Gary McGraw says he's on a mission with dozens of others to improve application security.
The noted software security expert and author has been documenting the software development processes at major firms to find out how security is effectively applied. The data collected is then analyzed and formatted so other firms can use some of the security methods in their own development organizations.
"What you get as a result is something driven completely by observation, completely by data and thus, it makes a really good measuring stick for comparing initiatives to each other," McGraw said. "A lot of people believed that independent software vendors would do software security differently than financial services firms; it turned out we were wrong."
McGraw, chief technology officer of software security consultancy Cigital Inc., released version 2 of the Building Security in Maturity Model (BSIMM), expanding the number of companies analyzed from nine in the original version released last year to 30. He and his team, which includes Sammy Migues, an expert and principal at Cigital, and Brian Chess of Fortify Software Inc., interviewed dozens of firms and confirmed many similarities and also noted differences in their software security processes. The security framework within the BSIMM software security model lists 109 "activities" companies can take, from training and code review to penetration testing and standards and requirements, and ranks them by the number of firms using them.
McGraw said the industry has made significant progress on bolstering software security.
"Fifteen years ago you would have been hard pressed to find 30 software security initiatives on the whole planet and now we think we've only covered about half of the ones that we know about," McGraw said. "We're continuing to grow the BSIMM and we'll continue to add even more data as other firms get involved in the study."
A dozen of the firms studied by the team are in the financial services industry, known for being a step ahead in software security. Software development experts at independent software vendors, including Microsoft, were also interviewed, but the list includes a mixture of technology firms, healthcare, media companies and others. The list includes dozens of well-known names including Adobe Systems Inc., Bank of America, Google, and Sallie Mae.
McGraw said BSIMM is different from other models like the COBIT best practices framework in that it doesn't make any recommendations. Critics of such models say they are very paper-driven and that companies often fall short when it's time to execute on a recommendation. BSIMM, by contrast, was designed to lay out the data collected in a way that enables organizations to decide for themselves what areas need to be addressed, Migues said.
"There were a lot of prescriptive things out there; things that tell you what to do," Migues said. "We went out and interviewed firms and built a descriptive model on what they're actually doing. And we needed to create it in such a way that you could actually use the data to figure out what you might want to do next and how you might compare yourself to your peers."
The only two prerequisites for success, identified as similarities across all 30 firms studied by the BSIMM team, were the presence of a senior executive to manage operations and a sizeable software security group (SSG). On average, organizations had approximately one SSG member for every 100 developers writing code, McGraw said. The SSG is typically centralized in the beginning but becomes distributed throughout the company as secure software development processes mature, he said.
"You might have every software group using a static analysis tool or a dynamic testing tool in QA. That activity is helped along by the SSG, but they don't review every single line of code," McGraw said. "So we're talking about a lot of people doing software security, which is pretty cool."
BSIMM gains advisory board, annual conference
McGraw has added an advisory board to share best practices and further improve the model. Members include Steve Lipner, senior director of security engineering at Microsoft; Eric Baize, senior director, product security office, EMC Corp.; Jeff Cohen, head of product security assurance at Intel Corp.; Janne Uusilehto, director and head of product security at Nokia; and Brad Arkin, director of product security and privacy at Adobe.
The organization is planning a software security conference this year in Washington D.C.