Editor’s brief: One of America’s founding fathers and a polymath, Benjamin Franklin, once said, “Tell me and I forget, teach me and I may remember, but involve me and I learn”. Likewise, in the increasingly complex world of DevOps and cybersecurity, where emerging and ongoing threats are immense, the “shift left” paradigm of designing software right and secure from the start makes perfect sense. What, then, can we learn and adopt from the best practices of 128 luminary organizations, in the form of BSIMM12 (Building Security In Maturity Model), now in its 12th edition? Read more below.
SINGAPORE – Synopsys, Inc. (Nasdaq: SNPS) today published BSIMM12, the latest version of the Building Security In Maturity Model (BSIMM) report, created to help organisations plan, execute, measure, and improve their software security initiatives.
BSIMM12 summarizes the software security practices of 128 companies across a wide range of sectors, including financial services, independent software vendors, cloud, healthcare, and Internet of Things. BSIMM12 describes the work of nearly 3,000 software security group members and over 6,000 satellite members. Organizations all over the world use the BSIMM as a yardstick to evaluate their own efforts in relation to those of the BSIMM as a whole.
Data from BSIMM12 shows that in the past two years, software security groups’ ability to recognize and control open source has increased by 61%. This is likely attributable to the increasing prevalence of open source components in modern software and the increase in attacks that use popular open source projects as vectors.
The increase in activities related to cloud platforms and container technologies demonstrates the dramatic effect these technologies have had on how organizations use and secure software. For instance, over the past two years, there was a 560% increase in reports of “use orchestration for containers and virtualized environments.”
“Over the last 18 months, organisations experienced a massive acceleration of digital transformation initiatives. This has resulted in increased adoption of software-defined approaches for deploying and managing software environments and cloud technology stacks,” said Mike Ware, Information Security Principal at Navy Federal Credit Union, a member organisation of the BSIMM community. “Given the complexity and pace of these changes, it’s never been more important for security teams to have the tools which allow them to understand where they stand and have a reference for where they should pivot next. The BSIMM is a management tool for serving such a purpose. The BSIMM provides a unique lens into how organisations are shifting strategies for implementing software-defined security features like policy as code to align with modern software development principles and practices.”
“The BSIMM study allows organisations to benchmark their current security practices so that they may establish priorities and maintain perspective in response to the emerging trends in the security landscape,” said Mathieu Chevalier, Lead Security Architect, Genetec Inc., a member organisation of the BSIMM community. “The descriptive model of the BSIMM helps organisations to determine how to get started building a software security initiative and to mature it effectively. BSIMM12’s observations concerning shared responsibility models in particular should encourage security leaders to consider how they’re evolving to meet and mitigate any potential gaps in their security strategy.”
“The BSIMM study is very aligned in terms of accessing industry best practices. It can be used to understand the level of maturity in a variety of development security activities as observed across multiple development teams,” said Todd Wiedman, CISO at Landis+Gyr, a member organisation of the BSIMM community. “With rapidly accelerating software development practices, BSIMM12 data illustrates the actual shifts taking place in security development programs. With this information, organisations can adapt their own strategies to protect their organization and customers without dampening innovation.”
“As part of our Product and Data Security Program we have been using the BSIMM framework to help us in advancing our security strategy,” said Vinod Raghavan, Director, Product & Data Security Program at Finastra, a member organisation of the BSIMM community. “It has been instrumental in helping us to benchmark against other organisations in both financial services and other industries, supporting security maturity.”
Emerging trends in BSIMM12
- High-profile ransomware and software supply chain disruptions are driving increased attention on software security. Over the past two years, BSIMM data shows a 61% increase in the “identify open source” activity and a 57% increase in the “create SLA boilerplates” activity among participant organisations.
- Businesses are learning how to translate risk into numbers. Organisations are exerting more effort to collect and publish their software security initiative data, demonstrated by a 30% increase of the “publish data about software security internally” activity over the past 24 months.
- Increased capabilities for cloud security. Increased executive attention, likely combined with engineering-driven efforts, has also resulted in organisations developing their own capabilities for managing cloud security and evaluating their shared responsibility models. There was an average of 36 new observations over the past two years across activities typically related to cloud security.
- Security teams are lending resources, staff, and knowledge to DevOps practices. BSIMM data shows a shift by software security groups away from mandating software security behaviours and toward a partnership role, providing resources, staff, and knowledge to DevOps practices with an objective to include security efforts in the critical path for software delivery.
- Software Bill of Materials activities increased by 367%. BSIMM data shows an increase in capabilities focused on inventorying software; creating a software Bill of Materials (BOM); understanding how the software was built, configured, and deployed; and increasing the organisation’s ability to re-deploy based on security telemetry. Demonstrating that many organisations have taken to heart the need for a comprehensive, up-to-date software BOM, the BSIMM activity related to those capabilities (“enhance application inventory with operations Bill of Materials”) grew from 3 to 14 observations over the past two years—a 367% increase.
- “Shift left” progresses to “shift everywhere.” The concept of “shift left” focuses on moving security testing earlier in the development process. “Shift everywhere” extends the idea to making security testing continuous throughout the software lifecycle, including smaller, faster, pipeline-driven security tests conducted at the earliest opportunity, which might be during design or even all the way over in production.
The move away from maintaining traditional operational inventories and toward automated asset discovery and creating Bills of Material includes adding “shift everywhere” activities such as using containers to enforce security controls, orchestration, and scanning infrastructure as code. Increased BSIMM observation rates of activities such as “enhance application inventory with operations Bill of Materials,” “use orchestration for containers and virtualised environments,” and “monitor automated asset creation” all demonstrate this trend.
“Since 2008, BSIMM consulting, research, and data experts have been gathering data on the different paths that organisations take to address the challenges of securing software,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “With an average age of 4.4 years, BSIMM participating organisations’ software security initiatives reflect how organisations are adapting their approaches to address the new dynamics of modern development and deployment practices. With this information, organisations can then adapt their own strategies to protect their organisation and customers without dampening innovation.”
Acknowledgments
Sammy Migues, principal scientist at Synopsys, Eli Erlikhman, managing principal at Synopsys, Jacob Ewers, principal security consultant at Synopsys, and Kevin Nassery, director of application security at Gemini, authored BSIMM12 after analysing data collected over nearly 13 years of software security research. Some of the companies participating in the BSIMM study include: AARP, Adobe, Aetna, Alibaba, Ally Bank, Autodesk, Axway, Bank of America, Bell, Black Knight Financial Services, Canadian Imperial Bank of Commerce, Cisco, Citigroup, Depository Trust & Clearing Corporation, Eli Lilly, eMoney Advisor, EQ Bank, Equifax, F-Secure, Fannie Mae, Finastra, Freddie Mac, Genetec, Global Payments, HCA Healthcare, Highmark Health Solutions, Honeywell, HSBC, iPipeline, Johnson & Johnson, Landis+Gyr, Lenovo, MassMutual, McKesson, Medtronic, MediaTek, Morningstar, Navient, Navy Federal Credit Union, NCR, NEC Platforms, NetApp, NewsCorp, NVIDIA, Oppo, PayPal, Pegasystems, Principal Financial Group, RB, SambaSafety, ServiceNow, Synopsys, TD Ameritrade, Teradata, The Home Depot, The Vanguard Group, Trainline, Trane, U.S. Bank, Veritas, Verizon Media.