Software travels: from the product you buy to the software you create, from the cloud it lives on to the designers who "think it up" and the developers who build it. Software lives and moves through a lifecycle from birth to death, and it is defined by that lifecycle. The journey it traverses is known as the Software Development Lifecycle (SDLC).
As a security practitioner or consultant, you assess security practices and controls and apply them with a security-first mindset. Practices are reviewed and matured, and then the cycle repeats.
When considering software security, the approach should also include a software security-maturity mindset: knowing that every application carries some level of risk, that practices can be measured and improved, and that some teams simply do not understand the strategic aggregate of their security practices or have any roadmap for improving them.
With uneducated teams creating bad software and skilled teams looking for continuous improvement, the BSIMM (Build Security In Maturity Model, by Cigital) can help.
The BSIMM is a collection of the security practices identified in real software security initiatives across industries and sectors (ISV, retail, financial, …). These practices reduce application risk and measure the level of maturity of any software security initiative. The power of this metadata is that it lets you compare and contrast your security practices against your own past results and against other industry leaders across those industries and sectors.
Viewed through the lens of an assessor, a program can be evaluated on the set of security practices it uses and how properly they are applied. That evaluation gives an understanding of the level of risk taken on when a product or service is purchased, or whenever software is involved.
A well-run SDLC with software security practices applied demonstrates how well security is built in to the practice of building and delivering software. Not all SDLCs will look the same, but it is the rigor and skill set of the program that provide a view of its strengths and of the evolution of its maturity.
So what do teams and organizations do with the code they create for their applications and services? The following posts will provide the detail on how to discover that.