Companies pushing the cloud envelope are most likely to run safer, cleaner code. On the flip side, as the healthcare industry embraces an increasingly software-driven business model, it is struggling to keep up with its peers when it comes to software security.
Those are some of the takeaways from participants in this year's Building Security In Maturity Model report, the eighth annual edition (BSIMM8), released today.
The annual report, which included data collected from 109 firms, serves as the software industry’s state of the union on trends impacting software security and the software development community.
“Why are cloud companies disproportionately doing a better job? In the cloud environment ‘write once and run everywhere’ isn’t just a slogan. It’s their business model and they have to have secure software,” said Gary McGraw, vice president for security technology at Synopsys, who helped author the report. “These companies are far and away more advanced than other companies when it comes to our records and data.”
The BSIMM8 report also revealed a groundswell of mature companies getting on board with beefing up their software security practices for the first time. McGraw said software security is increasingly becoming a priority for many more well-established companies.
“It wasn’t long ago that I could count on one hand the number of established companies that were part of the BSIMM and that were taking software reliability and security seriously,” McGraw said. “This is the first year we are seeing a lot of mature companies—not enlightened startups—focusing on building better software from the ground up.”
Continuing a trend that began last year, BSIMM8 revealed more verticals are developing cloud software using CI/CD (continuous integration and continuous delivery) and adopting agile software development, an iterative and incremental software development methodology that emphasizes quality over quantity.
The report also highlights challenges. McGraw said that of all the commonalities shared between sectors, businesses are still grappling with seeing the bigger picture when it comes to software architecture and design.
“There are two kinds of software defects you can look for. There are bugs in the code. The other kind is flaws in the design,” McGraw said. Too often developers forget that software is part of a distributed system, with design concerns such as controlling the traffic between client and server or making sure code doesn't run on untrusted devices.
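The bug-versus-flaw distinction McGraw draws is easier to see side by side. The following is an added illustration, not code from the BSIMM8 report or from Synopsys: a hypothetical order-total routine in which a coding bug (no quantity check) sits next to a design flaw (the server trusts a price computed on the client). Fixing the bug leaves the flaw intact; only a redesign that keeps the price authoritative on the server removes it. The catalog and order values are constructed sample data.

```python
"""Bug vs. design flaw in a small client/server order handler (added example)."""
from dataclasses import dataclass

# Constructed sample catalog: server-side authoritative prices in cents.
CATALOG = {"sku-1": 1999, "sku-2": 499}


@dataclass
class Order:
    """What the client sends. client_price_cents is whatever the client claims."""
    sku: str
    quantity: int
    client_price_cents: int


def total_buggy_and_flawed(order: Order) -> int:
    # Bug: quantity is never validated, so a negative quantity yields a refund.
    # Flaw: the price comes from the client, so the server never controlled it.
    return order.client_price_cents * order.quantity


def total_bug_fixed(order: Order) -> int:
    # The bug is fixed with a one-line check...
    if order.quantity < 1:
        raise ValueError("quantity must be positive")
    # ...but the design flaw remains: the client still sets the price.
    return order.client_price_cents * order.quantity


def total_redesigned(order: Order) -> int:
    # Redesign: client input only identifies the item and how many;
    # the price is looked up server-side, so client_price_cents is ignored.
    if order.quantity < 1:
        raise ValueError("quantity must be positive")
    if order.sku not in CATALOG:
        raise ValueError("unknown sku")
    return CATALOG[order.sku] * order.quantity


def demo() -> dict:
    """Run the three variants on the same tampered input for comparison."""
    tampered = Order(sku="sku-1", quantity=2, client_price_cents=1)
    refund = Order(sku="sku-1", quantity=-1, client_price_cents=1999)
    return {
        "buggy_refund": total_buggy_and_flawed(refund),      # negative total
        "bug_fixed_but_flawed": total_bug_fixed(tampered),   # 2 cents for two items
        "redesigned": total_redesigned(tampered),            # real price, 3998
    }


if __name__ == "__main__":
    print(demo())
```

Detection tooling catches the first kind (a static analyzer can flag the unchecked quantity); the second is only visible when someone asks, at design time, which side of the wire is allowed to decide the price.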
“It's about getting the design right from the start,” McGraw said, using a house as a metaphor. “The bricks that you build a house with don't just make a wall. They hold the house up and we need each brick to be solid and not be prone to termites.”
“In the past we were counting on firewalls to fix our broken stuff. As you know that’s a very silly way to do it. The only alternative is to get software right and make sure you are exercising software due diligence when it comes to security,” he said.