Software security consulting firm Cigital is issuing the fourth version of its Building Security In Maturity Model (BSIMM), Tuesday marking an expansion of the project, which assessed 51 firms to get an accurate snapshot of their software security activities.
I think it's important that our developers know this team exists and we're looking for this code written for malicious intent.
David Smith, vice president of the application security group, Fidelity
BSIMM4 is a measuring stick that gauges the differences in product security between the participating firms. It helps anyone responsible for creating and executing a software security initiative to understand the commonalities and differences in the software security activities among the firms studied.
BSIMM4 includes two new activities identified by the BSIMM assessment team: Malicious Code Detection, which is used to identify dangerous code written by malicious in-house developers or outsource providers, and Software Security Crisis Simulation activities, which evaluate how the incident response team and product groups can effectively respond to incidents.
The study assesses the firms against 95 distinct measurements, said Gary McGraw, chief technology officer of Dulles, Va.-based Cigital. The study found that of the firms studied, two people are doing software security full time for every 100 developers, McGraw said. Of more than 3,000 people identified as performing software-security-related activities in their firms, nearly 975 were identified as directly working in their software security group every day, full time, according to McGraw.
"If you use software on any given day, it's very likely you'll use software that BSIMM had directly impacted," McGraw said. "If your firm is not doing software security, you are behind and are getting further behind every day."
McGraw said BSIMM is being used to justify expenditures on software security by savvy executives because it can show how a particular firm compares to its peers. The study is big enough that it now enables software security pros to compare their firms' performance against their industry peers, according to McGraw. For example, 19 financial services firms can be assessed against each other.
"When people can compare what they are doing to their peer group, it is powerful and helpful to the field," McGraw said.
Intel undergoes software simulation drills
Jeffrey Cohen, head of product security assurance at Santa Clara, Calif.-based Intel Corp., indicated that Intel is one of several firms that experienced the newly identified activity: software simulation drills. As the lead of Intel's product security incident response team (PSIRT), Cohen said he organizes table-top exercises with the company's product groups, walking through different hypothetical scenarios to see how teams respond.
"These simulations help build awareness of what some of the risks might be. It makes it more concrete when you're looking at an actual scenario," Cohen said. "You learn things about how teams might respond to a real issue and how they might respond better. That helps improve response plans."
Intel was first assessed by the BSIMM in early 2010, several years after having established their formal company-wide product security initiative. “The two day BSIMM assessment was rigorous,” Cohen said. “More than a dozen people were interviewed as part of the assessment, getting a sampling of individuals that support software security activities at the company.”
Cohen said the BSIMM helped Intel to assess and advance its capabilities.
"The BSIMM assessment seemed to be a reasonable assessment of how we stacked up against the different measurements in the model and really helped accelerate our understanding of our peers," Cohen said. "One of things that makes Intel different is that we address hardware and software as part of our security program. The BSIMM itself and its different measurements work quite well, whether you're talking about anything from a Web app to a driver to a piece of hardware. The same kinds of principles apply."
Cohen also participates in a mailing list and an annual conference of BSIMM participants, where software security experts share ongoing activities, new initiatives and some of the challenges they are encountering. “In my opinion, prior to the BSIMM study, communication between security-conscious software experts in the industry was more "hit-or-miss," Cohen said. The BSIMM community has created a forum of like-minded people to get together and share their experiences, he said.
Participants in the BSIMM are finding that if 30 to 40 other companies are doing an activity, a firm can determine whether it too would gain any benefit in implementing an activity. It helps guide an organization's focus and gives supporting data to managers that control budgets and can invest in new initiatives.
Fidelity adds malicious code detection team
Fidelity created a malicious code detection team to be proactive about monitoring in-house developers and outsource providers who work for the financial giant, said David Smith, vice president of the application security group at Fidelity. The code review uses automated tools to look for insider threats versus external hacker threats.
"I think it's important that our developers know this team exists and we're looking for this code written for malicious intent," Smith said.
Fidelity continues to invest in new software security activities because executive management values it and has created a security-aware culture, Smith said. Executive support and creating an environment where security can thrive is difficult for firms getting a program started, he said.
Smith said he was able to strengthen his group's architectural design and security testing processes, following a BSIMM assessment. The program improvements reduced security vulnerabilities by half, he said. The company uses the BSIMM results to identify areas for improvement in its program and as evidence that an independent third party has assessed its program compared to the industry's best, he said.
"BSIMM gave me the ammo to show why certain areas were important," Smith said. "Armed with BSIMM data, we proposed some programs, and it's proved very fruitful."