Posted by Robert Vamosi on September 20, 2017
How does your software security initiative stack up against the best? Against others in your market? Against your own goals? A Building Security In Maturity Model (BSIMM) assessment can answer these questions.
Whether you call it a software security initiative (SSI), application security program, product security process, or something else, it’s a business necessity to have a concerted effort that instills, measures, manages, and evolves software security activities in a coordinated fashion. To keep your effort pointed in the right direction, you must measure it. The BSIMM, a unique tool in the software industry, is a measuring stick that gives a snapshot of existing software security activities.
“Given that every organization has unique requirements for its software portfolio, the BSIMM doesn’t try to be a how-to guide,” said Sammy Migues, principal scientist, Synopsys Software Integrity Group. “Instead, a BSIMM measurement reflects the current maturity of an organization’s overall initiative. It gives a current benchmark, and it helps set a goal for organizations wanting to improve their software security. Measurement results also make great objective data for discussing additional resources with executive management.”
On Wednesday, Synopsys released its eighth report in the series, BSIMM8. The current dataset includes 256 distinct measurements collected from 109 firms in multiple vertical markets. It provides a composite view as well as year-over-year data.
BSIMM measurement results are useful for executives responsible for initiating and maintaining an SSI. Often, these executives are already part of an internal group that the BSIMM calls the software security group (SSG). Mature organizations also have a satellite: a network of others within the organization, such as developers and architects, who are engaged in and promote software security. Notably, all 10 firms with the highest BSIMM scores have a satellite.
“The BSIMM is an observational model that reports in a common framework what organizations are actually doing,” Migues said. “Because we drop older data from the model, BSIMM8 also reflects the current state of organizational approaches to software security.”
The 109 participating organizations are drawn from six well-represented verticals (with some overlap):
Verticals with lower representation in the BSIMM population include telecommunications, security, retail, and energy. In total, BSIMM8 describes the work of 1,268 SSG members working with 3,501 satellite people to secure the software developed by 290,582 developers. This represents a combined portfolio of 94,802 applications.
“The BSIMM can be used to measure any ongoing initiative,” Migues said. “The BSIMM8 data pool includes firms that create web applications, thick clients, embedded software, IoT, medical devices, and everything else. Software security groups range from 1 person to 130. Development team sizes range from 20 to 35,000. If an organization has an SSI, the BSIMM can measure it.”
Synopsys created BSIMM1 in 2008 based on analysis of data from nine firms, resulting in a common framework containing 110 unique software security activities. The BSIMM software security framework (SSF) and activity descriptions provide a common vocabulary for explaining the elements of an SSI, allowing comparison of initiatives that use different terms, operate at different scales, exist in different vertical markets, or create different work products. Synopsys classifies the work as a maturity model because improving software security almost always means changing the way an organization works—something that doesn’t happen overnight.
Being observational and capturing industry changes over time, BSIMM8 now includes 113 activities within the 12 practices of the BSIMM framework. The practices are organized into four domains.
Activities are as specific as “Use automated [static analysis] tools along with manual review.” While this might seem obvious, it was observed in only 65% of BSIMM8 participants. BSIMM8 also provides detailed descriptions and observation data for all 113 activities.
Since creating the BSIMM, Synopsys has performed 321 assessments in 146 firms. To keep the BSIMM data pool relevant, the ongoing study drops measurements older than 42 months. The result today is BSIMM8, which includes data on 109 firms.
Many firms use BSIMM assessments as their periodic benchmark. Thirty-six of the currently participating firms have had a second set of interviews to study how their initiatives have changed over time. Sixteen firms have undertaken three BSIMM assessments, five firms have done four, and one firm has had five.
“The BSIMM is an open standard that anyone can download and use,” Migues said. “If a firm chooses to have Synopsys perform an objective assessment, they also become a member of the BSIMM community, which includes a low-noise mailing list of other software security leaders and semi-annual private conferences for participants only. There’s no reason for an organization getting started with an SSI to try to do it alone.”