Last week, Synopsys Inc. released BSIMM11, which examines software security practices across 130 organisations in industries including financial services, FinTech, independent software vendors, cloud, healthcare, Internet of Things, insurance and retail.
The study describes the work of 8,457 software security professionals who support the efforts of over 490,000 developers.
The Building Security in Maturity Model (BSIMM) was developed to help organisations plan, execute, measure and improve their software security initiatives (SSIs). Businesses can compare their own initiatives against the data gathered from other members of the BSIMM community. In its latest report, BSIMM11 outlines how organisations are adjusting their software security efforts to support digital transformation and modern software development models such as DevOps.
Mike Newborn, CISO of Navy Federal Credit Union, a member organisation of the BSIMM community, said: “The BSIMM is an excellent resource for security leaders interested in learning from the collective experiences of their peers, particularly to solve new or emerging challenges.” He continued: “Today, most organizations face the challenge of securing a growing portfolio of applications against the backdrop of rapidly evolving and accelerating software development practices. BSIMM11 reflects how many of these organizations are adapting their software security strategies to protect themselves and their customers without stifling innovation or impeding the speed of development.”
BSIMM11 outlines some key emerging trends:
· CI/CD instrumentation and operations orchestration have become standard elements of many businesses’ SSIs, affecting how those initiatives are structured, designed and implemented. For example, software security teams are increasingly reporting to engineering teams or the CTO rather than to an IT security team or the CISO, and are changing the way they recruit talent.
· Organisations are increasingly automating their activities, replacing human processes and decision-making with algorithms that are triggered by events in CI/CD pipeline execution. This is one way organisations are tackling resource constraints and management overhead.
· The “shift left” idea has progressed to performing security activities as soon as the relevant artefacts become available, wherever that happens in the lifecycle. This is turning “shift left” into “shift everywhere”: activities traditionally performed on the left are also moving to the right, including into production.
· After an extensive review of the data pool, the authors split FinTech out as a separate vertical because of the growth of data within the broader financial services vertical.
“The way modern software is built and deployed has transformed dramatically over the past few years, so naturally the efforts required to secure that software are changing as well,” said Michael Ware, BSIMM co-author and senior director of technology at Synopsys. “Businesses are critically dependent on software, and modern methodologies have accelerated the speed of development. As a result, there is more software everywhere, and we still need to worry about all the pre-existing software. As a model that constantly evolves to represent the actual practices in use by hundreds of software security groups around the world—including some of the most advanced teams in the world—the BSIMM provides a near-real-time view into how these changes are being implemented to protect the growing software portfolios.”
The three activities that were added in BSIMM10 have grown rapidly over the last year, reflecting how businesses are working to match their software security efforts to the pace of software delivery. These three activities are SM3.4 (Integrated software-defined lifecycle governance), AM3.3 (Monitor automated asset creation) and CMVM3.5 (Automate verification of operational infrastructure security). BSIMM11 adds two more activities in the same vein: ST3.6 (Implement event-driven security testing) and CMVM3.6 (Publish risk data for deployable artefacts).
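To make ST3.6 and CMVM3.6 concrete, here is an added Python sketch of what the two activities look like together in a pipeline. It is illustrative code written for this article, not BSIMM or Synopsys code. The event names (`artifact.built`, `deploy.requested`), the two checks, the advisory table and the sample artefact are all constructed assumptions; a real SSI would bind the events to its own scanners and publish the risk record through its registry or artefact store.

```python
"""Event-driven security testing (ST3.6) whose results are published as risk
data for the deployable artefact (CMVM3.6).

Added example, not BSIMM or Synopsys code. Event names, checks, the advisory
table and the sample artefact are assumptions constructed for the demo.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Artifact:
    """A deployable artefact as the pipeline would describe it."""
    name: str
    version: str
    dependencies: List[Dict[str, str]]  # minimal SBOM: [{"name": ..., "version": ...}]
    dockerfile: str                     # contents of the image's Dockerfile


# Constructed advisory table for the demo; not real vulnerability data.
KNOWN_VULNERABLE = {
    ("examplelib", "1.2.3"): {"id": "DEMO-ADVISORY-001", "severity": "high"},
}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def check_dependencies(artifact: Artifact) -> List[dict]:
    """Match the artefact's SBOM entries against the (constructed) advisory table."""
    findings = []
    for dep in artifact.dependencies:
        advisory = KNOWN_VULNERABLE.get((dep["name"], dep["version"]))
        if advisory:
            findings.append({"check": "dependencies", "severity": advisory["severity"],
                             "detail": f'{dep["name"]} {dep["version"]} matches {advisory["id"]}'})
    return findings


def check_dockerfile(artifact: Artifact) -> List[dict]:
    """Flag two common image hygiene problems: running as root and unpinned base images."""
    findings = []
    lines = [l.strip() for l in artifact.dockerfile.splitlines() if l.strip()]
    users = [l.split()[1] for l in lines if l.upper().startswith("USER ") and len(l.split()) > 1]
    if not users or users[-1] in ("root", "0"):
        findings.append({"check": "dockerfile", "severity": "medium",
                         "detail": "container runs as root (no non-root USER)"})
    for l in lines:
        parts = l.split()
        if parts[0].upper() == "FROM" and len(parts) > 1:
            image = parts[1]
            # A tag or digest pins the image; ':latest' and bare names do not.
            if image != "scratch" and (":latest" in image or (":" not in image and "@" not in image)):
                findings.append({"check": "dockerfile", "severity": "low",
                                 "detail": f"unpinned base image: {l}"})
    return findings


# Which checks each pipeline event triggers (assumed event names).
HANDLERS: Dict[str, List[Callable[[Artifact], List[dict]]]] = {
    "artifact.built": [check_dependencies, check_dockerfile],
    "deploy.requested": [check_dockerfile],
}


def handle_event(event: str, artifact: Artifact) -> dict:
    """Run the checks bound to `event` and return the risk record to publish with the artefact."""
    checks = HANDLERS.get(event)
    if checks is None:
        raise ValueError(f"no security tests bound to event {event!r}")
    findings = [f for check in checks for f in check(artifact)]
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    record = {
        "artifact": f"{artifact.name}:{artifact.version}",
        "event": event,
        "checks_run": [c.__name__ for c in checks],
        "findings": findings,
        "risk": next(k for k, v in SEVERITY_RANK.items() if v == worst),
    }
    # Content digest lets a consumer detect edits after publication; a real
    # pipeline would sign the record, which is out of scope here.
    record["digest"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    return record


def deploy_allowed(record: dict, max_risk: str = "medium") -> bool:
    """Deploy-time policy gate that reads the published risk data rather than rescanning."""
    return SEVERITY_RANK[record["risk"]] <= SEVERITY_RANK[max_risk]


# Constructed sample artefact for the demo.
SAMPLE = Artifact(
    name="payments-api", version="2.4.0",
    dependencies=[{"name": "examplelib", "version": "1.2.3"},
                  {"name": "otherlib", "version": "4.0.1"}],
    dockerfile='FROM python:3.9-slim\nCOPY . /app\nCMD ["python", "/app/main.py"]\n',
)

if __name__ == "__main__":
    print(json.dumps(handle_event("artifact.built", SAMPLE), indent=2))
```

The point of separating `handle_event` from `deploy_allowed` is that the test runs once, when the event fires, and its result travels with the artefact; later stages (and production, in the "shift everywhere" sense) consume the published record instead of re-running the scan.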
The BSIMM provides data-driven insight into the strengths and weaknesses of SSIs across different verticals. BSIMM11 identifies cloud, Internet of Things and high technology as the three most mature verticals. It also examines how these differ from the three most heavily regulated verticals (financial services, healthcare and insurance), which are among the most established because they set up software security groups before any of the others.