Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/6/2009
05:50 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Fortify, Cigital Release Software Security Program Benchmarks

Building Security In Maturity Model (BSIMM) pulls together a set of activities practiced by nine of the 25 most successful software security initiatives in the world

SAN MATEO, CA., and DULLES, VA " March 5, 2009 " Fortify Software, the market leader in Software Security Assurance solutions, and Cigital, the largest consulting firm specializing in software security, announced today the release of the "Building Security In Maturity Model (BSIMM)," the industry's first"ever set of benchmarks for developing and growing an enterprise"wide software security program.

Based on in"depth interviews with leading enterprises such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust & Clearing Corporation (DTCC), the BSIMM pulls together a set of activities practiced by nine of the 25 most successful software security initiatives in the world. Unlike some industry standards, BSIMM is a structured set of practices based on real"world data rather than philosophy and ideas. BSIMM provides insight on what successful organizations actually do to build security into their software and mitigate the business risk associated with insecure applications.

"Microsoft's Security Development Lifecycle (SDL) was one of the first real enterprise software security methodologies, and we are always eager to share our ideas and best practices with the industry," said Steve Lipner of Microsoft. "BSIMM provides a public 'yardstick' for measuring the progress of any organization's own software assurance program."

"Software security has turned the corner from a good idea to a business necessity. The industry has finally reached a point where enough real experience has been accumulated to compare notes and talk about what works," said Dr. Gary McGraw, CTO of Cigital and author of Software Security. "Using BSIMM, an organization can determine where its software security initiative stands, figure out how to evolve its initiative strategically, or even get a brand new initiative off the ground. BSIMM is a tool for identifying realistic business goals and implementing those technical software security activities that make the most sense for an organization."

"Virtually every organization today relies on software to operate, and at the same time the threat to that software is at an all"time high," said Dr. Brian Chess, co"founder and Chief Scientist of Fortify Software. "Businesses need software that doesn't leak millions of identity records, gin up huge legal liabilities, or allow secrets to fall into the wrong hands." Chess, McGraw and coauthor Sammy Migues collected data on each initiative's software security activities for strategy and metrics, training, standards and requirements, security testing, code review, etc., and uncovered a number of common themes among each of the successful initiatives, including:

The necessity of a Software Security Group: Each of the nine enterprises has a designated group of software security personnel"the SSG"tasked with carrying out and facilitating software security. Average SSG size is just over one percent of the size of the software development organization. Advocacy over audit: Successful SSGs, even in regulated industries, always emphasize security education, technical resources, and mentoring rather than policing for security errors and handing out punishments. Use of automated technologies: Each organization performs automated code review and deploys black box testing tools, but use of these technologies requires considerable SSG know"how. Training for development: All organizations have an institutionalized security training curriculum for programmers, QA engineers, and project managers.

"I was surprised by the amount of common ground discovered between the financial services organizations, ISVs, and technology companies in the BSIMM study," said Jim Routh, CISO of Depository Trust & Clearing Corporation (DTCC). "All software security initiatives are by no means identical, but these findings demonstrate that an organization isn't going it alone when it comes to software security"you can learn from your peers. The BSIMM encapsulates important lessons from the best programs around."

"Comprehensive software security involves a combination of people, processes, and technologies, and it almost always requires some change to the way the organization operates," said analyst Joe Feiman of Gartner. "As software security comes of age, using a maturity model will only help to accelerate your enterprise security initiative." The BSIMM is the first such maturity model created entirely from real"world data.

Over the next several months, Cigital and Fortify will gather data from other leading software security initiatives to enhance the study and provide additional insight on trends and activities particular to certain vertical industries and company sizes, among other factors.

The BSIMM is available under creative commons license here: http://bsi-mm.com.

About Fortify Software, Inc. Fortify''s Software Security Assurance products and services protect companies from the threats posed by security flaws in business"critical software applications. Its software security suite"Fortify 360"drives down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software's customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e"commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world"class teams of software security experts and partners. More information is available at www.fortify.com or visit our blog.

Press Contact Katherine Nellums Merritt Group 415-247-1663 [email protected]

About Cigital Cigital, Inc. is the leading software security and quality consulting firm. Established in 1992, Cigital plans and implements initiatives that help organizations ensure their applications are secure and reliable while also improving how they build and deploy software. Our recognized experts apply a combination of proven methodologies, tools, and best practices to meet each client's unique requirements. Cigital is headquartered near Washington, D.C. with regional offices in the U.S. and India.

Media Contact: Terri Randolph Cigital 703-404-5757 [email protected]

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.