We are reaching the time of year when millions of people who started the New Year with heartfelt resolutions to lose weight and get into shape begin to waver in their resolve. Valentine’s Day marks the traditional point where health clubs see a substantial drop from January attendance spikes. Anyone who really understands healthy living (and is not selling a diet plan) will tell you that these short-term commitments aren’t effective. Only a change in lifestyle and the adoption of better habits will create long-term, meaningful results.
Businesses fall into the same trap with application security, binging on diets of software testing in an attempt at a quick fix. And just as there is no shortage of people ready to sell you a new diet program, there are vendors ready to offer an “easy button” approach to testing.
In a recent conversation with an industry analyst, I was told that over two thirds of the calls received about application security were from organizations that were either:
• Unsatisfied with the quality of the findings from their application security testing (AST) or
• Seeking a more disciplined, “properly functioning” AST program.
The analyst was conveying anecdotal information, so the data is not in a formal analysis that I can cite as a source. But the information is consistent with what I see in the market.
Buying a gym membership won’t get you into shape. You have to commit and actually go to the gym. In the same way, simply running application security tests is not a program – it never has been. At best, it is an outward indicator that the organization may have some form of a software security group (SSG) or software security initiative (SSI). However, the probability of success in securing applications can be traced to the existence of the habits and structure that are represented by these two terms.
An SSI is the set of activities necessary to build secure software. The SSI represents the habits and organizational lifestyle elements required to build security into the development process, rather than the reactive process of bolting security onto existing software. An SSI is the disciplined program that, according to the analyst I spoke with, organizations say they need. In our diet and fitness analogy, an SSI is a commitment to a security lifestyle.
An SSG is the formalized group of people commissioned for making the SSI work. They manage operations, provide resources or help others train resources, provide policies and processes, and manage the interfacing between the involved groups such as the development team and IT Security. They make sure that the organization understands the habits required and provides the leadership to integrate these habits into daily activities. In our diet and fitness analogy, they are the personal trainers.
The first question I ask when meeting a new organization is simply, “Do you have an SSG?” The conversation immediately bifurcates:
• A “yes” answer means they have a program with budgets and people committed to software security. Someone has the authority to make it work, and is answerable to management if it does not. It also implies they have some form of SSI in place, which is an important distinction.
• A “no” answer means no budget, no authority, no guidelines, no metrics, and no expectations. It becomes easy to predict the state of their software security.
Organizations with no SSI or SSG may employ application testing without a plan or structure, which is the equivalent of combining a new gym membership with the latest fad diet. It feels good for a short time, but the lack of discipline and rigor will soon show itself in the form of poor results. Tests generate findings, and those findings must be reviewed, confirmed, prioritized, and applied. These organizations soon find that testing is not a program.
If there is no buy-in from the development team, the findings may simply be ignored in the interest of meeting development timelines. This often happens when IT Security runs the tests without setting up the appropriate communication channels and expectations with the development teams. If management has not bought into the process, the developers know they are incentivized to deliver code by their deadlines, not to write secure code.
Further resistance is encountered when the developers have received no security training and therefore have no idea of what to do with the findings they receive. It is like being thrown into a room of elaborate and complicated exercise machines without instruction. You are told to “work on your legs today,” but have no idea of the proper machine to use, how to use it effectively, the proper weight to apply, or how many repetitions of the exercise to perform.
For firms with an SSI/SSG, habits and process are the critical success factors. Staff is not only trained, but incentivized to raise their security IQ. There are clear paths of communication between the security team and the developers. Experienced organizations learn that security is not a drag on performance, but can provide productivity gains by eliminating security vulnerabilities early in the development process. Effective metrics are produced to demonstrate to management the value of the program and reduction of risk.
Want to see what these habits look like? The current Building Security In Maturity Model (BSIMM) is a measurement of the activities of 78 organizations and their SSGs. The BSIMM reflects the observations made of these organizations for 112 activities that emerge as critical habits for software security. It provides a way for organizations to assess their status and see how they compare to the entire data set or organizations within their industry. This empowers organizations to identify needed areas of improvement and set their priorities and resources accordingly. The BSIMM is no secret—it is available online to everyone at https://www.BSIMM.com.
The BSIMM exists because the activities associated with a successful software security initiative are observable, measurable, and consistent. When taken together, these activities represent commitment, structure, and process. They are not a fad, the next super food, or a quick fix. So like diet and fitness, the path is well defined. Success comes from changing your habits to make the commitment to secure software a lifestyle.
By Jim Ivers