvers.
9 Share your experience.
Anytime you invest in an external audit of your business operations, executives will want to know what the
results mean. Have a plan to communicate your results with business context to increase your leadership’s
understanding of software security and build support for the resources you need to evolve your program.
10 Test the wind at different altitudes.
Most companies find it makes sense to do an in-depth assessment about every two years to track their
progress. During that time, you’ll be able to see improvements in more resource-intensive, time-consuming
activities.
The Building Security In Maturity Model (BSIMM) is an assessment framework based on data gathered
from 100+ software security initiatives that are currently active. It categorizes 113 software security
activities into three maturity “levels,” based on how often they are observed and how complex they are to carry out.
A BSIMM assessment gives you insight into how other organizations value security activities and an
unbiased perspective on the strengths and weaknesses of your own program.
Start with a free online assessment to see how your
software security initiative stacks up.
Where are you on your
software security journey?
Benchmarking your security strategies against the activities of real-world organizations provides
meaningful context to help you make decisions.
THE CIGITAL DIFFERENCE
Cigital is one of the world’s largest application security firms.
We go beyond traditional testing services to help organizations identify,
remediate, and prevent vulnerabilities in the applications that power their
business. Our holistic approach to application security offers a balance of
managed services, professional services, and products tailored to fit your
specific needs. We don’t stop when the test is over. Our experts also provide
remediation guidance, program design services, and training that empower
you to build and maintain secure applications.
For more information visit us at
https://www.cigital.com