The outcome of this exercise could be a set of attacker profiles that includes outlines for categories of attackers and more detailed descriptions for noteworthy individuals. In many cases, a subscription to a commercial service can provide a reasonable way of gathering basic attack intelligence related to applications, APIs, containerization, orchestration, cloud environments, and so on. This initial list almost always combines input from multiple sources, both inside and outside the organization. This allows applications to be prioritized by their data classification.

The Building Security In Maturity Model (BSIMM) is a descriptive model of software security programs. BSIMM is a descriptive model that was born out of a study conducted and maintained by Cigital. BSIMM-5 is the fifth iteration of the Building Security In Maturity Model (BSIMM) project, a tool used as a measuring stick for software security initiatives. So, there's a software security framework that describes 12 practices.

Building BSIMM. Big idea: build a maturity model from actual data gathered from 9 of 46 known large-scale software security initiatives.
• Create a software security framework
• Nine in-person executive interviews
• Build bullet lists (one per practice)
• Bucketize the lists to identify activities
• Create levels

[AM2.1: 12] Build attack patterns and abuse cases tied to potential attackers.

[AM3.1: 3] Have a research group that develops new attack methods.

This is particularly useful in training classes to help counter a generic approach that might be overly focused on other organizations’ top 10 lists or outdated platform attacks (see [T2.8 Create and use material specific to company history]).

Cyber attack is modeled by various methods, such as the attack graph approach, attack tree approach, cyber kill chain modeling approach, diamond model, and simulation approach [3].
For those still reading… Firstly, many thanks to the OWASP community for hosting the fantastic OWASP Summit 2011 in Lisbon, Portugal a few weeks back.

Many classification schemes are possible—one approach is to focus on PII, for example.

[AM1.5: 57] Gather and use attack intelligence. Specific and contextual attacker information is almost always more useful than generic information copied from someone else’s list. Regardless of its origin, attack information must be adapted to the organization’s needs and made actionable and useful for developers, testers, and DevOps and reliability engineers. For example, a new attack method identified by an internal research group or a disclosing third party could require a new tool, so the SSG could package the tool and distribute it to testers. Evolving software architectures (e.g., zero trust, serverless) might require organizations to evolve their attack pattern and abuse case creation approach and content. The top N list doesn’t need to be updated with great frequency, and attacks can be coarsely sorted.

[AM1.3: 38] Identify potential attackers.

Some firms provide researchers time to follow through on their discoveries using bug bounty programs or other means of coordinated disclosure.

[AM2.5] • Collect and publish attack stories. The discussion serves to communicate the attacker perspective to everyone.

• The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs. BSIMM gathers the activities that a collection of companies are already doing as a way to assess a firm’s maturity in software security.

In this podcast, Gary McGraw, the Chief Technology Officer for Cigital, discusses the latest version of BSIMM and how to take advantage of observed practices from high-performing organizations.

Abstract: As a discipline, software security has made great progress over the last decade.
Dissections of attacks and exploits that are relevant to a firm are particularly helpful when they spur discussion of development, infrastructure, and other mitigations. Both successful and unsuccessful attacks can be noteworthy, and discussing historical information about software attacks has the added effect of grounding software security in a firm’s reality. Everyone should feel free to ask questions and learn about vulnerabilities and exploits (see [SR1.2 Create a security portal]).

When technology stacks and coding languages evolve faster than vendors can innovate, creating tools and automation in-house might be the best way forward.

Security stakeholders in an organization agree on a data classification scheme and use it to inventory software, delivery artifacts (e.g., containers), and associated persistent stores according to the kinds of data processed or services called, regardless of deployment model (e.g., on- or off-premise).

BSIMM activities have been used to measure SSIs in firms of all shapes and sizes in many different vertical markets producing software for many different target environments.

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License.

Practice abbreviations:
• Within the “Intelligence” Domain: AM is the “Attack Models” Practice; SR is the “Standards and Requirements” Practice.
• Within the “Deployment” Domain: CMVM is the “Configuration Management and Vulnerability Management” Practice.
Table above quoted from BSIMM v1.5 p47/p50 (PDF page numbering).

Legend: Yellow - 8 out of 9 USA; Yellow/Blue - more common to USA; Blue - 8 out of 9 Europe. Table quoted from p5.

