Software security provider Cigital have published BSIMM7, the latest version of the industry’s first and only software security measurement tool built on real-world data and reflecting the current state of software security.
This year’s iteration of the annual report shows that software security is becoming mainstream and organizations across all industries are now deploying software security initiatives to address ongoing software security challenges. The BSIMM facilitates building security in by assessing, comparing and contrasting software security initiatives with others in the industry.
This year, BSIMM7 grew to include the largest number of participating companies in its eight-year history, and notably marks the addition of a BSIMM activity to address application containers and the growing use of the Cloud as part of the secure development process. The study shows that the average Software Security Group age continues to decline, demonstrating that firms are integrating BSIMM earlier into their software security initiatives. With the emergence of IoT and the spread of software across different spectrums of the enterprise, BSIMM7 shows that software security is becoming a major component of day-to-day operations.
“Software is influencing more and more of our daily lives as consumers, professionals and humans embrace a digital experience,” said Jim Routh, CSO, Aetna. “Leading organizations that use BSIMM to benchmark their software security resiliency practices have a significant competitive advantage in the marketplace.”
Industry Shift
New verticals added to BSIMM7 include Internet of Things and insurance, which deepens the BSIMM data set and provides an essential view of the value of software security as the security industry changes. Although the expanded healthcare vertical includes some mature outliers, the data shows that healthcare continues to lag behind in software security, similar to the BSIMM6 analysis. BSIMM7’s expanded dataset included a greater number of firms with newer software security initiatives and verticals that have less software security experience. These industries consistently showed less maturity than cloud, financial services and independent software verticals.
“We’re proud of the growth of the BSIMM data set as it shows the continued evolution of the market as more organizations understand the need for effective processes to address software security concerns,” said Dr. Gary McGraw, CTO of Cigital. “We’re now seeing even more companies using the BSIMM strategically and inquiring about the latest data. By working with organizations we have firsthand insight into the challenges they’re facing and ways these problems can be solved. In addition, we were able to conduct a second set of interviews with several companies to identify how software security has changed over time.”
Dr. McGraw, along with Jacob West, chief architect at NetSuite, and Sammy Migues, principal at Cigital, analyzed data collected during the past eight years of software security research. Participating companies include Adobe, Cisco, Lenovo, Qualcomm and Siemens.