Honeywell Uses BSIMM as Tool to Drive Improved Security Maturity for Our Products and Solutions
Honeywell Uses BSIMM as Tool to Drive Improved Security Maturity for Our Products and Solutions
Honeywell uses Building Security In Maturity Model (BSIMM) as our chief assessment tool for continuously improving the security maturity for our products and solutions. BSIMM is a maturity framework that organizations can use to help understand the maturity of their product security process and practice. The model is based on observational science around software security and is continuously being updated and evolving. It is conducted on organizations across many different industries.
Advantages of BSIMM Framework
BSIMM is a very good tool that has been built on real-world data and provides a foundation for measurement for how your software security initiatives compare against other organizations in your industry. It also provides clarity for your executive team on how security decisions and efforts are making a difference. When an organization adopts BSIMM, it provides:
- A framework for organizations to start a Software Security Initiative (SSI).
- A standard by which to measure and compare SSI against a domain and/or industry.
- A base for organizations so they can learn from their mistakes.
- A model based on scientific principles whereby organizations can measure their current state of security readiness, identify gaps and set priorities for improvement.
- A standard repeatable process.
- A larger community where you can compare notes and learn from others.
- For the organization to plan, execute and initiate on their own without having to onboard a third party.
- Clarity on what is the right path to follow.
BSIMM Framework: 4 Domains, 12 Core Activities and 113 Sub-Activities
The research and findings provide a common measuring stick with using 113 activities for organizations. The framework comprises four domains – Governance, Intelligence, SSDL Touchpoints, Deployment – that hold 12 practices.
Governance. Practices that help organize, manage and measure a software security initiative. Staff development is also a central governance practice. Governance practices include:
- Strategy & Metrics (SM). The Strategy & Metrics practice encompasses planning, assigning roles and responsibilities, identifying software security goals, determining budgets and identifying metrics and gates.
- Compliance & Policy (CP). The Compliance & Policy practice is focused on identifying controls for compliance regimens such as PCI DSS and HIPAA, developing contractual controls such as service-level agreements (SLAs) to help control COTS software risk, setting organizational software security policy, and auditing against that policy.
- Training (T). Training has always played a critical role in software security because software developers and architects often start with little security knowledge.
Intelligence. Practices that result in collections of corporate knowledge used in carrying out software security activities throughout the organization. Collections include both proactive security guidance and organizational threat modeling. Intelligence practices include:
- Attack Models (AM). Attack Models capture information used to think like an attacker: threat modeling, abuse case development and refinement, data classification and technology-specific attack patterns. Honeywell builds attack threat models as part of our secure software development across our entire product portfolio.
- Security Features & Design (SFD). The Security Features & Design practice is charged with creating usable security patterns for major security controls (meeting the standards defined in the Standards & Requirements practice), building middleware frameworks for those controls, and creating and publishing other proactive security guidance.
- Standards & Requirements (SR). The Standards & Requirements practice involves eliciting explicit security requirements from the organization, determining which COTS to recommend, building standards for major security controls (such as authentication, input validation and so on), creating security standards for technologies in use, and creating a standards review board.
SSDL Touchpoints. Practices associated with analysis and assurance of particular software development artifacts and processes. All software security methodologies include these practices. SSDL Touchpoint practices include:
- Architecture Analysis (AA). Architecture Analysis encompasses capturing software architecture in concise diagrams, applying lists of risks and threats, adopting a process for review (such as STRIDE or Architecture Risk Analysis), and building an assessment and remediation plan for the organization.
- Code Review (CR). The Code Review practice includes use of code review tools, development of tailored rules, customized profiles for tool use by different roles (for example, developers versus auditors), manual analysis and tracking/measuring results.
- Security Testing (ST). The Security Testing practice is concerned with prerelease testing, including integrating security into standard quality assurance processes. The practice includes use of black-box security tools (including fuzz testing) as a smoke test in QA, risk-driven white-box testing, application of the attack model, and code coverage analysis. Security testing focuses on vulnerabilities in construction.
