Musings on Software Engineering and Application Security from Jim Manico
Conjecture: BSIMM and Touchpoints are harmful to developers and organizations seeking cost-effective, application-security-based risk reduction.
Let’s start with the flaws of Touchpoints:
1. Touchpoints make security separate from development.
2. Touchpoints are all verification; they do not help you build secure apps.
3. Touchpoints cover only the SDLC of one app, not full-bore appsec program planning across an entire application portfolio.
4. Touchpoints make security a cost, not an opportunity for improvement in other aspects of software development.
5. Touchpoints are negative, vulnerability-focused thinking, not positive, controls-centric thinking.
6. Touchpoints are basically hacking ourselves secure, not assurance-evidence based.
7. Touchpoints are trivial in the sense that they are just a concept with no backing... just a picture and a book. No meat!
8. Touchpoints are designed to sell tools - not totally, but somewhat.
9. Touchpoints are not free and open (Creative Commons, anyone?).
BSIMM continues with this tradition.
Does your organization really care whether the software you are writing is secure, or is it a burden and a chore? No amount of process will fix not caring. BSIMM does almost nothing to create a culture of good security practices for developers. It is, again, about 80% verification activities. It extends the tradition of the Touchpoints model, which was 100% verification.
BSIMM and Touchpoints do not get down and dirty to figure out how to actually make software secure.
And frankly, that’s what the entire world really needs right now.