Application Security

10/4/2016
03:45 PM
BSIMM Shows Secure Software Development Making Inroads

The long road to making secure software development a mainstream practice remains a work in progress for healthcare, other industries.

Data breaches continue to haunt big-name companies and government agencies, but a new report shows that secure software development programs are actually becoming integral to many businesses.

The newly published Build Security In Maturity Model (BSIMM) 7 report, which reports on how nearly 100 companies from a range of vertical markets measure up with their software security development lifecycles (SDLs), found businesses are using BSIMM earlier in their SDL programs than years past. This year's BSIMM for the first time also includes Internet of Things (IoT) and insurance companies.

BSIMM, whose founders describe it as a measuring stick for companies to compare their secure development programs against those of other organizations, studies how organizations run their software security programs in-house and provides benchmark information.

Nearly half of the organizations studied in this year's report come from the financial services sector, followed by software vendors, cloud providers, healthcare organizations, Internet of Things makers, and insurance companies. There also were a few telecommunications, security, retail, and energy firms. Among the big names that agreed to be identified publicly: Adobe, Aetna, Bank of America, Capital One, Cisco, Citigroup, Fannie Mae, Fidelity, Freddie Mac, General Electric, Horizon Healthcare Services, Inc., HSBC, JPMorgan Chase & Co., LinkedIn, Marks and Spencer, Principal Financial Group, Target, The Home Depot, U.S. Bank, Visa, Wells Fargo, and Zephyr Health.

Healthcare organizations were added to the BSIMM for the first time last year in BSIMM6, and the number of healthcare participants this year grew by 50%. "They [the healthcare vertical] did slightly better than last year," says Gary McGraw, co-creator of the BSIMM and CTO at Cigital. "Some firms have grown a lot … but there's lots of work to do and being done."

Healthcare and insurance organizations were badly shaken by the massive Anthem breach and other related health insurer hacks in 2015, followed by the wave of ransomware campaigns that have hit several hospitals this year.

Chris Wysopal, co-founder and CTO of Veracode, says the 2015 breaches were a major wakeup call for the healthcare industry. His firm sees similar trends with BSIMM7.

"We are seeing many more of our customers come from the healthcare vertical in the past few years. Healthcare does lag other industries in their SDLC maturity," he says. "We see healthcare developers fixing about half as many of the flaws they know about from our testing as other industry verticals. This shows their SDLCs are reducing less risk. This could be prioritizing speed over security, but I think a big part of it is lack of maturity in their processes."

Among the areas BSIMM measures are governance (compliance and policy, metrics, training); intelligence (attack models, security features and design in software, and standards); secure software development lifecycle touchpoints (architecture analysis, code review, security testing); and deployment (penetration testing, software environment, and configuration and vulnerability management).

Bug Track

BSIMM began tracking bug bounty programs as part of its benchmark in BSIMM6, which was released one year ago. To date, six of the 95 organizations from BSIMM7 run bug bounty programs. "Bug bounties do not play a major role in BSIMM," McGraw says.

So why the low showing of bug bounty programs among BSIMM members at a time when bug bounty programs are being announced regularly by high-profile organizations such as Facebook, Google, Microsoft, the US Department of Defense, and Apple?

"That means the momentum in bug bounties has more to do with the marketing savvy of bug bounty vendors than it has to do with the reality of who's using it," McGraw says. "I think having a bug bounty setup is fine as long as you're doing other stuff in software security."

McGraw, like other security experts, points out that bug bounties can backfire if an organization is not prepared to fix and remediate the flaws that are found. "If you're paying people to find bugs for you and you do not have a way of not producing more bugs in the future, you just set yourself up to be paying out more money."

A recent Veracode bug bounty study found that 36% of IT decision-makers have invested in a bug bounty program, but most of them feel their organizations rely too heavily on it for finding and fixing software flaws. Veracode's Wysopal says there are likely fewer bug-bounty adopters in BSIMM7 due to the makeup of the organizations.

Around 18 of the BSIMM7 participants are in the technology arena, he says, which makes them most likely to have a bug bounty program. "A big part of a bug bounty is goodwill within the security community and a standardized way to interact with security researchers," he says. Several of the tech companies in BSIMM aren't as connected with the research community as, say, Adobe, he notes.

Software Security Groupies

Meanwhile, if an organization doesn't have a designated software security group, they don't make the first cut of being eligible to get measured by the BSIMM, McGraw says.

"If they come and say, 'we want to be measured by BSIMM,' we ask them, 'Who runs your software security group?' If they say there's no one in charge, we say, 'come back when you're ready to be measured. You're too short to ride the ride'" without a software security team, McGraw says. "Firms who are serious about software security have a software security group."

Software security groups include security pros and software developers. "SSGs come in a variety of shapes and sizes. All good SSGs appear to include both people with deep coding experience and people with architectural chops," according to the BSIMM7 report. Supporting these groups are typically C-level executives plus "satellite" developers, testers, and architects who interface with the SSG.

Veracode's Wysopal says secure software development overall indeed is growing rapidly. "Most of our customers are now in the process of moving software security testing from a single point in time test at the end of development and moving it back into the build process and even onto the developer's workstation in their IDE," he says. "Developers are starting to accept security as part of the development process and that is helping greatly with adoption. These are exciting times for application security. The BSIMM shows we are making progress."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

GaryM2712105, User Rank: Strategist, 10/4/2016 | 6:20:00 PM

BSIMM is free under Creative Commons

Download the BSIMM document for free from bsimm.com

gem