Why using a secure application development framework is important
Over the past year or so, supply chain attacks have become more frequent than ever, making supplier security a major concern for many organizations. Today, MSPs need to be able to determine the security level of their upstream suppliers in order to protect their own business and their downstream customers.
Many of these attacks are made possible by weaknesses in software security development processes. Many applications today are designed for speed, performance, and ease of use, prioritizing agility over security. As a result, security is often an afterthought in application development, yet the application layer remains an easy target, as evidenced by the majority of attacks that aim at it. According to a recently commissioned research report written by the Cyentia Institute, “56% of the most significant incidents in the past 5 years are related to some form of web application security issue…” In fact, many of today’s high-profile breaches are a direct result of the following web application attacks:
- Broken access controls – When an unauthorized user or attacker gains the ability to edit or delete content, or worse, obtains full control over a web application.
- Injection and cross-site scripting attacks – When malicious code is injected into a web application, often resulting in data loss, deletion, denial of service or even total system compromise.
- Server-side request forgery defects – When an attacker induces a web application to make a server-side request to a destination of the attacker’s choosing and return the response, reaching internal systems that firewalls and ACLs would otherwise block.
- Unpatched, unsupported, and obsolete applications – Over time, attackers discover exploitable weaknesses even in the most robust applications, hence the need to ensure that applications and management systems are supported and kept up to date.
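As an added illustration of the server-side request forgery item above (example code written for this page, not Datto’s code): the vulnerable fetch passes a client-supplied URL straight to the HTTP client, while the hardened version validates scheme, userinfo, host, address range and port against an allowlist before any request is made. The allowlist, the scheme and port policy, the `_do_fetch` stand-in and the sample URLs are all assumptions constructed for the example so that it runs offline.

```python
"""Server-side request forgery: a vulnerable outbound fetch beside a hardened one.

Added example, not Datto's code. The allowlist, scheme/port policy, the
_do_fetch stand-in and the sample inputs are assumptions made for illustration.
"""
import ipaddress
from urllib.parse import urlparse

# Hypothetical: the only external hosts this application legitimately fetches from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def _do_fetch(url):
    """Stand-in for the real HTTP client (e.g. requests.get) so the example runs
    offline. It only records what would have been requested."""
    return f"GET {url}"


def fetch_vulnerable(user_url):
    """Before: the server fetches whatever URL the client supplies.

    An attacker can point it at internal hosts the firewall would otherwise
    block (a cloud metadata service, an admin interface on localhost) and read
    the response back through the application."""
    return _do_fetch(user_url)


def check_outbound_url(user_url):
    """Return (ok, reason) for a client-supplied URL, checking the controls in order."""
    parts = urlparse(user_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # "https://api.example.com@10.0.0.5/" parses with hostname 10.0.0.5 and
    # username api.example.com; refuse any userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    # Address literals are never acceptable here; additionally name non-global
    # ranges (loopback, RFC 1918, link-local such as 169.254.169.254) explicitly,
    # since those are the classic SSRF targets.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return False, "address literal" if ip.is_global else "non-global address literal"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        port = parts.port  # raises ValueError on a malformed port string
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    return True, "ok"


def fetch_hardened(user_url):
    """After: only allowlisted destinations are fetched, and the URL is rebuilt
    from the validated components rather than passed through as received."""
    ok, reason = check_outbound_url(user_url)
    if not ok:
        raise ValueError(f"refusing outbound request: {reason}")
    parts = urlparse(user_url)
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return _do_fetch(f"https://{parts.hostname.lower()}{path}{query}")


if __name__ == "__main__":
    # Constructed attacker inputs of the kind the text describes.
    samples = [
        "https://api.example.com/v1/status",
        "http://169.254.169.254/latest/meta-data/",
        "https://127.0.0.1:8080/admin",
        "https://api.example.com@10.0.0.5/",
        "file:///etc/passwd",
        "https://attacker.example.net/",
    ]
    for s in samples:
        print(s, "->", check_outbound_url(s))
```

A name-based allowlist is only the first layer: the HTTP client must also resolve the host and re-check the resulting address at connect time (otherwise DNS rebinding defeats the check) and must not follow redirects, since an allowlisted host that redirects to an internal address reintroduces the same problem. Neither of those can be shown offline, so they are left to the real client.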
It’s clearer than ever that software applications are essential to the operations of IT service providers today. The majority of applications have access to valuable data, so the damage caused by operating an insecure web application can be enormous. Whether it’s RMM or a business continuity solution, we can’t underestimate the importance of ensuring that applications are designed with security in mind.
Datto adopted the Building Security in Maturity Model (BSIMM)
Datto has always put security first. As part of our commitment to protect MSPs and their customers, we’ve made it our mission to set the gold standard in channel security for software supply chains. As such, we maintain a high level of security throughout the software development cycle and constantly evaluate and improve our application development processes to align with the highest security standards.
With supply chain security becoming more important than ever, we view application development security as a necessary and strategic component of our business, and we have therefore adopted the BSIMM framework to demonstrate our commitment to the channel community as a secure supplier and partner.
What is BSIMM?
The Building Security In Maturity Model (BSIMM) is a study of current software security initiatives, at a given point in time, that quantifies the maturity of application security (appsec) programs. BSIMM helps organizations plan, implement, and measure their software security initiatives. A BSIMM assessment provides an objective, point-in-time, data-driven measurement so that organizations can continuously improve the security of their applications.
BSIMM’s observations use a framework of 12 software security practices organized into four domains, Governance, Intelligence, SSDL Touchpoints, and Deployment, currently encompassing 122 unique activities across three maturity levels. The Governance domain, for example, includes activities that fall under the organization, management, and measurement practices of a software security initiative.
Why did we choose BSIMM and not other frameworks?
- BSIMM is the global benchmark in software security: There are many application security frameworks, but BSIMM is the only one that allows organizations to formally assess the maturity of their application security program against other leading programs, drawing on real-world observation data collected by a neutral party.
- BSIMM stays current: The model is updated annually based on continuous observation of the BSIMM activities of participating companies.
- BSIMM provides independent assessment data: This allows us to communicate our software security posture to customers, partners and regulators with independent quantitative data to back it up.
- The BSIMM community: By participating in BSIMM, we have direct access to resources, community members and annual conferences that allow us to stay on top of the latest developments in application security, working together to solve technical challenges and contributing to the improvement of application security practices as a whole.
Datto tops the table
Knowing that secure application development is crucial to the overall security posture of any business, Datto is committed to implementing the BSIMM software security framework.
In its first BSIMM assessment, covering Datto Remote Monitoring and Management (RMM), Datto achieved an outstanding ranking, comparable with the secure application development processes of the 128 most security-mature application developers in the industry, a group that includes major IT providers, financial institutions and Fortune 500 companies.
Summary of the Datto RMM assessment
- Datto’s results exceeded the initial target, scoring above average in 8 of 12 practices
- Ranked in the top 20% of companies submitted for their first assessment
- Its score ranks in the top 5 of companies that have a software security group less than two years old
- Datto performs the most important activity related to improving software security: it has a dedicated SSG that can secure resources and drive organizational change
Compared with the average scores of all BSIMM12 participants, Datto ranks above average in Strategy & Metrics, Compliance & Policy, Training, Attack Models, Code Review, Security Testing, Penetration Testing, and Configuration Management & Vulnerability Management. Datto’s marks are near average in Standards & Requirements and Software Environment. The results of this observation also indicate that Datto’s forward-looking plans and priorities are well aligned with BSIMM recommendations and guidance as part of a well-balanced software security initiative.
“Datto performs the most important activity related to improving software security – it has a dedicated software security group that can secure resources and drive organizational change.”
This initial assessment is proof of Datto’s continued commitment to secure code development, and a testament that Datto is the only IT provider dedicated to the MSP community to not only achieve BSIMM validation, but also achieve this BSIMM rating level.
Making informed decisions about security software has never been more important and has never had such critical downstream consequences.
To learn more about Datto’s BSIMM assessment, please contact your Datto sales representative.
Datto Holding Corp. published this content on November 17, 2021 and is solely responsible for the information it contains. Distributed by Public, unedited and unmodified, on Nov 17, 2021 05:59:12 PM UTC.