Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
According to the latest edition of the annual Synopsys Building Security In Maturity Model (BSIMM) report, 90% of the member organizations surveyed have established software security checkpoints in their software development lifecycle (SDLC), indicating that this is an important step to success in their software security initiatives.
Additionally, there was a 51% increase in activities associated with controlling open-source risk over the last 12 months, as well as a 30% increase in organizations building and maintaining a software bill of materials (SBOM).
About the Synopsys BSIMM
Started in 2008, the BSIMM is a tool for creating, measuring and evaluating software security initiatives. It uses a data-driven model leveraging the industry’s largest dataset of worldwide cybersecurity practices. BSIMM was developed through the careful study and analysis of more than 200 software security initiatives.
The BSIMM13 report analyzed the software security practices across 130 enterprise organizations — including 48 Fortune 500 companies such as Adobe, Bank of America and Lenovo — in their cumulative efforts to secure more than 145,000 applications built and maintained by nearly 410,000 developers.
Event
MetaBeat 2022
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
Register Here
The findings highlight significant increase in activities that indicate BSIMM member organizations are implementing a “shift everywhere” approach to perform automated and continuous security testing throughout the SDLC and manage risk across their complete application portfolio.
Year-over-year trends
One way to examine differences between last year’s BSIMM12 and BSIMM13 is to look for trends, such as a high growth in observation rates among common activities. For example, the observation rate for six activities below grew at 20% or higher in BSIMM13 observations compared to last year. This includes the following:
- 34% implement cloud security controls.
- 27% make code review mandatory for all projects.
- 25% create a standards review process.
- 25% gather and use attack intelligence.
- 24% identify open source.
- 20% require security sign-off for compliance-related risk.
Taking action
Whether organizations are in the process of creating a software security initiative or maintaining a mature program, BSIMM13 data indicates they should be considering the following key actions:
Put automated software security tools into place
Whether used for static or dynamic testing or software composition analysis, these tools can help remedy defects and identify known vulnerabilities in your software, whether that software was developed in-house, is commercial third-party software, or is open source.
Use data to drive security decisions
Collect and combine data from your security testing tools and use that data to create and enforce software security policies. Gather data on what testing was performed and what issues were discovered to drive security improvements in both the software development lifecycle and your governance processes.
Move toward automating security testing and decisions
Move away from human-intensive manual approaches to more effective, consistent, and repeatable automated approaches.
Move to smaller, automated checks within the SDLC
Whenever possible, replace manual activities such as pen testing or manual code review with smaller, faster, pipeline-driven, testing whenever there is an opportunity to check software.
Create a comprehensive SBOM as soon as possible
A software bill of materials should inventory your assets, along with open source and third-party code.
The BSIMM is an open standard that includes a framework based on software security practices, which an organization can use to assess and mature its own efforts in software security.
BSIMM methodology
BSIMM data originates in interviews conducted with member firms during a BSIMM assessment. After each assessment, the observation data is anonymized and added to the BSIMM data pool, where statistical analysis is performed to highlight trends in how BSIMM firms are securing their software.
Read the full report from Synopsis.