Software Security: BSIMM's Holistic Approach
BSIMM 4 adds new practices for improving software security.
The path to building a secure enterprise begins with building secure software. One of the many ways that developers can build secure software is by following the tenets of the Building Security in Maturity (BSIMM) approach, now in its fourth generation.
While 109 best practices from the BSIMM 3 report carry over to the BSIMM 4, the latest report provides two new recommendations.
Gary McGraw, CTO of Cigital and one of the co-authors of BSIMM 4, told eSecurity Planet that BSIMM now recommends the use of a static analysis tool for code review. Static analysis can be used to look for malicious code that may have been put into software codebase by malicious developers, McGraw noted.
"There are now a lot of firms that use source code analysis to not just look for bugs, but to look for intentionally injected problems that could lead to insider attacks," McGraw said.
Another new practice that BSIMM 4 advocates is one that was pioneered by developers at Intel, to perform software disaster simulations. McGraw said that at Intel they have done a series of exercises that simulate a software security event. The events include the simulated discovery of an issue with a chipset, with a public zero-day disclosure.
"They do a tabletop exercise that includes the highest level executives, the marketing and PR people and software engineers," McGraw said. "So if such an event were to happen in the future, they won't find themselves with their pants down."
Educating Software Developers
One of the most common types of software security attack vectors is the use-after-free condition, where an attacker makes use of legitimately allocated memory to launch an attack.
The BSIMM 4 approach advocates using multiple layers of practices that can help limit the risks of such a vulnerability. Jacob West, CTO of Fortify Products and co-author of BSIMM 4, explained to eSecurity Planet that BSIMM takes a holistic approach.
One of the best practices advocated by BSIMM 4 is training and education.
"So you're teaching developers about a kind of bug they have experienced in the past and need to be aware of," West said. "Then BSIMM follows up on that with a one-two punch using security standards and giving developers concrete guidance and how to code securely and avoid that mistake."
Using a static analysis tool to then verify the code also provides a layer of mitigation against use-after-free and other common software defects.
"You really need a comprehensive approach to address software security problems," West said. "With that broad view, you can get good visibility into a combination of activities that an enterprise might need to address a specific problem like use-after-free."