Sunday, January 9, 2011

Touchpoints and BSIMM hurt AppSec

Conjecture: BSIMM and Touchpoints are harmful to developers and organizations seeking cost effective application security based risk reduction.

Let’s start with the flaws of Touchpoints:

1. Touchpoints make security separate from development
2. Touchpoints are all verification, not build secure apps
3. Touchpoints are only SDLC (one app), not full boar appsec program planning across an entire application portfolio
4. Touchpoints makes security a cost, not an opportunity for improvement in other aspects of software dev
5. Touchpoints are negative vulnerability focused, not positive controls centric thinking
6. Touchpoints are basically hacking ourselves secure, not assurance evidence based
7. Touchpoints are trivial in the sense that they are just a concept with no backing... just a picture and a book. No meat!
8. Touchpoints are designed to sell tools - not totally, but somewhat
9. Touchpoints are not free and open (creative commons anyone?)

BSIMM continues with this tradition.

Does your organization really care if the software you are writing is secure, or is it a burden and a chore? No amount of process will fix not caring. BSIMM does almost nothing to create a culture of good security practices for developers. It’s again, 80% verification activities. It extends the tradition of the Touchpoints model which was 100% verification.

BSIMM and touchpoints do not go down and dirty to figure out how to actually make software secure.

And frankly, that’s what the entire world really needs right now.


Insanity said...

Do you think having QA is also bad? After all, they just verify the functional requirements.

That's not to be snarky. It's just that touchpoints/verificatoin doesn't take away or add to an organizations perception of carring. It simply provides a mechanism to "trust but verify". Isn't that one of the biggest credo's in security?

Jim Manico said...

I'm saying some fairly bold things here that need to be challenged, so no - you are not being snarky at all and I appreciate you feedback.

I think "trust but verify" is a foolish notion. As a control centric thinker, I prefer:

Empower developers with secure coding education, Empower developers with secure coding standards, Empower developers with secure coding libraries, still do not trust them, and yes verify.

The point I'm making is that assessment does nothing to secure an application; so when faced with limited resources, I prefer to invest in application security from a developer/control/builder-centric perspective.

Touchpoints/BSIMM is more of an "assessment-centric perspective" which I am not a fan of past the very earliest stages of application security organizational maturity.