Lessons from BSIMM 9: How cloud affects software security

Cloud transformation isn't just affecting how businesses operate—it's affecting how they protect their software, too. That was evident in the latest release of the BSIMM (Building Security in Maturity Model).

The BSIMM was launched in 2008 as a measuring stick for software security. It includes 116 activities any organization can implement to improve the security of its software. Companies participating in the model can tally the number of activities implemented and compare their security positions with those of their peers.

BSIMM 9, released in October by Synopsys, found that as firms move their workloads and development pipelines to the cloud, they also need to change their approaches to software security.

Here are the main lessons from BSIMM 9 for security teams.


Adapting security to the cloud

Across three of the most prominent vertical sectors in the study—independent software vendors, Internet of Things (IoT) companies, and cloud firms—the BSIMM activities being observed are beginning to converge, which suggests that common cloud architectures call for similar software security approaches, said Jeff Williams, CTO and co-founder of Contrast Security, a maker of self-protecting software products.

"Moving applications to the cloud is like Bambi moving out of the forest. While the benefits are obvious, leaving the safety of the firewall-enforced perimeter to a world of containers, serverless architectures, APIs, elasticity, and DevOps changes the dangers dramatically."
Jeff Williams

Most organizations are responding by adapting their security practices, Williams said. "They’re using instrumentation-based runtime defenses, adding automated security to their development pipelines, shifting left, and carefully examining their use of open source."

Moving to the cloud also requires that security teams expand the scope of their monitoring activities, said Rishi Bhargava, co-founder of Demisto, a provider of security automation, orchestration, and response technology.

"Since cloud-first architectures are likely to have third-party data processing and retention services, firms have to look out for the security of the entire ecosystem rather than just internal security."
Rishi Bhargava

Traditional security tools also don't always work in the cloud. Companies that adopt cloud often adopt technologies such as containers at the same time, said Ali Golshan, CTO and co-founder of StackRox, a provider of security for containerized, cloud-native applications.

"With containers, a lot of existing security products have limited functionality. You still need a firewall, of course, but you can't put a traditional firewall in between containers. So you need another tack."
Ali Golshan

Applications in the cloud are no longer monolithic. Often they use microservices, which allow them to scale and be managed independently. That means security can't be monolithic either, because applications are being scaled up and down rapidly and moved from one server to another, said Chenxi Wang, a cloud security expert and founder and general partner of Rain Capital.

"Security has to be as scalable and as portable as the workload it's protecting."
Chenxi Wang

New tasks for a new paradigm

BSIMM, too, had to be adapted for the brave new world of the cloud. BSIMM 9 added new activities to the assessment, bringing the total to 116.

One of those is to use orchestration for containers and virtualized environments. Since containers and virtual machines can be created and spun down rapidly, orchestration can address those changes by enforcing policy at creation time, ensuring that every new container or virtual machine meets predetermined security requirements before it runs.
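As an added illustration of that activity (example code written for this article, not code from the BSIMM, Synopsys, or any vendor quoted here), the check below models the policy an orchestrator applies when a new container is requested: the pod manifest is evaluated against a fixed set of requirements and rejected if it fails any. The requirement set (pinned image, non-root, no privilege escalation, all capabilities dropped, read-only root filesystem, no host namespaces) is an assumed baseline, not one the article lists; in a real Kubernetes cluster this logic would live in a validating admission webhook or in Pod Security Admission rather than in a standalone script. The two pod manifests are constructed for the example.

```python
"""Admission-style check that a container spec meets predetermined security requirements."""
from __future__ import annotations


def _image_is_pinned(image: str) -> bool:
    """Accept a digest reference or an explicit tag other than 'latest'."""
    if not image or image.endswith(":latest"):
        return False
    if "@sha256:" in image:
        return True
    # Strip registry and path first so a registry port (host:5000/app) is not mistaken for a tag.
    last = image.rsplit("/", 1)[-1]
    return ":" in last


def check_pod(pod: dict) -> list[str]:
    """Return the policy violations in a Kubernetes-style pod manifest (empty list = compliant)."""
    violations: list[str] = []
    spec = pod.get("spec", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            violations.append(f"{flag} is enabled")
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    if not containers:
        violations.append("pod declares no containers")
    for c in containers:
        name = c.get("name", "<unnamed>")
        if not _image_is_pinned(c.get("image", "")):
            violations.append(f"{name}: image must be pinned to a tag or digest, not 'latest'")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"{name}: privileged containers are not allowed")
        if not sc.get("runAsNonRoot"):
            violations.append(f"{name}: runAsNonRoot must be true")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"{name}: readOnlyRootFilesystem must be true")
    return violations


def admit(pod: dict) -> bool:
    """True when the orchestrator should schedule the pod, False when it should reject it."""
    return not check_pod(pod)


# Constructed manifests (assumptions for the example, not real workloads).
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {"containers": [{
        "name": "api",
        "image": "registry.example.com/shop/api@sha256:" + "0" * 64,
        "securityContext": {
            "runAsNonRoot": True, "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]},
        },
    }]},
}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {"hostNetwork": True, "containers": [{
        "name": "api", "image": "shop/api:latest",
        "securityContext": {"privileged": True},
    }]},
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(label, "admitted" if admit(pod) else "rejected", check_pod(pod))
```

The check is deliberately deny-by-default: a missing `securityContext` field counts as a failure rather than as a pass, which is what turns a rapidly churning fleet of containers into something with a known security floor.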

Another new task is to enhance application inventory with an operations bill of materials.

The BSIMM has recommended tracking application inventories since it started. "A list of applications alone is not good enough anymore, because in today's modern distributed cloud architectures, applications can have all sorts of parts out there in the world that you may or may not control," said Gary McGraw, vice president of security technology at Synopsys, an electronic design automation company. Those parts might include APIs, open-source libraries, and services controlled by others or by others in your organization.

"Now that application architecture is distributed all over the place it means that you have to keep track of all those pieces of the application and make sure they are up to date and that they're not being actively compromised by others. The way to do that is to enhance your application inventory."
Gary McGraw
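To make the operations bill of materials concrete, here is an added example (written for this article; not code from the BSIMM or from Synopsys) that enhances a plain application entry with the parts McGraw describes: libraries, APIs and services, each tagged with the team that controls it and the version deployed. Two checks follow from that inventory: which parts are out of date relative to a minimum the organisation has set, and which parts are outside the organisation's control and can therefore only be monitored, not patched. The component names, versions and minimums are constructed for the example and do not refer to real packages or advisories.

```python
"""Operations bill of materials: every part of a distributed application, its owner, and its currency."""
from __future__ import annotations

import re
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Component:
    name: str
    kind: str      # "library", "api", or "service"
    version: str   # version or API revision as deployed
    owner: str     # team that controls it, or "external" for a third party


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.4', 'v2.0.1' or '3.1.0-rc2' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(g or 0) for g in m.groups())


def build_ops_bom(application: str, components: list[Component]) -> dict:
    """Enhance a bare application inventory entry with the parts it depends on at run time."""
    return {"application": application, "components": [asdict(c) for c in components]}


def stale_components(bom: dict, minimum_versions: dict[str, str]) -> list[str]:
    """Names of components running below the minimum version set for them."""
    return [
        c["name"] for c in bom["components"]
        if c["name"] in minimum_versions
        and parse_version(c["version"]) < parse_version(minimum_versions[c["name"]])
    ]


def uncontrolled_components(bom: dict) -> list[str]:
    """Names of parts the organisation does not control (watch for compromise; cannot patch directly)."""
    return [c["name"] for c in bom["components"] if c["owner"] == "external"]


# Constructed inventory for a hypothetical "storefront" application.
STOREFRONT = [
    Component("json-parser-lib", "library", "2.3.1", "platform-team"),
    Component("payments-api", "api", "v4.1", "external"),
    Component("session-store", "service", "1.9.0", "infra-team"),
    Component("image-cdn", "service", "7.0.0-rc1", "external"),
]

# Constructed minimums, e.g. the first release that fixes an issue the team cares about.
MINIMUM_VERSIONS = {"json-parser-lib": "2.4.0", "session-store": "1.9.0", "payments-api": "4.2"}

if __name__ == "__main__":
    bom = build_ops_bom("storefront", STOREFRONT)
    print("stale:", stale_components(bom, MINIMUM_VERSIONS))
    print("not under our control:", uncontrolled_components(bom))
```

The point of the two lists is that they call for different responses: a stale library you own is a patching ticket, while a stale or compromised external API is a monitoring and contractual problem, and a plain list of application names surfaces neither.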

The third new addition is to ensure cloud security basics.

Cloud providers such as AWS, Azure, or Google Cloud give their customers tools for basic network security. Customers, though, remain responsible for the security of their own applications. "There are a number of network security things you have to get right when you're doing cloud deployments at the application level," McGraw explained. They include the permissions granted to the application, the security features the provider offers, and the security controls within the application itself.

Retail makes a strong showing

BSIMM began with nine companies. This year 120 companies participated in the process. The 120 participating organizations are drawn from eight verticals (with some overlap): financial services (50), independent software vendors (42), technology (22), healthcare (19), cloud (17), IoT (16), insurance (10), and a new vertical, retail (10).

Although it's a new vertical, retail was strong out of the gate. "We were surprised that retail, at its debut, is actually a pretty strong vertical," McGraw said. "Retail is better than the BSIMM average. We find that remarkable."

Retail may be taking advantage of all the work of BSIMM over the last 10 years. "You can think of BSIMM as a map," McGraw said. "Because of that map, firms just getting started with software security can go faster than firms that had to draw the map in the first place a decade ago."

On the other hand, retail may also just be reacting to reality. "There were some spectacular data leakage problems in some high-profile retail firms—some part of the BSIMM now—and it taught them a very important lesson about getting their security act together: Software security isn't a 'nice to have'; it is an 'absolutely necessary to have,'" McGraw continued.

"As a result of being burned, [retail] ran like crazy to catch up, and they did an incredible job of getting software security going."
Gary McGraw

BSIMM limitations

Contrast Security's Williams said he doesn't believe that BSIMM is a good lens for understanding the state of security. He contends it's just an encyclopedia of application security practices without any strategic guidance. "Real application security programs require careful thought and strategy," he said.

Not everyone agrees with Williams. "BSIMM is a very good lens to understand the state of security because it's a descriptive model," said Caroline Wong, vice president of security strategy at Cobalt Labs, a penetration testing company.

"It will give you incredible detail about what is being done in software security for the 120 firms in the world that they have done detailed interviews with," said Wong, adding that she performed more than three dozen BSIMM assessments when she worked for Cigital, before it was bought by Synopsys.

"The question it does not answer is—and the one every BSIMM customer would like to have answered—what should we be doing in software security?"
Caroline Wong
