[Excerpted from "Use BSIMM To Develop Safe Applications," a new commentary posted this week on Dark Reading's Vulnerability Management Tech Center.
Quick quiz: What do wireless devices, cell phones, PDAs, browsers, operating systems, servers, routers, personal computers, Web applications, public key infrastructure systems and firewalls have in common?
Give up? The answer is: software.
In the modern world, software is everywhere. It is software that allows our complex dynamic systems to function. It is software that has transformed our communications devices into digital computers. It is software that we count on to run our businesses.
Given these facts, where would you attack a modern system in order to compromise its integrity for nefarious gain? Same answer, of course: software.
We have been getting better at building secure software over the past past five years. But the problem of insecure software seems to be as big as ever. Why? More code.
Though we have fewer bugs per square inch, we have many more square miles of code. More code equals more bugs and flaws, and more bugs and flaws equals more security problems.
Probably the trickiest aspect of software security has to do with measurement. Everyone would love to have a magic security-o-meter that we could wave over software to determine whether it is secure. Unfortunately, the problem of directly measuring security is technically unsolvable, because software behavior is subject to such huge contextual effects, such as software environment, what kind of network the software is on, whether the software is easy to procure and whether it lives behind a firewall.
What we can do, however, is measure the software process and inspection of software artifacts created throughout the software development lifecycle (SDLC). We may get a better idea about the security properties of a piece of software by understanding how it was built, what kinds of security activities were carried out while it was built, and the results of various technical measurements of multiple development artifacts.
In this report, we will show how to use such an approach, the Building Security in Maturity Model (BSIMM), to measure your software security program against best practices of leading global organizations and build a more secure SDLC.
BSIMM (pronounced "bee-sim"), created by Cigital principal Sammy Migues, Fortify chief scientist Brian Chess and me, tackles this problem head-on. It is an observation-based scientif-ic model directly describing the collective software security activities of initiatives at 30 leading organizations.
BSIMM (actually BSIMM2, which expanded the model from nine to the current 30 leading organizations) can be used as a measuring stick for software security. A direct comparison of your organization’s practices using BSIMM is an excellent tool for devising a software security strategy. It may also be useful in understanding how your software vendors stack up in terms of IT security.
In contrast to prescriptive, "faith-based" approaches to software security, the BSIMM is directly descriptive. That is, it does not tell you what you should do; it tells you what leading organizations are actually doing. As a descriptive model, BSIMM has accumulated a number of observed facts.
To find out more about how BSIMM works, how it can help guide secure software development, and how to implement it in your enterprise, Dark Reading's editors directly, send us a message.