
The Evolution of Software Security Best Practices | Best of ECT News

This story was originally published on LinuxInsider on Oct. 2, 2018, and is brought to you today as part of our Best of ECT News series.

Independent software vendors, along with Internet of Things and cloud vendors, are involved in a market transformation that is making them look more alike. The similarities are evident in the way they approach software security initiatives, according to a report from Synopsys.

Synopsys on Tuesday released its ninth annual Building Security in Maturity Model, or BSIMM9. The BSIMM project provides a de facto standard for assessing and then improving software security initiatives, the company said.

Ten years of conducting the study have made it clear that testing security correctly means being involved in the software development process, even as that process evolves, said Gary McGraw, vice president of security technology at Synopsys.

Using the BSIMM model, along with research from this year's 120 participating firms, Synopsys evaluated each industry, determined its maturity, and identified which activities were present in highly successful software security initiatives, he told LinuxInsider.

"We have been tracking each of these vendors separately over the years," McGraw said. "We are seeing that this whole cloud thing has moved beyond the hype cycle and is becoming real. As a result, the three categories of vendors are all beginning to look the same. They are all taking a similar approach to software security."

Targets on Businesses' Backs

The BSIMM is a multiyear study of real-world software security initiatives based on data gathered by more than 90 individuals in 120 firms. The report is a measuring stick for software security, according to Synopsys.

Its primary intent is to provide a basis for companies to compare and contrast their own initiatives with the model's data about what other organizations are doing. Companies participating in the study then can identify their own goals and objectives. The companies can refer to the BSIMM to determine which additional activities make sense for them.

Synopsys captured the data for the BSIMM. Oracle provided resources for data analysis.

Synopsys' new BSIMM9 report reflects the increasingly critical role that security plays in software development.

It is no exaggeration to say that from a security perspective, businesses have targets painted on their backs due to the value that their data assets represent to cybercriminals, noted Charles King, principal analyst at Pund-IT.

"Software can provide critical lines of defense to hinder or prevent incursions, but to be effective, security needs to be implemented across the development cycle," he told LinuxInsider. "The BSIMM9 report nails some high points by emphasizing the growing importance of cloud computing for businesses."

Security Status Quo

Rather than provide a how-to guide, the report reflects the current state of software security. Organizations across various industries -- including financial services, healthcare, retail, cloud and IoT -- can use it to compare and contrast their security approach directly with that of some of the best firms in the world.

The report explores how e-commerce has impacted software security initiatives at retail firms.

"The efforts by financial firms to proactively start Software Security Initiatives reflect how security concerns affect and are responded to differently by various industries and organizations," said King. "Overall, the new report emphasizes the continuing relevance, importance and value of the Synopsys project."

One key finding in the new report is the growing role played by cloud computing and its effects on security. For example, it shows more emphasis on things like containerization and orchestration, and ways of developing software that are designed for the cloud, according to McGraw.

Following are key findings from this year's report:

Cloud transformation has been impacting business approaches to software security.

Financial services firms have reacted to regulatory changes and started their SSIs much earlier than insurance and healthcare firms.

Retail, a new category for the report, experienced incredibly fast adoption and maturity in the space once retail companies started considering software security. In part, that is because they have been using the BSIMM to accelerate their initiatives.

In one sense, the report enables predicting the future, allowing users to become more like the firms that are the best in the world, according to McGraw.

"The bottom line is that we see the BSIMM is indicating a market transformation that is actually taking place. We are getting past the baloney into the brass tacks," he said.

Activities and Practices

The BSIMM framework researchers established comprises 115 activities, divided into 12 different practices and grouped into three levels.

Level one activities are pretty easy and a lot of firms undertake them, noted McGraw. Level two is harder and requires having done some level one activities first.

"It is not necessary, but that is what we usually see," he said. "Level three is rocket science. Only a few firms do level three stuff."

The researchers already had some idea of what is easy and what is hard in dealing with software security initiatives. They also know the most popular activities in each of the 12 practices.

"So we can say if you are approaching code review and you are not doing this activity, you should know that pretty much everybody else is," said McGraw. "You should then ask yourself, 'Why?'"

That does not mean you have to do XYZ, he added. It just means maybe you should consider why you are not doing that.

Key Roles

The BSIMM9 report also gives a detailed explanation of the key roles in a software security initiative, the activities that now comprise the model, and a summary of the raw data collected. It is essential to recognize the target audience for the report.

The audience is anyone responsible for creating and executing a software security initiative. Successful SSIs typically are run by a senior executive who reports to the highest levels in an organization.

They lead an internal group the researchers call the "software security group," or SSG, charged with directly executing or facilitating the activities described in the BSIMM. The BSIMM is written with the SSG and its leadership in mind.

"We are seeing for the first time a convergence of verticals -- ISVs, IoT vendors and the cloud -- that used to look different in the way they approached software security," said McGraw. "They were all doing software security stuff, but they were not doing it exactly the same way."

Objective Data

Each year researchers talk to the same firms as well as new participants, and all of the data is refreshed each year. The data therefore reflect a window of at most 12 months -- and on average probably a much shorter time span. Because of the scientific methods the researchers use, the results are not much of a lagging indicator, according to McGraw.

The BSIMM review provides a much more objective view of what is going on in the target groups than you would get by looking at a few case studies, he noted. That was one of the study's goals when he initiated it years ago.

"The BSIMM is the result of wanting to have real objective data without overemphasizing technology or people of particular vendors or whoever paid us money," McGraw said.

Community Feedback

Under the BSIMM's charter, the project is designed not to be profit-making but only to let Synopsys break even. Firms pay for their participation in the study and sponsored events, said McGraw. Non-participants can view the report for free, but paying to participate gets companies their own results.

This gives paid participants a very intense look at their own software security and how it compares to others, with their own data reported back to them, McGraw explained. The published report does not provide the data of individual firms, only collective data.

The most important outcome for participating is feedback from the community that developed among the participants, according to McGraw. Synopsys holds two annual conferences, one in the U.S. and one in the EU.

Unified View

Ten years ago security researchers did not know what everybody was doing regarding software security. Now firms can use the BSIMM data to guide their own firm's approach to it, according to McGraw.

"We learned that all firms did software security slightly differently. There is no one correct way because the cultures of all the firms and their dev teams differed," he said.

With a unified view of all the approaches used, researchers can describe in general how to approach software security and track particular activities, McGraw said.

"We didn't come up with a particular set of prescriptive guidance. Instead, we came up with a descriptive set of facts that you can use to make great fast progress with software security," he noted.

What Successful Firms Are Doing

BSIMM researchers recognize that the report data on software security will never eliminate data breaches and other software security concerns. Unfortunately, there is no first-order way to measure security, noted McGraw.

"You cannot throw software in a box that lights up red or green. We retreated to developing a look at what successful firms are doing as a way to guide other firms to be more like them," he said, "but there is no way to measure that directly."

Synopsys' theory is that if you want to get out front, you first have to build better software, said McGraw. "Better security comes about with the way you build software."

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.
