1 / 15

A Quick Walk Through BSIMM7 Software Security Framework

BSIMM is a software security measurement framework established to help organisations compare their software security to other organisations initiatives and find out where they stand. <br><br>The Building Security In Maturity Model is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique.

hack2secure
Télécharger la présentation

A Quick Walk Through BSIMM7 Software Security Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BSIMM7 Software Security Framework A Quick Walk through ON How Hack2Secure SERVICES ARE ALLIGNED WITH THE FRAMEWORK

  2. What is BSIMM? • BSIMM (Building Security in Maturity Model) is a software security measurement framework established to help organisations compare their software security to other organisations initiatives and find out where they stand. 

  3. “The Building Security In Maturity Model is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique”.[Source: BSIMM] • The model is based on the study done on organisations across the industries like financial service sectors, Healthcare sectors, Software sectors, cloud providers and more.

  4. Why HACK2Secure supports to adopt BSIMM7 framework: • Enables organizations to start a Software Security Initiative (SSI) • Provide standard measuring criteria  to measure and comparing SSI within domain or Industry • Helps organisations to learn from other’s mistakes.  • It will help them to plan, execute and measure initiate of their own without having on board any third party for the same.  • It gives you the clarity on what is “the right thing to do”. • It helps in Cost reduction through standard, repeatable processes.

  5. BSIMM Framework • BSIMM7 Framework includes 113 different activities of 4 domains consisting 12 Practices:  • Hack2Secure  assist organization in the adoption of BSIMM framework along with evaluation and implementation of Security controls across Secure SDLC phases.

  6. BSIMM Software Security Framework (SSF) A. Governance Strategy & Metrics (SM) Compliance & Policy (CP) Training (T) B. Intelligence 4. Attack Models (AM) 5. Security Features & Design (SFD) 6. Standards & Requirements (SR) C. SSDL Touchpoints 7. Architecture Analysis (AA) 8. Code Review (CR) 9. Security Testing (ST) D. Deployment 10. Penetration Testing (PT) 11. Software Environment (SE) 12. Configuration Management & Vulnerability Management (CMVM)

  7. A. Domain: Governance • These are practices assisting companies to organise, manage and measure a Software Security Initiatives (SII).  • Strategy & Metrics (SM):  • Ensures Security Process planning and publication assisting in defining Software Security Goals and required measurement metrics. 

  8. 2. Compliance & Policy (CP): • Focus on regulatory or compliance drivers such as PCI DSS and HIPPA. 3. Training (T): • Training is required to have basic security knowledge for all level of participants in SSDLC. 

  9. B. Domain: Intelligence • These are practices results in collection and identification of corporate intelligence related with SSI.  4. Attack Models (AM): • Developer think like an attacker and create knowledge of technology specific attack patterns.  • These knowledge will then guide decisions about code and controls. 

  10. 5. Security Features & Design (SFD):  • Provides guidance of building, reviewing and publication of proactive security features, building or providing pointers to secure-by-design frameworks along with mature design patterns for major security controls. . 6. Standards & Requirements (SR):  • Explains the standard explicit security requirements for the organisations. • Assist in both building recommendation and tracking of standard Security Controls to be used aligned with Industry standards. 

  11. C. Domain: SSDL Touchpoints • Talks about essential security best practices required in Software development phases (SDLC).  7. Architecture Analysis (AA):  • Build the quality control, by performing security feature and design review process for high-risk applications.

  12. 8. Code Review (CR):  • includes activities related with Secure Code implementation and review process. 9. Security Testing (ST): • Deals with activities related different Security Testing methods like Black-box, Fuzzing, Automation, Risk driven White Box Analysis etc.

  13. D. Domain: Deployment • Includes practices that deals with network security and software maintenance requirements.  10. Penetration Testing (PT):  • Build the quality control, by performing security feature and design review process for high-risk applications.

  14. 11. Software Environment (SE): • Includes activities related with Secure Software Deployment and maintenance. • Also talks about mechanism related with application behaviour monitoring and diagnostics.  12. Configuration Management & Vulnerability Management (CMVM): • Aims to track activities related with patching, version control and change management. • Deals with building Incident Handling plans and simulate responses in software crisis. 

  15. BSIMM standards are highly accepted by organisations across the industries and it is also helping them to compare their software security initiations with industry peers.  • This is helping them to increase their business units, and drive their budgeting. • According to number of Security reports, the computer security industry as a whole is growing fast at a rate of about 8.9% per year, generating between $20 and $40 billion in revenue annually. 

More Related