A holistic approach to BMC Product Security
BMC develops enterprise software across multiple geographies, using multiple technologies and development methodologies. Our enterprise software solutions are summarized here. This whitepaper provides an overview of BMC's product security program and how security is built into every step of the Software Development Life Cycle (SDLC).
The security activities described below support the Autonomous Digital Enterprise (ADE) vision of building software that is secure and robust against cyberattacks. For a complete overview of the various dimensions of security, visit the BMC Trust Center.
Our mission is to embed security and reliability in everything we build and deliver for the Autonomous Digital Enterprise.
Scope of the Product Security Program
The Product Security Program described here applies to all mission-critical BMC enterprise software solutions. Each BMC product undergoes thorough security reviews and security testing prior to release. BMC's Product Security Program uses criteria such as the OWASP Top Ten [1], CERT secure coding standards [2], WASC [3], and SANS Top 25 [4] to assess the security of BMC products. The overall program is a collection of technologies and processes to support people in the ADE organization.
Responsibility of the Product Security Program
The Product Security Group at BMC is responsible for upholding BMC's corporate standards of quality, especially as those standards relate to defining, evangelizing, and measuring all aspects of security within all product line development lifecycles. BMC has a governing policy, metrics, and guidelines for ensuring that all BMC products meet security standards.
At BMC, product security is an integral part of product architecture, development, and quality.
Security is a journey rather than an end goal or a final state. Our security practices continuously evolve to keep up with the growing threats in the digital economy. We adapt our tools and techniques to encompass new technologies and protect against newly discovered threats.
Secure Software Development Lifecycle
BMC uses a "build-security-in" model to treat security as an integral part of the software development lifecycle. This document provides details about security considerations through the Secure SDLC (SSDLC) of a BMC product. The SSDLC begins with a BMC product's initial conception and design and follows the product through development, testing, release, and operation.
By using an agile SSDLC process, BMC addresses security at each phase of the software development lifecycle by integrating security tools and processes throughout all the phases of the product's lifecycle. According to US-CERT, "The cost of correction of security flaws at the requirements level is up to 100 times less than the cost of correction of security flaws in fielded software." [5]
Because software should follow industry best practices, including least privilege, failing securely, defense in depth, and separation of privilege, BMC incorporates threat modeling, attack surface analysis, security architecture analysis, and other techniques in the early phases of application conception. BMC's developers use a "shift-left" approach to security: beginning with the early phases of development, tools for security assessments, threat modeling, security testing, and penetration testing are incorporated into the development process.
As of the date of this document, the following BMC products are subject to this product security program: ITSM, ITOM, Control-M solutions, and other mature products. These products are required to achieve quality certification when they are released. Security signoff for quality certification is issued only when a product, including all its components and dependencies, meets the relevant security requirements.
Security Testing for BMC products
Depending on its nature, each BMC product must go through Static Application Security Testing (SAST), manual penetration testing, and Dynamic Application Security Testing (DAST).
- SAST is performed on BMC products on a continuous basis to ensure secure code is delivered.
- Manual penetration testing of BMC products is performed by the internal penetration-testing team, external penetration-testing companies, or both.
- DAST is performed using industry-leading testing tools to analyse applications in their dynamic, running state during the testing phase of the product development lifecycle.
If these procedures identify any high-severity vulnerabilities (Common Vulnerability Scoring System (CVSS v3) [6] score higher than 7.0), the development team mitigates those vulnerabilities before the product is released.
External Software and Dependencies
Software manufactured by BMC uses third-party open-source software and commercial software that has been scrutinized for security vulnerabilities and malicious code as described below.
- If a BMC product depends upon third-party or open-source software and components, scans are performed using an industry-leading, vulnerability-scanning engine.
- For each open-source software component and library, an automated scan against the National Vulnerability Database is performed to identify any known vulnerabilities in the specific version used in a BMC product.
- For third-party commercial software, a manual review of security reports is performed.
All findings of the security vulnerability review are rated according to the Common Vulnerability Scoring System (CVSS v3) [7] and handled according to their severity. Before the product is released, all critical- and high-severity vulnerabilities are patched or upgraded. Medium- and low-severity vulnerabilities are analysed for relevance and logged to be addressed in later releases if they are not remediated in the current release.
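As an added illustration of the dependency-scanning and severity-handling procedure above (example code written for this page, not BMC's own tooling): a minimal scanner that matches a constructed component inventory against constructed advisory records of the kind a National Vulnerability Database lookup returns, rates each match with the NVD CVSS v3 severity bands (Critical 9.0 and above, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0), and applies the release gate described in the text. The component names and the ADV-EXAMPLE identifiers are placeholders, not real packages or CVE numbers.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Component is one entry from the product's dependency inventory.
type Component struct{ Name, Version string }

// Advisory is a simplified known-vulnerability record of the kind an NVD lookup
// yields. The affected range is [Introduced, Fixed); Fixed == "" means no fixed
// version exists yet. The ADV-EXAMPLE IDs below are constructed placeholders.
type Advisory struct {
	ID, Component, Introduced, Fixed string
	CVSS                             float64 // CVSS v3 base score
}

// Finding pairs a component with an advisory whose range covers its version.
type Finding struct{ Component Component; Advisory Advisory }

// part returns the i-th dotted version part as an integer (0 if absent or non-numeric).
func part(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// VersionLess orders dotted numeric versions, so "2.9.3" sorts before "2.10.0".
func VersionLess(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		if x, y := part(pa, i), part(pb, i); x != y {
			return x < y
		}
	}
	return false
}

// Severity maps a CVSS v3 base score to the NVD qualitative rating bands.
func Severity(score float64) string {
	switch {
	case score >= 9.0: return "Critical"
	case score >= 7.0: return "High"
	case score >= 4.0: return "Medium"
	case score > 0: return "Low"
	}
	return "None"
}

// affected reports whether version lies in [adv.Introduced, adv.Fixed).
func affected(adv Advisory, version string) bool {
	return !VersionLess(version, adv.Introduced) && (adv.Fixed == "" || VersionLess(version, adv.Fixed))
}

// MatchAdvisories is the automated check: every component is compared against
// every advisory for the same name, using the exact version in use.
func MatchAdvisories(sbom []Component, advisories []Advisory) []Finding {
	var findings []Finding
	for _, c := range sbom {
		for _, adv := range advisories {
			if adv.Component == c.Name && affected(adv, c.Version) {
				findings = append(findings, Finding{c, adv})
			}
		}
	}
	return findings
}

// ReleaseGate applies the stated policy: Critical and High findings must be
// fixed before release; Medium and Low are logged for a later release.
func ReleaseGate(findings []Finding) (blocking, logged []Finding) {
	for _, f := range findings {
		if s := Severity(f.Advisory.CVSS); s == "Critical" || s == "High" {
			blocking = append(blocking, f)
		} else {
			logged = append(logged, f)
		}
	}
	return blocking, logged
}

// Constructed sample inventory and advisories for a stand-alone run.
var SampleSBOM = []Component{{"xmlparse-example", "2.9.3"}, {"jsonlib-example", "1.4.2"}, {"authlib-example", "0.8.0"}}
var SampleAdvisories = []Advisory{
	{"ADV-EXAMPLE-0001", "xmlparse-example", "2.9.0", "2.9.5", 9.8},
	{"ADV-EXAMPLE-0002", "jsonlib-example", "1.0.0", "1.4.2", 7.5}, // already fixed in the version used
	{"ADV-EXAMPLE-0003", "authlib-example", "0.5.0", "", 5.3},
}

func main() {
	findings := MatchAdvisories(SampleSBOM, SampleAdvisories)
	blocking, logged := ReleaseGate(findings)
	for _, f := range findings {
		fmt.Printf("%s %s: %s (%s, CVSS %.1f)\n", f.Component.Name, f.Component.Version, f.Advisory.ID, Severity(f.Advisory.CVSS), f.Advisory.CVSS)
	}
	fmt.Printf("blocking: %d, logged for later: %d, release allowed: %v\n", len(blocking), len(logged), len(blocking) == 0)
}
```

The version comparison is the part that decides whether a scan is trustworthy: the half-open range means a component already at the fixed version (jsonlib-example 1.4.2 above) is correctly not flagged, and a numeric part-by-part comparison avoids the classic string-ordering mistake where "2.10.0" sorts before "2.9.3". Real ecosystems add semantics this example does not model (semver pre-release tags, distribution backports that fix a bug without changing the upstream version number), so a production scanner needs ecosystem-specific version parsing.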
Security Design Reviews and Threat Modeling
To add security-focused human insight, the Product Security Group at BMC also conducts design reviews and threat modeling. This process enables us to identify and address potential security flaws during the design phase of product development. Automated tools and focused penetration testing consider threat vectors that are identified during threat modeling and design reviews.
To reduce the risk of introducing malicious code or malware into BMC products, the following measures are in place:
- Peer code reviews are conducted before source code check-in and product builds. This mechanism is enforced via the quality certification process.
- All product environments must meet corporate information security requirements. These requirements include endpoint protection, which is deployed on all build servers and engineering clients.
- Containers are scanned for malware and sensitive information before release.
Manual Application Penetration Testing
Manual application penetration testing is performed on each major release of each BMC product at least annually, independently of the product's quality review. The penetration testing team, a subgroup of the Product Security Group, performs this testing. Penetration testing comprises system-level tests, web application tests (including review according to an enhanced checklist based on OWASP Top 10 security vulnerabilities), client-server tests, API tests, binary scanning, and network scanning. Also, BMC frequently engages third-party firms to conduct manual penetration testing on certain BMC products.
Static Application Security Testing
The primary objective of Static Application Security Testing (SAST) is to find vulnerabilities in the source code of an application early on during development (shift-left approach). At BMC, all product source-code is scanned continuously, and SAST tools are integrated into the continuous integration/continuous delivery (CI/CD) process. Reported vulnerabilities are fixed and the fixes are verified within the development cycle.
BMC's container security program is designed to identify vulnerabilities in container images early during the SDLC and to harden the containers before they are deployed for use. Several hardening measures are undertaken such as:
- Base images from trusted sources are used.
- Base images and packages are updated on a continuous basis.
- Container configurations are scanned using SAST tools.
- Container images are scanned using industry-leading container security tools.
- Reported vulnerabilities are fixed and the fixes are verified within the SDLC.
BMC follows NIST-recommended guidelines for secure cryptography use for its products. BMC's cryptography policy requires the use of:
- AES-256 encryption in GCM mode or RSA with OAEP padding for data at rest
- PBKDF2 with HMAC SHA-512 or PBKDF2 with HMAC SHA-256 for end-user credentials
- TLSv1.2 and later for data in transit
Our focus on cryptography is consistent with the cyber security tenets of ADE. Accordingly, BMC is committed to the protection of customer data in both its SaaS and on-premise offerings.
Product Security Consulting
The Product Security Group provides security-related consulting services to all of BMC's product development groups. Typical consulting engagements include security design reviews, architectural advice, and security implementation advice. We also offer guidance on the use of security scanning tools and the interpretation of their results.
Secure Development Education
BMC has partnered with an industry-leading security training firm to provide a training program for the education of the entirety of BMC's developer community. The program includes, among other things, mandatory training on the OWASP Top 10 security vulnerabilities. This program emphasizes the theoretical and practical aspects of writing secure code as well as designing secure and reliable systems.
To date, more than 550 developers at BMC have undergone training on the first three domains of the ISC2 Certified Secure Software Lifecycle Professional (CSSLP) secure coding program. CSSLP certification recognizes application security experts who can incorporate security practices into each phase of the software development lifecycle. Additionally, a subset of developers have achieved the ISC2 Secure Software Practitioner (SSP) certification, which recognizes professionals who are prepared to develop secure software and enhance the overall security posture of BMC products.
Security Response and Communication
- Product vulnerabilities disclosed by third parties, such as security researchers, are handled according to the procedure described at https://www.bmc.com/corporate/trust-center/vulnerability-disclosure.html.
- Publicly disclosed vulnerabilities in third-party and open-source software components embedded within or shipped with BMC products can affect multiple product lines. When such vulnerabilities are discovered, the Product Security Group orchestrates efforts across product lines to assess the risk to the BMC products that include such components.
- The Product Security Group follows a formal escalation process for vulnerability disclosures regardless of their source (researcher, customer, internal QA team, or others). Based on the severity of the vulnerability, each disclosed vulnerability is directed to the senior management of the relevant product's development team, remediated by that product development team, and communicated to affected customers by the product support team.
- The Product Security Bulletin & Security Updates page provides timely security-related information and vulnerability information for BMC products.
The Product Security Group at BMC uses an incident management procedure that enables swift response to any potential incident. This incident management procedure is integrated within the overall corporate cyber incident response plan. This procedure covers emergency incidents, escalation, and public vulnerability disclosure. BMC's practices include a procedure for documenting the incident in detail and producing a report for management attention and future reference.
- If you are a BMC customer, follow your established support process to report security vulnerabilities as you would any other support concern, which will help us prioritize your report and understand its context.
- If you are an external researcher or anyone else with no access to BMC support and have a security inquiry related to a BMC website or hosted service, please contact our IT security team at firstname.lastname@example.org.
- If you are an external researcher or anyone else with no access to BMC support who discovers a security issue related to a BMC product, please contact our Product Security Group at email@example.com.
- For more details regarding Security, Privacy, Compliance and Availability you can visit the BMC Trust Center.
[1] OWASP Top Ten Security Vulnerabilities, https://owasp.org/www-project-top-ten/
[2] SEI CERT Coding Standards, CERT Secure Coding wiki (Confluence, cmu.edu)
[3] WASC Threat Classification v2.0, http://projects.webappsec.org/w/page/13246978/Threat%20Classification
[4] CWE/SANS TOP 25 Most Dangerous Software Errors, https://www.sans.org/top25-software-errors/
[5] US-CERT, Estimating Benefits from Investing in Secure Software Development, https://www.us-cert.gov/bsi/articles/knowledge/business-case-models/estimating-benefits-from-investing-in-secure-software-development
[6] NIST Information Technology Laboratory, National Vulnerability Database, Vulnerability Metrics, https://nvd.nist.gov/vuln-metrics/cvss
[7] NIST Information Technology Laboratory, National Vulnerability Database, CVSS Calculator Version 3, https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
BMC, BMC Software, the BMC logo, and other BMC marks are the exclusive properties of BMC Software, Inc. and are registered or may be registered with the U.S. Patent and Trademark Office or in other countries.
©Copyright 2021 BMC Software, Inc.
BMC—Run and Reinvent