The wraps are off a maturity model for software security that gives the low-down on successful strategies and could provide organisations with a yardstick for measuring the progress of their security initiatives.
The details of the Building Security In Maturity Model (BSIMM) have been released by Fortify Software and the security consulting firm of Cigital, following a study that draws on data from nine leading software security initiatives at businesses such as Adobe, EMC, Google, Microsoft, Qualcomm, Wells Fargo, and The Depository Trust and Clearing Corporation.
The nine were chosen because they were considered to be some of the most advanced large-scale software security initiatives currently underway, said Gary McGraw, CTO of Cigital.
He explained that BSIMM maps a set of benchmarks that detail which security activities work well, and what processes need to be in place to support them.
“We set out with the intention of building an empirical model for software security, rather than something that comes across as alchemy. We wanted to build a model that fits all cases and is based on what leaders in the field do, and on their real experiences of what works best.”
As an organising feature, the researchers used a Software Security Framework (SSF), which provided them with a conceptual scaffolding for BSIMM.
During the study, the two sponsoring companies teased several guiding practices out of discussions with the executives leading each organisation’s software security initiative.
“We didn’t go in with a checklist, but we did find that the participants were telling us the same things over and over about how they handle the security process,” Brian Chess, chief scientist and founder of Fortify, told us.
For one, all of the companies were found to have created standard approaches to security; for another, they all collect and publish attack stories; and they always feed the details of software bugs found in operations monitoring back to the development group.
“Some of this sounds pretty straightforward,” McGraw said, “but sadly some organisations are not going about the business of building in software security in the right way.”
According to the findings of the study, there are ten core activities that all of the top software security teams are doing, and doing well.
The data suggests that any software security group would be well advised to consider these as guiding principles.
Some of the core activities are issues of culture and business process: build support throughout the organisation and create an evangelism or internal marketing role for software security; or meet regulatory needs or customer demand with a policy and a unified approach.
Other core activities suggest a need for automated security tools: use an encapsulated attacker perspective and integrate black box security tools into the quality assurance process (including protocol fuzzing); or demonstrate that your organisation’s code needs help by using external penetration testers to find problems.
Chess and McGraw intend to continue developing the model as more participants share data. “Properly used, BSIMM can help you determine where your organisation stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective,” Chess said.
This work is being licensed under the Creative Commons Attribution-Share Alike scheme and organisations are invited to participate.