Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/30/2010
10:29 PM
50%
50%

Expert: BSIMM Can Help Enterprises Build Secure App Development Processes

A look at the BSIMM framework, and how it has helped 30 companies to write safer code

[Excerpted from "Use BSIMM To Develop Safe Applications," a new commentary posted this week on Dark Reading's Vulnerability Management Tech Center.

Quick quiz: What do wireless devices, cell phones, PDAs, browsers, operating systems, servers, routers, personal computers, Web applications, public key infrastructure systems and firewalls have in common?

Give up? The answer is: software.

In the modern world, software is everywhere. It is software that allows our complex dynamic systems to function. It is software that has transformed our communications devices into digital computers. It is software that we count on to run our businesses.

Given these facts, where would you attack a modern system in order to compromise its integrity for nefarious gain? Same answer, of course: software.

We have been getting better at building secure software over the past past five years. But the problem of insecure software seems to be as big as ever. Why? More code.

Though we have fewer bugs per square inch, we have many more square miles of code. More code equals more bugs and flaws, and more bugs and flaws equals more security problems.

Probably the trickiest aspect of software security has to do with measurement. Everyone would love to have a magic security-o-meter that we could wave over software to determine whether it is secure. Unfortunately, the problem of directly measuring security is technically unsolvable, because software behavior is subject to such huge contextual effects, such as software environment, what kind of network the software is on, whether the software is easy to procure and whether it lives behind a firewall.

What we can do, however, is measure the software process and inspection of software artifacts created throughout the software development lifecycle (SDLC). We may get a better idea about the security properties of a piece of software by understanding how it was built, what kinds of security activities were carried out while it was built, and the results of various technical measurements of multiple development artifacts.

In this report, we will show how to use such an approach, the Building Security in Maturity Model (BSIMM), to measure your software security program against best practices of leading global organizations and build a more secure SDLC.

BSIMM (pronounced "bee-sim"), created by Cigital principal Sammy Migues, Fortify chief scientist Brian Chess and me, tackles this problem head-on. It is an observation-based scientif-ic model directly describing the collective software security activities of initiatives at 30 leading organizations.

BSIMM (actually BSIMM2, which expanded the model from nine to the current 30 leading organizations) can be used as a measuring stick for software security. A direct comparison of your organization’s practices using BSIMM is an excellent tool for devising a software security strategy. It may also be useful in understanding how your software vendors stack up in terms of IT security.

In contrast to prescriptive, "faith-based" approaches to software security, the BSIMM is directly descriptive. That is, it does not tell you what you should do; it tells you what leading organizations are actually doing. As a descriptive model, BSIMM has accumulated a number of observed facts.

To find out more about how BSIMM works, how it can help guide secure software development, and how to implement it in your enterprise, Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.