The first hurdle to running any successful Application Security program is getting it adequately funded. This should come as no great surprise to anyone. Software security is no different from any other IT initiative. Even a willing security team that has worked out the ways still needs to find the means, and that involves making a compelling case to those who hold the purse strings.
For those of us currently dealing with funding challenges, luckily we can learn from those who have already walked a similar path. Perhaps the most enlightening insights have emerged from the BSIMM (pronounced “bee-sim”) study, an ongoing review of enterprise-wide software security initiatives developed from real-world experiences and benchmarking at the world’s leading enterprises.
Now in its 4th generation, the Building Security In Maturity Model study outlines a structured set of practices that executive management can follow from the outset to succeed at software security as other organizations have. The BSIMM data pool is made up of the software security groups chartered with running Application Security programs at 51 large end-user organizations. BSIMM promotes itself as a “de facto standard” for the practice of AppSec in the information security market.
At BSIMM’s heart is the belief that effective programs pursue a strategy, and solid strategies are best fulfilled by industry best practices. Among the best practices examined is how organizations have managed to finance their AppSec initiatives. The study has observed four distinct sets of circumstances which work to secure funding:
BSIMM is not without its critics. One criticism of the study is that it reflects only the experiences of the world’s largest (and hence deep-pocketed) companies, whose circumstances are well outside the reach of the average small or medium business. Its relatively small sample of 51 organizations does surface some best practices from forward-leaning AppSec practitioners, but it is not large enough to be statistically representative across all industries. Critics have charged that the methodology is overly complex, detailing no fewer than 111 distinct activities organized across 12 practices. Finally, BSIMM is closely associated with a single AppSec vendor, which has drawn charges of bias from other vendors. A careful read of its website shows that the study is never described as “independent” or “objective”.
The folks behind BSIMM answer their critics by pointing out that the 51 firms it has profiled are at various levels of maturity in their approaches to AppSec practices, and that few of the organizations studied have completed all 111 activities. They explain that the study “does not tell you what you should do; instead it tells you what everyone else is actually doing.” Finally, they invite any organization to join the study and contribute, pointing out that the BSIMM4 data set has grown just over 20 percent since publication of BSIMM3, and is 9.5 times the size of the original publication. The study is freely distributed under a creative commons license.
Regardless of where opinions fall on BSIMM and the study’s methods, there is no denying that it has helped to legitimize the practice of Application Security over the last decade. It has helped to show practitioners how simply teaching people to think about software security can change corporate culture. It is helping to shift many an organization’s approach to AppSec from reactive to proactive (i.e. making funding method #1 the exception rather than the rule).
The hard part shouldn’t be selling upper management on the problem, but rather convincing upper management that you’re the right team with a plan to execute the program. Whether you ultimately follow BSIMM or a more streamlined program methodology, it is important to honestly assess your own organization’s investment model and how new initiatives have been funded in the past. There is no single formula that works in all cases. Your plan should at the very least define a clear and compelling roadmap, identify the success metrics that will be reported, and set a reasonable budget, so that you put your best foot forward when asking for funding.