Application Security
10/4/2016
03:45 PM

BSIMM Shows Secure Software Development Making Inroads

The long road to making secure software development a mainstream practice remains a work in progress for healthcare, other industries.

Data breaches continue to haunt big-name companies and government agencies, but a new report shows that secure software development programs are actually becoming integral to many businesses.

The newly published Build Security In Maturity Model (BSIMM) 7 report, which measures how nearly 100 companies from a range of vertical markets fare with their software security development lifecycles (SDLs), found that businesses are adopting BSIMM earlier in their SDL programs than in years past. This year's BSIMM for the first time also includes Internet of Things (IoT) and insurance companies.

BSIMM, whose founders describe it as a measuring stick for companies to compare their secure development programs against those of other organizations, studies how organizations run their software security programs in-house and provides benchmark information.

Nearly half of the organizations studied in this year's report come from the financial services sector, followed by software vendors, cloud providers, healthcare organizations, Internet of Things makers, and insurance companies. There also were a few telecommunications, security, retail, and energy firms. Among the big names that agreed to be identified publicly: Adobe, Aetna, Bank of America, Capital One, Cisco, Citigroup, Fannie Mae, Fidelity, Freddie Mac, General Electric, Horizon Healthcare Services, Inc., HSBC, JPMorgan Chase & Co., LinkedIn, Marks and Spencer, Principal Financial Group, Target, The Home Depot, U.S. Bank, Visa, Wells Fargo, and Zephyr Health.

Healthcare organizations were added to the BSIMM for the first time last year in the BSIMM6, and the number of healthcare participants this year grew by 50%. "They [the healthcare vertical] did slightly better than last year," says Gary McGraw, co-creator of the BSIMM and CTO at Cigital. "Some firms have grown a lot … but there's lots of work to do and being done."

Healthcare and insurance organizations were badly shaken by the massive Anthem breach and other related health insurer hacks in 2015, followed by the wave of ransomware campaigns that have hit several hospitals this year.

Chris Wysopal, co-founder and CTO of Veracode, says the 2015 breaches were a major wakeup call for the healthcare industry. His firm sees similar trends with BSIMM7.

"We are seeing many more of our customers come from the healthcare vertical in the past few years. Healthcare does lag other industries in their SDLC maturity," he says. "We see healthcare developers fixing about half as many flaws that they know about from our testing than other industry verticals. This shows their SDLCs are reducing less risk. This could be prioritizing speed over security, but I think a big part of it is lack of maturity in their processes."

Among the areas BSIMM measures are governance (compliance and policy, metrics, training); intelligence (attack models, security features and design in software, and standards); secure software development lifecycle touchpoints (architecture analysis, code review, security testing); and deployment (penetration testing, software environment, and configuration and vulnerability management).

Bug Track

BSIMM began tracking bug bounty programs as part of its benchmark in BSIMM6, which was released one year ago. To date, six of the 95 organizations from BSIMM7 run bug bounty programs. "Bug bounties do not play a major role in BSIMM," McGraw says.

So why the low uptake of bug bounty programs among BSIMM participants at a time when bug bounty programs are being announced regularly by high-profile organizations such as Facebook, Google, Microsoft, the US Department of Defense, and Apple?

"That means the momentum in bug bounties has more to do with the marketing savvy of bug bounty vendors than it has to do with the reality of who's using it," McGraw says. "I think having a bug bounty setup is fine as long as you're doing other stuff in software security."

McGraw, like other security experts, points out that bug bounties can backfire if an organization is not prepared to fix and remediate the flaws that are found. "If you're paying people to find bugs for you and you do not have a way of not producing more bugs in the future, you just set yourself up to be paying out more money."

A recent Veracode bug bounty study found that 36% of IT decision-makers have invested in a bug bounty program, but most of them feel their organizations rely too heavily on it for finding and fixing software flaws. Veracode's Wysopal says there are likely fewer bug-bounty adopters in BSIMM7 due to the makeup of the organizations.

Around 18 of the BSIMM7 participants are in the technology arena, he says, which makes them most likely to have a bug bounty program. "A big part of a bug bounty is goodwill within the security community and a standardized way to interact with security researchers," he says. Several of the tech companies in BSIMM aren't as connected with the research community as, say, Adobe, he notes.

Software Security Groupies

Meanwhile, if an organization doesn't have a designated software security group, it doesn't make the first cut of being eligible to be measured by the BSIMM, McGraw says.

"If they come and say, 'we want to be measured by BSIMM,' we ask them, 'Who runs your software security group?' If they say there's no one in charge, we say, 'come back when you're ready to be measured. You're too short to ride the ride'" without a software security team, McGraw says. "Firms who are serious about software security have a software security group."

Software security groups include security pros and software developers. "SSGs come in a variety of shapes and sizes. All good SSGs appear to include both people with deep coding experience and people with architectural chops," according to the BSIMM7 report. Supporting these groups are typically C-level executives plus "satellite" developers, testers, and architects who interface with the SSG.

Veracode's Wysopal says secure software development overall indeed is growing rapidly. "Most of our customers are now in the process of moving software security testing from a single point in time test at the end of development and moving it back into the build process and even onto the developer's workstation in their IDE," he says. "Developers are starting to accept security as part of the development process and that is helping greatly with adoption. These are exciting times for application security. The BSIMM shows we are making progress."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

GaryM2712105 (User Rank: Strategist), 10/4/2016 6:20:00 PM
BSIMM is free under Creative Commons
Download the BSIMM document for free from bsimm.com

gem