New Synopsys Research Reveals Significant Increase in Practices to Strengthen Software Supply Chain Security
BSIMM13 Data Reveals Nearly 50% Increase in Activities Securing Open Source Components and Integrating Security into Developer Toolchains
MOUNTAIN VIEW, Calif., September 21, 2022 /PRNewswire/ — Synopsys, Inc. (Nasdaq: SNPS), today released BSIMM13, the latest edition of the annual Building Security In Maturity Model (BSIMM) report analyzing software security practices at 130 organizations, including Adobe, PayPal and Lenovo—in their combined efforts to secure more than 145,000 applications created and maintained by nearly 410,000 developers.
The results highlight a significant increase in activities that indicate that BSIMM member organizations are implementing a “change everywhere” approach to perform automated and continuous security testing throughout the software development life cycle (SDLC) and manage risk across their entire application portfolio.
To learn more, download the BSIMM13 Trends & Insights report.
“The findings from BSIMM13 suggest that with the focus on software supply chains, most enterprises are adopting a risk-based approach to application security. Such an approach recognizes that security is not just about code base; it includes the software development process where security reviews and testing “go all over the place” to continually improve security outcomes.” said Jason Schmitt, general manager of Synopsys Software Integrity Group. “The results also demonstrate that BSIMM member organizations’ software security initiatives are maturing and are now looking for ways to improve the scalability, efficiency and overall effectiveness of their programs.”
Led by Synopsys Software Integrity Group, BSIMM13 highlights evolving trends among member organizations’ software security initiatives over the past 12 months, including:
- Managing Software Supply Chain Risks and the Rise of SBOMs
Likely in the wake of recent high-profile supply chain attacks, software supply chain risk management – most often achieved through identifying and securing open source software – appears to be a priority. absolute for BSIMM member organizations. BSIMM13 reports a 51% increase in activities associated with open source risk control over the last 12 months, as well as a 30% increase in the number of organizations building and maintaining a software bill of materials (SBOM) to fully catalog components of their deployed software.
- Integrating security into developer toolchains
As part of their efforts to “go everywhere”, BSIMM organizations have made significant progress integrating security options into CI/CD pipelines and development tool chains over the past 12 months. BSIMM13 data indicates a 48% growth in activities that allow organizations to include security testing in quality assurance automation.
- Extend software security beyond products and applications
BSIMM13 data also shows phenomenal growth in activities that indicate that security teams are working with operations to secure non-application software, such as automation created for CI/CD, as observations of activities targeting to leverage operational data for continuous improvement increased by 95%. the last 12 months.
- “Shift Everywhere” with automated and continuous testing
Data from BSIMM13 indicates that 82% of BSIMM member organizations now use automated code review tools, which rank among the top 10 observed activities in BSIMM13, enabling them to perform incremental security testing faster and identify vulnerabilities as they are introduced. SDLC.
Created in 2008, the BSIMM is a maturity model that observes and quantifies the activities performed by software security professionals to help members of the wider security community plan, execute, and measure their organizations’ initiatives. BSIMM data comes from interviews conducted with member organizations during a BSIMM assessment. Following the assessment, observation data is anonymized and added to the BSIMM data pool, where statistical analysis is performed to highlight trends in how BSIMM organizations secure their software.
In addition to publishing its annual report, BSIMM offers its members a private community to engage with peers, learn best practices and gain new knowledge through community discussions, blogs, e-learning courses, webinars and more exclusive content focused on securing software in today’s dynamics. working environment.
“Having joined the BSIMM community in 2015, we have found significant value in leveraging insights gained from observations that are refreshed each year to help us plan and measure our own security program, and also gain insight into areas of practices most important to our customers,” said Bill Jäger, executive director of the Product Security Office of Lenovo’s Infrastructure Solutions Group. “Furthermore, the BSIMM community itself is a fantastic resource, with members generously sharing their experiences and lessons learned; we are all on a similar path, and companies just beginning their software security initiatives can learn a lot. of those who started earlier.”
Those interested in learning more about the results and the BSIMM program can download the BSIMM13 Trends & Insights report or the full BSIMM13 Foundations, which provides in-depth data analysis and explores industry-specific trends.
Synopsys would like to thank Jamie Boot, Eli Erlikhman, Stephen Gardnerand Sammy Miguesauthors of BSIMM13, as well as Kathy ClarkFisher and Ryan Francoiswhose behind-the-scenes work keeps the science project, conferences, and the BSIMM community on track.
Some of the companies participating in the BSIMM study include: AARP, Adobe, Aetna, Allied bankAxway, Bank of America, Bell Network, CIBC, Cisco, Citi, Diebold NixdorfDepository Trust & Cleaning Corporation, Egis, Eli Lilly and Company, eMoney Advisor, EQBank, Equifax, Fidelity, Finastra, Freddie Mac, F-Secure, Genetec, HCA Healthcare, Honeywell CE, HSBC, Imperva, Inspur Software, Intralinks, iPipeline, Johnson & Johnson, Landis+Gyr, Lenovo, MassMutual, MediaTek, Medtronic, Navient, Navy Federal Credit Union, NEC, NetApp, Oppo, PayPal, Pegasystems, Principal Financial, Realtek, SambaSafety, ServiceNow, Signify, SonicWall, Synchrony Financial, TD Ameritrade, Teradata, Trainline, Trane, US Bank, Veritas, Verizon Media, Vivo, World Wide Technology, ZoomInfo.
Created in 2008, the Building Security In Maturity Model (BSIMM) is a data-driven tool for creating, measuring, and evaluating software security initiatives. Developed through the careful study and analysis of over 250 software security initiatives, BSIMM13 includes current, real-world data from 130 organizations around the world. In addition to publishing its annual report, BSIMM offers member organizations a private community to engage with peers, learn best practices and gain new knowledge through community discussions, blogs, e-learning courses, webinars and more. To learn more about the BSIMM program, visit www.bsimm.com
About Synopsys Software Integrity Group
Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risk while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development lifecycle. Learn more at www.synopsys.com/software.
Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software™ partner for innovative companies that develop the electronic products and software applications we rely on every day. As an S&P 500 company, Synopsys has long been a global leader in electronic design automation (EDA) and semiconductor intellectual property and offers the broadest portfolio of testing tools and services in industry application security. Whether you’re a system-on-chip (SoC) designer creating advanced semiconductors or a software developer writing more secure, high-quality code, Synopsys has the solutions to deliver innovative products. Learn more at www.synopsys.com.
SOURCE Synopsys, Inc.