The best software security initiative is tuned to fit your organization and built to scale. Three SSI fundamentals are standards, policies, and metrics.
You take calculated risks every day. Just this morning, say, you might have decided to cross an empty street against the light because you were late for work. But if you had been with your child, you would have made a different decision.
We rely on our experiences, and those of people we trust, to set the bar for the risks we take on. Some risks are acceptable and some aren’t. Software security is no different. As a security practitioner, you’re in charge of assessing security risks that have an impact on your customers’ trust and your business’s reputation. So you can’t make arbitrary decisions.
A key finding from the annual BSIMM study is that many firms focus on high-risk applications, thinking this is enough to mitigate their risk of attack. But medium- and low-risk apps are also part of the attack surface. How do you decide which applications to secure and how to secure them?
You could do nothing and just hope your software and systems are secure. You could waste resources performing haphazard security testing on random applications. Or you could create a software security initiative (SSI), a program that helps you balance available resources against unacceptable risks.
Compliance and regulatory requirements are increasing, and high-profile breaches are raising awareness of software security. In response, organizations are investing in approaches to reduce risk, such as application security testing regimes. But these approaches vary widely. Some organizations perform penetration testing on a handful of apps once a year to meet minimal compliance requirements. Others have installed wireless application protocols (WAP) and monitoring programs to bolster firewall protection.
These approaches are valid. But they are not strategic.
“Proactive security saves time and money, but it is not going to be enough. A security program is what you need to put in place to lower your exposure across the board,” says Tyler Shields, senior analyst at Forrester Research, Inc.
A comprehensive software security initiative has multiple benefits. It will help you:
The most effective software security initiative is tuned to fit your organization and built to scale. It helps you “show your work” by creating a methodology for lowering your risk and explaining how you have made investment decisions.
The best way to develop a software security initiative is a three-pronged approach that includes security standards, security policies, and security metrics. Standards and policies drive cooperation toward a defined and shared goal. And metrics are crucial to ensure that you are achieving success with your security program.
Security standards provide developers and application testers with guidance on what your company will accept and what it won’t. They are essential to maintaining consistency across your supply chain.
When security standards are documented and widely communicated, developers understand rules for the type of code they may use (e.g., COTS, open source, libraries) and the security requirements they must incorporate in their programs (e.g., specific crypto algorithms they must use or coding practices they must avoid).
Security policies ensure that everyone involved shares a common definition of terms, understands roles and responsibilities, and has a set of operating procedures and governance rules to follow. Creating security policies paves the way for your team to follow the standards defined by your software security initiative.
Security policies typically cover:
To demonstrate the results of your software security initiative and track your progress over time, you must establish a defined set of metrics.
Some examples of strategic and operational metrics:
Your software security initiative must be customized to match your organization, portfolio, environment, and culture. It must be scalable so it can grow with you. And of course you want the program to be cost-effective and address your business’s specific level of unacceptable risk.
Whether you have a stand-alone software security group with security oversight or you embed responsibility for security within each engineering group or business unit, you can adapt this three-pronged model to create or evolve your software security initiative, and lower your risk of a security breach.