Microsoft got the ball rolling on secure software development for the commercial world, and now many of the world’s largest enterprises are picking it up and running with it, forcing many software vendors to catch up or lose the game. Fidelity Investments is one of those businesses that literally programmed secure software development into its business strategy.

Fidelity is a participant in the Building Security In Maturity Model (BSIMM) program, an ongoing, in-depth study of real-world enterprises' software security initiatives that its founders say can be used as a real-live security measurement tool. BSIMM, which was launched by Cigital, now encompasses 51 companies across financial services, ISVs, technology, and other industries.

David Smith, vice president of application security for Fidelity, says the company actually began secure coding practices in 1997. "We started secure code review when we first started putting Web apps online many years ago," Smith says. "It's always been a challenge ... are you making the right priority decisions?"

[Input validation and prepared SQL statements crucial to preventing SQL injection attacks. See The Root Of All Database Security Evils = Input.]

Smith says when Cigital approached Fidelity in 2008 to recruit the financial services firm for the very first BSIMM survey, it gave the company an opportunity to not only share its experiences and practices, but also to see how it stacked up with other companies in secure coding. "We were surprised that we had so much more in common [with other firms] than differences. It did confirm that what we were doing was in line with the industry’s best, and we could also see opportunities to improve," Smith says. "And now we could use those results to help justify some of our [project requests] and to realign resources."

Among the adjustments Fidelity has made in the wake of BSIMM: ratcheting up its security testing and architecture, Smith says. "We did focus some attention in the areas of Security Testing and Security Architecture, based on how we originally scored on the BSIMM survey, and leveraged what other leaders were doing in this space as reference. I believe we now have one of the best-of-breed solutions in both of those important practices," he says.

Businesses are starting to pressure software vendors into supplying them with more secure code as their own in-house secure development programs mature. New data from Veracode found that the number of vendors getting their applications security-tested grew nearly 50 percent during that 18-month period, much of which was prompted by prospective or existing customers requiring it.

As a matter of fact, big enterprises are starting to mentor smaller independent software vendors on secure coding, says Sammy Migues, a principal at Cigital who works on the BSIMM. "We hear anecdotally that a lot of firms feel or claim or have numbers to back up that there are more bugs in others' code than in their own code," Migues says.

Fidelity uses penetration testing and static-code analysis tools to vet its software code. And Smith says his company has seen fewer vulnerabilities in its code. "We do measure the number of vulnerabilities per thousand lines of code. I can't give you the exact number, but we've seen that metric greatly improving," he says.

Key to that improvement has been security training of its developers, he says, as well as automating secure development procedures. Fidelity also has buy-in from the top levels of management: "Our culture takes security very seriously, and we have a lot of support from executive management," Smith says. "We require that all of our code gets secure code reviewed prior to adoption. When we find security issues ... those findings get CIO attention," he says. "And CIOs review on a monthly basis with the CISO the status of all the applications." But Smith notes that recruiting security-minded developers remains difficult. "The academic environment is still not producing enough adequately trained secure developers. So with newly hired developers we have assumed the role of training them how to develop more securely," he says.

Despite the regular flow of bugs and breaches, software overall is getting cleaner and more secure, experts say. But the volume of code is increasing, too.

"We are in face getting better at software security. That's what's subtly happening. The defect density ratio is going down: There are fewer bugs per square inch," says Gary McGraw, CTO of Cigital and one of the founders of BSIMM. "We are still building lots more software, so we have way more square miles of code than ever before."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.