    Building Security in Maturity Model Expands for Cloud Era

Written by Sean Michael Kerner
Published October 2, 2018


      Synopsys released its BSIMM9 report on Oct. 2, providing new insight into how organizations are using additional controls to help secure cloud and container deployments.

      The Building Security in Maturity Model (BSIMM) is based on data from 120 firms and more than 7,800 software security professionals, collected over a 10-year period. The 78-page BSIMM9 report reveals that organizations are increasingly moving to the cloud and taking multiple steps, including using container orchestration platforms, to help secure workloads.

      “We started BSIMM a decade ago, and the idea was pretty straightforward, although revolutionary,” Gary McGraw, vice president of security technology at Synopsys and co-author of the BSIMM report, told eWEEK. “The idea was that instead of talking about what we think people ought to do in software security, why don’t we just go out there and find out what they’re actually doing.”

      Over its 10-year history, the BSIMM report has incrementally added new controls as organizations have expanded their security practices. In 2013, for example, BSIMM added bug bounty programs, while back in 2012, the use of static analysis tools for code review was first recommended.

      “We’ve collected a set of observations that we’ve organized into a measurement tool for software security,” McGraw said. “The tool is focusing on an organization and its abilities and not a particular piece of software.”

      Cloud

      BSIMM has been tracking things like DevOps and cloud architecture ever since its inception, but over the past year there has been a shift, according to McGraw.

      “What we noticed in this iteration of the BSIMM is that the cloud architecture stuff has gone past the baloney stage and into the ‘people are actually using it’ stage,” he said.

      Across three different industry verticals—independent software vendors (ISVs), internet of things (IoT) and cloud vendors—McGraw said that there was a strong similarity in the cloud controls used, which in his view is a signal that a market transformation is happening.

The use of containers was already covered in prior BSIMM reports, but with BSIMM9 three new activities are being tracked, including the use of orchestration platforms for containers and virtualized environments. In addition, BSIMM is adding the use of enhanced application inventory tools, which provide information about what is contained within a given application or platform. The third new activity is basic cloud security.

      “The basics are slightly less basic than you might think,” McGraw said.

      Generally speaking, he said that cloud vendors such as Amazon Web Services, Microsoft Azure and Google Cloud Platform provide a basic raw machine that a user configures and puts applications on top of. He added that the cloud vendors tend to provide some basic security for those raw machines, for availability and access permissions.

      “But what they don’t have is a way of securing directly the application themselves,” McGraw said. “So by cloud security basics, we mean things like making sure that your application is installed with the correct permissions and basically customizing for software security.”
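One concrete instance of the "installed with the correct permissions" basic McGraw describes is a post-install audit of the application tree on a cloud instance. The script below is an added example, not code from the BSIMM report or from Synopsys; the policy it enforces (no world-writable paths, no setuid/setgid binaries, no world-readable configuration files) and the sample install layout are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed policy for this example: files whose suffix is in this set are treated
# as configuration and must not be readable by "other".
CONFIG_SUFFIXES = {".yaml", ".yml", ".env", ".ini", ".conf"}


def audit_install_tree(root):
    """Walk an install root and return (relative_path, problem) findings.

    Checks applied to every entry below root (symlinks are skipped so that a
    link target outside the tree is not misattributed to the tree):
      - any file or directory writable by "other" is flagged world-writable
      - any regular file with setuid or setgid set is flagged
      - any configuration file readable by "other" is flagged
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):
            continue
        rel = str(path.relative_to(root))
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid"))
        if path.suffix in CONFIG_SUFFIXES and mode & stat.S_IROTH:
            findings.append((rel, "world-readable config"))
    return sorted(findings)


def remediate(root, findings):
    """Tighten modes for each finding: strip o+w, strip suid/sgid, strip o+r on configs."""
    root = Path(root)
    for rel, problem in findings:
        path = root / rel
        mode = stat.S_IMODE(path.lstat().st_mode)
        if problem == "world-writable":
            mode &= ~stat.S_IWOTH
        elif problem == "setuid/setgid":
            mode &= ~(stat.S_ISUID | stat.S_ISGID)
        elif problem == "world-readable config":
            mode &= ~stat.S_IROTH
        os.chmod(path, mode)


def build_sample_install(base):
    """Create a constructed sample install tree with deliberate mistakes.

    Modes are set explicitly after creation so the process umask does not
    affect the result.
    """
    base = Path(base)
    layout = {
        "bin/app": (0o755, "#!/bin/sh\necho app\n"),
        "bin/helper": (0o4755, "#!/bin/sh\necho helper\n"),  # setuid by mistake
        "conf/app.yaml": (0o644, "db_password: example\n"),  # world-readable config
        "conf/secrets.env": (0o600, "TOKEN=example\n"),       # correct
    }
    for rel, (mode, content) in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        os.chmod(path, mode)
    cache = base / "data" / "cache"
    cache.mkdir(parents=True, exist_ok=True)
    os.chmod(cache, 0o777)  # world-writable directory by mistake
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        for rel, problem in audit_install_tree(tmp):
            print(f"{problem:22} {rel}")
        remediate(tmp, audit_install_tree(tmp))
        print("after remediation:", audit_install_tree(tmp))
```

Run against a real install root the audit only reports; remediation is a separate step so that findings can be reviewed first, and on a real system the config-suffix list and the "other" bit checks would be replaced by whatever the application's own hardening guide specifies.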

      GDPR Compliance

      One of the biggest security tasks many firms have had to deal with in the past year is the European Union’s General Data Protection Regulation (GDPR), which went into effect in May. McGraw said BSIMM already had multiple activities in the model to help organizations with their GDPR compliance efforts.

      For example, he said, BSIMM already had data classification as an activity, as well as tracking the use of personally identifiable information (PII) and data inventory.

      “We did see GDPR impact the firms that we were measuring, but generally speaking, it was a positive impact, where existing privacy controls and existing privacy activities were enhanced and juiced with a few more resources behind them,” McGraw said. 

      BSIMM vs. Data Breaches

      BSIMM is intended to be used as a tool to help firms understand and improve their software security posture. What’s not known, however, is the precise relationship between BSIMM success and data breach prevention.

      “No firm has ever done all of the activities identified in BSIMM,” McGraw said. “You have to realize that BSIMM activities are the union of all things in software security found at over 120 firms.”

McGraw said that he doesn't even recommend that organizations looking at BSIMM attempt to implement every control. In fact, the research over the years has shown that organizations can only add two or three new security activities over the course of a year in a successful and sustainable manner.

      “You can’t just do something once and get a checkmark on the BSIMM; that’s not the way it works,” he said.

While McGraw doesn't have any hard statistics showing a correlation between data breach prevention and BSIMM adherence, he said such a correlation is likely. Measuring security posture is not an easy task and isn't about any one tool. McGraw said that when he started out in the security industry, his view was that it was possible to simply scan code and then determine whether it was secure.

      “But as I grew up, I realized that because we can’t directly measure security in software, we have to retreat to a second order measurement of activities, and then work on the hypothesis that these activities actually lead to more secure software,” he said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
