The latest Building Security in Maturity Model (BSIMM) report, released in September, detailed 111 software security initiatives being undertaken by participants. While the report is a descriptive model of current industry best practices rather than a set of recommendations, its authors recently highlighted some of the common activities it includes that can serve as guidelines for improving security even in organizations that are not members.
"If you're not doing them, you probably need to improve your security, and this is a way to get started," BSIMM co-author Gary McGraw told CSO Online. "You can see what is already working."
Twelve practices being employed by nearly all participants in the report include:
1. Identifying gate locations and gathering the necessary security-relevant artifacts in preparation for implementing access controls
2. Cataloguing personally identifiable information and sensitive data in the organization
3. Providing awareness training by teaching developers the importance of security as well as usability features in a program
4. Gathering attack intelligence to better anticipate exploits
5. Building and publishing security features
6. Creating enforceable security standards for developers
7. Reviewing security features to ensure their architecture allows them to work correctly
8. Using automated tools in conjunction with manual code review
9. Ensuring quality assurance (QA) staff are testing security boundaries and approaching software from the mindset of attackers in addition to ensuring intended functions and features work correctly
10. Using external penetration testers to find problems in advance of release
11. Checking application hosting and network security basics before deployment
12. Identifying bugs and feeding them back to development to improve the process in the future in addition to creating a patch
McGraw and co-author Jacob West noted that even following all 111 BSIMM guidelines will not guarantee flawless development, but beginning with these 12 points can help organizations head in the right direction. West explained that building security into the development practice has become a "common practice" despite once being a point of objection.
Spotlight on static analysis
Of the 111 best practices mentioned in the BSIMM 4 report, 109 were also mentioned in BSIMM 3, eSecurity Planet reported. McGraw and West drew particular attention to the two new additions: using a static analysis tool and performing security disaster simulations. Static analysis can be used not only to look for exploitable flaws but also to test for fully developed software security issues, McGraw noted.
"There are now a lot of firms that use source code analysis to not just look for bugs, but to look for intentionally injected problems that could lead to insider attacks," he told eSecurity Planet.
By rehearsing organizational response to a public zero-day disclosure, enterprises can also anticipate the effects of such problems and take steps toward mitigation. At the heart of practices such as simulations and static analysis is also a focus on training and education, West told eSecurity Planet.
"So you're teaching developers about a kind of bug they have experienced in the past and need to be aware of," he said. "Then BSIMM follows up on that with a one-two punch using security standards and giving developers concrete guidance on how to code securely and avoid that mistake."
Static analysis tools provide developers with immediate feedback about errors to help with this training process. Such source code analysis methods also improve coders' abilities to catch basic defects such as use-after-free bugs, West noted. Especially in conjunction with other security tools and practices, static analysis can be a valuable layer of risk mitigation and an integral part of the secure development life cycle.
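As an added illustration (not code from the article, BSIMM, or Klocwork) of the kind of check behind such feedback, the following toy Python checker walks a constructed, straight-line C-like snippet, tracks which pointers alias the same heap object, and reports the use-after-free and the double free a developer would be shown on the spot; `SAMPLE`, `find_use_after_free` and the simplified statement grammar are all assumptions of this example, not a real analyzer's engine.

```python
import re
# Constructed C-like statements, one per line (not code from the article).
SAMPLE = """p = malloc(16);
q = p;
free(p);
p = malloc(32);
q->x = 1;
free(q);"""
FREE_RE = re.compile(r'^\s*free\(\s*(\w+)\s*\)\s*;')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*;')
IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')

def find_use_after_free(source):
    """Toy straight-line use-after-free / double-free checker: tracks pointer
    aliases and freed objects, returns (line, variable, kind) per bad use."""
    groups = {}    # var -> set of vars that alias the same heap object
    freed = set()  # vars whose object is currently freed (dangling)
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        m = FREE_RE.match(line)
        if m:
            v = m.group(1)
            if v in freed:
                findings.append((n, v, 'double free'))
            freed |= groups.get(v, {v})  # every alias of v now dangles
            continue
        m = ASSIGN_RE.match(line)
        if m and m.group(2).startswith('malloc('):
            v = m.group(1)  # fresh object: v leaves its old alias group
            for g in groups.values():
                g.discard(v)
            groups[v] = {v}
            freed.discard(v)
            continue
        if m and IDENT_RE.fullmatch(m.group(2)):
            dst, src = m.group(1), m.group(2)  # pointer copy: dst aliases src
            if src in freed:
                findings.append((n, src, 'use after free'))
                freed.add(dst)
            else:
                freed.discard(dst)
            for g in groups.values():
                g.discard(dst)
            groups[dst] = groups.setdefault(src, {src})
            groups[dst].add(dst)
            continue
        for ident in IDENT_RE.findall(line):  # any other read or write
            if ident in freed:
                findings.append((n, ident, 'use after free'))
    return findings
```

Running `find_use_after_free(SAMPLE)` flags line 5 (`q` still points at the object freed through its alias `p`) and line 6 (freeing it again), while the reassignment of `p` on line 4 is correctly treated as a fresh, valid pointer.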
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.