BSIMM Shows Secure Software Development Making Inroads

The long road to making secure software development a mainstream practice remains a work in progress for healthcare, other industries.

Data breaches continue to haunt big-name companies and government agencies, but a new report shows that secure software development programs are actually becoming integral to many businesses.

The newly published Build Security In Maturity Model (BSIMM) 7 report, which reports on how nearly 100 companies from a range of vertical markets measure up in their software security development lifecycles (SDLs), found that businesses are adopting BSIMM earlier in their SDL programs than in years past. This year's BSIMM for the first time also includes Internet of Things (IoT) and insurance companies.

BSIMM, whose founders describe it as a measuring stick for companies to compare their secure development programs against those of other organizations, studies how organizations run their software security programs in-house and provides benchmark information.

Nearly half of the organizations studied in this year's report come from the financial services sector, followed by software vendors, cloud providers, healthcare organizations, Internet of Things makers, and insurance companies. There also were a few telecommunications, security, retail, and energy firms. Among the big names that agreed to be identified publicly: Adobe, Aetna, Bank of America, Capital One, Cisco, Citigroup, Fannie Mae, Fidelity, Freddie Mac, General Electric, Horizon Healthcare Services, Inc., HSBC, JPMorgan Chase & Co., LinkedIn, Marks and Spencer, Principal Financial Group, Target, The Home Depot, U.S. Bank, Visa, Wells Fargo, and Zephyr Health.

Healthcare organizations were added to the BSIMM for the first time last year in BSIMM6, and the number of healthcare participants this year grew by 50%. "They [the healthcare vertical] did slightly better than last year," says Gary McGraw, co-creator of the BSIMM and CTO at Cigital. "Some firms have grown a lot … but there's lots of work to do and being done."

Healthcare and insurance organizations were badly shaken by the massive Anthem breach and other related health insurer hacks in 2015, followed by the wave of ransomware campaigns that have hit several hospitals this year.

Chris Wysopal, co-founder and CTO of Veracode, says the 2015 breaches were a major wakeup call for the healthcare industry. His firm sees similar trends with BSIMM7.

"We are seeing many more of our customers come from the healthcare vertical in the past few years. Healthcare does lag other industries in their SDLC maturity," he says. "We see healthcare developers fixing about half as many of the flaws they know about from our testing as other industry verticals. This shows their SDLCs are reducing less risk. This could be prioritizing speed over security, but I think a big part of it is lack of maturity in their processes."

Among the areas BSIMM measures are governance (compliance and policy, metrics, training); intelligence (attack models, security features and design in software, and standards); secure software development lifecycle touchpoints (architecture analysis, code review, security testing); and deployment (penetration testing, software environment, and configuration and vulnerability management).

Bug Track

BSIMM began tracking bug bounty programs as part of its benchmark in BSIMM6, which was released one year ago. To date, six of the 95 organizations from BSIMM7 run bug bounty programs. "Bug bounties do not play a major role in BSIMM," McGraw says.

So why the low uptake of bug bounty programs among BSIMM members at a time when bug bounty programs are being announced regularly by high-profile organizations such as Facebook, Google, Microsoft, the US Department of Defense, and Apple?

"That means the momentum in bug bounties has more to do with the marketing savvy of bug bounty vendors than it has to do with the reality of who's using it," McGraw says. "I think having a bug bounty setup is fine as long as you're doing other stuff in software security."

McGraw, like other security experts, points out that bug bounties can backfire if an organization is not prepared to remediate the flaws that are found: paying for bug reports without fixing the development practices that produce the bugs only guarantees a growing payout. "If you're paying people to find bugs for you and you do not have a way of not producing more bugs in the future, you just set yourself up to be paying out more money."

A recent Veracode bug bounty study found that 36% of IT decision-makers have invested in a bug bounty program, but most of them feel their organizations rely too heavily on it for finding and fixing software flaws. Veracode's Wysopal says there are likely fewer bug-bounty adopters in BSIMM7 due to the makeup of the organizations.

Around 18 of the BSIMM7 participants are in the technology arena, he says, which makes them most likely to have a bug bounty program. "A big part of a bug bounty is goodwill within the security community and a standardized way to interact with security researchers," he says. Several of the tech companies in BSIMM aren't as connected with the research community as, say, Adobe, he notes.

Software Security Groupies

Meanwhile, an organization that doesn't have a designated software security group doesn't make the first cut of being eligible to be measured by the BSIMM, McGraw says.

"If they come and say, 'we want to be measured by BSIMM,' we ask them, 'Who runs your software security group?' If they say there's no one in charge, we say, 'come back when you're ready to be measured. You're too short to ride the ride'" without a software security team, McGraw says. "Firms who are serious about software security have a software security group."

Software security groups include security pros and software developers. "SSGs come in a variety of shapes and sizes. All good SSGs appear to include both people with deep coding experience and people with architectural chops," according to the BSIMM7 report. Supporting these groups are typically C-level executives plus "satellite" developers, testers, and architects who interface with the SSG.

Veracode's Wysopal says secure software development overall is indeed growing rapidly. "Most of our customers are now in the process of moving software security testing from a single point in time test at the end of development and moving it back into the build process and even onto the developer's workstation in their IDE," he says. "Developers are starting to accept security as part of the development process and that is helping greatly with adoption. These are exciting times for application security. The BSIMM shows we are making progress."
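What "moving security testing into the build process" looks like in practice is a gate that consumes the scanner's output and fails the build on findings the team has not already accepted. The script below is an added illustration, not code from the BSIMM report, Cigital, or Veracode. It assumes the scanner emits SARIF 2.1.0 (a common interchange format for static-analysis results); the report it parses is constructed inline so it runs offline, and the rule IDs, file names, and findings in it are invented for the example. The baseline set models the usual first step when a gate is switched on against an existing code base: known debt is recorded and tolerated, new findings at or above the chosen severity block the merge.

```python
"""Build-stage security gate: parse a SARIF 2.1.0 report and fail on new findings.

Added example, not code from the BSIMM report or from any vendor named in the
article. Assumes the static analyser writes SARIF; the report below is
constructed inline so the script runs offline.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable

# Constructed sample SARIF output, as a static analyser might emit for a small
# Python project. Rule IDs, paths and messages are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
            {"id": "HARDCODED-SECRET", "defaultConfiguration": {"level": "error"}},
            {"id": "WEAK-HASH", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "string-formatted SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            # No explicit level: SARIF says it inherits the rule's default.
            {"ruleId": "WEAK-HASH",
             "message": {"text": "md5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "HARDCODED-SECRET", "level": "error",
             "message": {"text": "API key literal"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

SEVERITY_RANK = {"note": 0, "warning": 1, "error": 2}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int
    message: str

    @property
    def key(self) -> str:
        # Identity used by the baseline. Line numbers are deliberately left out
        # so an accepted finding is not reported as new whenever code above it
        # moves; rule + file is coarse but stable across ordinary edits.
        return f"{self.rule_id}:{self.uri}"


def parse_sarif(text: str) -> list[Finding]:
    """Flatten a SARIF document into Finding records, one per location."""
    doc = json.loads(text)
    findings: list[Finding] = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        # Per SARIF, a result without "level" takes the rule's
        # defaultConfiguration.level, which itself defaults to "warning".
        default_level = {
            r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
            for r in rules
        }
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            level = res.get("level") or default_level.get(rule_id, "warning")
            text_msg = res.get("message", {}).get("text", "")
            for loc in res.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append(Finding(rule_id, level, uri, line, text_msg))
    return findings


def gate(findings: Iterable[Finding], baseline: set[str],
         fail_level: str = "error") -> list[Finding]:
    """Return the findings that should fail the build.

    A finding blocks when its severity is at or above fail_level and its key is
    not in the baseline of previously accepted findings. Unknown severity
    strings are treated as "warning" rather than silently ignored.
    """
    threshold = SEVERITY_RANK[fail_level]
    return [f for f in findings
            if SEVERITY_RANK.get(f.level, 1) >= threshold and f.key not in baseline]


if __name__ == "__main__":
    import sys
    # Baseline recorded when the gate was first enabled: one known secret that is
    # tracked elsewhere and must not block every unrelated change.
    accepted = {"HARDCODED-SECRET:app/settings.py"}
    blocking = gate(parse_sarif(SAMPLE_SARIF), accepted)
    for f in blocking:
        print(f"{f.level.upper()} {f.rule_id} {f.uri}:{f.line} {f.message}")
    sys.exit(1 if blocking else 0)
```

Run as a CI step, a non-zero exit from the script fails the job; the same functions can back a pre-commit hook or an IDE task so the developer sees the finding before it reaches the build. The baseline keeps the gate usable on day one, but it is a debt register, not a permanent allowlist: McGraw's point about bounties applies here too, in that suppressing findings without fixing the process that creates them only moves the cost later.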

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Reader comment, 10/4/2016 6:20 PM:
BSIMM is free under Creative Commons
Download the BSIMM document for free from bsimm.com
