Software Integrity Blog


How proactive is your software security initiative?

A proactive software security initiative helps protect your organization. Does your SSI measure up? Take our short quiz, based on the BSIMM, to find out.


The bad news is that software gets hacked. The defects and vulnerabilities that attackers exploit can be introduced by an organization's own developers or by its vendors and partners. The good news is that the methods for finding and fixing these defects are well known. Organizations with a mature software security initiative (SSI) have processes and guidance in place that go beyond a basic “penetrate and patch” approach. These processes set up a preventive approach that stops some defects from ever being created and ensures that others are fixed during development rather than right before, or even after, release. So, how proactive is your software security initiative?

The questions below are inspired by the Building Security In Maturity Model (BSIMM) and highlight activities commonly observed in real software security initiatives. They weren’t thought up in a classroom or around a conference table; they were observed being performed by real companies that consider security a worthwhile investment.

How to use the BSIMM to measure your software security initiative

1. What level of security training does your organization provide?

It all starts with knowing. Most organizations offer some software security training; those with an advanced program go further and provide on-demand training tailored to each employee’s role within the organization.

59 out of the 78 BSIMM6 participants provide basic software security awareness training.

2. Does your organization have software security standards?

In order to finish the race, you have to know where the finish line is. In order to achieve security, standards have to set the goals for organizations and their engineering teams.

57 of the 78 BSIMM6 participants create or adapt their own software security standards.

3. When designing applications, does your team review how security features might fail or be bypassed in the application?

Security features are tools and the hammer that pounds the nail can easily crush your thumb. Development teams and security-aware architects should ensure that the security features they use can’t be easily bypassed by attackers.

67 of the 78 BSIMM6 participants perform reviews to see how their security features might fail or be implemented incorrectly.

4. Do you use external penetration testers or submit your applications for external review?

Good external penetration testers will approach your application the same way hackers do. By bringing in third-party experts, you are bringing both new expertise and an unbiased eye to your testing efforts.

69 of the 78 BSIMM6 participants use external penetration testers to some degree.

5. Do you use automated tools to review your source code for security issues?

Bugs crawl around in the source code, and a good way to kill them is a review. Automated tools apply the same rule set and the same level of security expertise to every change, supplementing rather than replacing manual code review.

55 of the 78 BSIMM6 participants use an automated code review tool along with an established set of rules.
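As an added example (not the original post's code and not any vendor's scanner), the following shows what “an automated code review tool along with an established set of rules” means in the smallest possible form: a pass over Python source using the standard `ast` module, with three rules that carry an ID and a severity. The rule IDs, the sample source and its findings are constructed for this illustration.

```python
"""
Added example: a minimal automated code review pass with an established
rule set, built on Python's 'ast' module. Rule IDs, sample source and the
expected findings are constructed for this illustration.
"""
import ast

# Constructed sample source with three calls the rules should flag and one
# safe call (a subprocess call without shell=True) they should not.
SAMPLE_SOURCE = """
import subprocess, yaml
def run(cmd):
    return subprocess.run(cmd, shell=True)
def load(doc):
    return yaml.load(doc)
def calc(expr):
    return eval(expr)
def ok(cmd):
    return subprocess.run(["ls", cmd])
"""

SHELL_FUNCS = {"subprocess.run", "subprocess.call", "subprocess.check_call",
               "subprocess.check_output", "subprocess.Popen"}


def callee_name(call):
    """Dotted name of the function being called, e.g. 'subprocess.run'."""
    node = call.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call on another call's result; not handled here


def keyword_arg(call, name):
    """The AST node passed as keyword 'name', or None if it is absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


# The established rule set: each predicate gets the callee name and the Call node.
def rule_dynamic_exec(name, call):
    return name in {"eval", "exec"}


def rule_shell_true(name, call):
    shell = keyword_arg(call, "shell")
    return (name in SHELL_FUNCS
            and isinstance(shell, ast.Constant) and shell.value is True)


def rule_yaml_load(name, call):
    return name == "yaml.load" and keyword_arg(call, "Loader") is None


RULES = [
    ("PY-EXEC-001", "high", rule_dynamic_exec,
     "eval/exec runs attacker-controllable code"),
    ("PY-SHELL-001", "high", rule_shell_true,
     "shell=True passes the command line through a shell"),
    ("PY-YAML-001", "medium", rule_yaml_load,
     "yaml.load without an explicit Loader"),
]


def scan(source, filename="<constructed>"):
    """Return sorted (line, rule_id, severity, message) tuples for every rule hit."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = callee_name(node)
        for rule_id, severity, predicate, message in RULES:
            if predicate(name, node):
                findings.append((node.lineno, rule_id, severity, message))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule_id, severity, message in scan(SAMPLE_SOURCE):
        print(f"line {line}: [{severity}] {rule_id} {message}")
```

The point of the rule table is the “established set of rules” part of the activity: every finding carries a stable ID and severity, so the same rule fires the same way on every commit and a triage decision made once (suppress, fix, or escalate) can be recorded against that ID rather than re-argued at each review.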

6. Do your QA cycles include test cases that comprehensively look at security features?

Software that functions insecurely isn’t software that functions well. The designers of an application will know the potential weak points of the software and should direct testers to evaluate the security of those areas, particularly the design and implementation of security features.

66 of the 78 BSIMM6 participants create test cases to evaluate security features and security requirements.
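Questions 3 and 6 are two halves of the same activity: the design review asks how a security feature can be bypassed, and QA turns each answer into a test case. As an added example (not from the original post or the BSIMM), here is a hypothetical `/admin` authorization check, the bypass inputs a reviewer should ask about, a hardened version that canonicalizes the path and denies by default, and the test cases that exercise both. The route table, roles and bypass list are constructed for this illustration.

```python
"""
Added example: a hypothetical '/admin' authorization check, the bypasses a
security-feature review should look for, and the QA test cases that prove
the hardened version closes them. Routes and roles are constructed.
"""
import posixpath
from urllib.parse import unquote

# Constructed route table: every route declares the role it requires;
# None means public. Anything not listed is denied.
ROUTES = {
    "/": None,
    "/profile": "user",
    "/admin": "admin",
    "/admin/users": "admin",
}


def naive_authorize(path, roles):
    """'Before': a literal prefix check on the raw request path.

    It looks right in a design document and fails on inputs the
    designer did not think about (see BYPASS_ATTEMPTS below).
    """
    if path.startswith("/admin") and "admin" not in roles:
        return False
    return True  # allow by default


def canonicalize(path):
    """Normalise a request path before any security decision is made.

    Returns None for inputs that should simply be rejected.
    """
    decoded = unquote(path)  # "/%61dmin" -> "/admin"
    if "%" in decoded:       # still encoded after one pass: reject double encoding
        return None
    # Collapse repeated slashes ("//admin") and drop empty segments.
    collapsed = "/" + "/".join(seg for seg in decoded.split("/") if seg)
    resolved = posixpath.normpath(collapsed)  # "/profile/../admin" -> "/admin"
    # Lower-casing assumes the router matches case-insensitively; if it does
    # not, "/Admin" is an unknown route and is still denied by the lookup.
    return resolved.lower()


def hardened_authorize(path, roles):
    """'After': canonicalize, then deny unless the route is known and the role matches."""
    canon = canonicalize(path)
    if canon is None or canon not in ROUTES:
        return False
    required = ROUTES[canon]
    return required is None or required in roles


# Constructed bypass attempts a reviewer should raise against the naive check.
BYPASS_ATTEMPTS = [
    "/Admin",               # case variation
    "//admin",              # doubled slash
    "/profile/../admin",    # dot-segment traversal
    "/%61dmin",             # percent-encoded 'a'
]


def security_test_cases(authorize):
    """QA test cases for the authorization feature, as {case_name: passed}."""
    results = {}
    # Positive cases: the feature must still let legitimate users through.
    results["public root"] = authorize("/", []) is True
    results["admin reaches admin"] = authorize("/admin", ["admin"]) is True
    # Negative cases: an anonymous caller must never reach an admin route.
    results["anonymous blocked"] = authorize("/admin", []) is False
    for attempt in BYPASS_ATTEMPTS:
        results["bypass " + attempt] = authorize(attempt, []) is False
    # Double encoding must be rejected outright, not decoded until it matches.
    results["double-encoded rejected"] = authorize("/%252Fadmin", []) is False
    return results


if __name__ == "__main__":
    for name, check in (("naive", naive_authorize), ("hardened", hardened_authorize)):
        failed = [case for case, ok in security_test_cases(check).items() if not ok]
        print(f"{name}: {len(failed)} failing case(s) {failed}")
```

Two design choices carry the lesson. First, the hardened check denies by default: a path that is not in the route table is refused instead of being allowed because it failed to match a prefix. Second, the canonicalization step must agree with what the real router does; if the framework decodes or case-folds paths differently, the test cases above are where that mismatch shows up, which is exactly why the designers should hand them to QA.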

7. Do you have a data classification scheme used to annotate an application inventory?

When everything is a priority, nothing is a priority. Security budgets are limited, and one way to allocate them is to rank applications according to the sensitivity of the data they handle.

51 of the 78 BSIMM6 participants have a data classification scheme and prioritize applications within their inventory according to the scheme.

8. Does your organization maintain a repository of pre-built security features?

Some problems are best solved only once. Over time, teams and organizations start solving standard problems with standard solutions, whether built internally or integrated as commercial off-the-shelf (COTS) components.

61 of the 78 BSIMM6 participants have pre-approved solutions available for developers.

9. Does your organization perform analysis of privacy obligations?

Privacy is a hot topic. The decision to collect, or not collect, personally identifiable information (PII) can be a big one: by accepting certain pieces of information, your organization may be taking on additional risk and obligations.

61 of the 78 BSIMM6 participants identify PII obligations and define best practices surrounding PII.

10. Does your organization ensure that application host environments are configured securely?

While a secure network and host aren’t a complete security solution, insecure infrastructure and servers can let attackers reach your application in ways that were never intended. Ensure that servers, networks, and other infrastructure follow approved environment and configuration guidelines as an additional layer of defense in depth.

69 of the 78 BSIMM6 participants analyze the server and network configurations to prevent vulnerabilities at those levels.
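“Approved environment and configuration guidelines” only help if something checks the deployed configuration against them. As an added example (not from the original post), the following compares an OpenSSH `sshd_config` against a small approved baseline and reports every deviation, with a weak configuration beside one that passes. The keywords are real `sshd_config` options; the baseline values and both configuration files are constructed for this illustration and should be replaced with your own standard.

```python
"""
Added example: checking an sshd_config against an approved baseline.
Keywords are real sshd_config options; the baseline values and both sample
files are constructed for this illustration.
"""

# Approved baseline: keyword -> (comparison, value). The baseline requires
# each value to be set explicitly rather than relying on the sshd default.
BASELINE = {
    "PermitRootLogin": ("eq", "no"),
    "PasswordAuthentication": ("eq", "no"),
    "PermitEmptyPasswords": ("eq", "no"),
    "X11Forwarding": ("eq", "no"),
    "MaxAuthTries": ("le", 4),
}

# Constructed 'before' config: root login and X11 forwarding on, password
# authentication left at its (commented-out) default, generous retry count.
WEAK_CONFIG = """
# sshd_config (constructed example)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
X11Forwarding yes
"""

# Constructed 'after' config that meets the baseline. The Match block shows
# a conditional override, which is not a global setting.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored; keywords are case-insensitive; everything after the first
    'Match' line is conditional and is not treated as a global setting.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_baseline(text, baseline=BASELINE):
    """Return (keyword, expected, actual) for every deviation; [] means compliant."""
    settings = parse_sshd_config(text)
    deviations = []
    for keyword, (op, expected) in baseline.items():
        actual = settings.get(keyword.lower())  # None: not set, sshd default applies
        if op == "eq":
            ok = actual is not None and actual.lower() == str(expected).lower()
        elif op == "le":
            ok = actual is not None and actual.isdigit() and int(actual) <= expected
        else:
            raise ValueError(f"unknown comparison {op!r}")
        if not ok:
            deviations.append((keyword, f"{op} {expected}", actual))
    return deviations


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_baseline(cfg) or "compliant")
```

Note that an unset keyword is reported as a deviation even though sshd will apply a default: a baseline that depends on defaults silently changes meaning when the OpenSSH version does, so the check insists on explicit values. The same pattern (parse the live config the way the daemon does, compare against a declared baseline, list every deviation) applies to web server, container runtime and cloud resource configuration.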

11. Is there a formal way for security defects found in operations to be reported to and fixed by developers?

Nobody is perfect. Having a good communication flow between developers and operations is a great way to close the loop on the bugs that make it past all the safeguards.

73 of the 78 BSIMM6 participants have open channels of communication for relaying security defects back to the developers and improving processes.

12. Does your organization’s SDLC include security checkpoints for software development projects?

When developers know when the test will be, they can be better prepared. Organizations should perform tests at regular stages of development to ensure that software is being developed securely.

66 of the 78 BSIMM6 participants set security gates and check security-related artifacts during the SDLC.

It takes a village to raise a child, and it takes an entire organization to ensure success with an emergent property such as security. Small changes and safeguards can improve security at every step of the way. While not every activity is right for every organization, if you aren’t doing at least a few of these activities, your organization is exposing itself to risk that is easy to address.


About the author

Jamie Boote is a security consultant with Synopsys. He works with organizations to ensure their developers understand how to write secure code. Jamie believes that software security doesn’t happen in isolation and needs effective communication between all levels of a company. When he’s not advocating for the dinosaurs in any Perl vs. Python argument, Jamie can be found chasing his sons around Southern Florida.
