Data breaches continue to haunt big-name companies and government agencies, but a new report shows that secure software development programs are actually becoming integral to many businesses.
The newly published Build Security In Maturity Model (BSIMM) 7 report, which reports on how nearly 100 companies from a range of vertical markets measure up with their software security development lifecycles (SDLs), found businesses are using BSIMM earlier in their SDL programs than years past. This year's BSIMM for the first time also includes Internet of Things (IoT) and insurance companies.
BSIMM, whose founders describe it as a measuring stick for companies to compare their secure development programs against those of other organizations, studies how organizations run their software security programs in-house and provides benchmark information.
Nearly half of the organizations studied in this year's report come from the financial services sector, followed by software vendors, cloud providers, healthcare organizations, Internet of Things makers, and insurance companies. There also were a few telecommunications, security, retail, and energy firms. Among the big names that agreed to be identified publicly: Adobe, Aetna, Bank of America, Capital One, Cisco, Citigroup, Fannie Mae, Fidelity, Freddie Mac, General Electric, Horizon Healthcare Services, Inc., HSBC, JPMorgan Chase & Co., LinkedIn, Marks and Spencer, Principal Financial Group, Target, The Home Depot, U.S. Bank, Visa, Wells Fargo, and Zephyr Health.
Healthcare organizations were added to the BSIMM for the first time last year in the BSIMM6, and the number of healthcare participants this year grew by 50%. "They [the healthcare vertical] did slightly better than last year," says Gary McGraw, co-creator of the BSIMM and CTO at Cigital. "Some firms have grown a lot … but there's lots of work to do and being done."
Healthcare and insurance organizations were badly shaken by the massive Anthem breach and other related health insurer hacks in 2015, followed by the wave of ransomware campaigns that have hit several hospitals this year.
Chris Wysopal, co-founder and CTO of Veracode, says the 2015 breaches were a major wakeup call for the healthcare industry. His firm sees similar trends with BSIMM7.
"We are seeing many more of our customers come from the healthcare vertical in the past few years. Healthcare does lag other industries in their SDLC maturity," he says. "We see healthcare developers fixing about half as many flaws that they know about from our testing than other industry verticals. This shows their SDLCs are reducing less risk. This could be prioritizing speed over security, but I think a big part of it is lack of maturity in their processes."
Among the areas BSIMM measures are governance (compliance and policy, metrics, training); intelligence (attack models, security features and design in software, and standards); secure software development lifecycle touchpoints (architecture analysis, code review, security testing); and deployment (penetration testing, software environment, and configuration and vulnerability management).
BSIMM began tracking bug bounty programs as part of its benchmark in BSIMM6, which was released one year ago. To date, six of the 95 organizations from BSIMM7 run bug bounty programs. "Bug bounties do not play a major role in BSIMM," McGraw says.
So why the low-show of bug bounty programs among BSIMM members at a time when bug bounty programs are being announced regularly by high-profile organizations such as Facebook, Google, Microsoft, the US Department of Defense, and Apple?
"That means the momentum in bug bounties has more to do with the marketing savvy of bug bounty vendors than it has to do with the reality of who's using it," McGraw says. "I think having a bug bounty setup is fine as long as you're doing other stuff in software security."
McGraw, like other security experts, points out that bug bounties can backfire if an organization is not prepared to fix and remediate the flaws that are found. "If you're paying people to find bugs for you and you do not have a way of not producing more bugs in the future, you just set yourself up to be paying out more money."
A recent Veracode bug bounty study found that 36% of IT decision-makers have invested in a bug bounty program, but most of them feel their organizations rely too heavily on it for finding and fixing software flaws. Veracode's Wysopal says there are likely fewer bug-bounty adopters in BSIMM7 due to the makeup of the organizations.
Around 18 of the BSIMM7 participants are in the technology arena, he says, which makes them most likely to have a bug bounty program. "A big part of a bug bounty is goodwill within the security community and a standardized way to interact with security researchers," he says. Several of the tech companies in BSIMM aren't as connected with the research community as, say, Adobe, he notes.
Software Security Groupies
Meanwhile, if an organization doesn't have a designated software security group, they don't make the first cut of being eligible to get measured by the BSIMM, McGraw says.
"If they come and say, 'we want to be measured by BSIMM,' we ask them, 'Who runs your software security group?' If they say there's no one in charge, we say, 'come back when you're read to be measured. You're too short to ride the ride'" without a software security team, McGraw says. "Firms who are serious about software security have a software security group."
Software security groups include security pros and software developers. "SSGs come in a variety of shapes and sizes. All good SSGs appear to include both people with deep coding experience and people with architectural chops," according to the BSIMM7 report. Supporting these groups are typically C-level executives plus "satellite" developers, testers, and architects who interface with the SSG.
Veracode's Wysopal says secure software development overall indeed is growing rapidly. "Most of our customers are now in the process of moving software security testing from a single point in time test at the end of development and moving it back into the build process and even onto the developer's workstation in their IDE," he says. "Developers are starting to accept security as part of the development process and that is helping greatly with adoption. These are exciting times for application security. The BSIMM shows we are making progress."