BSIMM7 Software Security Framework: A Quick Walk-through


With the continuous increase in data breaches, organisations have started taking security seriously and have introduced Secure Software Development Life Cycle (SSDLC) programs. The dilemma is that they often do not know where to start. Even though they invest in security activities, measuring the impact of those activities is frequently overlooked, which results in over-investment in low-impact activities. Many standards and frameworks have been developed to help such organisations measure the state of their software security. One such framework is the Building Security In Maturity Model (BSIMM).

What is BSIMM?
BSIMM is a software security measurement framework established to help organisations compare their software security initiatives with those of other organisations and find out where they stand.

“The Building Security In Maturity Model is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique”.
[Source: BSIMM]

The model is based on a study of organisations across industries such as financial services, healthcare, software, cloud providers and more.

How does BSIMM work?

The model is based on observational science around software security. Drawing on years of research and findings, it provides a common measuring stick of 113 activities for organisations. These activities are grouped into 12 practices organised into 4 domains: Governance, Intelligence, SSDL Touchpoints and Deployment. BSIMM's Software Security Framework (SSF) and its activity descriptions provide a common vocabulary for explaining the elements of a software security initiative, enabling organisations to compare their maturity uniformly. BSIMM7 is the 7th major version of the BSIMM model.

Advantages of adopting the BSIMM7 framework:

  • Enables organisations to start a Software Security Initiative (SSI)
  • Provides standard criteria for measuring and comparing SSIs within a domain or industry
  • Helps organisations learn from others' mistakes so that they do not repeat them. It helps members of the BSIMM community by bringing together people from companies that have been measured, so they can compare notes and realise that they often share the same problems.
  • Helps them plan, execute and measure an initiative of their own without bringing a third party on board. The analysis covers around 100 large companies such as Microsoft, EMC and Google, so you can leverage the years of experience captured in the model to improve your own software security initiative.
  • Gives clarity on what is "the right thing to do".
  • Helps industries and business units measure the current state of their software security initiative, identify gaps, prioritise change by applying scientific principles, and determine how and where to apply resources for immediate improvement by comparing themselves with other organisations' software security initiatives.
  • Reduces cost through standard, repeatable processes.


BSIMM Framework
The BSIMM7 framework is the study of 113 different activities across 4 domains consisting of 12 practices:
Ref: https://www.bsimm.com/framework/

[Figure: BSIMM maturity model]

A. Domain: Governance
These are practices that help companies organise, manage and measure a Software Security Initiative (SSI).

1. Strategy & Metrics (SM): 

This practice covers security process planning and publication, helping to define software security goals and the metrics needed to measure them, and to identify quality gates along with definitions of roles and responsibilities. It also covers awareness and education programs, especially for management and executives, to ensure well-informed decision making.

2. Compliance & Policy (CP): 

As the name suggests, the Compliance & Policy practice focuses on regulatory and compliance drivers such as PCI DSS and HIPAA. It consists of activities such as identifying PII obligations, defining security policy, and setting up processes to fulfil such requirements, for example defining SLAs, contracts and audit scope.

3. Training (T): 

Training is required so that participants at every level of the SSDLC have basic security knowledge. Awareness training should be mandatory for all, with additional training requirements identified based on individual roles and responsibilities.


B. Domain: Intelligence

These practices result in the collection and identification of corporate intelligence related to the SSI. Proactive security guidance and processes such as threat modeling define the different activities.

4. Attack Models (AM): 

In this practice, developers think like an attacker and build knowledge of technology-specific attack patterns. This knowledge then guides decisions about code and controls. Data classification, collecting information on technology-specific attack patterns, and building a list of possible attacks and related case studies are some of the major activities involved in defining attack models.


5. Security Features & Design (SFD): 

The SFD practice provides guidance on building, reviewing and publishing proactive security features, and on building or providing pointers to secure-by-design frameworks along with mature design patterns for major security controls.

6. Standards & Requirements (SR): 

This practice sets out the explicit security requirements and standards for the organisation. It helps both in recommending and in tracking the standard security controls to be used, aligned with industry standards. Creating a review board, SLA checkpoints and policies to handle open source risk are part of the same practice.


C. Domain: SSDL Touchpoints

This domain is the most familiar of the four. It covers the essential security best practices required in the software development (SDLC) phases.


7. Architecture Analysis (AA): 

The primary goal of this practice is to build quality control by performing security feature and design reviews for high-risk applications.


8. Code Review (CR): 

As the name suggests, this practice includes activities related to secure code implementation and the review process. Defining the roles involved in code review, the coding standards to follow and the defect management process are part of it. It also tracks both manual and automated code review.

9. Security Testing (ST): 

This practice deals with different security testing methods such as black-box testing, fuzzing, automation and risk-driven white-box analysis. It addresses vulnerabilities in application construction.

D. Domain: Deployment

This domain includes practices dealing with network security and software maintenance requirements. Software configuration, maintenance and other environment issues, and their impact, are detailed in this domain.

10. Penetration Testing (PT): 

This practice involves activities related to vulnerability discovery and the correction of security defects in software that has moved to deployment. This needs to be done in adherence to standards and with reuse of approved security features. Managing an external penetration testing process and defining its scope are part of these activities.

11. Software Environment (SE):

This practice includes activities related to secure software deployment and maintenance. Use of code protection mechanisms, publication of installation and secure deployment guides, configuration documentation and so on are part of these activities. It also covers mechanisms for application behaviour monitoring and diagnostics.

12. Configuration Management & Vulnerability Management (CMVM):

The goal of this practice is to track activities related to patching, version control and change management. It also deals with building incident handling plans and simulating responses to a software crisis.

BSIMM standards are widely accepted by organisations across industries, and they help those organisations compare their software security initiatives with industry peers. This is helping them grow their business units and drive their budgeting. According to a number of security reports, the computer security industry as a whole is growing fast, at a rate of about 8.9% per year, generating between $20 and $40 billion in revenue annually. Currently, software security accounts for 10% of that growth and is growing at twice the rate per year.
 
Hack2Secure assists organisations in adopting the BSIMM framework, along with evaluating and implementing security controls across Secure SDLC phases.
