Synopsys Publishes BSIMM11 Study Highlighting Fundamental Shifts in Software Security

By : Krishna Anindyo | Monday, September 21 2020 - 18:30 IWST

Published BSIMM11, The Latest Version of The BSIMM (Photo by EEJournal)

INDUSTRY.co.id - Singapore - Synopsys, Inc. (Nasdaq: SNPS) today published BSIMM11, the latest version of the Building Security In Maturity Model (BSIMM), created to help organisations plan, execute, measure, and improve their software security initiatives (SSIs).

BSIMM11 reflects the software security practices observed across 130 firms from multiple industry verticals including financial services, FinTech, independent software vendors, cloud, health care, Internet of Things, insurance, and retail.

BSIMM11 describes the work of 8,457 software security professionals who guide the efforts of over 490,000 developers.

BSIMM is used by organisations as a measuring stick to compare and contrast their own initiatives with the data from the broader BSIMM community.

BSIMM11 shows that many organisations are adapting their software security efforts to support digital transformation and modern software development paradigms like DevOps.


“The BSIMM is an excellent resource for security leaders interested in learning from the collective experiences of their peers, particularly to solve new or emerging challenges,” said Mike Newborn, CISO of Navy Federal Credit Union, a member organisation of the BSIMM community.

“Today, most organisations face the challenge of securing a growing portfolio of applications against the backdrop of rapidly evolving and accelerating software development practices. BSIMM11 reflects how many of these organisations are adapting their software security strategies to protect themselves and their customers without stifling innovation or impeding the speed of development.”

Emerging trends in BSIMM11

Engineering-led software security efforts are successfully contributing to DevOps value streams in pursuit of resiliency. BSIMM11 shows that CI/CD instrumentation and operations orchestration have become standard components of many organisations’ software security initiatives, and are influencing how they are organised, designed, and executed.

For example, software security teams increasingly report into a technology group or CTO (as opposed to an IT security team or CISO) and are changing how they recruit and organise talent internally.

Software-defined security governance is no longer just aspirational. Organisations are replacing some high-friction, out-of-band security activities with automated activities triggered by events in the CI/CD pipeline execution. Converting human processes and decision-making to algorithms is one of the ways organisations are increasingly addressing resource constraints and cadence management problems.

“Shift left” is becoming “shift everywhere.” The implementation of the “shift left” concept has evolved from the literal interpretation of performing some security testing earlier in the development cycle to performing security activities as soon as the artifacts to be reviewed are available. That could mean to the left of where activities have historically been performed, but often, it’s to the right, including in production.

Introduction of FinTech vertical to BSIMM data pool. Upon carefully reviewing the growing data pool of firms in the financial vertical, it became apparent that there was a need to add a separate vertical to account for firms that are effectively ISVs specifically for financial services software.

“The way modern software is built and deployed has transformed dramatically over the past few years, so naturally the efforts required to secure that software are changing as well,” said Michael Ware, BSIMM co-author and senior director of technology at Synopsys.

“Businesses are critically dependent on software, and modern methodologies have accelerated the speed of development. As a result, there is more software everywhere, and we still need to worry about all the pre-existing software. As a model that constantly evolves to represent the actual practices in use by hundreds of software security groups around the world—including some of the most advanced teams in the world—the BSIMM provides a near-real-time view into how these changes are being implemented to protect the growing software portfolios.”

New activities in the BSIMM represent a shift toward DevSecOps

The three activities added to BSIMM10 saw exceptional growth within the past year (SM3.4 Integrate software-defined lifecycle governance, AM3.3 Monitor automated asset creation, CMVM3.5 Automate verification of operational infrastructure security).

This reflects how some organisations are actively working to accelerate software security efforts to match the pace of software delivery.

Furthermore, the two activities added in BSIMM11 represent a continuation of that trend (ST3.6 Implementing event-driven security testing, CMVM3.6 Publishing risk data for deployable artifacts).
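The two ideas the article links here, security activities triggered by pipeline events (the software-defined governance trend above and ST3.6) and risk data published alongside the deployable artifact (CMVM3.6), can be sketched in a few dozen lines. The following is an added illustration, not BSIMM or Synopsys code and not any specific tool's API. It assumes a hypothetical pipeline that delivers events as dictionaries with a `type`, an `artifact` name, a `digest`, and the artifact's pinned `dependencies`; the vulnerability feed, advisory identifiers, digests and events are all constructed placeholders.

```python
"""Event-driven security gate that publishes risk data for a built artifact.

Added example. The event shape, the vulnerability feed and the risk-record
format are assumptions made for illustration, not a real pipeline's API.
"""
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed vulnerability feed (placeholder advisories, not real CVEs):
# package -> list of (affected_version, severity, advisory_id)
VULN_FEED = {
    "libexample": [("1.2.0", "high", "ADV-PLACEHOLDER-001")],
    "parsertool": [("0.9.1", "medium", "ADV-PLACEHOLDER-002")],
}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class RiskRecord:
    """Risk data that travels with the deployable artifact (CMVM3.6-style)."""
    artifact: str
    digest: str
    event: str
    findings: list
    max_severity: str
    decision: str  # "allow" or "block"


def assess_dependencies(dependencies: dict) -> list:
    """Match the artifact's pinned dependency versions against the feed."""
    findings = []
    for name, version in dependencies.items():
        for bad_version, severity, advisory in VULN_FEED.get(name, []):
            if version == bad_version:
                findings.append({"package": name, "version": version,
                                 "severity": severity, "advisory": advisory})
    return findings


def max_severity(findings: list) -> str:
    """Worst severity among the findings, or 'none' when there are none."""
    if not findings:
        return "none"
    return max((f["severity"] for f in findings), key=lambda s: SEVERITY_RANK[s])


def handle_event(event: dict, block_at: str = "high") -> Optional[RiskRecord]:
    """Event-driven hook: only an 'artifact_built' event triggers testing.

    Other pipeline events (commits, test runs) pass through untouched, so the
    security activity runs exactly when the artifact to review exists.
    """
    if event.get("type") != "artifact_built":
        return None
    findings = assess_dependencies(event.get("dependencies", {}))
    worst = max_severity(findings)
    decision = "block" if SEVERITY_RANK[worst] >= SEVERITY_RANK[block_at] else "allow"
    return RiskRecord(artifact=event["artifact"], digest=event["digest"],
                      event=event["type"], findings=findings,
                      max_severity=worst, decision=decision)


def publish_risk_data(record: RiskRecord) -> str:
    """Serialise the record so it can be attached to the artifact by digest."""
    return json.dumps(asdict(record), sort_keys=True)


def run_pipeline(events: list, block_at: str = "high") -> list:
    """Feed a stream of pipeline events through the hook; keep the records."""
    return [r for r in (handle_event(e, block_at) for e in events) if r is not None]


# Constructed sample event stream (digests are placeholders, not real hashes).
SAMPLE_EVENTS = [
    {"type": "commit_pushed", "artifact": "svc-api", "digest": "sha256:PLACEHOLDER-A"},
    {"type": "artifact_built", "artifact": "svc-api", "digest": "sha256:PLACEHOLDER-B",
     "dependencies": {"libexample": "1.2.0", "parsertool": "1.0.0"}},
    {"type": "artifact_built", "artifact": "svc-web", "digest": "sha256:PLACEHOLDER-C",
     "dependencies": {"parsertool": "0.9.1"}},
]

if __name__ == "__main__":
    for rec in run_pipeline(SAMPLE_EVENTS):
        print(publish_risk_data(rec))
```

The point of the design is that the gate has no schedule and no ticket queue: the pipeline event is the trigger, the decision is a policy threshold rather than a human sign-off, and the output is a machine-readable record keyed to the artifact digest, which is what lets a deployment stage or an operations team consume the risk data later without re-running the test.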
