The latest BSIMM report, now in its 14th iteration, contains information from more than 130 companies in eight verticals about what’s working, what isn’t, what’s changing about the risks and threat landscapes they’re facing, and how they’re responding to those changes. This annual report by the Synopsys Software Integrity Group helps organizations maximize the benefits and minimize the pain of a world run by software.
And that information can help you do the same, from producing more secure code to tracking your software supply chain. It’s all in the latest Building Security in Maturity Model (BSIMM) report, released this week.
No matter how mature your security program is, there’s always room for improvement. As digital transformation has accelerated, increasing the amount of code being written, borrowed, and bought across all sectors of the business landscape, cybercrime has kept pace. Hackers continue their nonstop quest to exploit vulnerabilities in your software, transforming its benefits into profits for themselves while damaging, or even destroying, their victims.
These ongoing realities are why the BSIMM report remains relevant. It tracks the evolution of the ways damage can be inflicted through software defects, and how defenses necessarily evolve as well.
The goal of the BSIMM report remains what it was when it was launched in 2008—to enable cooperation among organizations and help them build trust into their software, not by dictating what to do but by documenting what other organizations are doing within their own software security initiatives (SSIs).
That’s why the BSIMM report includes a free “roadmap” to help organizations improve the security of the software that runs their enterprises. It provides detailed information from more than 130 participating organizations in verticals including the cloud, financial services, financial technology, insurance, Internet of Things (IoT), healthcare, and technology. The participants include 11,100 security professionals who collectively help about 270,000 developers working on about 97,000 applications.
The point of the roadmap is that it leaves each organization free to choose its own maturity path. It provides numerous routes to a destination without mandating which one to take. However, each company needs an SSI that matches its risk profile and priorities, because threats are becoming more sophisticated all the time.
No software is inviolable, and as daily headlines remind us, hackers can exploit design flaws, bugs, and other defects in software to steal intellectual property and employee and customer personal information, raid corporate bank accounts, undermine building security, and take down an organization's operations with ransomware attacks.
That means insecure software is a business risk—potentially an existential risk. And if you’re in business, you need to keep that software secure enough for you and your customers to trust it.
The annual BSIMM reports reflect trends in software security that are responses to the evolution of cybercrime. One of the top trends noted in BSIMM14 is an increased focus on automation: organizations are taking advantage of the easy-to-use yet powerful automation available in modern toolchains to update security testing and touchpoints. This allows them to shift security everywhere in the software development life cycle (SDLC) instead of simply shifting left.
When automation makes security tasks easier, trends emerge around automated activities. Modern toolchains, for example, allow security testing in the QA stage to be automated, much like the static application security testing (SAST) scans that happen earlier in the development process. Security teams that embraced the “shift everywhere” testing philosophy found that their pipelines were able to take scripted actions based on the results of those automated security tests. Firms are also using automation to better gather and use the intelligence provided by sensors throughout the SDLC, so that they can prevent vulnerabilities before they become an issue for developers.
Software security maturity is a journey, not an event. But the BSIMM report can get you started on that journey and help you reach the destination you want and need faster.
Best of all, the complete report is free and open, available under the Creative Commons Attribution-ShareAlike 3.0 license.
So if you haven’t started, start now. BSIMM14 means you’re out of excuses.
Building Security In Maturity Model (BSIMM) is a data-driven model developed through analysis of real-world software security initiatives. The BSIMM report represents the latest evolution of this detailed model for software security.