BSIMM Shows Best SDLC Practices

An analysis of the secure software development programs at 30 top companies provides a gauge against which organizations can measure their own initiatives. The second version of Building Security in Maturity Model (BSIMM "bee-sim"), released today, expands on the data set of last year's findings, which were based on interviews with nine companies. BSIMM is the work of three leading application security experts, Cigital's Gary McGraw and Sammy Migues and Fortify Software's Brian Chess.

May 13, 2010


"Everybody has a [software security] methodology," said McGraw. "BSIMM is not a methodology; it's a measuring stick. So, Microsoft using their software development lifecycle (SDLC) can measure with BSIMM; EMC, which has its own home-brewed solution, can be measured with BSIMM; Bank of America using [Cigital's] Touchpoints can be measured with BSIMM."

The model is built around a software security framework defined by four broad domains, each of which is divided into three practices:

  • Governance: Strategy and metrics; compliance and policy; training.

  • Intelligence: Attack models; security features and design; standards and requirements.

  • Software security development lifecycle (SSDL) touchpoints: Architecture analysis; code review; security testing.

  • Deployment: Penetration testing; software environment (i.e., things like OS and platform patching, application monitoring, change management); configuration and vulnerability management.

The heart of the model lies in the prevalent activities (defined as actions carried out in support of one of BSIMM's practices) that the researchers found consistently applied across the 30 companies. The researchers identify 15 such activities that are carried out by at least 20 of the firms. The implication is that if at least two-thirds of the top software security programs are engaged in a particular activity, it is worth your attention.

For example, all 30 firms ensure that both network and host security basics are in place. "That's the most obvious one," said Chess. "People are also doing network and host-based security. If you haven't figured out your firewall, you're not ready to deal with code." Most of the firms also use external penetration testers, "even people who are pretty good at it themselves," Chess noted. Other widely applied activities include policy creation, understanding compliance pressures, awareness training, identifying security gating checkpoints, creating security standards, working with incident response, and data classification and inventory.

This second round of interviews, adding information from 21 companies, is meant to "create a data set that is statistically significant," McGraw said. The additional data resulted in some changes in the 15 most prevalent activities, but only minor "tweaks" in the framework itself. "We found that the original model was surprisingly accurate," he said. They also included nine European companies in Round Two and found few differences between their practices and those of U.S. firms.

A constant through all 30 companies is a formal software security group (SSG). The group may be highly centralized in some organizations and more distributed in others, and it may have different lines of reporting (CIO, CISO, CFO, CEO, etc.), but it is the foundation of every program. The rule of thumb, the research showed, was one SSG member for every 100 developers in an organization.

The 30 companies encompass seven verticals: financial services, independent software vendors, technology firms, healthcare, insurance, energy and media. Those that agreed to be identified include: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Intel, Intuit, Microsoft, Nokia, QUALCOMM, Sallie Mae, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware and Wells Fargo.

McGraw, Chess and Migues plan to build on their research, to try to develop ways of measuring the effectiveness of software security programs, and to make more granular comparisons, for example between the practices of companies in the same vertical. Representatives of 22 of the corporate SSGs met at the RSA Conference in March, and the researchers hope to have an annual meeting. They have started a moderated mailing list and created an advisory board. "A community is emerging," said McGraw. "People who run software security are very psyched to meet like-minded individuals in other companies. They all have challenges and have a lot to learn from each other."
