
Five Principles for Software Security

By SiliconIndia   |   Wednesday, 10 October 2012, 00:42 Hrs

Bangalore: The BSIMM (Building Security In Maturity Model) aims to help a software tester understand and plan the various initiatives involved in software security. It is a collection of ideas and activities compiled from an analysis of real-world data.

Drawing on his experience interpreting the BSIMM over the past four years, Gary McGraw, together with Cigital Principals including Paco Hope, Scott Matsumoto, Sammy Migues, and John Steven, came up with the Ten Commandments for software security. Here are 5 of the Ten Commandments as posted on

1.    Lead your software security initiative (SSI) with a software security group (SSG)
Software Security Groups include people with good coding experience and architectural understanding. Thus, before adopting software security activities, companies should create a Software Security Group.

2.    Rely on risk management and objective measurement using the BSIMM—not “Top Ten Lists” and vulnerability counts—to define SSI success
The BSIMM provides various measures for adopting Software Security Initiatives. It gives a detailed snapshot of the SSI that higher-level executives can understand. A firm can compare its activities with those of others to determine whether it is leading in the initiative it has undertaken, on par with others, or below the mark.

3.    Communicate with executives, directly linking SSI success to business value and comparing your firm against its peers
Higher-level executives expect to see key performance indicators that cover the various aspects of the Software Security Initiative. Testers are expected to fix the security problems. If they do nothing to fix the problem, they may be seen as part of the problem.

4.    Do not limit software security activity to only technical SDLC activities and especially not to penetration testing alone
It must be remembered that software security is not all about technical issues. Testers should take advantage of penetration testing but they must also know its limitations. The main limitation of penetration testing is that it is too expensive to fix a problem.

5.    Grow and nurture software security professionals for your SSG
The best software security professionals are difficult to find. Therefore, to build a team of the best SSG members, developers can be taught about security. Gary McGraw looks for a person who can review code in addition to fixing security problems and who is well aware of penetration testing.
