    Building Security in Maturity Model Expands for Cloud Era

    By Sean Michael Kerner - October 2, 2018

      Synopsys released its BSIMM9 report on Oct. 2, providing new insight into how organizations are using additional controls to help secure cloud and container deployments.

      The Building Security in Maturity Model (BSIMM) is based on data from 120 firms and more than 7,800 software security professionals, collected over a 10-year period. The 78-page BSIMM9 report reveals that organizations are increasingly moving to the cloud and taking multiple steps, including using container orchestration platforms, to help secure workloads.

      “We started BSIMM a decade ago, and the idea was pretty straightforward, although revolutionary,” Gary McGraw, vice president of security technology at Synopsys and co-author of the BSIMM report, told eWEEK. “The idea was that instead of talking about what we think people ought to do in software security, why don’t we just go out there and find out what they’re actually doing.”

      Over its 10-year history, the BSIMM report has incrementally added new controls as organizations have expanded their security practices. In 2013, for example, BSIMM added bug bounty programs, while back in 2012, the use of static analysis tools for code review was first recommended.

      “We’ve collected a set of observations that we’ve organized into a measurement tool for software security,” McGraw said. “The tool is focusing on an organization and its abilities and not a particular piece of software.”

      Cloud

      BSIMM has been tracking things like DevOps and cloud architecture ever since its inception, but over the past year there has been a shift, according to McGraw.

      “What we noticed in this iteration of the BSIMM is that the cloud architecture stuff has gone past the baloney stage and into the ‘people are actually using it’ stage,” he said.

      Across three different industry verticals—independent software vendors (ISVs), internet of things (IoT) and cloud vendors—McGraw said that there was a strong similarity in the cloud controls used, which in his view is a signal that a market transformation is happening.

      The use of containers was already covered in prior BSIMM reports, but BSIMM9 begins tracking three new activities: the use of orchestration platforms for containers and virtualized environments; the use of enhanced application inventory tools, which record what components are contained within a given application or platform; and basic cloud security.

      “The basics are slightly less basic than you might think,” McGraw said.

      Generally speaking, he said that cloud vendors such as Amazon Web Services, Microsoft Azure and Google Cloud Platform provide a basic raw machine that a user configures and puts applications on top of. He added that the cloud vendors tend to provide some basic security for those raw machines, for availability and access permissions.

      “But what they don’t have is a way of securing directly the applications themselves,” McGraw said. “So by cloud security basics, we mean things like making sure that your application is installed with the correct permissions and basically customizing for software security.”
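      The "installed with the correct permissions" basic above is the kind of check that is easy to describe and easy to skip. As an added illustration (this is not BSIMM, Synopsys or eWEEK code), the script below walks an application install tree and flags three common mistakes: world-writable files, setuid/setgid binaries, and secret files readable by group or others. The sample tree, the secret-file suffixes and the remediation rules are assumptions made for the example.

```python
import stat
import tempfile
from pathlib import Path

# Added example: permission audit of an application install tree.
# Not BSIMM/Synopsys code; thresholds and file roles are assumptions.

SETUID_SETGID = stat.S_ISUID | stat.S_ISGID
SECRET_SUFFIXES = {".pem", ".key", ".env"}  # assumption: files holding secrets


def audit_install_tree(root):
    """Return a sorted list of (relative_path, finding) for files under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue  # a symlink's own mode bits are not meaningful
        rel = str(path.relative_to(root))
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if stat.S_ISREG(mode) and mode & SETUID_SETGID:
            findings.append((rel, "setuid/setgid binary"))
        if path.suffix in SECRET_SUFFIXES and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((rel, "secret readable by group or others"))
    return findings


def fix_install_tree(root):
    """Clear the offending bits for each finding; returns the number of changes."""
    changed = 0
    for rel, finding in audit_install_tree(root):
        path = Path(root) / rel
        mode = stat.S_IMODE(path.lstat().st_mode)
        if finding == "world-writable":
            mode &= ~(stat.S_IWOTH | stat.S_IWGRP)
        elif finding == "setuid/setgid binary":
            mode &= ~SETUID_SETGID
        else:  # secret: owner-only access
            mode &= ~(stat.S_IRWXG | stat.S_IRWXO)
        path.chmod(mode)
        changed += 1
    return changed


def build_sample_tree():
    """Constructed sample install tree with deliberate mistakes (assumption)."""
    root = Path(tempfile.mkdtemp(prefix="app-"))
    for d in ("bin", "conf"):
        (root / d).mkdir()
        (root / d).chmod(0o755)
    app = root / "bin" / "app"
    app.write_bytes(b"#!/bin/sh\necho hi\n")
    app.chmod(0o4755)                       # setuid: bad
    helper = root / "bin" / "helper"
    helper.write_bytes(b"ok")
    helper.chmod(0o755)                     # fine
    env = root / "conf" / "app.env"
    env.write_text("DB_PASSWORD=x\n")
    env.chmod(0o644)                        # secret readable by others: bad
    cfg = root / "conf" / "app.toml"
    cfg.write_text("[server]\nport = 8080\n")
    cfg.chmod(0o666)                        # world-writable config: bad
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, finding in audit_install_tree(sample):
        print(f"{rel}: {finding}")
    print(f"fixed {fix_install_tree(sample)} file(s); "
          f"remaining findings: {audit_install_tree(sample)}")
```

      Run it as a pre-deployment gate against the real install prefix rather than a temp directory, and treat any non-empty audit result as a build failure; the fix step is shown for completeness, but in practice the package or deployment manifest should set the modes correctly in the first place.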

      GDPR Compliance

      One of the biggest security tasks many firms have had to deal with in the past year is the European Union’s General Data Protection Regulation (GDPR), which went into effect in May. McGraw said BSIMM already had multiple activities in the model to help organizations with their GDPR compliance efforts.

      For example, he said, BSIMM already had data classification as an activity, as well as tracking the use of personally identifiable information (PII) and data inventory.

      “We did see GDPR impact the firms that we were measuring, but generally speaking, it was a positive impact, where existing privacy controls and existing privacy activities were enhanced and juiced with a few more resources behind them,” McGraw said. 

      BSIMM vs. Data Breaches

      BSIMM is intended to be used as a tool to help firms understand and improve their software security posture. What’s not known, however, is the precise relationship between BSIMM success and data breach prevention.

      “No firm has ever done all of the activities identified in BSIMM,” McGraw said. “You have to realize that BSIMM activities are the union of all things in software security found at over 120 firms.”

      McGraw said he doesn’t even recommend that organizations looking at BSIMM attempt to implement every activity. In fact, the research over the years has shown that organizations can only add two or three new security activities over the course of a year in a successful and sustainable manner.

      “You can’t just do something once and get a checkmark on the BSIMM; that’s not the way it works,” he said.

      While McGraw doesn’t have any hard statistics showing a correlation between data breach prevention and BSIMM adherence, he said such a correlation is likely. Measuring security posture is not an easy task and isn’t about any one tool. McGraw said that when he started out in the security industry, his view was it was possible to just scan code and then determine if it was secure.

      “But as I grew up, I realized that because we can’t directly measure security in software, we have to retreat to a second order measurement of activities, and then work on the hypothesis that these activities actually lead to more secure software,” he said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
