BSIMM12: Takeaways and Recommendations to Help You Improve Your Software Security Program
BSIMM12 brings together research on the software security activities of real companies to create a guide that helps you navigate your software security initiative.
The popular business book, “The 7 Habits of Highly Effective People,” explores the theory that successful individuals share common qualities that help them achieve their goals, and that these qualities can be identified and applied by others. Applying the same principle to software security, the Building Security In Maturity Model project, better known as BSIMM, reviews organizations’ software security initiatives, conducts in-person interviews about the activities of those organizations, and publishes its findings annually. Now in its 12th iteration, the BSIMM report has grown from nine participating companies in 2008 to 128 in 2021, representing nearly 3,000 members of Software Security Groups and over 6,000 Satellite Members (aka Security Champions) working with nearly 400,000 developers on more than 150,000 applications.
The 2021 edition of the BSIMM report – BSIMM12 – examines anonymized data from the software security activities of 128 organizations across various verticals, including financial services, FinTech, independent software publishers, IoT, health care, and technology organizations. Participating organizations include industry leaders such as Aetna, Bank of America, Citigroup, Freddie Mac, and Johnson & Johnson.
BSIMM12 demonstrates that every business is in the software industry
Many organizations examined in BSIMM12 identify with traditional verticals, but all recognize that they are fundamentally in the software industry. Software plays a major role in the operations of every organization. Delays in software development and deployment affect product release dates, the lifeblood that drives revenue and profit. Companies that sell software or products that include embedded software cannot afford security, compliance, or quality issues to compromise their products.
Even companies that are not directly involved in the sale of software or software-driven products are equally dependent on the quality and security of the software. The software drives administrative systems for payroll, invoicing, receivables, sales tracking and customer records. The software controls their production, manages inventory, directs warehousing and manages the distribution systems that keep a business running. In the service industries, software is used to analyze, optimize, model, interact with and support customers.
The BSIMM12 results tell us that software risk is business risk, and that to effectively manage the second, you need to tackle the first.
Four major trends in software security in BSIMM12
Software security groups are increasingly lending more resources, personnel, and knowledge to DevOps.
The emphasis is shifting away from mandating software security behaviors and toward having security teams forge partnerships with development teams, with the goal of proactively including security efforts in the critical path of software delivery.
Continuous testing is increasing.
BSIMM12 data indicates that more and more companies are prioritizing continuous monitoring and reporting over a point-in-time defect discovery approach, and are then using security telemetry to improve their software development and governance processes.
Break tests down into smaller, more timely checks and run them more frequently.
The imperative to identify software problems as early as possible remains, leading to the need to break down large test events into smaller, more timely checks. But there is also a growing awareness among software security groups that sometimes the deployment orchestration or the post-deployment environment represents the best opportunity for certain kinds of testing.
Policy as code, or governance as code, is on the rise.
Governance as code shifts security practices and adherence to compliance policies from a manual approach to a more consistent, efficient, repeatable, and automated approach. BSIMM data collected in previous years indicated that organizations were beginning to replace manual, human-driven governance activities with automation. BSIMM12 observations now indicate that the authoritative source of software security standards and policies is increasingly human-readable configuration code, or simplified code that performs vulnerability discovery: the essence of software-defined lifecycle governance.
Following the Leaders: What BSIMM12 Says for Security Initiatives
Based on the BSIMM12 data, organizations in the process of building a software security initiative should consider the following key actions:
- Use security testing telemetry whenever possible to collect data such as tests performed and issues discovered to improve your software development lifecycle (SDLC) and governance processes.
- Move toward automating security decisions, with the end goal of governance as verifiable code. Governance as code moves security practices and compliance from a manual approach to a more consistent, efficient, and repeatable automated approach.
- Create a complete software inventory (including a software bill of materials, or BOM) of your assets, detailing internally created code as well as open source and third-party code.
- Implement small, incremental security activities throughout the SDLC, rather than large, slow pass/fail gates that delay pipeline progress.
- Implement automated security tools that can identify and help you fix flaws, vulnerabilities, and malicious code in your organization’s critical software, whether that software was developed in-house or by contractors, and whether it is commercial third-party software or open source.
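To make the governance-as-code and inventory recommendations above concrete, here is a small added illustration (not code from the BSIMM report or any participating organization): a human-readable policy evaluated component by component against a software inventory, producing findings and telemetry counts rather than a single pass/fail gate. The policy keys, inventory fields and sample components are all constructed for the example.

```python
"""Governance-as-code sketch: a plain-data policy evaluated against a software
inventory (BOM), one component at a time. Added example; the policy keys,
inventory shape and sample data below are constructed, not a real product's BOM."""
from dataclasses import dataclass

# Constructed policy expressed as plain data: what a config file would carry.
POLICY = {
    "allowed_origins": {"internal", "open-source", "third-party"},
    "require_version_for": {"open-source", "third-party"},
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause", "proprietary"},
}

@dataclass
class Finding:
    component: str
    rule: str
    detail: str

def evaluate_component(comp: dict, policy: dict) -> list:
    """Apply every policy rule to one BOM entry: a small, incremental check."""
    findings = []
    name = comp.get("name", "<unnamed>")
    origin = comp.get("origin")
    if origin not in policy["allowed_origins"]:
        findings.append(Finding(name, "origin", f"origin {origin!r} is not an allowed value"))
    if origin in policy["require_version_for"] and not comp.get("version"):
        findings.append(Finding(name, "version", "external component without a pinned version"))
    if comp.get("license") not in policy["allowed_licenses"]:
        findings.append(Finding(name, "license", f"license {comp.get('license')!r} not approved"))
    return findings

def evaluate_inventory(inventory: list, policy: dict) -> dict:
    """Evaluate every component and return telemetry: counts plus the findings themselves."""
    findings = []
    for comp in inventory:
        findings.extend(evaluate_component(comp, policy))
    return {"components_checked": len(inventory), "findings": findings, "passed": not findings}

# Constructed sample inventory mixing internal, open source and third-party code.
SAMPLE_INVENTORY = [
    {"name": "billing-api", "origin": "internal", "version": "3.4.0", "license": "proprietary"},
    {"name": "libparse", "origin": "open-source", "version": "", "license": "MIT"},
    {"name": "vendor-sdk", "origin": "third-party", "version": "1.2", "license": "unknown"},
]

if __name__ == "__main__":
    report = evaluate_inventory(SAMPLE_INVENTORY, POLICY)
    for f in report["findings"]:
        print(f"{f.component}: {f.rule}: {f.detail}")
```

Because each rule is data rather than a reviewer's judgment, the same policy file can run on every pipeline stage and the returned counts can feed the telemetry the report recommends collecting.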
Your roadmap to a better software security initiative starts here
For the past 12 years, the BSIMM report has been used by organizations around the world as a measurement tool to compare their own software security initiative (SSI) to the wider BSIMM community. Organizations can assess their maturity, from “emerging” (or starting) to “maturing” (i.e., “activating” or refining their existing security practices to improve their security posture).
Wherever your organization is in its journey, let BSIMM12 provide you with a roadmap to help you achieve your goals.