BSIMM US Community Conference 2020 and the State of Application Security
Many organizations are embracing application security and making significant progress, but plenty of challenges remain. Several of them were discussed at the BSIMM US Community Conference 2020, held October 21-22, which covered the latest BSIMM activities as well as the strengths and weaknesses security teams face today.
Mike Ware, Senior Director of Technology with Synopsys and a BSIMM coauthor, dove into the trends and insights from BSIMM11 for attendees and provided highlights on how the state of software security has evolved.
“Many groups are further along in their journeys than ever before,” said Ware. “It really is full steam ahead for many groups focused on DevSecOps.”
Ware also noted that BSIMM membership stands at 130 organizations today and detailed how this group has witnessed a period of growth for DevSecOps in recent years.
“In today’s modern architectures, software is so dynamic in nature and assets are so transient and short-lived that a lot of control processes and capabilities cannot keep up,” he said. “There has been an evolution to modern hybrid teams that bring together Dev and Ops and Sec and other groups in engineering.”
Ware further remarked that the BSIMM authors are observing firms moving away from point-in-time testing activities toward automated, event-driven processes. Accordingly, one of the two activities added to the model in BSIMM11 is implementing event-driven security testing in automation.
The other new activity is publishing risk data for deployable artifacts. Few organizations do this yet, but it is an important step in maturing a software security initiative (SSI).
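As an added illustration of the two new BSIMM11 activities (not code from BSIMM, Synopsys or the conference), the script below reacts to a build event, runs a few checks against the artifact, and publishes a risk record keyed by the artifact digest. The event shape, the check set, the advisory feed, the severity policy and the in-memory "registry" are all assumptions constructed for this example; a real pipeline would be triggered by a CI or registry webhook, call an SCA tool, and write the record into artifact metadata.

```python
"""Event-driven security testing that publishes risk data for a deployable artifact.

Added example: event payload, advisory feed, policy and store are all constructed.
"""
import hashlib
import json

# Constructed advisory feed keyed by (package, version). A real pipeline would
# query an SCA tool or an advisory database instead.
KNOWN_VULNERABLE = {
    ("example-http", "1.4.2"): {"id": "ADV-0001", "severity": "high"},
    ("example-yaml", "0.9.0"): {"id": "ADV-0002", "severity": "critical"},
}

# Only these event types trigger testing. That is the point of event-driven
# testing: checks run when something changes, not on a calendar.
TRIGGERS = {"artifact.built", "dependency.updated"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Stand-in for a metadata store attached to the artifact registry (assumed).
RISK_STORE = {}


def check_dependencies(deps):
    """Flag dependencies that are unpinned or match the advisory feed."""
    findings = []
    for dep in deps:
        name, version = dep["name"], dep["version"]
        if version in ("*", "latest") or version.startswith(("^", "~")):
            findings.append({"check": "unpinned-dependency", "severity": "medium",
                             "detail": f"{name}@{version} is not pinned to an exact version"})
        hit = KNOWN_VULNERABLE.get((name, version))
        if hit:
            findings.append({"check": "vulnerable-dependency", "severity": hit["severity"],
                             "detail": f"{name}@{version} matches {hit['id']}"})
    return findings


def check_provenance(artifact):
    """A deployable artifact should be traceable to the commit that built it."""
    if not artifact.get("source_commit"):
        return [{"check": "missing-provenance", "severity": "medium",
                 "detail": "artifact has no source_commit recorded"}]
    return []


def build_risk_record(artifact):
    """Run the checks and produce the risk record for one artifact."""
    findings = check_dependencies(artifact.get("dependencies", [])) + check_provenance(artifact)
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    record = {
        "artifact": artifact["name"],
        "digest": artifact["digest"],
        "findings": findings,
        "max_severity": next((k for k, v in SEVERITY_RANK.items() if v == worst), "none"),
        # Assumed policy: high or critical findings block deployment.
        "decision": "block" if worst >= SEVERITY_RANK["high"] else "allow",
    }
    # Hash the record so consumers can detect tampering with published risk data.
    record["record_digest"] = hashlib.sha256(
        json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


def publish(record, store=RISK_STORE):
    """Attach the risk record to the artifact by digest so deploy tooling can read it."""
    store[record["digest"]] = record
    return record["digest"]


def handle_event(event, store=RISK_STORE):
    """Automation entry point: test and publish only for triggering events."""
    if event.get("type") not in TRIGGERS:
        return None
    record = build_risk_record(event["artifact"])
    publish(record, store)
    return record


# Constructed sample event, shaped like what a build system might emit.
SAMPLE_EVENT = {
    "type": "artifact.built",
    "artifact": {
        "name": "payments-api",
        "digest": "sha256:" + "ab" * 32,
        "source_commit": None,
        "dependencies": [
            {"name": "example-http", "version": "1.4.2"},
            {"name": "example-yaml", "version": "latest"},
            {"name": "example-json", "version": "3.1.0"},
        ],
    },
}

if __name__ == "__main__":
    print(json.dumps(handle_event(SAMPLE_EVENT), indent=2))
```

The sample event yields three findings (one vulnerable dependency, one unpinned dependency, missing provenance) and a "block" decision; an unrelated event type produces no record at all, which keeps the test run tied to a change rather than to a schedule.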
Security through an engineering lens
A session on software-defined security governance led by John Steven, also a BSIMM coauthor, gave an overview of how organizations are increasingly relying on engineering-led security initiatives to provide teams with self-service and proactive software security capabilities.
“If you want to think about how to do software security in 2021, we need to look at things through an engineering lens,” Steven said.
Steven noted that the cost-cutting driver in many security programs is IT self-service. Engineering teams have begun to take security initiatives and challenges and bring them back into their own environment, he said.
In “SSGs: An Evolutionary Step to DevSecOps,” BSIMM creator and coauthor Sammy Migues, who is also a principal scientist with Synopsys, took a closer look at how the BSIMM is evolving and where it is going.
“We have used the BSIMM as a science project and taken data in places where we didn’t have anything before,” said Migues.
He began his talk by reviewing activities that have become more or less common over time in the BSIMM data. From a governance perspective, for example, security sign-off has declined; so has the use of metrics to drive budgeting and resourcing, and so have secure coding standards. These are just a few of the activities Migues reviewed.
“There are a variety of things we are seeing in the maelstrom of what an SSI is today,” he noted.
Migues then segued into a SWOT (strengths, weaknesses, opportunities, and threats) analysis of where things stand now.
Strengths included strong executive support for SSIs and engaged security champions in many organizations. Among the weaknesses were increased centralization, cloud and technology adoption running ahead of risk management, and a lot of new technical debt. Opportunities included the center of excellence concept, automation, and infrastructure as code. Current threats to SSIs were described as testing speed versus depth, analog debt, skills mismatch, and the favoring of skills over culture.
Human lives will soon be at stake
In a fireside chat, infosec writer Brian Krebs offered some of his perspectives on the state of security today, including the changing nature of the career.
“It is critical that we start to think about this role a little differently as we go forward,” said Krebs. “It’s probably easier to look at what is different now than compared to five years ago—for example, there are a lot more people looking for vulnerabilities and weaknesses than there were just five years ago, both researchers seeking recognition and a crazy number of bad guys.”
Krebs also cautioned that the stakes for application security are only going to be higher in the future as application exploitation could have potentially lethal implications.
“The current extortion attacks we are seeing are going to get a lot more expensive as human lives are at stake, not just data,” he cautioned.
Krebs further noted that he thinks security needs to increase its efforts to recruit a younger generation, as well as more women, into the field.
“The best way of changing the way we think about this problem is to influence and guide kids before they get corrupted by our way of doing things and thinking about things,” he said.
Krebs also took questions and noted that he has observed many organizations being compromised through hardcoded credentials and administrator passwords that are never changed after deployment. Other common mistakes he listed included the following:
- Failing to communicate about available updates or the severity of their changes
- Publishing API keys online
- Enabling most features by default
- Failing to give users the option to choose different levels of security
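Two of the mistakes above (hardcoded credentials in source and factory-default administrator passwords left in place after deployment) are easy to check for mechanically. The script below is an added example, not code from the conference or from Krebs: it scans source text for credential patterns, uses a Shannon entropy threshold to skip obvious placeholders, and compares deployed accounts against a default-password list. The regexes, the entropy threshold, the default-password list, and the sample source and config are all constructed assumptions; the "AKIA" + 16 uppercase alphanumeric shape used for the AWS access key ID rule is the documented format, and the key in the sample is AWS's published example value.

```python
"""Detect hardcoded credentials in source and default admin passwords in deployed config.

Added example. Rules, threshold, default-password list and sample inputs are constructed.
"""
import math
import re
from collections import Counter

# (rule name, pattern, minimum entropy of the captured value or 0/None to skip the check).
# The named group "v" is the credential value when the rule captures one.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\b(?P<v>AKIA[0-9A-Z]{16})\b"), 0.0),
    ("generic-api-key", re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key|token)\b\s*[:=]\s*['\"](?P<v>[A-Za-z0-9_\-]{16,})['\"]"),
        3.5),
    ("hardcoded-password", re.compile(
        r"(?i)pass(?:word|wd)?\b\s*[:=]\s*['\"](?P<v>[^'\"]{4,})['\"]"), 0.0),
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"), None),
]

# Constructed list of factory defaults; a real check would use the vendor's own list.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "123456"}


def shannon_entropy(s):
    """Bits per character; placeholder strings score low, real secrets score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<inline>"):
    """Return one finding per matching line; the value is redacted in the output."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat, min_entropy in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            value = m.groupdict().get("v") or m.group(0)
            # Skip low-entropy values such as "your_api_key_here" for rules that ask for it.
            if min_entropy and shannon_entropy(value) < min_entropy:
                continue
            findings.append({"path": path, "line": lineno, "rule": rule,
                             "value": value[:4] + "..."})
    return findings


def check_default_credentials(deployed_config):
    """Flag accounts whose password is a factory default or equals the account name."""
    findings = []
    for account, pw in deployed_config.get("accounts", {}).items():
        if pw.lower() in DEFAULT_PASSWORDS or pw.lower() == account.lower():
            findings.append({"rule": "default-admin-password", "account": account})
    return findings


# Constructed sample source. The AKIA value is AWS's published example key.
SAMPLE_SOURCE = '''\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "Summer2020!"
api_key = "your_api_key_here"
api_key = "Zq8vN2xLp9mK4tR7wB3yC6dF1gH5jS0a"
token = os.environ["SERVICE_TOKEN"]
'''

# Constructed sample of a deployed service's admin accounts.
SAMPLE_CONFIG = {"accounts": {"admin": "admin", "deploy": "K7v#9qLm2xP!"}}

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, "app/settings.py") + check_default_credentials(SAMPLE_CONFIG):
        print(f)
```

On the sample source the scanner reports the access key ID, the hardcoded database password and the high-entropy API key (lines 2, 3 and 5), skips the placeholder on line 4, and ignores the line that reads the token from the environment, which is the pattern the flagged lines should be rewritten to. The config check flags the admin account still set to its default.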
Other sessions at the conference this year looked at topics such as organizational culture, building an AppSec champions program, creating a bug bounty program, and a deep dive into banking appsec programs.
BSIMM member registrants can watch the sessions on demand via the conference website until December 23. If you did not register for the conference, email email@example.com to set up credentials to view the presentations.