Network Computing is part of the Informa Tech Division of Informa PLC


BSIMM Shows Best SDLC Practices

An analysis of the secure software development programs at 30 top companies provides a gauge against which organizations can measure their own initiatives. The second version of Building Security in Maturity Model  (BSIMM "bee-sim"), released today, expands on the data set of last year's findings, which were based on interviews with nine companies. BSIMM is the work of three leading application security experts, Cigital's Gary McGraw and Sammy Migues and Fortify Software's Brian Chess.

"Everybody has a [software security] methodology," said McGraw. "BSIMM is not a methodology; it's a measuring stick. So, Microsoft using their software development lifecycle (SDLC) can measure with BSIMM; EMC, which has its own home-brewed solution, can be measured with BSIMM; Bank of America using [Cigital's] Touchpoints can be measured with BSIMM."

The model is built around a software security framework defined by four broad domains, each of which is divided into three practices:

  • Governance: Strategy and metrics; compliance and policy; training.
  • Intelligence: Attack models; security features and design; standards and requirements.
  • Software security development lifecycle (SSDL) touchpoints: Architecture analysis; code review; security testing.
  • Deployment: Penetration testing; software environment (i.e., things like OS and platform patching, application monitoring, change management); configuration and vulnerability management.

The heart of the model lies in the prevalent activities (defined as actions carried out in support of one of BSIMM's practices) the researchers found consistently applied across the 30 companies. The researchers identify 15 such activities that are carried out by at least 20 of the firms. The implication is that if at least two-thirds of the top software security programs are engaged in a particular activity, it's worth your attention.

For example, all 30 firms ensure that both network and host security basics are in place. "That's the most obvious one," said Chess. "People are also doing network and host-based security. If you haven't figured out your firewall, you're not ready to deal with code." Most of the firms also use external penetration testers, "even people who are pretty good at it themselves," Chess noted. Other widely applied activities include policy creation, understanding compliance pressures, awareness training, identifying security gating checkpoints, creating security standards, working with incident response, and data classification and inventory.

This second round of interviews, adding information from 21 companies, is meant to "create a data set that is statistically significant," McGraw said. The additional data resulted in some changes in the 15 most prevalent activities, but only minor "tweaks" in the framework itself. "We found that the original model was surprisingly accurate," he said. They also included nine European companies in Round Two and found few differences between their practices and those of U.S. firms.
