
BSIMM in the Age of Agile

Apr 13, 2017 By Paul Curran

Since 2009, the Build Security in Maturity Model (BSIMM) has been helping organizations across a wide range of verticals build long-term plans for software security initiatives based on actual observed data from the field provided by nearly 100 participating firms.

In the most recent BSIMM report, released in late 2016, BSIMM co-author and inventor Gary McGraw highlights the challenge organizations face when it comes to correctly implementing security in agile development environments. For organizations adopting continuous integration/continuous deployment (CICD) and DevOps, security may be seen as an inhibitor, but it doesn’t need to be. Read on to find out why.

What is BSIMM?

First published in 2009 to counter the many emerging software security methodologies that were based mainly on opinion rather than fact, the Build Security in Maturity Model (BSIMM) is a software security measurement framework that helps organizations gauge their software security efforts.

 

“[The BSIMM] doesn’t tell you what you should do. It tells you what other people are already doing.” –Gary McGraw, co-author and inventor of the BSIMM

BSIMM allows organizations to build a maturity model based on actual data gathered from relevant, real-world software security initiatives.

 

BSIMM’s Mission:

“To quantify the activities carried out by real software security initiatives in order to help the wider software security community plan, carry out and measure initiatives of their own.”

 

Currently in its seventh iteration, the BSIMM is made up of 113 activities, grouped into four domains: Governance, Intelligence, SSDL Touchpoints and Deployment.

Created for anyone who is responsible for creating and executing a software security initiative, the BSIMM gives organizations actual measurement data from the field, thus allowing them to build a long-term plan for a software security initiative while tracking progress against their plan.

BSIMM in the Age of Agile

“Bad software equals insecure software, and companies don’t have to accept this status quo,” writes Tom Spring of ThreatPost, taking a high-level look at the goals and takeaways of the seventh, and most recent, annual Building Security in Maturity Model report, which was released in October 2016.

Among the key challenges facing organizations that depend on rapid-release cycles is the question of how to fit security into a constantly evolving software development lifecycle.

“More verticals are developing cloud software using CIDC (continuous integration and continuous development). This is a net plus, but a lot of companies are still struggling with how to adopt this software development approach,” McGraw notes in the 2016 BSIMM report.

When it comes to implementing security within CICD and DevOps environments, there are often stumbling blocks that prevent security from being built into development with confidence, because security is often viewed as an inhibitor.

Tackling the CICD Security Challenge

Security is seen as an inhibitor

Rather than looking at security as an inhibitor that will clog up the release pipeline, security teams need to find application security solutions that accelerate security work without compromising release speed or quality.

Static code analysis solutions that offer features such as full IDE integration and a quick setup process don’t cause the broken processes that security teams may be wary of.

Features such as incremental scanning and best fix location, both found in Checkmarx’s CxSAST, allow teams to substantially reduce both scan time and remediation time: only new code is scanned, and multiple vulnerabilities can be remediated at a single location in the code.


Paul Curran

Content Specialist at Checkmarx
With a background in mobile applications, Paul brings a passion for creativity reporting on application security trends, news and security issues facing developers, organizations and end users to Checkmarx's content.
