A New Hope for Software Security?
Security firms Fortify and Cigital introduce a new maturity model to help companies make software that's more secure than you can possibly imagine. But is the Force with them?
By Bill Brenner, Senior Editor
March 10, 2009, CSO
Certain scenes from Star Wars come to mind when pondering the long, bitter struggle for software security.
There's the X-Wing pilot who repeatedly chants "almost there" as he closes in on the Death Star's exhaust port, only to fire his torpedoes and watch them explode harmlessly on the surface. Security practitioners always try to seal holes in their IT infrastructure so attacks will fizzle on the surface, but the bad guys punch through anyway, leaving behind that "bad feeling" Luke Skywalker and Han Solo are always whining about.
In the world of software development, there's always going to be the risk that a flaw is left behind that can later be exploited by the dark side. But folks from security firms Cigital and Fortify have introduced a new maturity model they hope will help software writers build a more secure superstructure around their code. (See Security Experts ID Top 25 Programming Errors.)
The result is BSIMM -- the Building Security In Maturity Model. It's a set of best practices Cigital and Fortify developed by analyzing real-world data from nine leading software security initiatives and creating a framework based on common areas of success.
"Our hope is to help transform the concept of software security from alchemy to empirical science," says Cigital CTO Gary McGraw, a long-time advocate for more security in the code-writing process. "After a decade of trying to convince everyone that software security is important and there are best practices to follow, the time has come to study what companies are actually doing to get software secure."
By studying what the nine initiatives were doing, BSIMM's creators were able to build a best-practices model that's broken into 12 categories software makers can follow:
1. Strategy and metrics
2. Compliance and policy
3. Training
4. Attack models
5. Security features and design
6. Standards and requirements
7. Architecture analysis
8. Code review
9. Security testing
10. Penetration testing
11. Software environment
12. Configuration and vulnerability management
Delving deeper, the BSIMM model recommends such things as employing one dedicated security practitioner for every 100 software developers on a staff.
Fortify Co-Founder and Chief Scientist Brian Chess says he is already seeing some professionals latch onto that suggestion.
"We've seen some companies who are looking at layoffs use the BSIMM data to say hey, we're already behind on software security" and cutting security specialists will only make matters worse, Chess says.
The BSIMM Web site notes that while particular methodologies differ (OWASP CLASP, Microsoft SDL or Cigital Touchpoints, for example), many initiatives share common ground.
"This common ground is captured and described in BSIMM. As an organizing feature, we introduce and use a Software Security Framework (SSF) which provides a conceptual scaffolding for BSIMM," they say. "Properly used, BSIMM can help you determine where your organization stands with respect to real-world software security initiatives and what steps can be taken to make your approach more effective."