
The Evolution of Software Security Best Practices | Best of ECT News

This story was originally published on LinuxInsider on Oct. 2, 2018, and is brought to you today as part of our Best of ECT News series.

Independent software vendors, along with Internet of Things and cloud vendors, are involved in a market transformation that is making them look more alike. The similarities are evident in the way they approach software security initiatives, according to a report from Synopsys.

Synopsys on Tuesday released its ninth annual Building Security in Maturity Model, or BSIMM9. The BSIMM project provides a de facto standard for assessing and then improving software security initiatives, the company said.

After 10 years of conducting the study, it is clear that testing security correctly means being involved in the software development process, even as that process evolves, said Gary McGraw, vice president of security technology at Synopsys.

Using the BSIMM model, along with research from this year's 120 participating firms, Synopsys evaluated each industry, determined its maturity, and identified which activities were present in highly successful software security initiatives, he told LinuxInsider.

"We have been tracking each of these vendors separately over the years," McGraw said. "We are seeing that this whole cloud thing has moved beyond the hype cycle and is becoming real. As a result, the three categories of vendors are all beginning to look the same. They are all taking a similar approach to software security."

Targets on Businesses' Backs

The BSIMM is a multiyear study of real-world software security initiatives based on data gathered by more than 90 individuals in 120 firms. The report is a measuring stick for software security, according to Synopsys.

Its primary intent is to provide a basis for companies to compare and contrast their own initiatives with the model's data about what other organizations are doing. Companies participating in the study then can identify their own goals and objectives. The companies can refer to the BSIMM to determine which additional activities make sense for them.

Synopsys captured the data for the BSIMM. Oracle provided resources for data analysis.

Synopsys' new BSIMM9 report reflects the increasingly critical role that security plays in software development.

It is no exaggeration to say that from a security perspective, businesses have targets painted on their backs due to the value that their data assets represent to cybercriminals, noted Charles King, principal analyst at Pund-IT.

"Software can provide critical lines of defense to hinder or prevent incursions, but to be effective, security needs to be implemented across the development cycle," he told LinuxInsider. "The BSIMM9 report nails some high points by emphasizing the growing importance of cloud computing for businesses."

Security Status Quo

Rather than provide a how-to guide, this report reflects the current state of software security. Organizations can leverage it across various industries -- including financial services, healthcare, retail, cloud and IoT -- to directly compare and contrast their security approach to some of the best firms in the world.

The report explores how e-commerce has impacted software security initiatives at retail firms.

"The efforts by financial firms to proactively start Software Security Initiatives reflects how security concerns affect and are responded to differently by various industries and organizations," said King. "Overall, the new report emphasizes the continuing relevance, importance and value of the Synopsys project."

One key finding in the new report is the growing role played by cloud computing and its effects on security. For example, it shows more emphasis on things like containerization and orchestration, and ways of developing software that are designed for the cloud, according to McGraw.

Following are key findings from this year's report:

Cloud transformation has been changing how businesses approach software security.

Financial services firms, responding to regulatory change, started their software security initiatives (SSIs) much earlier than insurance and healthcare firms.

Retail, a new category in the report, showed remarkably fast adoption and maturation once retail companies started considering software security. In part, that is because they have used the BSIMM to accelerate their progress.

In one sense, the report lets users predict their own future, by showing them how to become more like the firms that are the best in the world, according to McGraw.

"The bottom line is that we see the BSIMM is indicating a market transformation that is actually taking place. We are getting past the baloney into the brass tacks," he said.

Activities and Practices

The BSIMM framework consists of 115 activities divided among 12 practices, with each activity assigned to one of three maturity levels.

Level one activities are relatively easy and many firms undertake them, noted McGraw. Level two activities are harder and typically build on level one activities already in place.

"It is not necessary, but that is what we usually see," he said. "Level three is rocket science. Only a few firms do level three stuff."

The researchers already have a good sense of which software security activities are easy and which are hard. They also know the most commonly observed activities in each of the 12 practices.

"So we can say if you are approaching code review and you are not doing this activity, you should know that pretty much everybody else is," said McGraw. "You should then ask yourself, 'Why?'"

That does not mean a firm has to adopt a given activity, he added. It just means the firm should consider why it is not doing so.

Key Roles

The BSIMM9 report also gives a detailed explanation of the key roles in a software security initiative, the activities that now comprise the model, and a summary of the raw data collected. It is essential to recognize the target audience for the report.

The audience is anyone responsible for creating and executing a software security initiative. Successful SSIs typically are run by a senior executive who reports to the highest levels in an organization.

They lead an internal group the researchers call the "software security group," or SSG, charged with directly executing or facilitating the activities described in the BSIMM. The BSIMM is written with the SSG and its leadership in mind.

"We are seeing for the first time a convergence of verticals -- ISVs, IoT vendors and the cloud -- that used to look different in the way they approached software security," said McGraw. "They were all doing software security stuff, but they were not doing it exactly the same way."

Objective Data

Each year the researchers re-assess the same firms and add new participants, so all of the data is refreshed annually. The data is therefore at most 12 months old, and on average considerably fresher. Because of the methods the researchers use, there is little lag between what firms are doing and what the model reports, according to McGraw.

The BSIMM review provides a much more objective view of what is going on in the target groups than you would get by looking at a few case studies, he noted. That was one of the study's goals when he initiated it years ago.

"The BSIMM is the result of wanting to have real objective data without overemphasizing technology or people of particular vendors or whoever paid us money," McGraw said.

Community Feedback

Under its charter, the BSIMM is not designed to make a profit, only to let Synopsys break even. Firms pay for their participation in the study and for sponsored events, said McGraw. Non-participants can read the report for free, but paying to participate gets a company its own results.

This gives paid participants a detailed look at their own software security and how it compares with that of other firms, McGraw explained. The published report does not disclose the data of individual firms, only aggregate data.

The most important outcome for participating is feedback from the community that developed among the participants, according to McGraw. Synopsys holds two annual conferences, one in the U.S. and one in the EU.

Unified View

Ten years ago security researchers did not know what everybody was doing regarding software security. Now firms can use the BSIMM data to guide their own approach to it, according to McGraw.

"We learned that all firms did software security slightly differently. There is no one correct way because the cultures of all the firms and their dev teams differed," he said.

With a unified view of all the approaches used, researchers can describe in general how to approach software security and track particular activities, McGraw said.

"We didn't come up with a particular set of prescriptive guidance. Instead, we came up with a descriptive set of facts that you can use to make great fast progress with software security," he noted.

What Successful Firms Are Doing

BSIMM researchers recognize that the report data on software security never will eliminate data breaches and other software security concerns. Unfortunately, there is no first-order way to measure security, noted McGraw.

"You cannot throw software in a box that lights up red or green. We retreated to developing a look at what successful firms are doing as a way to guide other firms to be more like them," he said, "but there is no way to measure that directly."

Synopsys' theory is that if you want to get out front, you first have to build better software, said McGraw. "Better security comes about with the way you build software."

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.
