News on Monday
more>>
SharePoint Tech Report
more>>

Download Current Issue
ISSUE 3/15/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.
03/16/2010 01:10 PM EST

People Power enters the green technology market
People Power launches SuRF Developer's Kit for developers looking to get into green technology.
03/16/2010 11:51 AM EST

Windows Phone 7 will not support HTML 5
Windows Phone 7 will not support HTML 5.
03/15/2010 05:51 PM EST

SharePointPro Summit & Expo

3/16/2010 to 3/19/2010
Las Vegas
Penton Media

TheServerSide Java Symposium

3/17/2010 to 3/19/2010
Las Vegas
TechTarget

EclipseCon

3/22/2010 to 3/25/2010
Santa Clara, Calif.
The Eclipse Foundation

DevConnections

4/12/2010 to 4/14/2010
Las Vegas
Penton Media

MySQL Conf. and Expo

4/12/2010 to 4/15/2010
Santa Clara, Calif.
O'Reilly Media

HOME ALL STORIES LATEST NEWS COLUMNS OPINIONS EDITORIALS GUEST VIEWS SHORT TAKES DATA WATCH SPECIAL REPORTS ZEICHICK'S TAKE SD TIMES 100 EDITORS' BLOG

RSS FEEDS

FACEBOOK

TWITTER

WHITE PAPERS SPONSORED PROFILES JOB BOARD WEBINAR CENTER FREE SOFTWARE BZ RESEARCH ALMSHAREPOINT EVENTS CALENDAR PRINT/PDF EDITION PRINT/PDF BACK ISSUES

SUBSCRIBE TODAY CUSTOMER SERVICE EDITORIAL CALENDAR EDITORIAL BEATS GUEST VIEW GUIDE SD TIMES 100 GUIDE EVENTS CALENDAR ADVERTISING ARTICLE REPRINTS REPORT A BUG SITE MAP

ABOUT US BZ MEDIA NEWS BZ RESEARCH SYSMANNEWS SPTECHCON ESDC IPHONEDEVCON PRIVACY POLICY CONTACT US

Printable version

HOME >> LATEST NEWS

Most Read Latest News Blog Resources

Mono brings .NET to Android
At Microsoft MIX, Mono will unveil the ability to port .NET applications to the Android op...

Even with its success, .NET causes some consternation
Despite its popularity, the developer community believes that .NET isn't being fully serve...

Going 'all in' on .NET as default runtime
Programmers for Windows Phone 7 will need to use Silverlight and XNA for development

Mono brings .NET to Android
At Microsoft MIX, Mono will unveil the ability to port .NET applications to the Android op...

Gomez delivers cross-browser performance monitoring
Focusing on the wide variety of browsers for both PCs and mobile devices, Gomez provides a...

Microsoft lifts the hood on IE9
Microsoft is previewing IE9.

People Power enters the green technology market
People Power launches SuRF Developer's Kit for developers looking to get into green technology.

Windows Phone 7 will not support HTML 5
Windows Phone 7 will not support HTML 5.

Overcoming Development Challenges with Open Source Open source software can help you with your application development challenges. It doesn’t...

Accelerate Services and the Cloud Business units, functional groups, and different divisions of companies across industries...

Enterprise Mashup Platforms for Today’s Increasingly Complex and Real-Time Context Enterprise Mashups offer your company a new way to connect data from inside and outside yo...

Technorati

Digg

Slashdot

Facebook

Friendfeed

Twitter

del.icio.us

BSIMM lays out security blueprint

By Jeff Feinman

March 27, 2009 —

Cigital and Fortify Software have put together a new maturity model, the Building Security In Maturity Model (BSIMM), to stimulate a cultural change when it comes to creating secure software.

Representatives from Cigital and Fortify conducted interviews and collected data from nine enterprise companies, such as Adobe, EMC, Google and Microsoft. The model is divided into 12 practices, falling under the categories of governance, intelligence, software security development life cycle (SSDL) touch points, and deployment.

According to the BSIMM, an integral piece of governance should be everyone involved in creating and deploying software attaining a common understanding of strategy, along with direction around security objectives. Proper compliance and policy must be in place and appropriate training should be given.

To gain knowledge of potential attacks, a software initiative must identify potential attackers, as well as document the attacks that have already happened and that caused the greatest organizational concern. The initiative must also provide security features and education on security and coding standards. The BSIMM lists architecture analysis, code review and security testing as the key SSDL touch points.

During deployment, software security professionals need to carry out penetration testing and monitor input to the software they run to spot attacks. Additionally, security professionals should ensure their ability to track unauthorized changes to applications and to detect unauthorized activity, according to the BSIMM.

When talking about the BSIMM, Cigital and Fortify stressed the importance of a strong software security group. An average software security group size should be about 1% of the size of the software development organization.

“Every single one of the nine companies that we studied to build the model has an active software security group,” said Gary McGraw, CTO of Cigital. “This suggests that if you’re trying to have software security in your organization carried out by the developers or network security, you should think about what [notable] companies are doing.”

The BSIMM states that software security groups should emphasize security education and mentoring rather than policing for security errors. It preaches the use of automated code review and black box testing.

McGraw said that the steps laid out in the BSIMM are not intended for software developers. Instead, they are intended for people that are trying to teach software developers how to do proper software security.

“Whoever runs your organization that’s worried about the ramifications of bad software security and business impact, that’s the person who needs to understand this work,” he said. “It’s about how to institute a cultural change to create, plan and execute a large scale software security initiative.”

“I don’t know of any other instance where the range of companies that we’re talking about have been willing to discuss their security activities,” said Brian Chess, cofounder and chief scientist of Fortify. “We can say if [that] you’re not doing something out of this core set of activities, you are an outlier. And you need to think about whether that’s a good thing or a bad thing.”

Related Search Term(s): Cigital, security

Share this link: http://www.sdtimes.com/link/33377

Cigital, Fortify tailor security model for Europe Similar to its North American counterpart, BSIMM Europe takes in security actions practices by nine European software firms

Cigital releases a set of rules to boost Java security The Java Security Rulepack adds on to Fortify's vulnerability category base. The rules are open source, allowing users to modify them as needed, and include a group of security checks that work with source Code Analyzer 4.5 and up.

News Briefs: January 15, 2009 Cigital and Coverity partner together to improve each other's products, Scio Consulting creates services for SaaS environments and AmberPoint integrates its SOA governance and management precuts with Microsoft the Microsoft platform.

Add comment

Name*
Email*
Country

Comment
Preview

BSIMM lays out security blueprint

By Jeff Feinman

Related Articles

Add comment