BSIMM12: Takeaways and Recommendations to Help Improve Your Software Security Program

By: Fred Bals, Senior Technical Writer, Synopsys Software Integrity Group | Tuesday, October 05 2021 - 10:25 IWST

 Synopsys Software Integrity Group

INDUSTRY.co.id - BSIMM12 gathers research on software security activities from real-life firms to create a guide that helps you navigate your software security initiative.

The popular business book, “The 7 Habits of Highly Effective People,” explores the theory that successful individuals share common qualities in achieving their goals, and that these qualities can be identified and applied by others.

Applying the premise to software security, the Building Security In Maturity Model project, better known as BSIMM, examines organisations’ software security initiatives, conducts in-person interviews on those organisations’ activities, and publishes its findings annually.

Now in its 12th iteration, the BSIMM report has grown from nine participating companies in 2008 to 128 in 2021, representing nearly 3,000 software security group members and over 6,000 satellite (aka Security Champion) members working with nearly 400,000 developers on over 150,000 applications.

The 2021 edition of the BSIMM report — BSIMM12 — examines anonymised data from the software security activities of 128 organisations across various verticals, including financial services, FinTech, independent software vendors, IoT, healthcare, and technology organisations.

Participating organisations include industry leaders such as Aetna, Bank of America, Citigroup, Freddie Mac, and Johnson & Johnson. 

BSIMM12 demonstrates that every business is in the software business 

Many of the organisations examined in BSIMM12 identify with traditional verticals, but all recognise that they are fundamentally in the software business. Software plays a leading role in every organisation’s operations.

Delays in software development and deployment affect product release dates, the lifeblood that drives revenue and profit. Businesses that sell software or sell products that include embedded software can’t afford to have security, compliance, or quality issues compromise their products. 

Even businesses not directly engaged in selling software or software-driven products are just as dependent on software quality and security. Software drives the administrative systems for their payroll, billing, receivables, sales tracking, and customer records.

Software controls their production, manages inventories, directs warehousing, and runs the distribution systems that keep a business running. In service industries, software is used to analyse, optimise, model, interact with, and support customers.

The BSIMM12 findings tell us that software risk is business risk, and to effectively manage the second, you have to address the first.

Four top software security trends in BSIMM12

Software security groups are increasingly lending resources, staff, and knowledge to DevOps: There is a shift away from mandating software security behaviours to having security teams forge partnerships with development teams — with the objective of proactively building security efforts into the critical path for software delivery.

Continuous testing is on the rise: BSIMM12 data indicates that more firms are favouring continuous monitoring and reporting rather than using a point-in-time defect discovery approach and are then using security telemetry to drive improvements in software development and governance processes.

Decomposing tests into smaller, timely checks and running these more frequently: The imperative to identify software issues as early as possible remains, driving the need to decompose big testing events into smaller, timely checks.

But there is also a growing realisation among software security groups that sometimes deployment orchestration or the post-deployment environment reflects the earliest, best opportunity for some tests.

Applying policy-as-code, or governance-as-code, is sharply increasing: Governance-as-code moves security practices and adherence to compliance policies away from a manual approach to a more consistent, efficient, repeatable, and automated approach.

BSIMM data collected in earlier years indicated that organisations were beginning the process of replacing manual, human-driven governance activities with automation.

BSIMM12 observations now indicate the sole source of software security standards and policy is increasingly becoming human-readable configuration code or simplified code that conducts vulnerability discovery — the essence of software-defined life cycle governance.
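To make the governance-as-code idea concrete, here is a small release gate written for this article (it is not code from BSIMM or Synopsys): the policy is a human-readable configuration object that a security group can review like any other source file, and a few lines of generic code evaluate build evidence against it. The policy keys, the artifact name and the findings are all constructed sample data.

```python
# Minimal policy-as-code gate. Added illustration, not BSIMM's or Synopsys' code.
# The policy is human-readable configuration; the checker is small generic code.
# Both the policy and the build evidence are constructed sample data.

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical policy a security group could keep under version review.
POLICY = {
    "max_open_severity": "medium",   # no open high/critical findings
    "max_findings": {"medium": 5},   # at most 5 open medium findings
    "require_sbom": True,
    "require_signed_artifact": True,
}

# Constructed evidence as a CI step might emit it for one build.
BUILD_EVIDENCE = {
    "artifact": "payments-api:1.4.2",
    "sbom_present": True,
    "signed": False,
    "findings": [
        {"id": "F-1", "severity": "high", "status": "open"},
        {"id": "F-2", "severity": "medium", "status": "open"},
        {"id": "F-3", "severity": "critical", "status": "fixed"},
    ],
}

def evaluate_policy(policy: dict, evidence: dict) -> list:
    """Return the policy violations for one build; empty means the gate passes."""
    violations = []
    open_findings = [f for f in evidence.get("findings", []) if f.get("status") == "open"]
    ceiling = SEVERITY_RANK[policy["max_open_severity"]]
    for f in open_findings:  # severity ceiling applies only to unresolved findings
        if SEVERITY_RANK.get(f["severity"], 0) > ceiling:
            violations.append(f"{f['id']}: open {f['severity']} exceeds {policy['max_open_severity']}")
    for sev, limit in policy.get("max_findings", {}).items():
        count = sum(1 for f in open_findings if f["severity"] == sev)
        if count > limit:
            violations.append(f"{count} open {sev} findings exceed limit of {limit}")
    if policy.get("require_sbom") and not evidence.get("sbom_present"):
        violations.append("SBOM missing")
    if policy.get("require_signed_artifact") and not evidence.get("signed"):
        violations.append("artifact not signed")
    return violations

def gate(policy: dict, evidence: dict) -> bool:
    """True when the build may be promoted under the policy."""
    return not evaluate_policy(policy, evidence)
```

Because the policy is data rather than procedure, each of these checks can run as one of the small, frequent checks described above, and the same file serves as the auditable record of what the organisation actually enforces.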
