BSIMM14: Trends and recommendations to help improve your software security program

Wednesday, April 10, 2024

The latest BSIMM report, now in its 14th iteration, draws on data from more than 130 companies in eight verticals: what's working, what isn't, how the risk and threat landscapes they face are changing, and how they are responding. The annual report from the Synopsys Software Integrity Group is meant to help organizations maximize the benefits and minimize the pain of a world run by software.

That information can help you do the same, from producing more-secure code to tracking your software supply chain. It's all in the latest Building Security in Maturity Model (BSIMM) report.

No matter how mature your security program is, there’s always room for improvement. As digital transformation has accelerated, increasing the amount of code being written, borrowed, and bought across all sectors of the business landscape, cybercrime has kept pace. Hackers continue their nonstop quest to exploit vulnerabilities in your software, transforming its benefits into profits for themselves while damaging, or even destroying, their victims.

These ongoing realities are why the BSIMM report remains relevant. It tracks the evolution of the ways damage can be inflicted through software defects, and how defenses necessarily evolve as well.

About BSIMM14

The goal of the BSIMM report remains what it was when it was launched in 2008—to enable cooperation among organizations and help them build trust into their software, not by dictating what to do but by documenting what other organizations are doing within their own software security initiatives (SSIs).

That’s why the BSIMM report includes a free “roadmap” to help organizations improve the security of the software that runs their enterprises. It provides detailed information from more than 130 participating organizations in verticals including the cloud, financial services, financial technology, insurance, Internet of Things (IoT), healthcare, and technology. The participants include 11,100 security professionals who collectively help about 270,000 developers working on about 97,000 applications.

The point of the roadmap is that it leaves each organization free to choose its own maturity path: it offers many routes to the destination without mandating which one to take. Each company still needs an SSI that matches its own risk profile and priorities, and it needs to keep checking that fit, because threats are becoming more sophisticated all the time.

No software is inviolable, and as daily headlines remind us, hackers can exploit design flaws, bugs, and other defects in software to steal intellectual property and employee and customer personal information, raid corporate bank accounts, undermine building security, and take down an organization’s operations with ransomware attacks.

That means insecure software is a business risk—potentially an existential risk. And if you’re in business, you need to keep that software secure enough for you and your customers to trust it.

How security is changing

The annual BSIMM reports reflect trends in software security that are responses to the evolution of cybercrime. One of the top trends noted in BSIMM14 is an increased focus on automation: organizations are using the easy-to-use yet powerful automation in modern toolchains to update their security testing and touchpoints. This lets them shift security everywhere throughout the software development life cycle (SDLC) rather than only shifting left.

Wherever automation makes a security task cheap to run, that activity spreads. Modern toolchains, for example, let security testing in the QA stage be automated in the same way that static application security testing (SAST) scans already are earlier in development. Security teams that adopted the "shift everywhere" testing philosophy found that their pipelines could take scripted actions based on the results of those automated security tests, such as holding a build until a high-severity finding is triaged. Firms are also using automation to gather and act on the intelligence provided by sensors throughout the SDLC, catching vulnerabilities before they become a problem for developers.
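The "scripted actions based on the results of automated security tests" above usually come down to a small policy gate that reads a scanner's output and decides whether a pipeline stage may proceed. The script below is an added example, not code from the original post or from BSIMM. It parses a constructed SARIF 2.1.0 document (the interchange format most SAST tools can emit; the sample here is hand-written and not the output of any real tool) and applies a different threshold at each stage, so the same findings produce a warning at commit time but block the QA and release stages. The stage names, the `STAGE_POLICY` thresholds and the rule IDs are hypothetical; the severity bands follow the CVSS-style 0-10 `security-severity` rule property that several tools populate. Suppressed results, which is how SARIF records a triaged false positive, are deliberately skipped so that a gate does not re-block a finding a human has already dispositioned.

```python
"""Stage-aware policy gate over SARIF results (added example, not BSIMM code)."""
import json
from collections import Counter

# Constructed sample SARIF log; hypothetical tool, rules and file paths.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "7.5"}},
            {"id": "XSS-002",  "properties": {"security-severity": "6.5"}},
            {"id": "LOG-003",  "properties": {"security-severity": "2.0"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "XSS-002", "level": "warning",
             "message": {"text": "unescaped value rendered in template"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
            # Same rule, but already triaged as a false positive in source.
            {"ruleId": "XSS-002", "level": "warning",
             "message": {"text": "unescaped value rendered in template"},
             "suppressions": [{"kind": "inSource",
                               "justification": "value is a compile-time constant"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 88}}}]},
            {"ruleId": "LOG-003", "level": "note",
             "message": {"text": "session token written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/audit.py"},
                 "region": {"startLine": 5}}}]},
        ],
    }],
}

# Hypothetical thresholds: the same results are re-evaluated at each stage,
# with the bar rising the closer the code gets to production.
STAGE_POLICY = {
    "commit":  {"block": {"critical"},                   "warn": {"high"}},
    "qa":      {"block": {"critical", "high"},           "warn": {"medium"}},
    "release": {"block": {"critical", "high", "medium"}, "warn": {"low"}},
}


def severity_band(score):
    """Map a CVSS-style 0-10 security-severity score to a named band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def parse_sarif(doc):
    """Flatten a SARIF log into plain findings; suppressed results are dropped."""
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            if res.get("suppressions"):
                continue  # already triaged by a human; do not re-block on it
            rule = rules.get(res.get("ruleId"), {})
            score = float(rule.get("properties", {}).get("security-severity", 0.0))
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "severity": severity_band(score),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def evaluate(findings, stage):
    """Return a verdict plus readable telemetry for the stage's sign-off owner."""
    policy = STAGE_POLICY[stage]
    blocking = [f for f in findings if f["severity"] in policy["block"]]
    warning = [f for f in findings if f["severity"] in policy["warn"]]
    decision = "block" if blocking else "warn" if warning else "pass"
    return {"stage": stage, "decision": decision,
            "counts": dict(Counter(f["severity"] for f in findings)),
            "blocking": blocking, "warning": warning}


def gate(sarif_text, stage):
    """Entry point a pipeline step would call with the scanner's JSON output."""
    return evaluate(parse_sarif(json.loads(sarif_text)), stage)


if __name__ == "__main__":
    for stage in STAGE_POLICY:
        verdict = gate(json.dumps(SAMPLE_SARIF), stage)
        print(f"{stage:8} {verdict['decision']:5} {verdict['counts']}")
        for f in verdict["blocking"]:
            print(f"  BLOCK {f['rule']} {f['file']}:{f['line']} {f['message']}")
```

Run against the sample, the commit stage only warns (one high finding), while QA and release block on the same data; a pipeline would typically turn a `block` verdict into a non-zero exit status. Because the output lists counts per band and the exact file and line of each blocking finding, it doubles as the "understandable and usable telemetry" each stakeholder needs for their own sign-off.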

Four BSIMM software security trends

  • Moving from “shift left” to “shift everywhere” continues. The “shift left” mantra, a term the BSIMM report coined in its early years, was meant to encourage organizations to start security testing earlier in the SDLC; it never meant shift only left. Shift everywhere is a philosophy, an approach to security governance that acknowledges that consistently achieving acceptably secure software is a shared responsibility. Each stakeholder has their own business processes to execute, but each also needs to do their own version of security sign-off, which requires understandable and usable telemetry from the SDLC toolchain.
  • Expanding the scope of security. External pressures like government regulations and increased supply chain threats are leading organizations to extend risk management to the software that they integrate from outside sources, the toolchains used by their developers, and the software present in their operating environments.
  • Implementing product-specific security. A growing number of product companies have started referring to their centralized software security effort as a product security program, rather than application or software security. This naming trend seems to correlate with product vendors creating security programs to manage the risk associated with software that exists in hostile environments for years to decades (as compared to applications in private data centers).
  • Continuing to emphasize Security Champion programs. The oldest insight provided by BSIMM data is that the decision to build and operate a Security Champions program has a measurable impact on total BSIMM scores. In BSIMM14, firms with a Security Champions program scored on average 25% higher than firms without one.

Use the BSIMM to build an AppSec culture

Software security maturity is a journey, not an event. But the BSIMM report can get you started on that journey and help get you to the destination you want and need faster.

Best of all, the complete report is free and open, available under the Creative Commons Attribution-ShareAlike 3.0 license.

So if you haven’t started, start now. BSIMM14 means you’re out of excuses.

This post was originally published at https://www.synopsys.com/blogs/software-security/bsimm-trends-and-recommendations.html
