Software security guides: Maybe not sexy but super significant
If you have never heard of the BSIMM or OWASP SAMM, you need to read this, if only to find out what the heck they stand for.
But more importantly, because they can help you keep your software secure. And that’s something you really need to do. Really.
As boring and esoteric as it may sound, software security is at least as important (these days, even more so) as putting locks on your doors, making sure you don’t misplace your wallet and, for businesses, making sure only employees get into your building and keeping your intellectual property safe.
These days, both your physical and digital security depend on it. All that apparent gibberish — billions of lines of seemingly random strings of numbers, symbols, and letters — is what runs the apps on your phone and computer, the traffic signals on the roads, the safety components in your car, the functioning of your smart appliances, the purity of your water, the resilience of the electrical grid and on and on.
As has been said for a number of years now, everything is a computer, and every computer relies on software. If there are vulnerabilities in that software (bugs or flaws that could be exploited by hackers), your finances, your identity and your personal safety could be put at risk.
Which is why expert advice on how to keep software secure has almost existential importance. For individuals, one pillar of that advice should now be familiar: When software updates are available to patch vulnerabilities in the products you use, install them. Quickly.
For organizations, it’s more complicated. Not all of them build software, of course, but as has also now become a cliché, if you are in business, you are a software company. You need an IT (information technology) department. If you’re not big enough to have one, you need to hire a qualified vendor to provide those services.
Help is here—for free
Fortunately, there is also free, comprehensive help on how to make the software your company uses and/or builds more secure.
Two of the best providers of that advice are the BSIMM and the SAMM.
The BSIMM (Building Security In Maturity Model), launched in 2008, is the subject of an annual report by the Synopsys Software Integrity Group on the evolution of software security initiatives (SSIs). Its authors frequently call it a “science experiment that escaped the lab.” It is designed as a free tool that organizations can use to measure their own SSI, once they have created one, by comparing themselves to others in their own industry.
The BSIMM doesn’t prescribe a set way to do things. It’s primarily a “what’s happening now” guide, or a “descriptive” model. The latest report is based on observations of 130 participating companies, primarily in nine verticals and spanning multiple geographies.
SAMM (Software Assurance Maturity Model), a project of the Open Web Application Security Project (OWASP), began in 2009 and is a “prescriptive” model, but it does not insist that all organizations reach a certain maturity level.
Instead, as its website puts it, it offers “a means to know where your organization is on its journey towards software assurance and understand what is recommended to move to a next level of maturity. You (the organization) determine the target maturity level for each security practice that is the best fit for your organization and its needs.”
The goal of the project is to “help organizations analyze their current software security practices, build a security program in defined iterations, show progressive improvements in secure practices, and define and measure security-related activities.”
An obvious need—read the headlines
But whether you lean toward descriptive or prescriptive (or both), the need for greater maturity in software security is obvious, and not in a good way.
Here is just a sampling of stories from the past week or so about hacks and breaches enabled by weaknesses in software security.
- On the first day of the Pwn2Own 2021 hacking contest, contestants successfully exploited previously unknown vulnerabilities in Microsoft’s Windows 10 OS, the Exchange mail server, and the Teams communication platform. Fortunately, these were white hat (ethical) hackers. Nobody got hurt and the hackers won $440,000.
- VMware announced a “critical” vulnerability in its Carbon Black Cloud Workload data center security product that could be exploited to bypass authentication and take control of vulnerable systems. The vulnerability is rated 9.1 out of a maximum of 10 in the Common Vulnerability Scoring System (CVSS) and affects all versions of the product prior to 1.0.1. VMware has released a patch, but of course users have to install it.
- The personal information of about 533 million Facebook users was posted online at the beginning of the month, thanks to a bug the company said it fixed in 2019 that allowed the “scraping” of such data. As blogger Cory Doctorow put it, “the dataset that included phone numbers, full names, locations, email addresses, and biographical information was published for free online. More than half a billion current and former Facebook users are now at high risk of various kinds of fraud.”
- Vehicle emissions testing company Applus Technologies was hit with a malware attack on March 30 that prevented vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin. As of last week, the company had issued a patch to customers but said
There are more — lots more — but you get the idea. Which should be more than enough to prompt some serious reflection and action from both individuals and organizations. Most people don’t have to be convinced to spend time and money on physical security for their homes and possessions. This is just as important. Yes, better software security will cost time and money, but it will save not only money but colossal headaches as well.
And advice on how to do it from both the BSIMM and SAMM is free. Both have always been released under the Creative Commons Attribution-ShareAlike license.
A caveat: Following the guidance of these projects is no guarantee that you will never get breached. Nothing will make any person or organization bullet-proof. Just as there is no guarantee that the locks and other physical security measures protecting your business can’t be penetrated by skilled intelligence operatives of a nation state.
But it will make you a much more difficult target for malicious hackers. And most cyber criminals are looking for easy targets.
Advice, not mandates
So how do the models work? By presenting advice and then letting each organization decide what to do with it.
They differ somewhat in structure. The BSIMM has always been described as a “roadmap” for SSIs. It doesn’t tell organizations what to do or how to do it. Instead, through its 121 activities, it shows them what others in their industry are doing or not doing and lets them pick the “route” to maturity that works best for them.
Since the project began in 2008, the BSIMM has done more than 500 assessments, and while the individual results are anonymized, the participants are grouped according to their industry.
The latest BSIMM presents data in a software security framework (SSF) starting with four “domains” — Governance, Intelligence, SSDL (Software Security Development Lifecycle) Touchpoints, Deployment — that are the key focus areas in an SSI.
Within those domains are 12 “practices” — three under each domain. For example, Governance includes strategy & metrics, compliance and policy, and training.
Finally, grouped within the 12 practices are 121 SSI “activities” that BSIMM evaluators have observed in participating organizations.
The SAMM model is organized in five “core business functions,” or categories of “activities related to the nuts and bolts of software development.” They are: Governance, Design, Implementation, Verification, and Operations.
Within each of those functions are three security practices, for a total of 15. For example, Governance includes strategy and metrics, policy and compliance, and education and guidance.
Finally, within each of those practices are three maturity levels, each expressed as an objective.
The bottom line is that both models have unique advantages and can be used in whatever way an organization chooses. It’s possible to use one or the other, or both.
After all, they’re both free. And in this case, the old cliché “you get what you pay for” doesn’t apply. You get way more than what you pay for.