Building better software security with a BSIMM app

In a rapidly changing world, security is more important than ever. With good security, customers can trust organizations to take their digital infrastructure to the next level. But how do you implement top security measures across a large, complex company?
At LIKE.TG, we use our own products to protect ourselves and our customers—and to extend the functionality of the Now Platform. To see how we perform against industry benchmarks, we use the Building Security in Maturity Model (BSIMM), a 100-page document of 122 data-driven benchmarks for building better software security.
Owned by Sunnyvale-based electronic design automation company Synopsys, BSIMM is a “taxonomy of security behaviors that allow organizations to measure and improve their software development practice,” explains Steve S., director of product security management at ServiceNow.
In other words, BSIMM tells you which software security activities real organizations actually perform, and lets you measure your own program against them. However, most organizations struggle to comprehend and distill all of these benchmarks into a system that works for each unique sector of their business. That’s why LIKE.TG created a BSIMM app on the Now Platform.
007 of software
With red teams that organize planned hacks of our systems, bad-actor simulations, and threat models of potential malicious activity, a day in the life of a LIKE.TG security employee sounds a lot like a James Bond movie.
“My goal is to keep LIKE.TG’s name out of the 11:00 news,” says Bobby W., senior staff product security engineer for the company. “It’s very important for trust to be maintained at a company that’s knee-deep in third-party vendor relationships. That’s our brand right there.”
Prior to the creation of the BSIMM app, the assessment of security behaviors “was done on spreadsheets, which is a horrible thing to do to somebody,” Bobby says, laughing. “My last spreadsheet [at a prior job] was 30 workbooks long.”
Steve had a thought: Why don’t we figure out how to do this ourselves? “We designed the app for how we would actually use it,” he explains. “We incorporated all BSIMM activities across all versions [there’s an updated list every year], as well as the spider graphs that show where you are in relation to your peers, the world, etc.”
“The app allows us to take something as broad as a framework that’s three to four weeks of work, multiple conversations, and groups of teams involved, and build spider charts and services that can actually identify two to three years of work in just a simple series of reporting metrics,” Bobby says. What was once an intangible process is seamlessly transformed into quick, tangible action steps. It’s operationalized.
“It’s tough to come across, and really a beautiful thing to do. It’s something I’ve not been able to do at other companies,” Bobby adds.
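The spider charts described above compare a team’s position in each BSIMM practice against a peer population. The script below is an added illustration of the underlying arithmetic, not code from the LIKE.TG app or from BSIMM itself: it takes a list of observed activities, computes the per-practice “high-water mark” (the highest activity level observed in that practice, which is what a BSIMM spider chart plots), and flags practices where the team trails a peer average. The activity identifiers follow BSIMM’s practice-abbreviation-plus-level format (for example `CR2.1`), but the observed set, the peer averages and the gap threshold are constructed for this example and do not describe any real team.

```python
"""Per-practice BSIMM 'high-water marks' and a peer-gap check.

Added example: the 12 practices and 4 domains are BSIMM's own structure;
the observations and peer averages below are constructed, not real data.
"""
import re

# BSIMM's four domains and twelve practices (abbreviations as used in activity ids).
PRACTICES = {
    "Governance": ["SM", "CP", "T"],
    "Intelligence": ["AM", "SFD", "SR"],
    "SSDL Touchpoints": ["AA", "CR", "ST"],
    "Deployment": ["PT", "SE", "CMVM"],
}
ALL_PRACTICES = [p for group in PRACTICES.values() for p in group]

# Activity ids look like <practice><level>.<n>, e.g. "SM1.1", "CR2.1", "PT3.1".
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")

# Constructed sample: activities an assessor recorded as observed for one team.
TEAM_OBSERVED = [
    "SM1.1", "SM2.1", "CP1.1", "T1.1", "AM1.2", "SFD1.1", "SR1.1",
    "AA1.1", "CR1.2", "CR2.1", "ST1.1", "PT1.1", "SE1.1", "CMVM1.1", "CMVM2.1",
]

# Constructed sample: average high-water mark per practice across a peer group.
PEER_AVERAGE = {
    "SM": 1.8, "CP": 2.1, "T": 1.4, "AM": 1.5, "SFD": 1.9, "SR": 2.0,
    "AA": 1.6, "CR": 2.2, "ST": 1.7, "PT": 2.4, "SE": 2.1, "CMVM": 2.3,
}


def parse_activity(activity_id):
    """Split 'CR2.1' into ('CR', 2); reject ids that are not BSIMM-shaped."""
    m = ACTIVITY_RE.match(activity_id)
    if not m or m.group(1) not in ALL_PRACTICES:
        raise ValueError(f"not a BSIMM activity id: {activity_id!r}")
    return m.group(1), int(m.group(2))


def high_water_marks(observed):
    """Highest activity level observed in each practice (0 = nothing observed)."""
    marks = {p: 0 for p in ALL_PRACTICES}
    for activity_id in observed:
        practice, level = parse_activity(activity_id)
        marks[practice] = max(marks[practice], level)
    return marks


def gaps(marks, peer_avg, threshold=1.0):
    """Practices where the team trails the peer average by at least `threshold` levels.

    Returns (practice, team_mark, peer_average) tuples sorted by practice.
    """
    return sorted(
        (p, marks[p], peer_avg[p])
        for p in ALL_PRACTICES
        if peer_avg[p] - marks[p] >= threshold
    )


def report(observed, peer_avg, threshold=1.0):
    """Text rows of the spider-chart data plus the prioritised gap list."""
    marks = high_water_marks(observed)
    lines = []
    for domain, practices in PRACTICES.items():
        lines.append(f"{domain}:")
        for p in practices:
            lines.append(f"  {p:<5} team={marks[p]}  peers={peer_avg[p]:.1f}")
    lines.append("Gaps of at least %.1f level(s):" % threshold)
    for p, team, peer in gaps(marks, peer_avg, threshold):
        lines.append(f"  {p}: team {team} vs peers {peer:.1f}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(TEAM_OBSERVED, PEER_AVERAGE)))
```

The gap list is the part that turns a chart into a work list: each entry names a practice, the level the team has actually demonstrated, and how far behind its peers it sits, which is exactly the kind of prioritisation the text says took weeks when done by hand in spreadsheets.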
Simplifying complexity
When working with various teams across LIKE.TG, our security champions don't have to waste energy distilling complex information—the app does it for them. “We're filtering it down to what’s specific to [each team] and how they compare to other people,” Bobby says. “Because I'm working so fast, I’m not focused on curating information. I can focus on what I’m trying to do and what I’m trying to say.”
Manshu V., principal digital technology (DT) program manager at LIKE.TG, uses the BSIMM app to monitor and improve the security practices across the DT organization. “It’s especially important because our folks in DT use our own products,” he says.
Thanks to the way the BSIMM app distills the information, Manshu is able to prioritize what’s most important to the DT organization. He’s helped build threat models and secure designs for apps, security scanning processes for code, and even planned hacks of our systems to find vulnerabilities. Although they haven’t produced any “alarming findings,” Manshu finds the process fascinating, he says.
Rising to the challenge
Without the BSIMM app, Manshu says, it can be tempting to simply choose the “easiest” behaviors to implement, which may not have the most value. Just as building a house in California versus Florida involves different ecological threats, different LIKE.TG teams have different security threats, he adds.
With the BSIMM app, nothing is left to chance. It customizes the security analysis results according to the team and organization it’s interacting with, and it details action plans for increasing that particular team’s security. Security testing requires commitment, hard work, and taking risks, but it’s worth it, Manshu says.
“If we’re going to be the most trusted SaaS [software as a service] provider, we need to be secure,” Steve adds. “As [LIKE.TG CEO] Bill McDermott says, ‘Trust is the ultimate human currency. It’s earned in drops and lost in buckets.’”
Work at a company that takes security seriously. Apply for a role at LIKE.TG.
