Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/30/2010
10:29 PM
50%
50%

Expert: BSIMM Can Help Enterprises Build Secure App Development Processes

A look at the BSIMM framework, and how it has helped 30 companies to write safer code

[Excerpted from "Use BSIMM To Develop Safe Applications," a new commentary posted this week on Dark Reading's Vulnerability Management Tech Center.

Quick quiz: What do wireless devices, cell phones, PDAs, browsers, operating systems, servers, routers, personal computers, Web applications, public key infrastructure systems and firewalls have in common?

Give up? The answer is: software.

In the modern world, software is everywhere. It is software that allows our complex dynamic systems to function. It is software that has transformed our communications devices into digital computers. It is software that we count on to run our businesses.

Given these facts, where would you attack a modern system in order to compromise its integrity for nefarious gain? Same answer, of course: software.

We have been getting better at building secure software over the past past five years. But the problem of insecure software seems to be as big as ever. Why? More code.

Though we have fewer bugs per square inch, we have many more square miles of code. More code equals more bugs and flaws, and more bugs and flaws equals more security problems.

Probably the trickiest aspect of software security has to do with measurement. Everyone would love to have a magic security-o-meter that we could wave over software to determine whether it is secure. Unfortunately, the problem of directly measuring security is technically unsolvable, because software behavior is subject to such huge contextual effects, such as software environment, what kind of network the software is on, whether the software is easy to procure and whether it lives behind a firewall.

What we can do, however, is measure the software process and inspection of software artifacts created throughout the software development lifecycle (SDLC). We may get a better idea about the security properties of a piece of software by understanding how it was built, what kinds of security activities were carried out while it was built, and the results of various technical measurements of multiple development artifacts.

In this report, we will show how to use such an approach, the Building Security in Maturity Model (BSIMM), to measure your software security program against best practices of leading global organizations and build a more secure SDLC.

BSIMM (pronounced "bee-sim"), created by Cigital principal Sammy Migues, Fortify chief scientist Brian Chess and me, tackles this problem head-on. It is an observation-based scientif-ic model directly describing the collective software security activities of initiatives at 30 leading organizations.

BSIMM (actually BSIMM2, which expanded the model from nine to the current 30 leading organizations) can be used as a measuring stick for software security. A direct comparison of your organization’s practices using BSIMM is an excellent tool for devising a software security strategy. It may also be useful in understanding how your software vendors stack up in terms of IT security.

In contrast to prescriptive, "faith-based" approaches to software security, the BSIMM is directly descriptive. That is, it does not tell you what you should do; it tells you what leading organizations are actually doing. As a descriptive model, BSIMM has accumulated a number of observed facts.

To find out more about how BSIMM works, how it can help guide secure software development, and how to implement it in your enterprise, Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...