Risk

5/12/2010
03:35 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Product Watch: 'Measuring Stick' For Software Security Gets An Update

Version 2 of Building Security In Maturity Model (BSIMM) includes 30 companies in seven industries

A new version of the Building Security In Maturity Model (BSIMM) released today adds three times the number of companies' secure software initiative practices than the original version, plus the project has recruited security executives from Microsoft, EMC, Intel, Adobe, and Nokia to serve on newly created advisory board.

BSIMM2 encompasses secure software initiatives from financial services firms such as Bank of America, software vendors, technology companies such as Google, healthcare, insurance, energy, and media firms, providing insight into the best practices of these organizations for their secure coding initiatives.

Gary McGraw, CTO at Cigital, which announced the BSIMM2 release, says the goal of BSIMM is to create a measuring stick for organizations to see where they stand in secure coding. Among the trends in those organizations highlighted in BSIMM is that those with the more mature software security initiatives have a more distributed approach to it, McGraw says. "Over time, the core software security group starts getting a satellite around it of developers, architects, product managers, and [those] in different areas of the business," he says. "In the beginning, they are very centralized" in the software security group, but over time, some pieces get passed on to the developers as well, says McGraw, a co-author of BSIMM.

BSIMM highlights the top 15 of 110 software security activities that are most commonly adopted. "They are 15 things everybody does," says Sammy Migues, director of knowledge management and training at Cigital and one of the co-authors of BSIMM. "Everybody hires penetration testers to come in and find problems," for example, he says, which can be used as baseline steps for organizations beginning to adopt these practices.

The study shows some common themes among successful secure software initiatives, including the need for a software security group (SSG), as well as SSGs organized by technical software development, operational, and business unit categories.

Meanwhile, the new BSIMM Advisory board comprises Steve Lipner, senior director of security engineering strategy for Microsoft; Eric Baize, senior director of the product security office at EMC; Jeff Cohen, head of product security assurance at Intel; Janne Uusilehto, director and head of product security at Nokia; and Brad Arkin, director of product security and privacy for Adobe.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11358
PUBLISHED: 2019-04-20
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-11359
PUBLISHED: 2019-04-20
Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary web script or HTML via the project parameter.
CVE-2018-20817
PUBLISHED: 2019-04-19
SV_SteamAuthClient in various Activision Infinity Ward Call of Duty games before 2015-08-11 is missing a size check when reading authBlob data into a buffer, which allows one to execute code on the remote target machine when sending a steam authentication request. This affects Call of Duty: Modern W...
CVE-2019-11354
PUBLISHED: 2019-04-19
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices ...
CVE-2019-11350
PUBLISHED: 2019-04-19
CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.