Deployment. Practices that interface with traditional network security and software maintenance organizations. Software configuration, maintenance and other environment issues have direct impact on software security and Honeywell takes into consideration how our products will be used by our customers and builds security into the product. Deployment practices include:
- Penetration Testing (PT). The Penetration Testing practice involves standard outside-in testing of the sort carried out by security specialists. Penetration testing focuses on vulnerabilities in the final configuration and provides direct feeds to defect management and mitigation.
- Software Environment (SE). The Software Environment practice concerns itself with OS and platform patching, web application firewalls, installation and configuration documentation, application monitoring, change management and ultimately, code signing.
- Configuration Management & Vulnerability Management (CMVM). The Configuration Management & Vulnerability Management practice concerns itself with patching and updating applications, version control, defect tracking and remediation, and incident handling.
Operational Intelligence: An Example of How Honeywell Builds Security Its Products
Honeywell’s Operational Intelligence is backed by the Honeywell Product Security Platform. Our security platform is based on knowledge that in today’s connected world, threat actors are working around the clock to identify vulnerabilities and ultimately harm your business. When you choose Honeywell, you’ll know your products and solutions are secure by design, informed by intelligence and defended with vigilance so you can operate with confidence that both your data and operations are secure.
Secure by Design. Honeywell’s Secure System Design Lifecycle (SSDL) drives the development of our products and solutions. The Honeywell SSDL gathers critical information from numerous sources, including current cybersecurity standards like the ISA 62443. This information is used to create security requirements that products must meet from their inception. Our security efforts also include detailed architectural analysis, code review and security testing, with each iteration building on giving you the benefit of current security fixes and patches.
Honeywell Operational Intelligence adheres to standards from organizations such as the Cloud Security Alliance Control Matrix and the European Union Agency for Network and Information Security to ensure confidentiality, integrity and availability of your data on our platform. Honeywell has worked to ensure that we have minimized the attack surface area, established secure defaults from the very start, and are defending with depth our cloud infrastructure. Honeywell treats the security of Operational Intelligence as a foundational feature that is built into every other functionality of our offering. Continuously working and evolving our DevSecOps, while aligning our cybersecurity program to the BSIMM v9 framework.
BSIMM v9 Framework. Honeywell Operational Intelligence is hosted on the Microsoft Azure platform in the United States, and can be deployed on Amazon AWS, Google Cloud or any other cloud infrastructure provider. Security controls around business continuity and disaster recovery have been built into the platform from its inception. As the platform is easily scalable, resilient and portable, Honeywell has ensured that our infrastructure providers meet the latest advancements in cybersecurity protections for customer data.
Honeywell has been working to ensure a cohesive DevSecOps strategy throughout our software development lifecycle and Operational Intelligence inherits controls that have made Honeywell a trusted partner for governmental organizations and customers in the national security and critical infrastructure domains.
Role-based access controls and workflows have been well-defined and architected to ensure auditing around actions taken by users throughout the platform. Tenant level and permissions are controlled at the customer level with permissions for each feature layer.
We took a holistic approach to securing the solution as a cloud platform and have gone through our SSDL to ensure security requirements, threat modeling and penetration testing have all been baked in from the very beginning. Our privacy impact assessment process has been closely aligned with regulatory requirements such as the European Union General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) to ensure compliance and best practices for securely storing data. Honeywell has taken care to ensure that no sensitive or personally identifiable information is stored on our cloud infrastructure.
Informed by Intelligence. Honeywell’s large footprint in multiple industries gives us a broad view of emerging cybersecurity threats in their earliest stages. This allows us to identify issues, develop countermeasures and deploy them to our customers earlier than the competition. We also leverage relationships to receive pre-disclosures of vulnerabilities from industry councils and partners including Intel, Qualcomm and Google. Also, Honeywell’s size and strength allows us to leverage the broad investment in security across our enterprise.
Honeywell is involved in 70 industry sectors often involving critical infrastructure and national security. Honeywell Operational Intelligence has inherited from the body of knowledge and work being done in cybersecurity by the 300 dedicated cybersecurity professionals that work across our company.
Honeywell Operational Intelligence has been put through its paces. A group of dedicated white-hat penetration testers (OSCE/OSCP certified), completely independent from the engineering team, continuously test our solution to ensure we have the strictest standards for defense.
