With the advent of cloud and mobile technologies, enterprise security is no longer simply about strengthening the network perimeter with the right combination of firewalls. Some intruders will almost inevitably make it through. Because of this, there is a growing emphasis on making software that is less vulnerable to attack.
“If you put a lock on the door but don’t put any locks on the windows, what is the point?” said Gary McGraw, CTO of security consulting firm Cigital and author of several books on software security.
In collaboration with HP, McGraw and other executives from Cigital helped create the Building Security in Maturity Model (BSIMM), a security measurement tool based on real-world data collected from companies including Adobe, Goldman Sachs, McAfee, Microsoft, PayPal and Thomson Reuters.
More Secure Software for All
Launched in 2008 with data from nine firms, the fifth and latest version of the BSIMM, introduced this week, includes 67 firms. They are large enterprises with security budgets to match. The BSIMM framework has a “definite bias,” McGraw said. “I want to change the world and would prefer to change the world 30,000 developers at a time versus six developers at a time.”
But, he added, small firms can use the BSIMM as well. “If big firms can turn giant battleships, surely you can turn your speedboat. The BSIMM has real examples that any firm can adopt; they just have to have the will to do it.”
The BSIMM includes 112 activities organized into 12 practices that fall under four central domains: Governance, Intelligence, SSDL Touchpoints and Deployment. According to the BSIMM website, for each activity the BSIMM includes an objective, a description and one or more real examples that show how organizations used it.
If that sounds overwhelming, it shouldn’t. McGraw encourages security professionals to think of the BSIMM framework as a toolbox. “We’ve got all kinds of tools you can use. You don’t have to use them all, but there are some damn good ones in there,” he said.
“The BSIMM is an instrumental tool to determine the maturity and effectiveness of an organization’s software security activities, and we use it to measure the progress in improving software security year over year,” said Jim Routh, CISO of Aetna.
Data vs. Theory
Too often, McGraw said, software security methodologies are based on unproven theories and hunches. The BSIMM is meant to counter that, with its emphasis on hard data. “A lot of people in computer security are hacker boys with opinions and can throw grok, but when it comes to actually doing security engineering, this is a job for adults. We are taking a serious, principled and scientific approach to software security.”
The BSIMM is designed to be a dynamic model, McGraw explained. If a new security activity is observed at several participating firms, it is added to the BSIMM so it can be tracked more closely for future versions. “It’s not static. It changes with the data,” he said.
“Sheer desperation” leads companies to try new activities, McGraw said. BSIMM-V, introduced this week, adds one new activity: operating a bug bounty program.
Some companies are concluding that “It might be better to have the people doing the hacking on their payroll,” McGraw said, emphasizing that the activity is far from widespread. “Some firms are picking it up; others are picking it up, looking at it and putting it right back.”
Released under a Creative Commons license, the BSIMM is free for anyone to use.
The BSIMM Community also hosts a private mailing list and an annual conference where attendees can gather in an off-the-record forum to discuss day-to-day administration of software security initiatives. This year’s BSIMM Community Conference is scheduled for Nov. 12-14 near Washington, D.C.
Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.eee
