SOFTWARE SECURITY BEST PRACTICES ARE CHANGING, FINDS NEW REPORT

Independent software vendors, along with Internet of Things and cloud vendors, are involved in a market transformation that is making them look more alike. The similarities are evident in the way they approach software security initiatives, according to a report from Synopsys.

Synopsys on Tuesday released its ninth annual Building Security in Maturity Model, or BSIMM9. The BSIMM project provides a de facto standard for assessing and then improving software security initiatives, the company said.

After 10 years of conducting the study, it is clear that testing security correctly means being involved in the software development process, even as that process evolves, said Gary McGraw, vice president of security technology at Synopsys.

Using the BSIMM model, along with research from this year’s 120 participating firms, Synopsys evaluated each industry, determined its maturity, and identified which activities were present in highly successful software security initiatives, he told LinuxInsider.

“We have been tracking each of these vendors separately over the years,” McGraw said. “We are seeing that this whole cloud thing has moved beyond the hype cycle and is becoming real. As a result, the three categories of vendors are all beginning to look the same. They are all taking a similar approach to software security.”

Report Parameters

The BSIMM is a multiyear study of real-world software security initiatives based on data gathered by more than 90 individuals in 120 firms. The report is a measuring stick for software security, according to Synopsys.

Its primary intent is to provide a basis for companies to compare and contrast their own initiatives with the model’s data about what other organizations are doing. Companies participating in the study then can identify their own goals and objectives. The companies can refer to the BSIMM to determine which additional activities make sense for them.

Synopsys captured the data for the BSIMM. Oracle provided resources for data analysis.

Synopsys’ new BSIMM9 report reflects the increasingly critical role that security plays in software development.

It is no exaggeration to say that from a security perspective, businesses have targets painted on their backs due to the value that their data assets represent to cybercriminals, noted Charles King, principal analyst at Pund-IT.

“Software can provide critical lines of defense to hinder or prevent incursions, but to be effective, security needs to be implemented across the development cycle,” he told LinuxInsider. “The BSIMM9 report nails some high points by emphasizing the growing importance of cloud computing for businesses.”

Report Results

Rather than provide a how-to guide, this report reflects the current state of software security. Organizations can leverage it across various industries — including financial services, healthcare, retail, cloud and IoT — to directly compare and contrast their security approach to some of the best firms in the world.

The report explores how e-commerce has impacted software security initiatives at retail firms.

“The efforts by financial firms to proactively start Software Security Initiatives reflects how security concerns affect and are responded to differently by various industries and organizations,” said King. “Overall, the new report emphasizes the continuing relevance, importance and value of the Synopsys project.”

One key finding in the new report is the growing role played by cloud computing and its effects on security. For example, the report shows more emphasis on containerization and orchestration, and on ways of developing software that are designed for the cloud, according to McGraw.

Following are key findings from this year’s report:

  • Cloud transformation is changing how businesses approach software security; and
  • Financial services firms have reacted to regulatory changes and started their SSIs much earlier than insurance and healthcare firms.

Retail, a new category for the report, experienced incredibly fast adoption and maturity in the space once retail companies started considering software security. In part, that is because they have been using the BSIMM to accelerate their progress.

In one sense, the report enables predicting the future, allowing users to become more like the firms that are the best in the world, according to McGraw.

“The bottom line is that we see the BSIMM is indicating a market transformation that is actually taking place. We are getting past the baloney into the brass tacks,” he said.

Structural Design

Researchers established a BSIMM framework that organizes 115 activities into 12 different practices, with each activity assigned to one of three levels.

Level one activities are pretty easy, and a lot of firms undertake them, noted McGraw. Level two activities are harder and usually follow some level one activities.

“It is not necessary, but that is what we usually see,” he said. “Level three is rocket science. Only a few firms do level three stuff.”

The researchers already had some idea of what is easy and what is hard in dealing with software security initiatives. They also know the most popular activities in each of the 12 practices.

“So we can say if you are approaching code review and you are not doing this activity, you should know that pretty much everybody else is,” said McGraw. “You should then ask yourself, ‘Why?’”

That does not mean you have to do XYZ, he added. It just means maybe you should consider why you are not doing that.

Understanding the Process

The BSIMM9 report also gives a detailed explanation of the key roles in a software security initiative, the activities that now comprise the model, and a summary of the raw data collected. It is essential to recognize the target audience for the report.

The audience is anyone responsible for creating and executing a software security initiative. Successful SSIs typically are run by a senior executive who reports to the highest levels in an organization.

They lead an internal group the researchers call the “software security group,” or SSG, charged with directly executing or facilitating the activities described in the BSIMM. The BSIMM is written with the SSG and its leadership in mind.

“We are seeing for the first time a convergence of verticals — ISVs, IoT vendors and the cloud — that used to look different in the way they approached software security,” said McGraw. “They were all doing software security stuff, but they were not doing it exactly the same way.”

Fresh Look, New Perspectives

Each year the researchers talk to the same firms as well as new participants, and all of the data is refreshed annually. That provides a perspective of at least 12 months, though on average a much shorter time span. Because of the scientific methods the researchers use, the data is not much of a lagging indicator, according to McGraw.

The BSIMM review provides a much more objective view of what is going on in the target groups than you would get by looking at a few case studies, he noted. That was one of the study’s goals when he initiated it years ago.

“The BSIMM is the result of wanting to have real objective data without overemphasizing technology or people of particular vendors or whoever paid us money,” McGraw said.

Funding Path Essential

Under the BSIMM’s charter, the project is designed not to be profit-making but to let Synopsys break even. Firms pay for their participation in the study and sponsored events, said McGraw. Non-participants can view the report for free, but paying to participate gets companies their own results.

Paid participants get a very detailed look at their own software security and how it compares to that of others, with their own data provided to them, McGraw explained. The published report does not provide data on individual firms, only aggregate data.

The most important outcome for participating is feedback from the community that developed among the participants, according to McGraw. Synopsys holds two annual conferences, one in the U.S. and one in the EU.

Bottom Line

Ten years ago security researchers did not know what everybody was doing regarding software security. Now firms can use the BSIMM data to guide their own approach to it, according to McGraw.

“We learned that all firms did software security slightly differently. There is no one correct way because the cultures of all the firms and their dev teams differed,” he said.

With a unified view of all the approaches used, researchers can describe in general how to approach software security and track particular activities, McGraw said.

“We didn’t come up with a particular set of prescriptive guidance. Instead, we came up with a descriptive set of facts that you can use to make great fast progress with software security,” he noted.

The Takeaway

BSIMM researchers recognize that the report data on software security never will eliminate data breaches and other software security concerns. Unfortunately, there is no first-order way to measure security, noted McGraw.

“You cannot throw software in a box that lights up red or green. We retreated to developing a look at what successful firms are doing as a way to guide other firms to be more like them,” he said, “but there is no way to measure that directly.”

Synopsys’ theory is that if you want to get out front, you first have to build better software, said McGraw. “Better security comes about with the way you build software.”
