Risk

11/30/2010
10:29 PM
50%
50%

Expert: BSIMM Can Help Enterprises Build Secure App Development Processes

A look at the BSIMM framework, and how it has helped 30 companies to write safer code

[Excerpted from "Use BSIMM To Develop Safe Applications," a new commentary posted this week on Dark Reading's Vulnerability Management Tech Center.

Quick quiz: What do wireless devices, cell phones, PDAs, browsers, operating systems, servers, routers, personal computers, Web applications, public key infrastructure systems and firewalls have in common?

Give up? The answer is: software.

In the modern world, software is everywhere. It is software that allows our complex dynamic systems to function. It is software that has transformed our communications devices into digital computers. It is software that we count on to run our businesses.

Given these facts, where would you attack a modern system in order to compromise its integrity for nefarious gain? Same answer, of course: software.

We have been getting better at building secure software over the past past five years. But the problem of insecure software seems to be as big as ever. Why? More code.

Though we have fewer bugs per square inch, we have many more square miles of code. More code equals more bugs and flaws, and more bugs and flaws equals more security problems.

Probably the trickiest aspect of software security has to do with measurement. Everyone would love to have a magic security-o-meter that we could wave over software to determine whether it is secure. Unfortunately, the problem of directly measuring security is technically unsolvable, because software behavior is subject to such huge contextual effects, such as software environment, what kind of network the software is on, whether the software is easy to procure and whether it lives behind a firewall.

What we can do, however, is measure the software process and inspection of software artifacts created throughout the software development lifecycle (SDLC). We may get a better idea about the security properties of a piece of software by understanding how it was built, what kinds of security activities were carried out while it was built, and the results of various technical measurements of multiple development artifacts.

In this report, we will show how to use such an approach, the Building Security in Maturity Model (BSIMM), to measure your software security program against best practices of leading global organizations and build a more secure SDLC.

BSIMM (pronounced "bee-sim"), created by Cigital principal Sammy Migues, Fortify chief scientist Brian Chess and me, tackles this problem head-on. It is an observation-based scientif-ic model directly describing the collective software security activities of initiatives at 30 leading organizations.

BSIMM (actually BSIMM2, which expanded the model from nine to the current 30 leading organizations) can be used as a measuring stick for software security. A direct comparison of your organization’s practices using BSIMM is an excellent tool for devising a software security strategy. It may also be useful in understanding how your software vendors stack up in terms of IT security.

In contrast to prescriptive, "faith-based" approaches to software security, the BSIMM is directly descriptive. That is, it does not tell you what you should do; it tells you what leading organizations are actually doing. As a descriptive model, BSIMM has accumulated a number of observed facts.

To find out more about how BSIMM works, how it can help guide secure software development, and how to implement it in your enterprise, Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11358
PUBLISHED: 2019-04-20
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-11359
PUBLISHED: 2019-04-20
Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary web script or HTML via the project parameter.
CVE-2018-20817
PUBLISHED: 2019-04-19
SV_SteamAuthClient in various Activision Infinity Ward Call of Duty games before 2015-08-11 is missing a size check when reading authBlob data into a buffer, which allows one to execute code on the remote target machine when sending a steam authentication request. This affects Call of Duty: Modern W...
CVE-2019-11354
PUBLISHED: 2019-04-19
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices ...
CVE-2019-11350
PUBLISHED: 2019-04-19
CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.