WatersWorks

BSIMM6 Reflects the State of Software Security

It's been seven years since a group of software security mavens set out to create a "fact-based" set of best practices for developing and growing an enterprise-wide software security program. That set of practices, known today as the Building Security In Maturity Model (BSIMM), was the first maturity model for security initiatives created entirely from real-world data.

"Our goal was to build an empirical model for software security based on real, observed practices," Gary McGraw, CTO of app security firm Cigital and co-author of the original BSIMM, told me at the time. "We believe that the time has come to put away the bug-parade boogey man, the top-twenty-five tea leaves, the black-box web-app goat sacrifice, and the occult reading of pen-testing entrails. This is an entirely data-driven model. If we didn't observe an activity, it didn't get into the model."

This week, McGraw and co-authors Sammy Migues, principal at Cigital, and Jacob West, chief architect at cloud-based business management software provider NetSuite, released BSIMM6. The latest edition was based on the real-world security initiatives reported by 78 companies, including Adobe Systems, Bank of America, Box, EMC, LinkedIn, PayPal, Salesforce, The Home Depot and VMware. The number of participating companies has grown every year since the first edition, which was based on studies of nine software security initiatives, was published in 2008.

More companies actually participated this year, but the authors chose to focus on firms with data that were 42 months old or younger, McGraw told me. This year's model also includes data from two new verticals: healthcare and consumer electronics. (The other two are financial services and independent software vendors.) The inclusion of data from healthcare organizations was especially timely, following the recent Anthem and UCLA Health data breaches.

"It was interesting to expand the study into health care," McGraw said. "And it's pretty clear that vertical as a whole has some work to do, though there are some very good outliers in the population." McGraw points to managed health care company Aetna and its chief information security officer, Jim Routh, as an example of such an outlier.

"BSIMM continues to be the authoritative source of observed practices and activities from the most mature software security programs across industries," Routh said in a statement, "and BSIMM6 offers excellent trend analysis compared with past data points indicating the evolution of software security maturity." Routh also serves as chairman of NH-ISAC, which is a nonprofit organization responsible for cyber security in the healthcare sector.

A "maturity model" describes the capability of an organization's processes in a range of areas, from software engineering to personnel management. The Capability Maturity Model (CMM) is a well-known example from software engineering. The BSIMM (pronounced "bee-simm") serves as a kind of measuring stick, its authors say, which is best used "to compare and contrast your own initiative with the data about what other organizations are doing contained in the model."

The BSIMM is organized into a software security framework that comprises a set of 112 activities grouped under four domains:

  • Governance, which includes practices that help organize, manage and measure a software security initiative. Staff development is also a central governance practice.
  • Intelligence, which includes practices that result in collections of corporate knowledge used in carrying out software security activities throughout the organization. Collections include both proactive security guidance and organizational threat modeling.
  • SSDL Touchpoints, which includes Software Security Development Lifecycle practices associated with analysis and assurance of particular software development artifacts and processes. All software security methodologies include these practices.
  • Deployment, which includes practices that interface with traditional network security and software maintenance organizations. Software configuration, maintenance and other environment issues have direct impact on software security.

The data in this and other BSIMM releases shows that highly mature initiatives are "well-rounded" and carry out 12 core activities, including:

  • Identifying gate locations and gathering necessary artifacts.
  • Identifying PII (personally identifiable information) obligations.
  • Providing awareness training.
  • Creating a data classification scheme and inventory.
  • Building and publishing security features.
  • Creating security standards.
  • Performing security feature review.
  • Using automated tools along with manual review.
  • Driving tests with security requirements and security features.
  • Using external penetration testers to find problems.
  • Ensuring host and network security basics are in place.
  • Identifying software bugs found in operations monitoring and feeding them back to development.

"We're getting to the stage in the model where, now that we have 29 times more data than we started with, we understand what firms should be doing," McGraw said. "That's the good news; the bad news is, not everybody is doing it yet. We've measured 104 firms with the BSIMM, but there are a lot more companies out there than that."

The BSIMM is a useful reflection of the current state of software security initiatives in the enterprise, and, given how hard it can be to get any organization to communicate honestly about its security practices, something of a miracle. As McGraw likes to say, it was a science experiment that escaped the test tube to become a de facto standard.

"That's very gratifying, personally," McGraw said, "but the important thing is the emphasis here of real data, and the use of facts in computer security. I think we've finally moved past the witchdoctor days in software security."

There's much, much more in the free report, which I consider a must-read. Also, Cigital has scheduled a BSIMM6 webinar for Tuesday, Nov. 10, which organizers say will cover how companies can apply the BSIMM information to their security programs. The event will be led by Cigital's Paco Hope.

Posted by John K. Waters on October 20, 2015