Building Security in Maturity Model Expands for Cloud Era

The ninth iteration of the BSIMM best practices for security model, adds new components for cloud control, including the use of container orchestration frameworks.


Synopsys released its BSIMM9 report on Oct. 2, providing new insight into how organizations are using additional controls to help secure cloud and container deployments.

The Building Security in Maturity Model (BSIMM) is based on data from 120 firms and more than 7,800 software security professionals, collected over a 10-year period. The 78-page BSIMM9 report reveals that organizations are increasingly moving to the cloud and taking multiple steps, including using container orchestration platforms, to help secure workloads.

"We started BSIMM a decade ago, and the idea was pretty straightforward, although revolutionary," Gary McGraw, vice president of security technology at Synopsys and co-author of the BSIMM report, told eWEEK. "The idea was that instead of talking about what we think people ought to do in software security, why don't we just go out there and find out what they're actually doing."

Over its 10-year history, the BSIMM report has incrementally added new controls as organizations have expanded their security practices. In 2013, for example, BSIMM added bug bounty programs, while back in 2012, the use of static analysis tools for code review was first recommended.

"We've collected a set of observations that we've organized into a measurement tool for software security," McGraw said. "The tool is focusing on an organization and its abilities and not a particular piece of software."


BSIMM has been tracking things like DevOps and cloud architecture ever since its inception, but over the past year there has been a shift, according to McGraw.

"What we noticed in this iteration of the BSIMM is that the cloud architecture stuff has gone past the baloney stage and into the 'people are actually using it' stage," he said.

Across three different industry verticals—independent software vendors (ISVs), internet of things (IoT) and cloud vendors—McGraw said that there was a strong similarity in the cloud controls used, which in his view is a signal that a market transformation is happening.

The use of containers was already in prior BSIMM reports, but with BSIMM9, three new activities are starting to be tracked, including the use of orchestration platforms for containers and virtualized environments. In addition, BSIMM is adding enhanced application inventory technology tools usage, which provides information about what is contained with a given application or platform. The third new activity is basic cloud security.

"The basics are slightly less basic than you might think," McGraw said.

Generally speaking, he said that cloud vendors such as Amazon Web Services, Microsoft Azure and Google Cloud Platform provide a basic raw machine that a user configures and puts applications on top of. He added that the cloud vendors tend to provide some basic security for those raw machines, for availability and access permissions.

"But what they don't have is a way of securing directly the application themselves," McGraw said. "So by cloud security basics, we mean things like making sure that your application is installed with the correct permissions and basically customizing for software security."

GDPR Compliance

One of the biggest security tasks many firms have had to deal with in the past year is the European Union's General Data Protection Regulation (GDPR), which went into effect in May. McGraw said BSIMM already had multiple activities in the model to help organizations with their GDPR compliance efforts.

For example, he said, BSIMM already had data classification as an activity, as well as tracking the use of personally identifiable information (PII) and data inventory.

"We did see GDPR impact the firms that we were measuring, but generally speaking, it was a positive impact, where existing privacy controls and existing privacy activities were enhanced and juiced with a few more resources behind them," McGraw said. 

BSIMM vs. Data Breaches

BSIMM is intended to be used as a tool to help firms understand and improve their software security posture. What's not known, however, is the precise relationship between BSIMM success and data breach prevention.

"No firm has ever done all of the activities identified in BSIMM," McGraw said. "You have to realize that BSIMM activities are the union of all things in software security found at over 120 firms."

McGraw said the he doesn't even recommend that organizations looking at BSIMM attempt to implement every control. In fact, the research over the years has shown that organizations can only add two or three new security activities over the course of year in a successful and sustainable manner.

"You can't just do something once and get a checkmark on the BSIMM; that's not the way it works," he said.

While McGraw doesn't have any hard statistics showing a correlation between data breach prevention and BSIMM adherence, he said such a correlation is likely. Measuring security posture is not an easy task and isn't about any one tool. McGraw said that when he started out in the security industry, his view was it was possible to just scan code and then determine if it was secure.

"But as I grew up, I realized that because we can't directly measure security in software, we have to retreat to a second order measurement of activities, and then work on the hypothesis that these activities actually lead to more secure software," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.