Software Security In Healthcare, What We’ve Learned

Page 1: Software Security In Healthcare, What We’ve Learned

Presenters: Jim Routh, Greg Barnes, Sammy Migues

Page 2: Presenters

Jim Routh, CISO, Aetna

Greg Barnes, CISO, Horizon Blue Cross Blue Shield

Sammy Migues, Principal Scientist, Cigital

Page 3: Agenda

1. How to sell the program to stakeholders (executives, development leads, direct leader, testing, infrastructure)

2. Selecting practices and activities

3. Initial results

  ▫ Approach 1 = Greg Barnes, CISO, Horizon Blue Cross/Blue Shield of NJ

  ▫ Approach 2 = Jim Routh, CSO, Aetna

4. Leveraging the BSIMM to Bring Change

Page 4: Selling a Software Security Program – Approach 1 (Grassroots)

• Be the expert …

• Align with Development Leadership (QA)
  ▫ Establish risk based approach to remediation
  ▫ Establish training program and governance

• Communicate with Business Operations
  ▫ Minimize impact to delivery timelines
  ▫ Resist pressure for exceptions
  ▫ Transparent but Principled Communication = Trust and Partnership

• Integrate to Project Management Organization

• Align with Compliance / Audit

Page 5: How to Sell a Software Security Program – Approach 2

• I used an economic-driven rationale, not risk avoidance

• I started with the CFO, then the CIO and ultimately the CEO

• Developers used to resist (10 years ago) but not today; they embrace the program – as long as you give them tools

• Development leads … they resist – Who is paying for remediation?

• Security defects are nothing more (or less) than functional defects during the development cycle

• Once in production – they are security incidents

Page 6: Use a Manufacturing Analogy – Approach 2

• Pen testing applications after they’ve been developed is the equivalent of banging out dents in cars after they roll off the assembly line.

• It makes more sense to fix the source of the dents by adjusting the robotic design so the dents don’t occur in the first place.

Page 7: Practices and Activities – Approach 1

Don’t try to improve every domain…

Phase 1
• Developer Enablement: Training and Awareness
• Governance: Policy and Standards
• Communication on Risk Approach
• Service Definitions and Engagement Methods

Phase 2
• Enhance Governance – expand program scope
• Supply Chain Secure SDLC Reporting
• Enhance open source software management

Page 8: Choosing Practices and Activities – Approach 2

12 Practices
• Identify which practices should be targeted for improvement
• I use a bias toward early stage controls

112 Activities
• Some activities are more important for some industries over others
• Some activities are essential

Opportunity to invest in control maturity

Page 9: Initial Results – Approach 1

Selected / Key Domains
1. Config Mgmt/Vuln Mgmt
2. Security Testing
3. Sustainable Training
4. Coding Standards
5. Automating Metrics

Page 10: Characteristics of a Mature Program – Approach 2

• Low defect density scores
• Mobile security controls
• 3rd party software and mobile security
• Widespread adoption
• Security embedded in dev/ops model

Aetna’s Software Security Program places an emphasis on detecting and addressing the vast majority of defects in the ‘Code’ phase, as opposed to the ‘Test’ phase.

• Net productivity gain for Security Defect Remediation: 73 percent
• IT capacity freed up in 2015 to pursue other strategic enterprise initiatives: ~285,000 hours

Page 11: Leveraging the BSIMM to Bring Change

Page 12: We Hold These Truths to Be Self-Evident

• Software security is more than a set of security functions.
  ▫ Not magic crypto fairy dust
  ▫ Not silver-bullet security mechanisms

• Non-functional aspects of design are essential.

• Bugs and flaws are 50/50.

• Security is an emergent property of the entire system (just like quality).

• To end up with secure software, deep integration with the SDLC is necessary.

Page 13: Prescriptive vs. Descriptive Models

Descriptive Models
• Descriptive models describe what is actually happening.
• The BSIMM is a descriptive model that can be used to measure any number of prescriptive SSDLs.

Prescriptive Models
• Prescriptive models describe what you should do.
  ▫ SAFECode
  ▫ SAMM
  ▫ SDL
  ▫ Touchpoints
• Every firm has a methodology they follow (often a hybrid).
• You need an SSDL.

Page 14: Building BSIMM (2008)

• BIG idea: Build a maturity model from actual data gathered from 9 well-known large-scale software security initiatives.
  ▫ Create a software security framework.
  ▫ Interview 9 firms in-person.
  ▫ Discover 110 activities through observation (1 removed, 3 added later).
  ▫ Organize the activities in 3 levels.
  ▫ Build a scorecard.

• The model has been validated with data from 104 firms (78 in BSIMM6).

• There is no special snowflake.

Page 15: 78 Firms in BSIMM6 Community

Page 16: BSIMM By the Numbers

Page 17: Real World Data

Average ratio of SSG staff to developers: 1.51% (1 person for every 75 devs.)

Page 18: A Software Security Framework

Page 19: Example Activity

[AA1.2] Perform design review for high-risk applications.

The organization learns about the benefits of architecture analysis by seeing real results for a few high-risk, high-profile applications. The reviewers must have some experience performing detailed design review and breaking the architecture being considered. In all cases, design review produces a set of architecture flaws and a plan to mitigate them. If the SSG is not yet equipped to perform an in-depth architecture analysis, it uses consultants to do this work. Ad hoc review paradigms that rely heavily on expertise may be used here, though in the long run they do not scale. A review focused on whether a software project has performed the right process steps will not generate expected results.

Page 20
Page 21: Why Have A Software Security Initiative?

• Office for Civil Rights
• Federal Trade Commission
• Data Breach Class Action Lawsuits
• Insurance
• HIPAA

Page 22: Earth (78)

Page 23: Earth (78) and Healthcare (10)

Page 24: BSIMM6 Results

Top 12 activities in each practice
• purple = good?
• red = bad?

“Blue shift” = practices to emphasize

Page 25: BSIMM Longitudinal: Improvement Over Time

• 26 firms measured twice (an average of 24 months apart)
• We know how firms improve
  ▫ An average of 29.6% activity increase

Page 26: Not All Business Units Mature Equally

Page 27: The BSIMM Community

• Vendor Free
• Moderated Mailing List
• Two Member Conferences Annually
• Quarterly Webinar Series
• Quarterly Community Newsletter

Page 28: Build Security In

Join the BSIMM Community at https://www.bsimm.com/