
Risk | Products and Releases
Dark Reading, 3/6/2009, 05:50 PM

Fortify, Cigital Release Software Security Program Benchmarks

Building Security In Maturity Model (BSIMM) pulls together a set of activities practiced by nine of the 25 most successful software security initiatives in the world

SAN MATEO, CA, and DULLES, VA, March 5, 2009 - Fortify Software, the market leader in Software Security Assurance solutions, and Cigital, the largest consulting firm specializing in software security, announced today the release of the "Building Security In Maturity Model (BSIMM)," the industry's first-ever set of benchmarks for developing and growing an enterprise-wide software security program.

Based on in-depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust & Clearing Corporation (DTCC), the BSIMM pulls together a set of activities practiced by nine of the 25 most successful software security initiatives in the world. Unlike some industry standards, BSIMM is a structured set of practices based on real-world data rather than philosophy and ideas. BSIMM provides insight on what successful organizations actually do to build security into their software and mitigate the business risk associated with insecure applications.

"Microsoft's Security Development Lifecycle (SDL) was one of the first real enterprise software security methodologies, and we are always eager to share our ideas and best practices with the industry," said Steve Lipner of Microsoft. "BSIMM provides a public 'yardstick' for measuring the progress of any organization's own software assurance program."

"Software security has turned the corner from a good idea to a business necessity. The industry has finally reached a point where enough real experience has been accumulated to compare notes and talk about what works," said Dr. Gary McGraw, CTO of Cigital and author of Software Security. "Using BSIMM, an organization can determine where its software security initiative stands, figure out how to evolve its initiative strategically, or even get a brand new initiative off the ground. BSIMM is a tool for identifying realistic business goals and implementing those technical software security activities that make the most sense for an organization."

"Virtually every organization today relies on software to operate, and at the same time the threat to that software is at an all-time high," said Dr. Brian Chess, co-founder and Chief Scientist of Fortify Software. "Businesses need software that doesn't leak millions of identity records, gin up huge legal liabilities, or allow secrets to fall into the wrong hands." Chess, McGraw and coauthor Sammy Migues collected data on each initiative's software security activities for strategy and metrics, training, standards and requirements, security testing, code review, etc., and uncovered a number of common themes among each of the successful initiatives, including:

The necessity of a Software Security Group: Each of the nine enterprises has a designated group of software security personnel, the SSG, tasked with carrying out and facilitating software security. Average SSG size is just over one percent of the size of the software development organization.

Advocacy over audit: Successful SSGs, even in regulated industries, always emphasize security education, technical resources, and mentoring rather than policing for security errors and handing out punishments.

Use of automated technologies: Each organization performs automated code review and deploys black box testing tools, but use of these technologies requires considerable SSG know-how.

Training for development: All organizations have an institutionalized security training curriculum for programmers, QA engineers, and project managers.

"I was surprised by the amount of common ground discovered between the financial services organizations, ISVs, and technology companies in the BSIMM study," said Jim Routh, CISO of Depository Trust & Clearing Corporation (DTCC). "All software security initiatives are by no means identical, but these findings demonstrate that an organization isn't going it alone when it comes to software security: you can learn from your peers. The BSIMM encapsulates important lessons from the best programs around."

"Comprehensive software security involves a combination of people, processes, and technologies, and it almost always requires some change to the way the organization operates," said analyst Joe Feiman of Gartner. "As software security comes of age, using a maturity model will only help to accelerate your enterprise security initiative." The BSIMM is the first such maturity model created entirely from real-world data.

Over the next several months, Cigital and Fortify will gather data from other leading software security initiatives to enhance the study and provide additional insight on trends and activities particular to certain vertical industries and company sizes, among other factors.

The BSIMM is available under a Creative Commons license at http://bsi-mm.com.

About Fortify Software, Inc.

Fortify's Software Security Assurance products and services protect companies from the threats posed by security flaws in business-critical software applications. Its software security suite, Fortify 360, drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com or on the company blog.

Press Contact: Katherine Nellums, Merritt Group, 415-247-1663, Nellums@merrittgrp.com

About Cigital

Cigital, Inc. is the leading software security and quality consulting firm. Established in 1992, Cigital plans and implements initiatives that help organizations ensure their applications are secure and reliable while also improving how they build and deploy software. Our recognized experts apply a combination of proven methodologies, tools, and best practices to meet each client's unique requirements. Cigital is headquartered near Washington, D.C. with regional offices in the U.S. and India.

Media Contact: Terri Randolph, Cigital, 703-404-5757, trandolph@cigital.com
