Software security consulting company Cigital has issued the third version of its Building Security In Maturity Model (BSIMM), expanding the scope of the project to assess 42 firms, double the previous measurement of BSIMM2. The goal of the document is to enable other firms to compare their software security initiatives to enterprises with mature models and develop a list of priorities to make incremental improvements.
The focus here is not on the exact route an organization should take up the mountain, but how high an organization can get up the mountain.
Gary McGraw, CTO, Cigital
BSIMM3 participants come from eight vertical industries: financial services, independent software vendors, technology firms, telecommunications, insurance, energy, media and health care. Some well-known names include Adobe Systems, Bank of America, EMC Corp., Google, Microsoft, SAP, Symantec and Thomson Reuters.
The BSIMM study found that no matter what industry they were in, organizations with mature software development operations typically have a senior executive in charge of software security. All of the participants had created a software security group (SSG) to structure and manage the development program.
In addition, the study found leading firms on average employ two full-time software security specialists for every 100 developers. Organizations with successful secure software development programs also take a balanced approach, creating processes that measure progress while addressing compliance and policy, architecture analysis, code review, security testing, penetration testing and configuration management.
Business software giant SAP AG has been a participating member of BSIMM since the study began. The software maker, which has very mature secure coding practices by the BSIMM measurements, had to inject more security into its process beginning about a decade ago when business systems started to become more closely connected to the Internet. Up until then, the focus at SAP had been almost solely on authentication and authorization, he said.
SAP found that having a set of rigid secure coding process to follow was helpful in getting product management teams and developers moving in the same direction, said Gunter Bitz, senior manager of product security governance at SAP. Bitz heads a dedicated team responsible for making sure secure development processes are run correctly and measure whether new initiatives are working. He said the formalized processes must be followed throughout a product's lifecycle or the product won’t ship.
“We implemented many processes to focus on getting security tightly integrated with the software development process," Bitz said.
Many firms took a lesson from Microsoft, which began documenting the improvements to its secure software development processes in 2002 following a stream of virulent malware that were targeting Windows systems, such as Melissa, Code Red and Nimda.
But BSIMM shows one size does not fit all when it comes to secure software development programs, said Gary McGraw, CTO of Cigital, who created the BSIMM project with Sammy Migues of Cigital and Brian Chess of software security firm, HP Fortify. For BSIMM3, the team revisited 11 participating firms to document how large-scale software security initiatives change over time.
“We measured 42 firms and ended up with 42 distinct and very diverse approaches to software security,” McGraw said. “The focus here is not on the exact route an organization should take up the mountain, but how high an organization can get up the mountain.”
BSIMM helped EMC confirm its secure coding practices and processes were significant and in-line with other forward thinking organizations, said Eric Baize, senior director in the office of strategy and technology at RSA, the security division of EMC Corp. The storage and security giant was among the first participants interviewed by the BSIMM team in 2009.
“It’s been helpful in benchmarking ourselves as relates to specific activities and then applying what we learned to improve and work on new practices,” he said. “BSIMM validates what we’re doing and whether we are the only organizations doing it.”