Earlier this week, Synopsys Inc. published the eleventh version of the Building Security In Maturity Model (BSIMM), which examines the software security practices of 130 organisations across a variety of industries, including financial services, FinTech, independent software vendors, cloud, healthcare, Internet of Things, insurance and retail. BSIMM11 describes the work of over 8,000 software security professionals who guide the efforts of almost 500,000 developers.
BSIMM was created to help organisations plan, execute, measure and improve their software security initiatives (SSIs). Through the community of other businesses using BSIMM, participants can compare and contrast their own initiatives against the data contributed by others. The latest report, BSIMM11, shows how organisations are adapting their software security efforts to support digital transformation and modern software development paradigms such as DevOps.
“The BSIMM is an excellent resource for security leaders interested in learning from the collective experiences of their peers, particularly to solve new or emerging challenges,” said Mike Newborn, CISO of Navy Federal Credit Union, a member organisation of the BSIMM community. “Today, most organisations face the challenge of securing a growing portfolio of applications against the backdrop of rapidly evolving and accelerating software development practices. BSIMM11 reflects how many of these organisations are adapting their software security strategies to protect themselves and their customers without stifling innovation or impeding the speed of development.”
Several key trends emerge from BSIMM11. Firstly, CI/CD instrumentation and operations orchestration have become standard components of many businesses’ software security initiatives, influencing how those initiatives are organised, designed and executed. For example, software security teams are beginning to report to a technology team or CTO instead of to an IT security team or CISO. They are also changing the way they recruit and organise their talent.
Secondly, organisations are beginning to automate their activities, converting human processes and decision-making into algorithms triggered by events in CI/CD pipeline execution. This is one way businesses are addressing resource constraints and cadence management problems.
Next, the “shift left” concept has advanced to carrying out security activities as soon as the artefacts to be reviewed are available. This could turn “shift left” into “shift everywhere”, meaning that activities traditionally performed on the left also move to the right, including into production.
Lastly, after a comprehensive review of the data pool, it became clear that a separate category (FinTech) was needed for firms that are ISVs specifically for financial services software, due to the growing volume of data within the financial vertical.
“The way modern software is built and deployed has transformed dramatically over the past few years, so naturally the efforts required to secure that software are changing as well,” said Michael Ware, BSIMM co-author and senior director of technology at Synopsys. “Businesses are critically dependent on software, and modern methodologies have accelerated the speed of development. As a result, there is more software everywhere, and we still need to worry about all the pre-existing software. As a model that constantly evolves to represent the actual practices in use by hundreds of software security groups around the world—including some of the most advanced teams in the world—the BSIMM provides a near-real-time view into how these changes are being implemented to protect the growing software portfolios.”
Within the last year, the three activities that were added in BSIMM10 have grown exponentially. These are SM3.4 Integrated software-defined lifecycle governance, AM3.3 Monitor automated asset creation and CMVM3.5 Automate verification of operational infrastructure security. This growth reflects how businesses are working to bring their software security efforts up to the pace of software delivery. To continue this trend, BSIMM11 adds two further activities: ST3.6 Implementing event-driven security testing and CMVM3.6 Publishing risk data for deployable artefacts.
BSIMM provides data-driven insight for understanding and comparing the strengths and weaknesses of software security initiatives across different industries. The three most mature verticals in the BSIMM11 data pool are cloud, Internet of Things and high technology firms. It also identifies the differences between the three most regulated verticals (financial services, healthcare and insurance), with financial services the most mature, having had software security groups in place before the others.