How many security officers should there be for each software developer? Turns out the answer is one for every 100. This and other best software security best practices are now part of a joint project between security vendor Fortify and the security consulting firm Cigital.
Entitled Building Security In Maturity Model (BSIMM), the project is not intended to be a "how to" nor even a one size fits all solution to writing secure code, according to Fortify. Rather, BSIMM is the result of conversations around software security practices that Fortify and Cigital had with companies such as Adobe, EMC, Google, Microsoft, QUALCOMM, Wells Fargo, and Depository Trust & Clearing Corporation (DTCC).
In many cases the companies were doing, in principal, some of the same things. For example, all the organizations interviewed have an institutionalized security training curriculum for programmers, QA engineers, and project managers. Each of the nine enterprises has a designated group of software security personnel-one per every hundred software developers. And all companies interviewed emphasize security education, technical resources, and mentoring rather than policing for security errors and handing out punishments.
The result is rare insight into what successful organizations actually do to build security into their software, and the tools on the site can be downloaded for free by organizations seeking to mitigate the business risk associated with insecure applications. For example, the Software Security Framework (SSF), included within the BSIMM, is an adaptable security model that allows any organization to assess their current state of software development, to prioritize changes, and to chart progress.
The model uses a dozen categories to illustrate all the steps between training to testing software after it is written. There's a list of activities within each category designed to help make a company's software more secure. The activities ask the company to provide examples from its own history to personalize the points.
If this sounds familiar, it is. Last summer Mozilla announced a similar project initiated by Window Snyder before she left the company. There, too, the best security practices used at Mozilla was to be modeled and taught to other companies. The Mozilla Metrics project is currently being run by Rich Mogull.