You all know by now that the BSIMM is a descriptive model and not a prescriptive one. We’re happy to give prescriptive advice about software security based on our experience as well. It’s what we do for a living. In fact, every prescriptive model (think the Touchpoints) needs to be measured with a measuring stick like the BSIMM.
Without further ado, the ten commandments for software security as invented by our Principals:
0. Thou shalt lead thy software security initiative (SSI) with a software security group (SSG).
1. Thou shalt rely on risk management and objective measurement using the BSIMM—not “top ten lists” and vulnerability counts—to define SSI success.
2. Thou shalt communicate with executives, directly linking SSI success to business value and comparing thy firm against its peers.
3. Thou shalt create and adopt an SSDL methodology like the Microsoft SDL or our Touchpoints that integrates security controls (including architecture risk analysis, code review, and penetration testing) and people smarter about software security than the tools they run.
4. Thou shalt not limit software security activity to only technical SDLC activities and especially not to penetration testing alone.
5. Thou shalt grow and nurture software security professionals for thy SSG (since there are not enough qualified people to go around).
6. Thou shalt consume direction from the business and intelligence from operations and incident response staff, and adjust SSI controls accordingly.
7. Thou shalt track thy data carefully and know where the data live regardless of how cloudy thy architecture gets.
8. Thou shalt not rely solely on security features and functions to build secure software, as security is an emergent property of the entire system and thus relies on building and integrating all parts properly.
9. Thou shalt fix thy identified software defects: both bugs and flaws.
Gary McGraw is the former vice president of security technology at Synopsys (SNPS). He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and six other books, and he is editor of the Addison-Wesley Software Security Series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a periodic security column for SearchSecurity, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of MaxMyInterest, Ntrepid, and RavenWhite. He has also served as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). He holds a dual Ph.D. in cognitive science and computer science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy Magazine (syndicated by SearchSecurity).