Synopsys

By Frank Morris, Managing Director, EMEA, Synopsys Software Integrity Group


Every business is now a software business, and software is now business risk. If we are to survive this hostile environment, we must be careful in choosing whom we turn to for advice and whether to act on that guidance.

Rather than solicit feedback from one or two of your peers, what if you had detailed insights from more than 100 of them at your fingertips? What has worked, what has failed, and, perhaps most importantly, what has changed and how they have responded to those changes.

That's why more than 130 of the most well-known organizations around the globe have undergone a BSIMM analysis to date.

Established in 2008, the BSIMM—which stands for the Building Security In Maturity Model—observes 250 software security initiatives across four domains—Governance, Intelligence, SSDL Touchpoints, and Deployment—to examine how organizations build security into software development to combat a rapidly evolving digital threat landscape. Through this data-driven lens, the BSIMM holistically assesses the maturity of an organization's software security group and produces a software security scorecard that the organization can use to benchmark the maturity of its program.

BSIMM is also the subject of an annual report—now in its thirteenth iteration—that highlights trends observed in member organizations' software security initiatives to help the wider security community plan, execute, and measure their own initiatives. Understanding the latest BSIMM report trends can help you plan strategic improvements to your own security efforts.

One of the top trends noted in BSIMM13 is an increased focus on open source software and software supply chain security, which are ranked as top priorities for more than half (51%) of BSIMM organizations. Relatedly, an encouraging data point noted in BSIMM13 is that 73% of cybersecurity teams surveyed have increased their efforts to secure their supply chains. As part of that effort, BSIMM13 also found a 30% increase in organizations creating SBOMs, which allow them to respond quickly to any new disclosure of a vulnerability in the open source components of their software.

BSIMM13 also shines a light on a continuing trend of organizations deriving value from a "security champions program." Security champions are a team of people who are not only security experts but who can also recruit developers, QA testers, architects, and DevOps engineers to become "software security champions," enabling a software security group to scale its efforts without having to expand the group's headcount. In BSIMM13, firms with such programs scored 35% better on average in BSIMM assessments than those without one.

But perhaps the most compelling figure from the BSIMM13 data is zero: none of the 130 participant organizations had exactly the same structure for their software security group.

There is no single, best route to maturing a software security program. The destination, however, is common to all: delivering software that can be trusted.

While it's certainly possible to arrive at this destination alone, having a little help from your friends can help ensure you get there safely.
