Bad software equals insecure software, and companies don’t have to accept this status quo.
That’s both the takeaway and goal of Cigital’s seventh annual Building Security in Maturity Model report released Tuesday. The report reveals that the cloud, application containers, and agile software development are playing a more important role with a broader mix of technology verticals when it comes to building security into the cyber defenses of companies.
This year’s study also revealed a growing acceptance within the software development space that institutional security – such as preventing a data breach or warding off network vulnerabilities – can be tied to rooting out bad software at the development stage – and not after the fact.
Ninety-five technology firms from six different sectors – financial services, independent software vendors, cloud and healthcare – shared their latest efforts to combat security vulnerabilities for BSIMM7. Intel from companies in the Internet of Things and insurance verticals was added to this year’s report for the first time.
According to Gary McGraw, chief technology officer at Cigital, the report shows the world is catching on that the best way to approach security and make systems more secure is to build things right instead of trying to protect and patch the broken things.
“You can’t just find problems in the software; you have to fix them,” McGraw told Threatpost. “If you spend all your time cleaning up the mess while your machine is busy making an even bigger mess for you to clean up later, you aren’t approaching the problem right.”
This year’s survey shows a growing emphasis on companies using cloud technologies such as containers and agile software development.
“More verticals are developing cloud software using CIDC (continuous integration and continuous development). This is a net plus, but a lot of companies are still struggling with how to adopt this software development approach,” McGraw said.
McGraw said he was also encouraged by new study participants, like insurance giant Aetna and electronics behemoth LG Electronics.
“Software security isn’t new for these firms, but the beauty of the BSIMM is that it breaks down the silos. Now IoT companies can learn from their peers in the financial services or healthcare domains and compare best practices and gauge how they are doing.”
The report also highlights challenges. McGraw said that for all the commonalities shared between sectors, businesses are still trying to balance threat modeling, code review and penetration testing. For example, despite the popularity of bug bounty programs, only 6 percent of BSIMM7 participants said they were operating one.
“What the BSIMM7 does is cut through the hype and reveals the facts of what people are actually doing,” McGraw said.
Most pressing for BSIMM7 participants moving forward, McGraw said, are issues such as cryptography.
“We found there are massive unanswered questions about cryptography with regard to things like key escrows, backdoors, what the federal government wants versus what businesses need to protect. These are very thorny issues that are going to need some airing out and exactly why the BSIMM7 survey and community is so important.”