Published in Nerd For Tech

Software security guides: Maybe not sexy but super significant


If you have never heard of the BSIMM or OWASP SAMM, you need to read this, if only to find out what the heck they stand for.

But more importantly, because they can help you keep your software secure. And that’s something you really need to do. Really.

As boring and esoteric as it may sound, software security is just as important as—now even more so than—putting locks on your doors, making sure you don’t misplace your wallet and, for businesses, making sure only employees get into your building and keeping your intellectual property safe.

These days, both your physical and digital security depend on it. All that apparent gibberish — billions of lines of seemingly random strings of numbers, symbols, and letters — is what runs the apps on your phone and computer, the traffic signals on the roads, the safety components in your car, the functioning of your smart appliances, the purity of your water, the resilience of the electrical grid and on and on.

As has been said for a number of years now, everything is a computer. And every computer relies on software. But if there are vulnerabilities in that software — bugs or flaws that could be exploited by hackers — your finances, your identity and your personal safety could be put at risk.

Which is why expert advice on how to keep software secure has almost existential importance. For individuals, one pillar of that advice should now be familiar: When software updates are available to patch vulnerabilities in the products you use, install them. Quickly.

For organizations, it’s more complicated. Not all of them build software, of course, but as has also now become a cliché, if you are in business, you are a software company. You need an IT (information technology) department. If you’re not big enough to have one, you need to hire a qualified vendor to provide those services.

Help is here—for free

Fortunately, there is also free, comprehensive help on how to make the software your company uses and/or builds more secure.

Two of the best providers of that advice are the BSIMM and the SAMM.

The BSIMM (Building Security In Maturity Model), launched in 2008, is the subject of an annual report by the Synopsys Software Integrity Group on the evolution of software security initiatives (SSI). Its authors frequently call it a “science experiment that escaped the lab.” It is designed to give organizations a free tool they can use to measure their own SSI, once it’s created, by comparing themselves to others in their own industry.

The BSIMM doesn’t prescribe a set way to do things. It’s primarily a “what’s happening now” guide, or a “descriptive” model. The latest report is based on observations of 130 participating companies, primarily in nine verticals and spanning multiple geographies.

SAMM (Software Assurance Maturity Model), a project of the Open Web Application Security Project (OWASP), began in 2009 and is a “prescriptive” model but does not insist that all organizations reach a certain maturity level.

Instead, as its website puts it, it offers “a means to know where your organization is on its journey towards software assurance and understand what is recommended to move to a next level of maturity. You (the organization) determine the target maturity level for each security practice that is the best fit for your organization and its needs.”

The goal of the project is to “help organizations analyze their current software security practices, build a security program in defined iterations, show progressive improvements in secure practices, and define and measure security-related activities.”

An obvious need—read the headlines

But whether you lean toward descriptive or prescriptive (or both), the need for greater maturity in software security is obvious, and not in a good way.

Here is just a sampling of stories from the past week or so about hacks and breaches enabled by weaknesses in software security.

  • On the first day of the Pwn2Own 2021 hacking contest, contestants successfully exploited previously unknown vulnerabilities in Microsoft’s Windows 10 OS, the Exchange mail server, and the Teams communication platform. Fortunately, these were white hat (ethical) hackers. Nobody got hurt and the hackers won $440,000.
  • VMware announced a “critical” vulnerability in its Carbon Black Cloud Workload, a data center security product, that could be exploited to bypass authentication and take control of vulnerable systems. The vulnerability is rated 9.1 out of a maximum of 10 in the Common Vulnerability Scoring System and affects all versions of the product prior to 1.0.1. VMware has released a patch, but of course users have to install it.
  • The personal information of about 533 million Facebook users went up online at the beginning of the month, thanks to a bug that the company said it fixed in 2019 that allowed the “scraping” of such data. As blogger Cory Doctorow put it, “the dataset that included phone numbers, full names, locations, email addresses, and biographical information was published for free online. More than half a billion current and former Facebook users are now at high risk of various kinds of fraud,” he wrote.
  • Vehicle emissions testing company Applus Technologies was hit with a malware attack March 30, which prevented vehicle inspections in eight states including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin. As of last week, the company had issued a patch to customers but said

There are more — lots more — but you get the idea. Which should be more than enough to prompt some serious reflection and action from both individuals and organizations. Most people don’t have to be convinced to spend time and money on physical security for their homes and possessions. This is just as important. Yes, better software security will cost time and money, but it will save not only money but colossal headaches as well.

And advice on how to do it from both the BSIMM and SAMM is free. Both have always used the Creative Commons Attribution-ShareAlike license.

A caveat: Following the guidance of these projects is no guarantee that you will never get breached. Nothing will make any person or organization bullet-proof. Just as there is no guarantee that the locks and other physical security measures protecting your business can’t be penetrated by skilled intelligence operatives of a nation state.

But it will make you a much more difficult target for malicious hackers. And most cyber criminals are looking for easy targets.

Advice, not mandates

So how do the models work? By presenting advice and then letting each organization decide what to do with it.

There is some structural variety between them. The BSIMM has always been described as a “roadmap” for SSIs. It doesn’t tell organizations what to do or how to do it. Instead, it shows them, in 121 ways, what others in their industry are doing or not doing and lets them pick the “route” to maturity that works best for them.

Since the project began in 2008, the BSIMM has done more than 500 assessments, and while the individual results are anonymized, the participants are grouped according to their industry.

The latest BSIMM presents data in a software security framework (SSF) starting with four “domains” — Governance, Intelligence, SSDL (Software Security Development Lifecycle) Touchpoints, Deployment — that are the key focus areas in an SSI.

Within those domains are 12 “practices” — three under each domain. For example, Governance includes strategy & metrics, compliance and policy, and training.

Finally, grouped within the 12 practices are 121 SSI “activities” that BSIMM evaluators have observed in participating organizations.

The SAMM model is organized in five “core business functions,” or categories of “activities related to the nuts and bolts of software development.” They are: Governance, Design, Implementation, Verification, and Operations.

Within each of those functions are three security practices, for a total of 15. For example, Governance includes strategy and metrics, policy and compliance, and education and guidance.

Finally, within each of those practices are three maturity levels as objectives.

The bottom line is that both models have unique advantages and can be used in whatever way an organization chooses. It’s possible to use one or the other, or both.

After all, they’re both free. And in this case, the old cliché “you get what you pay for” doesn’t apply. You get way more than what you pay for.

Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.