Security information sharing gets even bigger with BSIMM6

The Building Security In Maturity Model helps developers engineer security into their products from the start, instead of trying to “bolt it on” later

The BSIMM (Building Security In Maturity Model) is gaining a measure of maturity itself – its sixth iteration went public earlier this week.

The fundamental goals remain what they were at the beginning, in 2009, according to Gary McGraw, CTO of Cigital, one of the cofounders and the BSIMM’s chief spokesman: To save software developers both headaches and money by building security into their products from the start, instead of trying to bolt it on later.

“It is a descriptive model, not prescriptive,” he said. “It doesn’t tell you what you should do. It tells you what other people are already doing.”

And BSIMM6 is able to tell you a lot more, from more verticals than in the past. Starting with a limited set of best practices culled from nine participating companies with software security initiatives in 2009, the organization now presents 112 “activities” from 78 companies – many of them among the biggest players in their respective industries. Those activities are grouped under four main “domains”: Governance, Intelligence, SSDL (Secure Software Development Lifecycle) and Deployment.

About 30 of them are common to more than two thirds of the participants. “We’re not saying you (developers) should do them all,” McGraw said, “but it lets you see what has already worked.”

Close to half the participating companies (33) are in financial services, but other major participants include independent software vendors (27) and consumer electronics (13). There is a smaller number of participants in insurance, telecommunications, security, retail and energy.

The most significant increase is in the healthcare industry, which went from a single participant three years ago to 10, and includes major names like Aetna, McKesson and Zephyr Health.


Gary McGraw, CTO, Cigital

Based on the data presented in the BSIMM6 report, authored by McGraw, Jacob West, chief architect at NetSuite, and Sammy Migues, principal at Cigital, healthcare falls significantly short in security practices, lagging behind every other sector – even consumer electronics, which is notorious for a lack of security because its developers are more focused on getting new products out the door to maintain or gain market share than on making them secure.

In the press release announcing the launch, McGraw said the data show that healthcare organizations “have plenty to learn from other industries when it comes to software security. Fortunately, the BSIMM community is set up to facilitate and accelerate that learning.”

But in an interview, McGraw said the shortcomings in healthcare should not be painted too broadly. “As a sector, they are behind,” he said. “But within that data, there are some seriously good leaders in software security, doing amazingly great things.”

He said one reason for the lag is the well-intentioned Health Insurance Portability and Accountability Act (HIPAA) law of 1996. “It told them (healthcare organizations) that they had to take care of patient privacy,” he said, “and they did, but then they said, ‘OK, we’re done.’”

But he said the industry is improving, now that more healthcare organizations have recruited leaders from the financial industry, which scores well above average in the BSIMM6 data for security practices.

The timing of the latest BSIMM launch is also interesting in light of its major focus – sharing of security information among diverse companies, some of which are fierce competitors but have common interests when it comes to security from cyber attacks.

That sounds, in some ways, like the goal of the Cyber Information Sharing Act (CISA) now pending in Congress and expected to come to a vote perhaps before the end of the month.

That bill is aimed at getting both private and public organizations to share cyber threat information, but has vocal and growing opposition from advocates who say it fails to protect privacy.

McGraw wouldn’t go so far as to say that wide adoption of BSIMM practices throughout the business world would make CISA unnecessary. But he did say that “if everybody used BSIMM to do better software engineering, there definitely wouldn’t be as big a need to share information about attacks and breaches.”

Ultimately, it is not entirely about software security, however. The report emphasizes that it has to start with network security, with the following image: “Doing software security before network security is like putting on your pants before putting on your underwear.”

Stories by Taylor Armerding