Enterprises are realizing they need to adjust their security initiatives, and as result, software security is finally becoming mainstream. But with the rise of new trends like the Internet of Things and containerization, it’s up to security teams to teach developers how to secure their code.
Cigital addresses these trends in BSIMM7, the latest version of its software security measurement tool. BSIMM7 looks at the value of software security, as well as industry changes surrounding security practices. The model it uses also has data on what firms are doing to stay secure, as well as the efforts to demonstrate what the companies are doing right.
The BSIMM7 model has expanded to include the largest amount of companies in its eight years of addressing software security, said Gary McGraw, CTO of Cigital.
The model now draws from 95 organizations in six areas: financial services, independent software vendors, cloud, healthcare, Internet of Things, and insurance. (The last two industries were added this year.)
Industries represented within those areas included telecommunications, security, retail and energy, and it covered companies like Aetna, Bank of America, EMC, JPMorgan Chase, Siemens, Target and Wells Fargo.
McGraw said that Cigital tracks many industries, but only reported the data when they have at least nine companies in an area. This way, Cigital can report the data without “outing” any particular firm, he said.
Last year, the BSIMM6 model introduced the healthcare industry to bolster the dataset and show other healthcare firms what’s at risk within their systems. During this time, Cigital found software security to be lagging here. While healthcare software security has improved lately, McGraw said it still has a way to go.
On the other hand, the insurance vertical is slightly more mature than healthcare, and firms that were not paying attention to software security are now trying to up their efforts, according to McGraw.
Just like healthcare, data breaches are a big security risk for insurance companies, said McGraw. As this industry goes through its own digital transformation, it will completely change it will operate, he said.
“You used to go into your local insurance agent once every long time, but now insurance companies are releasing apps, and they have mobile solutions,” said McGraw. “As they adopt these new technology, they need to be really careful [of vulnerabilities].”
The BSIMM7 model is based on observation, and it serves as a “measuring stick” for software security for product security teams or software security groups (SSGs), said McGraw. The BSIMM is meant for use by anyone responsible for creating and executing a software security initiative, but developers looking to gain more insight into software security can benefit from the report as well.
“We still have many more people to teach about software security and building security in,” said McGraw.
According to the report, 272,782 developers have been directly touched by the BSIMM. With new technologies like IoT and containers, McGraw said it’s up to the SSGs to teach developers how to implement security better as software changes.
“That’s the job of the SSG, it’s to teach developers how to build security better,” said McGraw. “And that’s what we do at Cigital all day, we teach armies of developers how to code better, how to review their code with modern tools, what they can do when transporting their code to the cloud, and how to design and architect their code to be secure. All of those things are described by the BSIMM.”