The first hurdle to running any successful Application Security program is getting it adequately funded. This should come as no great surprise to anyone. Software security is no different from any other IT initiative. Even a willing security team that has worked out what needs to be done still has to find the means to do it, and that involves making a compelling case to those who hold the purse strings. For those of us currently dealing with funding challenges, luckily we can learn from those who have already walked a similar path. Perhaps the most enlightening insights have emerged from the BSIMM (pronounced “bee-sim”) study, an ongoing review of enterprise-wide software security initiatives developed from real-world experiences and benchmarking at the world’s leading enterprises.
What is the BSIMM study?
Now in its 4th generation, the Building Security In Maturity Model study outlines a structured set of practices for executive management to follow from the outset in order to succeed at software security as other organizations have. The BSIMM data pool is made up of software security groups chartered with running Application Security programs at 51 large end-user organizations. BSIMM promotes itself as a “de facto standard” for the practice of AppSec in the information security market. At BSIMM’s heart is the belief that effective programs pursue a strategy, and that solid strategies are best fulfilled by industry best practices. Among the best practices examined is how organizations have managed to finance their AppSec initiatives. The study has observed four distinct sets of circumstances that work to secure funding:
- The IT security crew proved that a breach was not their fault, but rather a result of the firm’s applications. As a result, a software security person was appointed in the IT ranks. This approach is fundamentally reactive – meaning a hack or attack needed to occur before the organization was spurred to take action. It also assumes that incident response was able to trace root cause to a specific software application, which is no easy task. Finally, this funding model seems to imply that a single person is put in charge of application security – when the ideal approach involves a cross-functional team spanning security, GRC and development.
- A charismatic software security entrepreneur (e.g., in the CIO, CTO, Legal, or governance groups) worked the system to get the ball rolling and then parlayed early successes into funding for an actual program. This is the “champion” model of technology adoption. If only we could find someone who can cut through the red tape and effortlessly navigate the politics necessary to get our project sponsored! If only our organization had one of these charismatic visionaries! The reality is that this is how most new technologies are proven and ultimately sold: with small pilots and proofs-of-concept that return hard data justifying further investment. The challenge is that it’s a long road, but fortune favors the bold.
- Executive management said “We will make secure software” and funded the means to do it. This method is akin to the “Gates memos” at Microsoft: periodic proclamations from the corner office that herald a certain strategy or vision of the future. If security is the coin of the realm, as it is in Banking or Finance, then application security programs might well be financed by royal decree. But for most industries, AppSec is more like insurance. It’s good risk management policy. Appeals to manage software risk in the same way the organization handles business continuity and succession planning will probably work just as well, if not better.
- An established upper-management group responsible for some form of compliance determined that software security is a necessary expense in the firm’s governance processes. If yours is a heavily regulated industry, this approach is a winner. GRC audits are a standard and scheduled occurrence, so any initiative that eases this process will be welcome. Most government and industry mandates have specific guidance around data security and privacy, so piggybacking AppSec programs on these existing efforts may be a relatively frictionless way to locate budget.
Criticisms of the BSIMM Model
BSIMM is not without its critics. One criticism of the study is that it only reflects the experiences of the world’s largest (and hence deep-pocketed) companies – whose experiences are well outside the reach of the average small or medium business. Its relatively small sample size of 51 organizations does point out some best practices from forward-leaning AppSec practitioners, but it is not large enough to be statistically valid across all industries. Critics have charged that the methodology is overly complex, detailing no fewer than 111 distinct activities organized across the 12 practices. Finally, BSIMM is closely associated with a single AppSec vendor firm, resulting in charges of bias from other vendors. A careful read of its website reveals that the study is never described as “independent” or “objective”. The folks behind BSIMM answer their critics by pointing out that the 51 firms it has profiled are at various levels of maturity in their approaches to AppSec practices, and that few of the organizations studied have completed all 111 activities. They explain that the study “does not tell you what you should do; instead it tells you what everyone else is actually doing.” Finally, they invite any organization to join the study and contribute, pointing out that the BSIMM4 data set has grown just over 20 percent since publication of BSIMM3, and is 9.5 times the size of the original publication. The study is freely distributed under a Creative Commons license.
BSIMM and maturing the practice of Application Security
Regardless of where opinions fall on BSIMM and the study’s methods, there is no denying that it has helped to legitimize the practice of Application Security over the last decade. It has helped to show practitioners how simply teaching people to think about software security can actually change corporate culture. It is helping to change many an organization’s approach to AppSec from reactive to proactive (i.e. making funding method #1 the exception rather than the rule). The hard part shouldn’t be selling upper management on the problem, but rather convincing upper management that you’re the right team, with a plan, to execute the program. Whether you ultimately follow BSIMM or a more streamlined program methodology, it is important to honestly assess your own organization’s investment model and how new initiatives have been funded in the past. There is no single formula that works in all cases. Your plan should at the very least define a clear and compelling roadmap, identify the success metrics that will be reported, and set a reasonable budget, so that you put your best foot forward when asking for a handout.