The BSIMM (Building Security In Maturity Model) is gaining a measure of maturity itself – its sixth iteration went public earlier this week.
The fundamental goals remain what they were at the beginning, in 2009, according to Gary McGraw, CTO of Cigital, one of the cofounders and the BSIMM’s chief spokesman: To save software developers both headaches and money by building security into their products from the start, instead of trying to bolt it on later.
““It is a descriptive model, not prescriptive,” he said. “It doesn’t tell you what you should do. It tells you what other people are already doing.”
And BSIMM6 is able to tell you a lot more, from more verticals than in the past. Starting with a limited set of best practices culled from nine participating companies with software security initiatives in 2009, the organization now presents 112 “activities” from 78 companies – many of them among the biggest players in their respective industries. Those activities are grouped under four main “domains”: Governance, Intelligence, SSDL (Secure Software Development Lifecycle) and Deployment.
About 30 of them are common to more than two thirds of the participants. “We’re not saying you (developers) should do them all,” McGraw said, “but it lets you see what has already worked.”
Close to half the participating companies (33) are in financial services, but other major participants include independent software vendors (27) and consumer electronics (13). There are a smaller number of participants in insurance, telecommunications, security, retail and energy.
The most significant increase is in the healthcare industry, which went from a single participant three years ago to 10, and includes major names like Aetna, McKesson and Zephyr Health.
Based on the data presented in the BSIMM6 report, authored by McGraw, Jacob West, chief architect at NetSuite, and Sammy Migues, principal at Cigital, healthcare falls significantly short in security practices, lagging behind every other sector – even consumer electronics, which is notorious for a lack of security because developers are more focused on trying to get new products out the door to maintain or gain market share than they are in making them secure.
In the press release announcing the launch, McGraw said the data show that healthcare organizations, “have plenty to learn from other industries when it comes to software security. Fortunately, the BSIMM community is set up to facilitate and accelerate that learning.”
But in an interview, McGraw said the shortcomings in healthcare should not be painted too broadly. “As a sector, they are behind,” he said. “But within that data, there are some seriously good leaders in software security, doing amazingly great things.”
He said one reason for the lag is the well-intentioned Health Insurance Portability and Accountability Act (HIPAA) law of 1996. “It told them (healthcare organizations) that they had to take care of patient privacy,” he said, “and they did, but then they said, ‘OK, we’re done.’”
But he said the industry is improving, now that more healthcare organizations have recruited leaders from the financial industry, which scores well above average in the BSIMM6 data for security practices.
The timing of the latest BSIMM launch is also interesting in light of its major focus – sharing of security information among diverse companies, some of which are fierce competitors but have common interests when it comes to security from cyber attacks.
That sounds, in some ways, like the goal of the Cyber Information Sharing Act (CISA) now pending in Congress and expected to come to a vote perhaps before the end of the month.
That bill is aimed at getting both private and public organizations to share cyber threat information, but has vocal and growing opposition from advocates who say it fails to protect privacy.
McGraw wouldn’t go so far as to say that wide adoption of BSIMM practices throughout the business world would make CISA unnecessary. But he did say that, “if everybody used BSIMM to do better software engineering, there definitely wouldn’t be as big a need to share information about attacks and breaches.”
Ultimately, it is not entirely about software security, however. The report emphasizes that it has to start with network security, with the following image: “Doing software security before network security is like putting on your pants before putting on your underwear.”