Defended with Vigilance. To maintain the highest level of vigilance, Honeywell employs a team of analysts working diligently to identify and report potential security risks. To stay ahead, you’ll receive security patches on a consistent basis, based on updates from Honeywell and our partners. With this continual monitoring of systems’ security, you can be confident Honeywell is in the know and stands ready to partner with you in the protection of your critical resources and data.
Honeywell Operational Intelligence is constantly being monitored by our team of professionals using up-to-the-minute centralized logging and alerting methodologies to ensure constant access to your critical data. Additionally, Operational Intelligence relies strictly on encrypted protocols to transmit data, and Transparent Data Encryption to store data that is encrypted. These two methodologies warrant that multi-tenancy and segmentation of your data is assured.
Honeywell's Pillars to a Foundation of Trust
Every day, around the world, businesses are at risk of cyberattacks. Honeywell acknowledges the risk and believes the best way to minimize attacks and the losses that result from them is to take a pervasive and holistic approach to security. Pervasive means Honeywell approaches security from multiple angles, which include gathering intelligence on cyber events in multiple industries, building protections directly into devices and software, and maintaining a 24/7 level of vigilance on the cyber climate. A holistic approach to security means that we need to pay attention to the entire picture and individual aspects of a product offering.
Honeywell aims to integrate all these elements designed to safeguard an organization to empower our customers to build a solution with security built in from the beginning. We focus on protecting you and our products (e.g., mobile computers, scanners and printers) against sophisticated attacks at all levels, from low-level opportunistic hackers to industrial espionage and cyber criminals. Honeywell is a founding member of the ISA Global Security Alliance, which means that all of our products go through ISA62433 security requirements from their inception.
Honeywell’s story begins 100+ years ago as a global leader in industrial manufacturing and advanced technology. We have used that expertise to drive cybersecurity innovation with over 15 years as a key leader in industrial cybersecurity solutions helping transform and protect the world’s most critical infrastructures. Our broad portfolio includes Operational Technology (OT) cybersecurity software products and services that allow customers to simplify, strengthen and scale industrial cybersecurity across an enterprise.
Our global team of 300+ Certified Cybersecurity Experts have successfully implemented 5,000+ cybersecurity projects, managed 400+ industrial cybersecurity sites, conducted hundreds of risk assessments and have the breadth of resources to help execute projects of every size and complexity across 70 industry sectors often involving critical infrastructure and national security. These include: supply chain, healthcare, oil and gas, refining, pulp and paper, industrial power generation, chemicals and petrochemicals, biofuels, life sciences, CPG, F&B, utilities, water/waste, metals, minerals and mining industries.
Honeywell’s large footprint in multiple industries gives us a broad view of emerging cybersecurity threats in their earliest stages in industries where the typical cybersecurity offerings are not usually present. This allows us to identify issues, develop countermeasures and deploy them to our customers earlier than our competition in this industry that usually does not receive attention. We also leverage relationships to receive pre-disclosures of vulnerabilities from industry councils and partners including Intel, Qualcomm and Google as well as from our participation and work with various organizations such as ICS-CERT (concentrated around Industrial Controls), NVD, DHS CISA and many more. Furthermore, Honeywell’s size, strength and global presence allows us to leverage the broad investment in security across our enterprise.
Cybersecurity is core to Honeywell. We design security into our products, policies and processes. Our baked-in-from-inception approach to cybersecurity, design-to-delivery process has a strong emphasis on building security into products to anticipate and mitigate risk before a breach can happen. We do this by embedding deep domain knowledge, product testing and security requirements of industry-leading security practices throughout our full design and development process to ensure our solutions are as secure as possible from the start.
We aim to make our solutions as free of vulnerabilities and attack surface as possible through such measures as continuous testing, authentication safeguards and adherence to best programming practices. We believe security must evolve with the product that our customers purchase. A group of dedicated white-hat penetration testers with industry-leading certifications such as OSCE/OSCP, completely independent from the engineering team, continuously test our solutions to ensure we have the highest standards for defense.
Contact a Honeywell Solutions Expert today! Call 1-800-934-3163.
Copyright © 2020 Honeywell International Inc. All rights reserved.