News

First Data Based Security Maturity Model Released

• By John K. Waters
• March 17, 2009

A newly released maturity model could be the first to shed new light on how enterprises are implementing security initiatives in their internal software development efforts.

Security consulting firm Cigital and security solutions provider Fortify Software have together published the Building Security In Maturity Model (BSIMM), derived from the companies' study of the security initiatives of two large players in the financial services industry and seven major technology companies.

BSIMM (pronounced "bee-simm") is based on observations of enterprise security initiatives at Microsoft, Google, Qualcomm, Adobe Systems, EMC, Wells Fargo Bank and the Depository Trust & Clearing Corporation (DTCC). Two other companies who participated declined to be identified.

Gartner Fellow Joseph Feiman believes that the BSIMM is the first maturity model (a tool for describing and assessing an organization's processes) for security initiatives developed from real-world data. "It's a very good idea, and an important first step," Feiman said

A maturity model for security initiatives might help bridge the gap that typically separates businesspeople from technology people, he added. "Processes and methodologies are things that CIOs and department managers know," he said. "The BSIMM provides this maturity model, which would be accepted by those not on the security team."

The BSIMM is based on in-depth interviews with nine companies chosen from 35 organizations the authors considered as having implemented the most successful software security initiatives in the world. They collected a range of data on each organization's software security activities, including things like strategy and metrics, standards and requirements, security testing, code review, and training.

"Our goal was to build an empirical model for software security based on real, observed practices," said Gary McGraw, Cigital's CTO and co-author of the BSIMM.

Based on their observations, the authors compiled a list of 110 practices organized around a Software Security Framework (SSF), which provides a "conceptual scaffolding" for the BSIMM. McGraw emphasized that most organization shouldn't attempt to adopt all 110 practices. "Just do what's smart," he said.  

A place to start is with 10 activities the authors consider as the core model, said Sammy Migues, Cigital's director of knowledge management and a co-author of the BSIMM. According to the BSIMM, these 10 activities are:

• "Create evangelism role/internal marketing.
• Create policy.
• Provide awareness training.
• Create/use material specific to company history.
• Build/publish security features (authentication, role management, key management, audit/log, crypto, protocols).
• Have software security group lead review efforts.
• Use automated tools along with manual review.
• Integrate black box security tools into the QA process (including protocol fuzzing).
• Use external penetration testers to find problems.
• Ensure host/network security basics in place."

The willingness of most of the companies involved to allow their names to be used was a significant surprise, said Brian Chess, Fortify's co-founder and chief scientist and the third author of the BSIMM. "We were floored when we came back, showed them the BSIMM, and seven of the nine companies agreed to allow us to use their names," Chess said.

While companies like Microsoft have been straightforward about what they're doing about software security, others like Wells Fargo rarely disclose what they do around security, Chess said. "I hope this helps to build something that's really missing: a community of software security practitioners," he said.

Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group, sees the BSIMM as something of a validation of Microsoft's Security Development Lifecycle (SDL). "We do virtually all of the activities defined by the BSIMM," he said. "And about three-quarters of the BSIMM activities are covered by the SDL. The rest are covered by other internal Microsoft security and privacy policies."

The next step is to grow the model, McGraw said. "We want to get to the next nine companies. We might find a 111th activity that clarifies the picture even more."

The authors also want to take their maturity model down-market, Migues said. "We don't know how this model applies to smaller companies," he said. "This comprehensive set of activities appears to work really well for large, established software security groups. But when you have 50 or 100 developers and a small pocket book, and you don't have five or 10 years to evolve, what does that mean? We intend to find out."

Perhaps more important than size is finding out whether this can be applied to companies that are not as technology-focused as those who participated in the BSIMM, Feiman said. "What the BSIMM could use in the future is some recommendations for late technology adopters."

The BSIMM is available now under a Creative Commons license.