BSIMM Provides Real-World Data On Software Security Initiatives

Fortify Software, a provider of Software Security Assurance solutions, and Cigital, a consulting firm specialising in software security, have announced the release of the ‘Building Security In Maturity Model (BSIMM)’, a set of benchmarks for developing and growing an enterprise-wide software security programme.

Based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust and Clearing Corporation (DTCC), the BSIMM pulls together a set of activities practiced by nine of the most successful software security initiatives in the world.

BSIMM is a structured set of practices based on real-world data rather than philosophy and ideas. BSIMM provides insight on what successful organisations actually do to build security into their software and mitigate the business risk associated with insecure applications.

“Microsoft’s Security Development Lifecycle (SDL) was one of the first real enterprise software security methodologies, and we are always eager to share our ideas and best practices with the industry,” said Steve Lipner of Microsoft. “BSIMM provides a public ‘yardstick’ for measuring the progress of any organisation’s own software assurance programme.”

“Software security has turned the corner from a good idea to a business necessity. The industry has finally reached a point where enough real experience has been accumulated to compare notes and talk about what works,” said Dr Gary McGraw, CTO of Cigital and author of Software Security. “Using BSIMM, an organisation can determine where its software security initiative stands, figure out how to evolve its initiative strategically, or even get a brand new initiative off the ground. BSIMM is a tool for identifying realistic business goals and implementing those technical software security activities that make the most sense for an organisation.”

“Virtually every organisation today relies on software to operate, and at the same time the threat to that software is at an all-time high,” said Dr Brian Chess, co-founder and chief scientist of Fortify Software. “Businesses need software that doesn’t leak millions of identity records, gin up huge legal liabilities, or allow secrets to fall into the wrong hands.”

Chess, McGraw and co-author Sammy Migues collected data on each initiative’s software security activities for strategy and metrics, training, standards and requirements, security testing, code review, etc, and uncovered a number of common themes among each of the successful initiatives, including:

* The necessity of a Software Security Group: Each of the nine enterprises has a designated group of software security personnel – the SSG – tasked with carrying out and facilitating software security. Average SSG size is just over one percent of the size of the software development organisation.

* Advocacy over audit: Successful SSGs, even in regulated industries, always emphasise security education, technical resources, and mentoring rather than policing for security errors and handing out punishments.

* Use of automated technologies: Each organisation performs automated code review and deploys black box testing tools, but use of these technologies requires considerable SSG know-how.

* Training for development: All organisations have an institutionalised security training curriculum for programmers, QA engineers, and project managers.

“I was surprised by the amount of common ground discovered between the financial services organisations, ISVs, and technology companies in the BSIMM study,” said Jim Routh, CISO of Depository Trust and Clearing Corporation (DTCC). “All software security initiatives are by no means identical, but these findings demonstrate that an organisation isn’t going it alone when it comes to software security – you can learn from your peers. The BSIMM encapsulates important lessons from the best programmes around.”

“Comprehensive software security involves a combination of people, processes, and technologies, and it almost always requires some change to the way the organisation operates,” said analyst Joseph Feinman, VP and Gartner Fellow. “As software security comes of age, using a maturity model will only help to accelerate your enterprise security initiative.” The BSIMM is the first such maturity model created entirely from real-world data.

Over the next several months, Cigital and Fortify will gather data from other leading software security initiatives to enhance the study and provide additional insight on trends and activities particular to certain vertical industries and company sizes, among other factors.

The BSIMM is available under creative commons licence here: http://bsi-mm.com