For any company looking to improve the security of its software, it’s often difficult to know where to start or what to tackle next. What’s going to have the most impact? What are my peers in the industry doing?
To answer these questions, we asked the experts at Synopsys to share some of their research and best practices with us. The following is a guest post by Tom Stripling and Taylor Armerding from Synopsys.
Establishing security controls
Synopsys developed the Building Security In Maturity Model (BSIMM) as a measuring stick for software security initiatives. It tracks 122 security controls in 12 different domains, spanning organizational silos to get a comprehensive profile of a security program.
Using the BSIMM framework, Synopsys interviewed hundreds of firms to get a picture of the state of software security across the world in nine industries, including financial services, FinTech, independent software vendors, IoT, healthcare, cloud, insurance, and technology. Synopsys also publishes a unique BSIMM report that tracks the evolution of the software security industry every year.
Where to start: The top 5 security controls
How do you decide what to do first? To paraphrase George Orwell, although all activities are useful, some are more useful than others. To help you begin the software security maturity journey with the most fundamental activities, we’ve identified the top five controls from the BSIMM report. Nearly every firm Synopsys interviewed has implemented these five activities. If you’re not learning from these organizations, you may be missing something that you really should be doing.
1: Implement life cycle instrumentation and use to define governance
Software security leaders are dramatically shifting to using risk-based controls across their entire software portfolio, enabling development teams to find and fix flaws and defects earlier in the software development life cycle (SDLC). A large majority (92%) of BSIMM participants have implemented some form of this activity.
Secure software lifecycle processes are proactive approaches to building security into an application throughout development. In essence, “lifecycle instrumentation” means working software security into the application development process by collecting data at various stages of the SDLC and using that data to create and enforce software security policies.
2: Ensure host and network security basics are in place
Trying to implement software security before putting host and network security in place is like putting on shoes before your socks. Another large majority of participants (91%) show they realize the necessity of setting a good foundation for software security by ensuring that host and network security basics are in place across their data centers and networks.
3: Identify PII obligations
Securing personally identifiable information (PII) is—as it should be—a top priority for many organizations. A full 89% of participants are identifying their PII requirements, and 43% also have built a PII inventory. It’s important to note that outsourcing to hosted environments like the cloud doesn’t relax PII obligations and can even increase the difficulty of recognizing all associated obligations. Your company needs to understand where PII resides and prevent unauthorized disclosure of PII.
4: Perform security feature review
Security-aware organizations center their architecture analysis on a review of security features. Such a review would, for example, identify a system that was vulnerable to escalation of privilege attacks or a mobile application that incorrectly put PII in local storage. In BSIMM, 88% of participants have implemented this activity.
5: Use external penetration testers to find problems
While warnings from internal software security champions might go unheeded, external penetration testers can clearly demonstrate to an organization that it isn’t immune to security weaknesses—a reality that 87% of BSIMM participants have recognized.
Moving to automation
Overall, however, it is encouraging that just about all these top activities involve the move to automation, which means security testing is getting much better at keeping up with the exponential increase in the speed of development.
Where can I learn more?
Our colleagues at Synopsys will be writing more blog posts like this for us over the coming months. In the meantime, you can read about these top high-severity security vulnerabilities that app developers should watch out for in this past blog post:
- Cross-site scripting.
- Cross-site request forgery.
- HTTPS not enabled.
- Verbose error messages.