A Secure Software Development Lifecycle Model Matures

It is one thing to say you have secure software; it is quite another to back that up with security best practices. The Building Security In Maturity Model (BSIMM) is a secure software development lifecycle model that grew out of observations of software security practices at nine companies, ranging from Adobe to Google and Wells Fargo, back in 2009. BSIMM's third iteration, released on Tuesday, now includes best practices for secure software development from 42 companies, including 19 financial services companies, which co-creator Gary McGraw said are at least "five to seven years ahead of the federal government" in terms of security.

BSIMM 3 delineates 109 security activities spread across 12 software security practice areas, such as software environment, architecture analysis, attack models, strategy & metrics, and code review. McGraw, CTO at Cigital, said the report documents two or more real examples for each activity. Other BSIMM co-creators include Brian Chess of Fortify and Sammy Migues of Cigital.

In addition to studying new companies, BSIMM 3 for the first time provides longitudinal data on the security process at eleven of the thirty companies profiled in May 2010. For example, McGraw mentioned that J.P. Morgan Chase has implemented BSIMM for vendors (vBSIMM) for all its contractors, which ensures that Chase's third-party contractors also follow secure software lifecycles themselves. In all, ten of the eleven revisited companies showed improvement.

For companies that want to begin the process of secure software development, the BSIMM model provides a loose framework that can be adapted to almost any organization, large or small. All the tools can be downloaded from the BSIMM site for free. For example, the Software Security Framework (SSF) is an adaptable security model that allows any organization to assess its current state of software security, prioritize changes, and chart progress over time.
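To make the assess-prioritize-chart cycle concrete, here is a small scorecard script. It is an added example written for this article, not code from BSIMM, Cigital, or the report itself. It uses the six practice areas named above with two-letter codes, and its activity identifiers (for example "CR2.3") are constructed to mimic the BSIMM naming shape but are not the real BSIMM3 activity list. The scoring rule, taking the highest activity level observed in each practice as that practice's score, is an assumption adopted for illustration.

```python
"""Toy BSIMM-style scorecard: assess per-practice maturity, prioritize
gaps, and chart progress between two assessments.

Added example, not BSIMM's own tooling. Activity ids are constructed.
"""
import re

# Six of the practice areas named in the article, keyed by an assumed
# two-letter code used in the constructed activity ids below.
PRACTICE_NAMES = {
    "SM": "Strategy & Metrics",
    "CP": "Compliance & Policy",
    "AM": "Attack Models",
    "AA": "Architecture Analysis",
    "CR": "Code Review",
    "SE": "Software Environment",
}

MAX_LEVEL = 3  # assumption: activities are grouped into three maturity levels


def parse_activity(activity_id):
    """Split an id like 'CR2.3' into (practice code, level).

    The digit before the dot is the maturity level; the number after the
    dot just distinguishes activities within that level.
    """
    match = re.fullmatch(r"([A-Z]{2})([1-3])\.(\d+)", activity_id)
    if not match:
        raise ValueError(f"malformed activity id: {activity_id!r}")
    code, level, _ = match.groups()
    if code not in PRACTICE_NAMES:
        raise ValueError(f"unknown practice code in {activity_id!r}")
    return code, int(level)


def high_water_marks(observed_ids):
    """Assess: score each practice by the highest level observed (0 if none).

    Duplicate observations are harmless because max() is idempotent.
    """
    scores = {code: 0 for code in PRACTICE_NAMES}
    for activity_id in observed_ids:
        code, level = parse_activity(activity_id)
        scores[code] = max(scores[code], level)
    return scores


def prioritize(scores, target=2):
    """Prioritize: practices below the target level, weakest first."""
    return sorted(
        (code for code, score in scores.items() if score < target),
        key=lambda code: (scores[code], code),
    )


def progress(before, after):
    """Chart progress: per-practice level change between two assessments."""
    return {
        code: after[code] - before[code]
        for code in PRACTICE_NAMES
        if after[code] != before[code]
    }


def scorecard_lines(scores):
    """Render a text bar per practice, e.g. 'Code Review ##. (2/3)'."""
    lines = []
    for code, name in PRACTICE_NAMES.items():
        bar = "#" * scores[code] + "." * (MAX_LEVEL - scores[code])
        lines.append(f"{name:<22} {bar} ({scores[code]}/{MAX_LEVEL})")
    return lines


# Constructed sample data: two assessments of one hypothetical organization.
FIRST_ASSESSMENT = ["SM1.1", "SM1.2", "CP1.1", "CP2.1", "AM1.2", "CR1.1", "SE1.1"]
SECOND_ASSESSMENT = FIRST_ASSESSMENT + ["AA1.1", "CR2.1", "CR2.3", "SE2.2", "AM1.2"]


if __name__ == "__main__":
    first = high_water_marks(FIRST_ASSESSMENT)
    second = high_water_marks(SECOND_ASSESSMENT)
    print("Second assessment:")
    print("\n".join(scorecard_lines(second)))
    print("Still below target level 2:", prioritize(second))
    print("Change since first assessment:", progress(first, second))
```

The high-water-mark rule deliberately rewards depth in a practice rather than counting activities, so an organization cannot inflate a score by doing many level-1 things; the prioritize() output points at the practices where the next investment moves the chart.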

BSIMM3 describes the work of 786 Software Security Group members, working with a satellite of 1,750 people, to secure the software developed by a total of 185,316 developers. Companies in this year's report include Adobe, Aon, Bank of America, Capital One, The Depository Trust and Clearing Corporation (DTCC), EMC, Fannie Mae, Google, Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, Scrippsnetworks, Sony Ericsson, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga.

From the report: Financial Services firms (shown in red) are more mature in compliance and policy than Software firms (shown in blue), which are more mature in code review and vulnerability management. (source: BSIMM3)