Huawei completes BSIMM assessment of its software security capabilities

Huawei has become part of a select international group that has completed an assessment of its software security process and engineering capabilities with the Building Security in Maturity Model (BSIMM). At the end of Q1 2018, Huawei’s software security maturity had undergone multiple rounds of BSIMM measurement. Huawei achieved positive results in nine of the 12 BSIMM practice areas, including receiving credit for Level 3 activities — the most infrequently observed — and ranking among the highest across more than 100 ICT and other enterprises in the BSIMM data pool.

BSIMM is a software security research project launched by Cigital (now part of security software company Synopsys). The first version of BSIMM was built in 2008. It collects statistics based on the assessment of a large number of enterprises and categorizes the statistics to form a software security model that can be used for assessments. To date, the BSIMM model has been applied in more than 100 companies (including multinationals like Microsoft, Nokia, and a group acquired by Oracle) around the world, covering verticals such as financial services, independent software vendors, technology companies, cloud, media, security, communications, and Internet carriers.

Huawei started cooperation on a BSIMM assessment with Cigital in 2013 and selected product groups for security capability assessment on a yearly basis, covering security policy formulation, security training, security architecture design, and security testing. Huawei’s software security capability maturity has greatly improved through five consecutive years of assessment.

In a summary of its assessment, Cigital advisors commented, “Huawei has done a good job in software security and has made continuous progress. The establishment of security engineering capabilities requires the collaboration of people, tools, and processes. Huawei has achieved good performance in all three aspects.”

Chief Security Architect at Huawei, Fu Tianfu, said: “From the evolution of BSIMM security activity data, it can be found that the number of enterprises participating in the software assessment and the proportion of software security practitioners in each enterprise are increasing every year. This indicates that cybersecurity is attracting increasing attention in the product development process. Automation and tooling will become the basic assurance measures for software security. They can free security personnel from repetitious and cumbersome work to focus on more creative security activities.”