BSIMM Structure: 4 Domains – 12 Practices

Governance            | Intelligence                | SSDL Touchpoints         | Deployment
----------------------|-----------------------------|--------------------------|------------------------------------------
Strategy & Metrics    | Attack Models               | Architecture & Analysis  | Penetration Testing
Compliance & Policy   | Security Features & Design  | Code Review              | Software Environment
Training              | Standards & Requirements    | Security Testing         | Configuration & Vulnerability Management
To do that, you need visibility into the current state of your SSI, as well as the data to create an improvement strategy and prioritize SSI change. Ultimately, BSIMM can help organizations plan, structure, and execute programs to fight evolving security threats and vulnerabilities. The model also describes how mature software security initiatives evolve, change, and improve over time. The Building Security In Maturity Model (BSIMM) is a study of existing software security initiatives. The BSIMM is a software security framework used to categorize 116 activities to assess security initiatives. There are three practices under each domain.

The SSG identifies potential attackers in order to understand their motivations and abilities.

The idea here is to push attack capability past what typical commercial tools and offerings encompass, and then make that knowledge and technology easy for others to use. This isn’t a penetration testing team finding new instances of known types of weaknesses—it’s a research group that innovates new types of attacks.

[AM3.3: 4] Monitor automated asset creation.

Prescriptive models: prescriptive models describe what you should do.

Nov 4, 2016.

BSIMM6 License. Gary McGraw, Ph.D., and colleagues Brian Chess, Ph.D., & Sammy Migues, have released the Building Security In Maturity Model (BSIMM), which is meant to provide guidance on building more secure software. Activities are broken down into 12 practices organized into four domains; the software security framework consists of 112 activities organized into 12 practices.

I must confess to being a bit cynical beforehand as most talks about ‘Doing X in Agile’ (where X = Performance, Security, Accessibility etc.)
Attack Models (AM) practice activities:

[AM1.2: 81] Create a data classification scheme and inventory.

[AM1.3: 38] Identify potential attackers. A list that simply divides the world into insiders and outsiders won’t drive useful results. The list of attackers should account for the firm’s evolving software supply chain and attack surface.

[AM2.2: 10] Create technology-specific attack patterns. The SSG fosters technology-specific attack pattern creation by collecting and providing knowledge about attacks relevant to the organization’s technologies; application design change (e.g., moving a monolithic application to microservices) is also part of this effort. Attack patterns directly related to the security frontier (e.g., serverless) can be useful here as well. Technology-specific attack patterns can be helpful for threat modeling efforts (see [AA1.1 Perform security feature review]).

[AM2.5: 16] Build an internal forum to discuss attacks. The organization has an internal mailing list that encourages subscribers to discuss the latest information on publicly known incidents.

[AM3.1: 3] Have a research group that develops new attack methods. The research group works to identify and defang new classes of attacks before attackers even know that they exist, so the organization stays ahead of the curve by learning about new types of attacks. Others present their findings at conferences like DEF CON to benefit everyone.

[AM3.2: 4] Create and use automation to mimic attackers. The SSG arms engineers, testers, and incident response with automation to mimic what attackers are going to do.

[AM3.3: 4] Monitor automated asset creation. Normal system, network, and application logging and analysis won’t suffice.

[CR1.2: 79] Perform opportunistic code review.

Further notes on the BSIMM:
• The BSIMM includes 112 activities organized into 12 practices that fall under four central domains: Governance, Intelligence, SSDL Touchpoints, and Deployment.
• The BSIMM data shows that high-maturity initiatives are well-rounded, carrying out numerous activities in all 12 of the practices described by the model.
• BSIMM is a descriptive model, but it measures many prescriptive models too. It is aimed at “anyone charged with creating and executing a software security initiative.”
• The third update to the BSIMM incorporates more inventory data from a larger set of organizations.
• One of the best practices advocated by BSIMM 4 is training and education.
• A secure SDLC is an inevitable part of developing secure software.
• Gary McGraw: “we gather lots of data which we then put into our BSIMM framework.”

I recently attended a talk by Nick Murison from Cigital covering ‘Security in Agile’. The approach was summarised as ‘do it continuously, early, and automate as much as possible’.

ISACA 2013 Fall Conference – “Sail to …