In a world with millions of cyberattacks daily, the Building Security in Maturity Model (BSIMM) won't make an enterprise bullet-proof. But it will help move a company in that direction, say its founders and members.
BSIMM is a set of best security practices developed by analyzing what different companies have tried and found effective. It began in September 2009, when founders Gary McGraw and Sammy Migues of Cigital and Brian Chess of Fortify went public with the results of nine software security initiatives.
Its latest annual report, this past September, included 51 initiatives and 111 specific activities, about 30 of which are common to more than two thirds of the participants, which include some of the biggest names in finance, software and information technology: Capital One, Bank of America, Fidelity, Fannie Mae, Microsoft, Nokia, Google, Adobe, Symantec, Intel, Intuit, Visa and Wells Fargo.
McGraw and Jacob West, CTO of Fortify Products at HP, told CSO Online this week that one of the best things about the growth is that the model has reached a critical mass, meaning it can now provide a credible guide to improve security even for those who are not members. The information is free under the Creative Commons License.
[See related: A new hope for software security?]
As McGraw has said in the past, the BSIMM does not present a set of instructions. "It is a descriptive model, not prescriptive. It doesn't tell you what you should do. It tells you what other people are already doing," he said.
Or, in this case, it represents what pretty much everyone in the club is doing. Of the 111 activities in the latest, McGraw and West are promoting 12 that are being practiced by almost all the membership, which has expanded to 59 since the September report was released.
That means IT leaders of companies can take a look at the end of the year and compare their own security practices with the 12 most common activities used by the BSIMM members. "If you're not doing them, you probably need to improve your security, and this is a way to get started," McGraw said. "You can see what is already working."
The top 12 activities are:
- Identify gate locations and gather necessary artifacts, but don't enforce it immediately. This, said McGraw, is about getting people ready for it, so when it is turned on, those that should get past it are able to.
- Identify PII (personally identifiable information). "That means figuring out what data is sensitive and how it needs to be protected," West said.
- Provide awareness training - teach developers why security, as well as features, is important.
- Gather attack intelligence. This can be done, McGraw said, "through subscription services that provide those data. You can do it yourself, but some get help from the outside. You can only build secure stuff if you know who your attackers are."
- Build and publish security features.
- Create security standards. "This is a little bureaucratic," McGraw said, "but if you tell people what's expected, you can enforce standards."
- Do a security feature review. "Architecture analysis is the most difficult part of software security," West said. "So this means just focusing on the security features to make sure you do them right."
- Use automated tools along with manual review. "You get the code and run it though a tool looking for bugs," West said. "But tools aren't perfect -- you need a human to be checking it as well."
- Ensure that QA (quality assurance team) supports edge/boundary value condition testing. "QA people focus on functions and features, to make sure they're working," McGraw said. "This is to make them think about what the bad guys would do -- to make them ask what happens when the wrong thing happens on purpose."
- Use external penetration testers to find problems. This, West said, is not a "bug bounty system," where a company offers a reward to hackers or others to find flaws in software. "This is about black-box testing at the end of the (development) life cycle," he said.
- Ensure host and network security basics are in place. This is about making sure that the connection between software and the rest of the system is in place. "It's similar to putting your underwear on before your pants," McGraw said.
- Identify software bugs found through operations monitoring and feed them back to development. McGraw, an evangelist for "building security in," said even the best efforts to do that are not going to be perfect. "Software is going to have problems," he said. "But you don't bolt something on. You fix the development life cycle -- the process."
Both McGraw and West say doing these activities -- even doing all 111 of the activities approved through the BSIMM collaboration -- is not going to make companies immune from every cyber attack. But they said it is going to help companies be proactive about security, instead of reacting and trying to contain the damage after having been breached and compromised.
"Windows 8 is not perfect, but it's way better than Windows 95 in terms of security," McGraw said.
West said it was difficult a decade ago to convince enterprise executives of the need for security, "and now it's common practice.
"It's not going to happen anytime soon," McGraw said. "But the good guys are going to win."