A New Hope for Software Security?

Security firms Fortify and Cigital introduce a new maturity model to help companies make software that's more secure than you can possibly imagine. But is the Force with them?

By Bill Brenner, Senior Editor

March 10, 2009 | CSO

Certain scenes from Star Wars come to mind when pondering the long, bitter struggle for software security.

There's the X-Wing pilot who repeatedly chants "almost there" as he closes in on the Death Star's exhaust port, only to fire his torpedoes and watch them explode harmlessly on the surface. Security practitioners always try to seal holes in their IT infrastructure so attacks will fizzle on the surface, but the bad guys punch through anyway, leaving behind that "bad feeling" Luke Skywalker and Han Solo are always whining about. [See: Security Lessons from the Movies]

In the world of software development, there's always going to be the risk that a flaw is left behind that can later be exploited by the dark side. But folks from security firms Cigital and Fortify have introduced a new maturity model they hope will help software writers build a more secure superstructure around their code. [See: Security Experts ID Top 25 Programming Errors]

The result is BSIMM -- the Building Security In Maturity Model. It's a set of best practices Cigital and Fortify developed by analyzing real-world data from nine leading software security initiatives and creating a framework based on common areas of success.

"Our hope is to help transform the concept of software security from alchemy to empirical science," says Cigital CTO Gary McGraw, a long-time advocate for more security in the code-writing process. "After a decade of trying to convince everyone that software security is important and there are best practices to follow, the time has come to study what companies are actually doing to get software secure."

By studying what the nine initiatives were doing, BSIMM's creators were able to build a best-practices model that's broken into 12 categories software makers can follow:

1. Strategy and metrics
2. Compliance and policy
3. Training
4. Attack models
5. Security features and design
6. Standards and requirements
7. Architecture analysis
8. Code review
9. Security testing
10. Penetration testing
11. Software environment
12. Configuration and vulnerability management

Delving deeper, the BSIMM model recommends such things as employing one dedicated security practitioner for every 100 software developers on a staff.

Fortify Co-Founder and Chief Scientist Brian Chess says he is already seeing some professionals latch onto that suggestion.

"We've seen some companies who are looking at layoffs use the BSIMM data to say hey, we're already behind on software security" and cutting security specialists will only make matters worse, Chess says.

The BSIMM Web site notes that while particular methodologies differ (OWASP CLASP, Microsoft SDL or Cigital Touchpoints, for example), many initiatives share common ground.
