New Study Provides Real-World Data on Leading Software Security Initiatives
First-ever Maturity Model Details Success of Microsoft, Google and others
Based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust & Clearing Corporation (DTCC), the BSIMM pulls together a set of activities practiced by nine of the 25 most successful software security initiatives in the world. Unlike some industry standards, BSIMM is a structured set of practices based on real-world data rather than philosophy and ideas. BSIMM provides insight on what successful organizations actually do to build security into their software and mitigate the business risk associated with insecure applications.
"Microsoft's Security Development Lifecycle (SDL) was one of the first real enterprise software security methodologies, and we are always eager to share our ideas and best practices with the industry," said Steve Lipner of Microsoft. "BSIMM provides a public 'yardstick' for measuring the progress of any organization's own software assurance program."
"Software security has turned the corner from a good idea to a business necessity. The industry has finally reached a point where enough real experience has been accumulated to compare notes and talk about what works," said Dr. Gary McGraw, CTO of Cigital and author of Software Security. "Using BSIMM, an organization can determine where its software security initiative stands, figure out how to evolve its initiative strategically, or even get a brand new initiative off the ground. BSIMM is a tool for identifying realistic business goals and implementing those technical software security activities that make the most sense for an organization."
"Virtually every organization today relies on software to operate, and at the same time the threat to that software is at an all-time high," said Dr. Brian Chess, co-founder and Chief Scientist of Fortify Software. "Businesses need software that doesn't leak millions of identity records, gin up huge legal liabilities, or allow secrets to fall into the wrong hands."
Chess, McGraw and coauthor Sammy Migues collected data on each initiative's software security activities for strategy and metrics, training, standards and requirements, security testing, code review, etc., and uncovered a number of common themes among each of the successful initiatives, including:
- The necessity of a Software Security Group: Each of the nine enterprises has a designated group of software security personnel-the SSG-tasked with carrying out and facilitating software security. Average SSG size is just over one percent of the size of the software development organization.
- Advocacy over audit: Successful SSGs, even in regulated industries, always emphasize security education, technical resources, and mentoring rather than policing for security errors and handing out punishments.
- Use of automated technologies: Each organization performs automated code review and deploys black box testing tools, but use of these technologies requires considerable SSG know-how.
- Training for development: All organizations have an institutionalized security training curriculum for programmers, QA engineers, and project managers.
"I was surprised by the amount of common ground discovered between the financial services organizations, ISVs, and technology companies in the BSIMM study," said Jim Routh, CISO of Depository Trust & Clearing Corporation (DTCC). "All software security initiatives are by no means identical, but these findings demonstrate that an organization isn't going it alone when it comes to software security-you can learn from your peers. The BSIMM encapsulates important lessons from the best programs around."
"Comprehensive software security involves a combination of people, processes, and technologies, and it almost always requires some change to the way the organization operates," said analyst Joe Feiman of Gartner. "As software security comes of age, using a maturity model will only help to accelerate your enterprise security initiative." The BSIMM is the first such maturity model created entirely from real-world data.
Over the next several months, Cigital and Fortify will gather data from other leading software security initiatives to enhance the study and provide additional insight on trends and activities particular to certain vertical industries and company sizes, among other factors.
The BSIMM is available under creative commons license here: http://bsi-mm.com.
Cigital, Inc. is the leading software security and quality consulting firm. Established in 1992, Cigital plans and implements initiatives that help organizations ensure their applications are secure and reliable while also improving how they build and deploy software. Our recognized experts apply a combination of proven methodologies, tools, and best practices to meet each client's unique requirements. Cigital is headquartered near Washington, D.C. with regional offices in the U.S. and India.