Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

11/14/2019
03:00 PM
Sammy Migues
Sammy Migues
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

BSIMM10 Shows Industry Vertical Maturity

The Building Security In Maturity Model is the only detailed measuring stick for software security initiatives, and it continues to evolve.

The Building Security In Maturity Model (BSIMM) is now in its 10th iteration. It continues to evolve as the only detailed and sophisticated "measuring stick" for software security initiatives (SSIs), also known as application or product security programs.

The BSIMM is an observational model. While it's useful for some industry experts and pundits to prescriptively document what worked for them that one time in that one situation, the BSIMM took a different path. The BSIMM observes what's happening in hundreds of organizations and tells everyone how firms are actually spending their time and money to achieve an appropriate level of software security across their entire software portfolio. Since its creation over a decade ago, this data-driven approach has evolved through the analysis of nearly 200 SSIs globally. BSIMM10 represents real-world data from 122 organizations over eight industry verticals: cloud, Internet of Things (IoT), independent software vendors (ISVs), high technology, healthcare, insurance, financial services, and retail.

The BSIMM started in 2008 with a set of 110 activities. Over time, one activity was removed and 10 activities were added. Why? Because that's what we observed in the world of software security. To help everyone understand how frequently each of the 119 BSIMM10 activities are observed across the current 122 firms, we use frequency analysis to sort the activities into levels. Commonly observed activities — across all verticals — are tagged as level 1, while sparsely observed activities are level 3.

That means we can use a high-water mark diagram such as the one below to illustrate how frequently various levels of activities are observed in firms participating in the BSIMM study as well as in a particular firm. The diagram shows that the current 122 firms are collectively putting effort into more activities in Strategy & Metrics, Compliance & Policy, and Standards & Requirements compared with Attack Models and Architecture Analysis, whereas the ExampleFirm places value on Attack Models, Code Review, and Penetration Testing. This view acts as a proxy for overall maturity but can also be broken down on an industry vertical basis to observe effort across activities and growth differences between various industries.

 

In highly regulated industries such as financial services, for instance, it's not surprising to see a spike around Compliance & Policy, whereas we typically don't see that spike with ISVs or IoT. Most verticals measured currently within the BSIMM have a good handle on the foundational security activities.

We're seeing some verticals collectively doing more than others in various areas for a variety of reasons. In certain industries, effort in particular activities is driven by legal reasons relating to regulations, statutes, and contracts. In others, customer expectations and preferences, along with perceptions of privacy, may drive which of the 119 BSIMM10 activities are emphasized over others.

Let's take medical device manufacturers as an example. The software built into the monitors and devices produced for hospitals and doctors' offices is going to be out there for 20 years, perhaps even longer. Imagine what software attacks are going to look like in 20 years! Now, imagine doing that 20 years ago and predicting what software security mechanisms would be needed for today. As you can see, this is a very complex problem and different firms in the vertical approach the problem differently.

Different verticals emphasize different security activities based on their different perceptions of risk. We see that reflected in their spider diagrams, which in turn reflects the foundational activities and the more uncommon activities they implement to help build out their particular SSI.

It isn't reasonable to say that Healthcare Company X is more mature than Retail Company Y because this would be like comparing apples to oranges. Why? Because each firm will build the right program for its needs. Even if they are in the same business, a firm doing 30 activities and a firm doing 50 activities might have the same overall maturity relative to their software portfolios. However, we can say that one group of firms within a specific industry vertical does things that seem to be collectively important throughout the vertical, while another group of companies in another industry vertical carries out completely different activities that seem to be important to them. They're not the same things necessarily, and yet there are trends among each industry.

BSIMM10 is the first iteration of the study to formally reflect changes in SSI culture, observed in a new wave of engineering-led software security efforts originating bottom-up in the deployment and operations teams rather than top-down from a centralized software security group. Engineering-led security culture has shown itself to be a means of establishing and growing meaningful software security efforts in some organizations, though it struggled to do so even just a few years ago.

Along these cultural lines, BSIMM data also show that the DevOps movement, along with the growth in continuous integration/continuous development (CI/CD) tooling and digital transformation, is affecting the way firms approach software security for their software portfolios. BSIMM10 includes three new activities for this reason.

In recent years, as organizations have started using DevOps practices that pushed software to the cloud, we're seeing that this is a big change agent in most firms. As DevOps culture and CI/CD toolchains intersect with cloud deployments, we're realizing this is a game-changer in terms of software security. We don't yet understand the full impact as we're still in the early phases of the evolution of these technologies and strategies. Upcoming iterations of the BSIMM will certainly shed more light on what organizations are doing to get from DevOps to DevSecOps and to secure their cloud deployments. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Account Fraud Harder to Detect as Criminals Move from Bots to 'Sweat Shops'."

Sammy Migues is a Principal Scientist at Synopsys. He is an information security visionary with a proven record of entrepreneurial innovation, intellectual capital development, practical business solutions, and performance optimization. Migues is the co-author of the Building ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.
CVE-2019-19230
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.