The BSIMM Community Awards recognize the most impactful projects carried out by BSIMM member organizations throughout the year.
In 2022, being tasked with leading an organization’s software security program can feel a lot like hosting a high-profile Hollywood awards ceremony. One wrong move can end up slapping you across the face—and in front of everyone.
It’s rough out there. Despite all the great work these program leaders and their teams do every day to keep their organization’s digital footprint secure, we tend to hear about them only when things go wrong.
That’s why we created the inaugural BSIMM Community Awards, which aim to recognize the most impactful projects carried out by BSIMM member organizations throughout the year.
Whether it’s cutting costs, reducing the friction between development and security teams, or launching a champions program, these are the projects that drive some of the world’s most recognized brands forward.
Established in 2008, the BSIMM (Building Security in Maturity Model) is a maturity model built from observations of real-world software security initiatives. It catalogs 125 activities, grouped into 12 practices across four domains (Governance, Intelligence, SSDL Touchpoints, and Deployment), to describe how organizations build security into software development in the face of a rapidly evolving threat landscape. Through this data-driven lens, a BSIMM assessment measures the maturity of an organization’s software security group and produces a scorecard that benchmarks its program against the rest of the community.
Assessments and scorecards aside, the BSIMM provides member organizations with a private digital community to engage with peers, share insights, and learn best practices, as well as in-person events to foster meaningful connections and tighter collaboration.
But don’t take it from us; here’s what Bill Jaeger, Executive Director of Lenovo’s Infrastructure Solutions Group Product Security Office, had to say about the BSIMM community:
“Having joined the BSIMM community in 2015, we have found significant value in leveraging the insights drawn from the annually refreshed observations to help us plan and measure our own security program, and also to gain a sense of the practice areas that are most important to our customers. Additionally, the BSIMM community itself is a fantastic resource, with members generously sharing experiences and lessons learned. We’re all on a similar journey, and firms just beginning their software security initiatives can learn so much from those that started earlier.”
The inaugural BSIMM Community Awards ceremony took place during this year’s annual BSIMM North America Conference, hosted October 4-6 in Colorado Springs, Colorado.
To select this year’s winners, a panel of BSIMM assessors reviewed the submissions from BSIMM member organizations and selected five winners whose projects best demonstrated a positive business impact through initiative and innovation.
Here are your 2022 BSIMM Community Award winners:
SAS
Recognized for: Product Security Leads Program
SAS’s product security lead (PSL) role gives the organization the support and management its SSDLC needs across the product portfolio and the enterprise. By aligning security lanes of authority with business lanes of authority, both the PSL program and the security champions program can fully align with the business. Through PSLs, the SAS product security team has scaled its impact across a 200-person security champion network and ensures that value is delivered at every stage of the SSDLC.
FINRA
Recognized for: Security Outreach Program
FINRA’s outreach program caught our attention because it shows how much communication and outreach matter for application security. The program won vital buy-in for AppSec by building a messaging strategy that went beyond compliance and risk arguments.
Zoom Video Communications, Inc.
Recognized for: Engineering Security Champions Program
Zoom’s security champions program is a novel way to solve what it terms the “cyber talent crunch.” During the Great Resignation, skilled application security professionals were hard to come by, and talent was even harder to retain. By growing developers into AppSec experts, Zoom is cultivating its own next generation of cyber talent to better drive the security transformation underway.
Haven
Recognized for: Creation and Centralization of a Security Scanning Template
Haven’s approach of scaling security tooling by capturing security knowledge in reusable, centrally maintained scanning templates represents the next step in scaling an application security program. By investing in knowledge capture, Haven lets its developers build software that is secure by default.
DTCC
Recognized for: Enterprise Application Security Assurance Program
By shifting left and finding weaknesses at the design stage, DTCC has used the findings from its design-breaking exercises to drive adoption of strong security controls and frameworks. The results are measurable: fewer vulnerabilities are now reported in the assessments performed later in the lifecycle.
Those interested in learning more about these findings and the BSIMM program can download the BSIMM13 Trends & Insights report or the full-length BSIMM13 Foundations, which provides an in-depth analysis of the data and explores industry-specific trends.
From everyone here at the Synopsys Software Integrity Group, congratulations to this year’s winners!