Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/30/2010
10:29 PM
50%
50%

Expert: BSIMM Can Help Enterprises Build Secure App Development Processes

A look at the BSIMM framework, and how it has helped 30 companies to write safer code

[Excerpted from "Use BSIMM To Develop Safe Applications," a new commentary posted this week on Dark Reading's Vulnerability Management Tech Center.

Quick quiz: What do wireless devices, cell phones, PDAs, browsers, operating systems, servers, routers, personal computers, Web applications, public key infrastructure systems and firewalls have in common?

Give up? The answer is: software.

In the modern world, software is everywhere. It is software that allows our complex dynamic systems to function. It is software that has transformed our communications devices into digital computers. It is software that we count on to run our businesses.

Given these facts, where would you attack a modern system in order to compromise its integrity for nefarious gain? Same answer, of course: software.

We have been getting better at building secure software over the past past five years. But the problem of insecure software seems to be as big as ever. Why? More code.

Though we have fewer bugs per square inch, we have many more square miles of code. More code equals more bugs and flaws, and more bugs and flaws equals more security problems.

Probably the trickiest aspect of software security has to do with measurement. Everyone would love to have a magic security-o-meter that we could wave over software to determine whether it is secure. Unfortunately, the problem of directly measuring security is technically unsolvable, because software behavior is subject to such huge contextual effects, such as software environment, what kind of network the software is on, whether the software is easy to procure and whether it lives behind a firewall.

What we can do, however, is measure the software process and inspection of software artifacts created throughout the software development lifecycle (SDLC). We may get a better idea about the security properties of a piece of software by understanding how it was built, what kinds of security activities were carried out while it was built, and the results of various technical measurements of multiple development artifacts.

In this report, we will show how to use such an approach, the Building Security in Maturity Model (BSIMM), to measure your software security program against best practices of leading global organizations and build a more secure SDLC.

BSIMM (pronounced "bee-sim"), created by Cigital principal Sammy Migues, Fortify chief scientist Brian Chess and me, tackles this problem head-on. It is an observation-based scientif-ic model directly describing the collective software security activities of initiatives at 30 leading organizations.

BSIMM (actually BSIMM2, which expanded the model from nine to the current 30 leading organizations) can be used as a measuring stick for software security. A direct comparison of your organization’s practices using BSIMM is an excellent tool for devising a software security strategy. It may also be useful in understanding how your software vendors stack up in terms of IT security.

In contrast to prescriptive, "faith-based" approaches to software security, the BSIMM is directly descriptive. That is, it does not tell you what you should do; it tells you what leading organizations are actually doing. As a descriptive model, BSIMM has accumulated a number of observed facts.

To find out more about how BSIMM works, how it can help guide secure software development, and how to implement it in your enterprise, Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.