Software Security In Healthcare, What We’ve Learned

Presenters:

Jim Routh, CISO, Aetna

Greg Barnes, CISO, Horizon Blue Cross Blue Shield

Sammy Migues, Principal Scientist, Cigital

Agenda

1. How to sell the program to stakeholders (executives, development leads, direct leader, testing, infrastructure)

2. Selecting practices and activities

3. Initial results

▫ Approach 1 = Greg Barnes, CISO, Horizon Blue Cross/Blue Shield of NJ

▫ Approach 2 = Jim Routh, CSO, Aetna

4. Leveraging the BSIMM to Bring Change

Selling a Software Security Program – Approach 1 (Grassroots)

• Be the expert …

• Align with Development Leadership (QA)

▫ Establish a risk-based approach to remediation

▫ Establish a training program and governance

• Communicate with Business Operations

▫ Minimize impact to delivery timelines

▫ Resist pressure for exceptions

▫ Transparent but principled communication = trust and partnership

• Integrate with the Project Management Organization

• Align with Compliance / Audit

How to Sell a Software Security Program – Approach 2

• I used an economic-driven rationale, not risk avoidance

• I started with the CFO, then the CIO and ultimately the CEO

• Developers used to resist (10 years ago) but not today; they embrace the program – as long as you give them tools

• Development leads … they resist – Who is paying for remediation?

• Security defects are nothing more (or less) than functional defects during the development cycle

• Once in production, they are security incidents

Use a Manufacturing Analogy – Approach 2

• Pen testing applications after they’ve been developed is the equivalent of banging out dents in cars after they roll off the assembly line.

• It makes more sense to fix the source of the dents by adjusting the robotic design so the dents don’t occur in the first place.

Practices and Activities – Approach 1

Phase 1

• Developer Enablement: Training and Awareness

• Governance: Policy and Standards

• Communication on Risk Approach

• Service Definitions and Engagement Methods

Phase 2

• Enhance Governance – expand program scope

• Supply Chain Secure SDLC Reporting

• Enhance open source software management

Choosing Practices and Activities – Approach 2

Don’t try to improve every domain…

12 Practices

• Identify which practices should be targeted for improvement

• I use a bias toward early-stage controls

112 Activities

• Some activities are more important for some industries than for others

• Some activities are essential

Opportunity to invest in control maturity

Selected / Key Domains

1. Config Mgmt / Vuln Mgmt

2. Security Testing

3. Sustainable Training

4. Coding Standards

5. Automating Metrics

Initial Results – Approach 1

• Low defect density scores

• Mobile security controls

• 3rd party software and mobile security

• Widespread adoption

• Security embedded in the dev/ops model

Characteristics of a Mature Program – Approach 2

Aetna’s Software Security Program places an emphasis on detecting and addressing the vast majority of defects in the ‘Code’ phase, as opposed to the ‘Test’ phase.

• Net productivity gain for Security Defect Remediation: 73 percent

• IT capacity freed up in 2015 to pursue other strategic enterprise initiatives: ~285,000 hours

Leveraging the BSIMM to Bring Change

We Hold These Truths to Be Self-Evident

• Software security is more than a set of security functions.

▫ Not magic crypto fairy dust

▫ Not silver-bullet security mechanisms

• Non-functional aspects of design are essential.

• Bugs (implementation defects) and flaws (design defects) are 50/50.

• Security is an emergent property of the entire system (just like quality).

• To end up with secure software, deep integration with the SDLC is necessary.

Prescriptive vs. Descriptive Models

Descriptive Models

• Descriptive models describe what is actually happening.

• The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.

Prescriptive Models

• Prescriptive models describe what you should do.

▫ SAFECode

▫ SAMM

▫ SDL

▫ Touchpoints

• Every firm has a methodology they follow (often a hybrid).

• You need an SSDL.

Building BSIMM (2008)

• BIG idea: Build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives.

▫ Create a software security framework.

▫ Interview 9 firms in person.

▫ Discover 110 activities through observation (1 removed, 3 added later, giving the current 112).

▫ Organize the activities in 3 levels.

▫ Build a scorecard.

• The model has been validated with data from 104 firms (78 in BSIMM6).

• There is no special snowflake.

BSIMM By the Numbers

78 Firms in BSIMM6 Community

Real World Data

• Average ratio of SSG staff to developers: 1.51% (1 person for every 75 devs.)

A Software Security Framework

Example Activity

[AA1.2] Perform design review for high-risk applications.

The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing detailed design review and breaking the architecture being considered. In all cases, design review produces a set of architecture flaws and a plan to mitigate them. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale. A review focused on whether a software project has performed the right process steps will not generate expected results.

Why Have A Software Security Initiative?

• Office for Civil Rights

• Federal Trade Commission

• Data Breach Class Action Lawsuits

• Insurance

• HIPAA

BSIMM6 Results

[Figure: Earth (78)]

[Figure: Earth (78) and Healthcare (10)]

• Top 12 activities in each practice (purple = good?, red = bad?)

• “Blue shift” = practices to emphasize

BSIMM Longitudinal: Improvement Over Time

• 26 firms measured twice (an average of 24 months apart)

• We know how firms improve

▫ An average of 29.6% activity increase

Not All Business Units Mature Equally
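The scorecard built on the "Building BSIMM" slide, the Earth-versus-Healthcare comparison that marks practices to emphasize, and the longitudinal activity increase above, worked through as a toy example. This is added illustration, not BSIMM's own code, data or scoring rules. It assumes a practice scores its "high-water mark" (the highest of the 3 levels at which the firm performs at least one activity), reads "practices to emphasize" as those where a firm's mark trails the population average, and assumes activity IDs follow the PRACTICE + LEVEL . N pattern of the AA1.2 example. The firm's two activity sets, the population averages and the observation rates are constructed.

```python
"""Toy BSIMM-style scorecard (added example; not BSIMM's code or data).

Assumptions, none of which come from the slides: a practice scores its
"high-water mark", the highest level (1-3) at which the firm performs at
least one activity; "practices to emphasize" are those where the firm's
mark trails the population average; activity IDs follow the
PRACTICE + LEVEL . N pattern (AA1.2 = Architecture Analysis, level 1,
activity 2). All firm and population data below is constructed.
"""
import re

# The 12 BSIMM practices, keyed by the abbreviation used in activity IDs.
PRACTICES = {
    "SM": "Strategy & Metrics", "CP": "Compliance & Policy", "T": "Training",
    "AM": "Attack Models", "SFD": "Security Features & Design",
    "SR": "Standards & Requirements", "AA": "Architecture Analysis",
    "CR": "Code Review", "ST": "Security Testing", "PT": "Penetration Testing",
    "SE": "Software Environment", "CMVM": "Config Mgmt & Vuln Mgmt",
}
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")


def parse_activity(activity_id):
    """Split 'AA1.2' into ('AA', 1); reject malformed IDs or unknown practices."""
    m = ACTIVITY_RE.match(activity_id)
    if not m or m.group(1) not in PRACTICES:
        raise ValueError(f"not a valid activity id: {activity_id!r}")
    return m.group(1), int(m.group(2))


def high_water_marks(observed):
    """Score each practice by its highest observed level (0 = nothing observed)."""
    marks = dict.fromkeys(PRACTICES, 0)
    for activity_id in observed:
        practice, level = parse_activity(activity_id)
        marks[practice] = max(marks[practice], level)
    return marks


def practices_to_emphasize(firm_marks, population_marks):
    """Practices whose mark trails the population average (our reading of 'blue shift')."""
    return sorted(p for p in PRACTICES if firm_marks[p] < population_marks[p])


def common_activities_missing(observed, population_rates, min_rate=0.5):
    """Activities that at least min_rate of the population performs but this firm does not."""
    return sorted(a for a, rate in population_rates.items()
                  if rate >= min_rate and a not in observed)


def activity_growth_percent(before, after):
    """Relative change in activity count between two measurements of the same firm."""
    if not before:
        raise ValueError("no baseline activities to compare against")
    return 100.0 * (len(after) - len(before)) / len(before)


# Constructed data: one firm measured twice, plus a made-up population profile.
FIRM_FIRST = {
    "SM1.1", "SM1.4", "CP1.1", "CP1.2", "T1.1", "AM1.2", "SFD1.1", "SR1.1",
    "AA1.1", "AA1.2", "CR1.2", "ST1.1", "PT1.1", "SE1.2",
    "CMVM1.1", "CMVM1.2", "CMVM2.1",
}
FIRM_SECOND = FIRM_FIRST | {"SM2.2", "T2.5", "CR2.6", "ST2.1", "PT2.2"}
POPULATION_MARKS = {  # average high-water mark per practice (constructed)
    "SM": 1.7, "CP": 1.9, "T": 0.9, "AM": 0.9, "SFD": 1.6, "SR": 0.8,
    "AA": 1.2, "CR": 1.8, "ST": 0.7, "PT": 1.9, "SE": 0.6, "CMVM": 1.7,
}
POPULATION_RATES = {  # share of firms observed doing each activity (constructed)
    "SM1.4": 0.8, "CP1.2": 0.7, "T1.1": 0.8, "AA1.1": 0.85, "CR1.4": 0.6,
    "ST1.3": 0.55, "PT1.1": 0.9, "PT1.2": 0.55, "SE1.2": 0.65, "CMVM1.1": 0.9,
    "SFD1.1": 0.75, "SR1.1": 0.3, "AM1.2": 0.45,
}


def scorecard(observed, population_marks=POPULATION_MARKS, population_rates=POPULATION_RATES):
    """Bundle the three views a scorecard reader wants for one measurement."""
    marks = high_water_marks(observed)
    return {
        "marks": marks,
        "emphasize": practices_to_emphasize(marks, population_marks),
        "missing_common": common_activities_missing(observed, population_rates),
    }


if __name__ == "__main__":
    for label, firm in (("first", FIRM_FIRST), ("second", FIRM_SECOND)):
        card = scorecard(firm)
        print(label, "emphasize:", card["emphasize"], "missing:", card["missing_common"])
    print(f"activity growth: {activity_growth_percent(FIRM_FIRST, FIRM_SECOND):.1f}%")
```

Running it shows the two readings a scorecard supports: the high-water-mark view flags whole practices that lag the population (six at the first measurement, three at the second after the firm adds level-2 activities), while the activity-rate view points at the specific commonly observed activities the firm still lacks, which is the finer-grained list a program owner actually hands to a development lead.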

The BSIMM Community

• Vendor Free

• Moderated Mailing List

• Two Member Conferences Annually

• Quarterly Webinar Series

• Quarterly Community Newsletter

Join the BSIMM Community at https://www.bsimm.com/

Build Security In
