November 17, 2021

Strong Supply Chain Security Starts with Secure Software

By Emilyann Fogarty
Supply Chain

Why Using a Secure Application Development Framework Matters

Over the past year or so, supply chain attacks have become more prevalent than ever, making vendor security a top-of-mind concern for many organizations. MSPs now have to determine how secure their upstream suppliers are in order to protect their own business and their downstream customers.

How does it happen? Many of these attacks are made possible by weaknesses in software security development processes. Many applications today are built for speed, performance and ease of use, prioritizing agility over security. As a result, security is often an afterthought in application development, and the application layer remains a soft target, as evidenced by the majority of attacks being aimed at it. According to a recently commissioned research report authored by the Cyentia Institute, “56% of the largest incidents of the last 5 years tie back to some form of web application security issue…” In fact, many high-profile breaches today are a direct result of the following web application attacks:

  • Vulnerable Access Controls – Where an unauthorized user or hacker gains access to modify or delete content, or worse, gains full control over a web application.
  • Injection and Cross-site Scripting Attacks – Where malicious code is injected into a web application, often leading to data loss, deletion, denial of service or even complete system compromise.
  • Server-Side Request Forgery Flaws – Here, an attacker induces the web application to send a server-side request to a different or unintended destination, bypassing firewalls or access control lists.
  • Unpatched, Unsupported, and Out of Date Applications – Over time, hackers find weaknesses to exploit in even the most robust applications, driving the need to make sure applications and management systems are supported and up to date.
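The server-side request forgery item above comes down to the server fetching a URL an attacker chose. The defensive control is to validate every user-supplied destination before the server connects to it. The following is an added example, not code from the original post or from Datto: a Python validator that assumes a hypothetical host allowlist (ALLOWED_HOSTS), a constructed offline DNS table (CONSTRUCTED_DNS) and the hypothetical function names validate_outbound_url, is_public_address, constructed_resolve and system_resolve.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the application is permitted to fetch from.
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})

# Constructed DNS table so the example runs offline. "cdn.example.com" is
# deliberately mapped to a private address to model a misconfigured or
# attacker-controlled record that would otherwise pass an allowlist check.
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],
}


def constructed_resolve(host):
    """Offline stand-in for DNS: returns the constructed address list."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"constructed DNS has no record for {host}")
    return CONSTRUCTED_DNS[host]


def system_resolve(host):
    """Real resolver: every A/AAAA address the system returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    # is_global already excludes loopback, RFC 1918, link-local and reserved
    # ranges; multicast is excluded explicitly for clarity.
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=system_resolve):
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). Rejects unexpected schemes, embedded
    credentials, hosts outside the allowlist, and any allowlisted host
    that resolves to a non-public address.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme '{parsed.scheme}' not allowed"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    host = parsed.hostname  # already lower-cased by urlparse
    if not host:
        return False, "URL has no host"
    if host not in allowed_hosts:
        return False, f"host '{host}' not in allowlist"
    try:
        addresses = resolve(host)
    except OSError as exc:
        return False, f"name resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for address in addresses:
        if not is_public_address(address):
            return False, f"host resolves to non-public address {address}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates run against the offline resolver.
    for candidate in (
        "https://api.example.com/v1/report",
        "https://cdn.example.com/asset.js",
        "http://localhost/",
        "ftp://api.example.com/file",
    ):
        print(candidate, "->", validate_outbound_url(candidate, resolve=constructed_resolve))
```

Two caveats matter in a real deployment: the address that passed the check must be the one actually connected to (resolve once and connect to that IP, rather than letting the HTTP client resolve the name again, which a changing DNS answer could redirect), and any HTTP redirect the upstream returns must be run through the same validator before it is followed.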

It is clearer than ever that software applications are critical to the operations of IT service providers today. The majority of applications have access to valuable data, so the damage caused by the exploitation of an insecure web application can be enormous. Whether it’s an RMM or a business continuity solution, we cannot underestimate the importance of ensuring that applications are built with security in mind.

Datto Adopted the Building Security in Maturity Model (BSIMM)

Datto has always put security first. As part of our commitment to protecting MSPs and their customers, we set out on a mission to define the channel security gold standard for software supply chains. As such, we maintain a high level of security throughout the software development cycle and are constantly assessing and improving our application development processes to align with the highest security standards.

With supply chain security becoming more important than ever, we see application development security as a necessary and strategic component of our business and therefore have adopted the BSIMM framework to demonstrate our commitment to the channel community as a secure vendor and partner.

What Is BSIMM?

The Building Security In Maturity Model (BSIMM) is a point-in-time study of current software security initiatives that quantifies application security (appsec) development practices. BSIMM helps organizations plan, implement and measure their software security initiatives. A BSIMM assessment provides an objective, point-in-time, data-driven evaluation so that developers can continuously improve the security of their applications.

BSIMM observations use a framework of 12 software security practices organized under four domains (Governance, Intelligence, SSDL Touchpoints, and Deployment), which currently encompasses 122 unique activities across three levels of maturity. The Governance domain, for example, includes the activities that organize, manage, and measure a software security initiative.

Why did we select BSIMM and not other frameworks?

  • BSIMM is the world’s software security yardstick: There are many application security frameworks, yet BSIMM is the only application security framework that allows organizations to formally assess the maturity of their application security program compared to other leading programs, leveraging real world observational data from a neutral party.
  • BSIMM is always relevant: The model is updated yearly based on continuous observation of the BSIMM activities of participating firms.
  • BSIMM provides independent assessment data: This allows us to communicate the software security posture to our customers, partners, and regulators with independent, quantitative data to back it up.
  • The BSIMM community: By participating in BSIMM, we have direct access to resources, community members and annual conferences that allow us to stay abreast of the latest and greatest trends in application security, collaboration on solving technical challenges and contribution to improving the application security practices as a whole.

Datto Takes Top Ranking

Knowing that secure application development is crucial to the overall security posture of any business, Datto committed to implementing the BSIMM software security benchmark tool and framework.

In its first BSIMM assessment, conducted for Datto Remote Monitoring and Management (RMM), Datto achieved a stellar ranking, rivalling the secure application processes and development practices achieved by 128 of the industry’s most secure application developers at leading IT companies, financial institutions and Fortune 500 enterprises.

[Figure: radar chart of Datto RMM BSIMM assessment results]

Datto RMM Assessment Summary

  • Datto’s results exceeded the original goal, achieving a score that is above average in 8 of the 12 practices
  • Ranked in the top 20% of firms undergoing their first assessment
  • Its score ranks in the top 5 among firms whose software security group is less than two years old
  • Datto is performing the single most important activity related to improving software security: it has a dedicated SSG that can get resources and drive organizational change

Compared to the average high-water marks of all BSIMM12 participants, Datto stands above the average in Strategy & Metrics, Compliance & Policy, Training, Attack Models, Code Review, Security Testing, Penetration Testing, and Configuration Management & Vulnerability Management. Datto’s marks are near the average in Standards & Requirements and Software Environment. The results of this observation also show that Datto’s forward-looking plans and priorities are well aligned with BSIMM’s recommendations and guidance in pursuit of a well-rounded software security initiative.

“Datto is performing the single most important activity related to improving software security: it has a dedicated software security group that can get resources and drive organizational change.”

This initial assessment is a proof point of Datto’s continuing commitment to secure code development, and a testament that Datto is the only IT vendor dedicated to the MSP community to not only attain BSIMM validation but also achieve this level of BSIMM scoring.

Making informed decisions about security software has never been more important, nor have those decisions ever carried such critical downstream consequences.

Contact us to learn more about Datto’s BSIMM assessment.
