I recently came across the Synopsys Building Security In Maturity Model (BSIMM) report and found myself enthusiastically agreeing with a number of the points it makes. If you are not familiar with it, the report collects quantitative data each year from a number of companies about their security practices. One of the findings it highlights is that “Security is becoming part of a quality practice, which is being recognized as part of reliability, all in pursuit of resilience”. Here at Cyral, we wholeheartedly agree that we should all secure early and often. In fact, it was something I first wrote about in Why I Joined Cyral.
The 11th BSIMM report collected data from 130 large companies across a wide range of industries. Participants in this year’s report ranged from Adobe to Zendesk and included companies as varied as Eli Lilly, HSBC, and Medtronic. In the report’s own words, “The purpose of the BSIMM is to quantify the activities carried out by various kinds of SSIs across many organizations.” (SSI is BSIMM’s term for a software security initiative.) The report is built from survey data on the security practices these companies actually carry out. Those practices are grouped into four major categories: Governance, Intelligence, SSDL Touchpoints and Deployment. Each major category is broken down into sub-categories such as Code Review, and each sub-category has three levels, each containing two to five real-world activities, such as “Use automated tools along with manual review” in Level 1 and “Automate malicious code detection” in Level 3. Based on interviews, each company is then assessed on whether or not it performs each activity.
In early 2020, a former coworker and I presented at BSidesSF on the intersection of security and quality assurance. We had a simple question: “Aren’t we all just hunting bugs?” One of the key takeaways was that, from a user’s perspective, it doesn’t matter whether a bug is classified as a security bug or not. As practitioners we often lose sight of the user experience; we get so caught up in the nuances of filing bugs in Jira that we miss the forest for the trees. Over the years, this recognition has spread through Silicon Valley, most notably in Facebook’s change of motto from “Move fast and break things” to “Move fast with stable infrastructure.” Like Facebook, the industry as a whole has started to focus not just on speed, but also on stability and resilience.
Treating security bugs as a separate class from every other bug is a false dichotomy, and it necessarily sets up gates. Security needs to become part of an overall quality program, and resilience can no longer mean just seamlessly recovering from infrastructure outages. One of the key approaches we discussed at BSidesSF was to have Security and QA teams formally work closely together, which requires a shift-left mentality. Today many people talk about Shift Left solely in the context of security issues, but the term was actually “first introduced in 2001 by Larry Smith to encourage more comprehensive testing done by both developers and QA earlier in the process.” Security is part of an overall quality program and should be looked at holistically as such.
Here at Cyral, we believe there are many opportunities to increase resilience and quality and to reduce the impact of security issues. We are big fans of Security as Code, both as a concept and in practice: we regularly feature new open source projects every TSD that epitomize it, and we have released Approzium and BrewOPA to help others put it into practice.