BSIMM7 was released October 4th, 2016. That’s just a few weeks before the seventh annual BSIMM Community Conference convened on Amelia Island, Florida.
This year’s BSIMM conference was well attended, with 160 participants representing 60 of 95 BSIMM firms from across the globe. The energy and enthusiasm at the conference were palpable. There is nothing on Earth like a psyched group of hard-core software security practitioners who also happen to be serious professional adults.
The BSIMM project is growing faster than ever before, and BSIMM7 includes detailed data from 95 firms. Keep in mind that these firms are from all over the world. Gathering 60 of the 95 BSIMM firms is quite a feat.
We have a few rules about attending the BSIMM Community Conference. Only firms participating in the BSIMM can attend, and once at the event, we operate under Chatham House rules. There is a reason for both: you have to show your own belly button before you get to see everyone else’s. Additionally, all of the presentations are given by highly experienced members of the BSIMM Community and are no-holds-barred reports of what works (and what doesn’t) in large software security initiatives.
We noticed another high-water mark while at the conference: this year women gave 21% of the BSIMM Community Conference talks.
If forced to name the emerging themes that pervaded this year’s conference, the first would have to be CI/CD. John Steven from Synopsys quipped, “If CI and CD were a drinking game cue, we would all be dead this week.” He was correct: several talks were about or touched on CI/CD. The second most emphasized theme was scale. By now we all know how to carry out many of the 113 BSIMM activities pretty well on an activity-by-activity basis, but how do we scale to thousands of developers?
In my opening talk, I presented an overview of new results in BSIMM7. Sammy Migues then delivered a talk packed with information—his vision of what software security may look like in 2019. Think carefully about “SSI as code,” and you may reach some of Sammy’s conclusions yourself.
Next up was a keynote talk delivered by Dr. Matthew Green, the world-famous cryptographer from Johns Hopkins University. His presentation was technical, captivating, and challenging. The brilliant conceit behind Matt’s talk can be summed up in two words—crypto prohibition. What are the implications of government-mandated backdoors or security design flaws built right into the software we all use every day?
Like last year, we ran the conference as two tracks once the general session was over: the “Explorer” track for those mapping out their initiatives, and the “Next Level” track for those well on their way. Here is a brief overview of the tracks:
This session put “searching for secrets in code” up against DevSecOps. As a movement, DevSecOps is putting too much emphasis on code (and automated bug finding) and not enough on flaws. It is important that software security not devolve back to “code first, ask questions later” by explicitly confronting design review and threat modeling.
The second session had the Explorer track working through a fitness analogy (strength training for software security) up against another CI/CD talk. In this session, Antti Vähä-Sipilä spent plenty of time on design-level integration.
Session three was all about scale, scaling attack models, and scaling pen testing. In other words, does your pen testing solution scale to ALL of your apps? The key to scaling is automation, but don’t forget to think as well.
This session pitted scaling security testing against a CISO’s view of how to use the BSIMM. My favorite quote from the conference came from Citizens Bank’s Chauncey Holden who was once asked (by a Board member), “Other than you, who else thinks you are doing a good job?”
The fifth session explored what it is like for the same person to use the BSIMM in three different firms. The result? Culture matters. The Next Level track was about scaling architecture analysis through automation. Citi was kind enough to share their advanced approach.
Session six cut new ice on day two. This set of talks focused on scaling mobile testing and just plain old global scale. Turns out HSBC is a very big firm indeed.
The seventh session turned out to be an all-female presenter track, with a “first 180 days as a new SSG leader” up against a solid presentation on how to leverage SSG office hours.
The final session featured a case study that was lifted from the BSIMM Europe Community Conference for re-presentation at the big BSIMM Community Conference in one track. The Next Level track was an outstanding talk by John Steven, hilariously subtitled “How I learned to quit worrying and fix the damn software.”
Altogether, the 16 track talks were superb and provided in-depth coverage of almost all aspects of a software security initiative. Thanks to all of our outstanding presenters for sharing their knowledge and experiences.
We wrapped up the conference with a panel of experts moderated by BSIMM co-author, Jacob West. The theme this year was people. Finding people. Retaining people. Growing people.
In my view, the BSIMM Community Conference remains the best technical conference I attend every year. I can’t wait for the next one.
The BSIMM Community has a vast amount of inherent knowledge and experience to tap. That’s a great thing because BSIMM is growing faster than ever. As it continues to grow, more “beginners” enter the population. In fact, adding firms with less experience has decreased overall maturity to 33.9 in BSIMM7 from 36.7 in BSIMM6! By leveraging the strength of the BSIMM Community, we can make sure that the new BSIMM firms advance in maturity more rapidly than ever.