In a digitally-driven world, the importance of secure software has taken on new significance. Recent hacks have placed the spotlight firmly on the security practices of organisations and the security failures of software. The reality is that security defects can arise in any part of a software development lifecycle, from setting initial requirements, through design and implementation, and into production. Getting software right means building security in from the outset in each lifecycle stage. Software security is a process that encompasses activities by all the stakeholders involved in the software development lifecycle.
No one wants to create software that is vulnerable to the next hack, so how can organisations ensure they adopt the right processes and that their software security is good enough? What are the secrets of the world’s most security-conscious organisations? Collective wisdom has a significant role to play here and observing and learning from the efforts of the world’s best can benefit any organisation on the path to strengthening their own software security initiative (SSI).
Learning from the community
The BSIMM (Building Security in Maturity Model) provides exactly this insight. It’s the industry’s first and only software security measurement tool built on real-world data about the activities of leading organisations such as the US Bank, Salesforce, and HSBC. Rather than functioning as a prescriptive model, which is usually a one-size-fits-all approach to telling organisations what they should be doing, its primary function is to provide a fact-based, descriptive model organisations can use to see how they compare to others in their industry.
The BSIMM data set is comprehensive and growing: the most recent version, BSIMM6, includes data gathered through over 200 assessments in 78 organisations and comprises the efforts of more than 287,000 software developers working on nearly 70,000 applications. The 112 activities it documents are organised into 12 practices that fall under four central domains: governance, intelligence, SSDL touchpoints, and deployment.
A BSIMM assessment is the globally-accepted way of gaining insight into the real software security activities of any organisation. From this, it’s down to each organisation to examine their business objectives and determine which BSIMM activities are best suited to their operations. Whilst no firm will adopt all the activities listed in the framework, the model can be used to help organisations establish their own SSI or, for organisations that already have an SSI, it may point the way to activities they can include to strengthen their processes.
One of the real advantages of this framework is that it’s regularly updated. Over time, the list of activities included in the report has changed so it provides an insight into what organisations are doing now. This is particularly important as the security landscape is changing fast and organisations must respond with security built in at the software layer.
Software security groups
Whilst this framework is not a prescriptive model, there is a common denominator within the BSIMM community. This essential part of an SSI is the Software Security Group (SSG), an internal group focused on software security. Carrying out the activities without an SSG is very unlikely and, as the BSIMM points out, has not been observed in the field to date. Good SSGs are likely to have a combination of people with deep coding experience and strong architectural capabilities. A further sign of maturity in a software security initiative is identifying and fostering a strong satellite – a group of individuals with an interest in software security, but who are not part of the SSG. In BSIMM6, all 10 firms with the highest BSIMM scores have a satellite and of the 10 firms with the lowest scores, none had a satellite.
Access to information on what the best in the industry are actually doing can empower organisations in their own SSI efforts. A data-driven approach to software security gives organisations the chance to assess how they measure up and provides insight into how they can get ahead of the game, strengthen their own practices, and map their progress over time. Being part of the BSIMM community and participating in private conferences where members discuss real solutions is the best way to determine how your peers—and everyone else—are dealing with the same issues as you.
Sammy Migues, Principal, Cigital