Understanding the latest BSIMM report trends can help you plan strategic improvements to your own security efforts.
If you want good advice on how to improve your organization’s software security—and you should—you’ve come to the right place.
What makes it even better is that it’s not coming only from us—it’s coming from your peers in your own industry sector. More than 130 companies in eight verticals told Synopsys (anonymously, of course) what’s working, what isn’t, what’s changing about risks and threats, and how they’re responding to those changes to build trust into their software.
And that information can help you do the same, from producing more-secure code to tracking your software supply chain. It’s all in the latest Building Security in Maturity Model (BSIMM) report, released this week. Now in its 13th iteration, this annual report by the Synopsys Software Integrity Group helps organizations maximize the benefits and minimize the pain of a world run by software.
The need for advice like this should be obvious. It’s not news that software is everywhere and runs just about everything, enabling a seemingly limitless range of benefits to modern business.
Nor is it news that cybercrime is everywhere. For as long as software has existed, hackers have been on a nonstop quest to exploit vulnerabilities in it, turning its benefits into profits for themselves while damaging, or even destroying, their victims.
Those ongoing realities are why the BSIMM report remains relevant. It tracks the constant evolution of the ways damage can be inflicted through software defects, and how defenses necessarily evolve as well.
It’s also important because, as BSIMM13 puts it in a nod to poet/philosopher John Donne, “No one is an island.” Almost nobody can escape software and the ways it connects us all, for better or worse. That’s why we talk about the web—billions of digital connections made from strands of code, running everything from electricity to traffic lights, utilities, finance, education, communication, entertainment—the list goes on and on.
And since we’re all connected, it’s crucial for the community of good guys to cooperate. After all, the bad guys cooperate regularly. The goal of the BSIMM report remains what it was when it was launched in 2008—to enable cooperation within the law-abiding community to help one another build trust into their software, not by dictating what to do but by documenting what other organizations are doing within their own software security initiative (SSI).
That’s why the BSIMM report describes itself as a free “roadmap” to help organizations improve the security of the software that runs their enterprises. It provides detailed information from more than 130 participating organizations in verticals including cloud, financial services, financial technology, independent software vendors, insurance, Internet of Things (IoT), healthcare, and technology.
Those participants include nearly 11,900 security professionals helping more than 410,000 developers secure the software running 145,000 applications.
Each organization can decide on the best way to progress on its journey to maturity. Indeed, the whole idea of a roadmap is to show multiple routes to a destination without dictating which one to take.
But every organization needs an SSI that matches its risk profile and priorities, because the threats are real and keep getting more sophisticated.
Software isn’t perfect—nothing is—and as daily headlines remind us, if hackers can exploit design flaws, bugs, and other defects in software, they can steal intellectual property, swipe the personal information of employees and customers, raid corporate bank accounts, undermine the physical security of a building, and take down the operations of an organization with ransomware attacks.
That means insecure software is a business risk—potentially an existential risk. And if you’re in business, you need to keep that software secure enough for you and your customers to trust it.
As noted, every BSIMM report reflects trends in software security that are responses to the evolution of cybercrime. This latest one is no different. One of the top trends noted in BSIMM13 is increased focus on open source software and supply chain security.
Just a few years ago, those were fringe topics in the security community. Now they are top priorities in both the private and public sectors. They are key elements in President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity and multiple federal guidance documents that have been released in response to it.
That’s because third-party software—open source and commercial—is in just about every codebase and comprises the large majority of them, as documented by another Synopsys report, Open Source Security and Risk Analysis.
So an encouraging trend noted by BSIMM13 is that 73% of cybersecurity professionals surveyed have increased their efforts to secure their supply chains.
One of the ways to do that is by using an automated software composition analysis (SCA) tool, which finds the open source components in a codebase, including the transitive dependencies those components pull in, along with any known vulnerabilities and licensing conflicts in them.
Another is the creation and maintenance of a software bill of materials (SBOM), which identifies the third-party software in a codebase so an organization can respond quickly when a new vulnerability is disclosed in any of those components. That response is only as fast as the matching: the SBOM needs precise component identifiers and versions, and it has to be regenerated whenever a dependency changes. BSIMM13 found a 30% increase in organizations creating SBOMs, reflecting the increased awareness of software supply chain risks, not to mention the impending requirement that any software products sold to federal agencies must have an SBOM.
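To make the SCA and SBOM points above concrete, here is an added example (written for this edit; it is not code from the BSIMM report or from any Synopsys tool) that parses a small CycloneDX-style SBOM and cross-checks each component’s package URL (purl) against a list of vulnerability advisories and a license allowlist. The SBOM contents, the advisory identifiers (EXAMPLE-2022-…), the version ranges, the package names and the allowlist are all constructed for illustration; none refers to a real package or a real vulnerability.

```python
import json
import re

# Constructed sample SBOM in CycloneDX JSON layout. The packages, versions and
# licenses are hypothetical and exist only for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-parser", "version": "1.4.2",
     "purl": "pkg:npm/example-parser@1.4.2",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-crypto", "version": "3.2.0",
     "purl": "pkg:pypi/example-crypto@3.2.0",
     "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    {"type": "library", "group": "com.example", "name": "example-http", "version": "2.0.7",
     "purl": "pkg:maven/com.example/example-http@2.0.7",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "example-logger", "version": "0.9.1",
     "purl": "pkg:npm/example-logger@0.9.1"}
  ]
}"""

# Constructed advisories with hypothetical identifiers (not real CVEs). Each names
# the package by version-less purl, the vulnerable version range and the fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "package": "pkg:npm/example-parser",
     "vulnerable": "<1.5.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-2022-0002", "package": "pkg:pypi/example-crypto",
     "vulnerable": ">=3.0.0,<3.2.0", "fixed": "3.2.0"},
]

# Licenses this hypothetical organization permits in shipped products.
LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """Turn '1.4.2' (or '1.4') into a comparable tuple of ints, padded to 3 parts."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def version_in_range(version, spec):
    """True when version satisfies every comma-separated constraint in spec."""
    v = parse_version(version)
    for constraint in spec.split(","):
        op, bound = re.match(r"\s*(<=|>=|==|<|>)\s*(\S+)", constraint).groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def split_purl(purl):
    """'pkg:maven/com.example/example-http@2.0.7' -> ('pkg:maven/com.example/example-http', '2.0.7')."""
    base, _, version = purl.partition("@")
    return base, version.split("?")[0]  # drop purl qualifiers such as ?type=jar


def affected_components(sbom_json, advisories):
    """Return (advisory id, component purl, fixed version) for every component whose
    package and version fall inside an advisory's vulnerable range."""
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] == base and version_in_range(version, adv["vulnerable"]):
                hits.append((adv["id"], comp["purl"], adv["fixed"]))
    return hits


def license_conflicts(sbom_json, allowlist):
    """Return (purl, declared license ids) for components declaring a license outside
    the allowlist or declaring no license at all (reported with an empty list)."""
    conflicts = []
    for comp in json.loads(sbom_json)["components"]:
        ids = [entry["license"]["id"] for entry in comp.get("licenses", [])]
        if not ids or any(lic not in allowlist for lic in ids):
            conflicts.append((comp["purl"], ids))
    return conflicts


if __name__ == "__main__":
    for adv_id, purl, fixed in affected_components(SBOM_JSON, ADVISORIES):
        print(f"VULNERABLE {purl}: {adv_id}, upgrade to {fixed}")
    for purl, ids in license_conflicts(SBOM_JSON, LICENSE_ALLOWLIST):
        print(f"LICENSE    {purl}: {ids or 'none declared'}")
```

Matching on the version-less purl rather than on a bare name is deliberate: the same name can exist in several ecosystems (npm, PyPI, Maven), and a name-only match produces both false alarms and missed hits. The component with no license entry is reported as a conflict rather than silently passed, since an SBOM that omits license data cannot support a policy decision either way.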
The report also found that many BSIMM community members are demanding software vendors meet security standards. The “communicating standards to vendors” and “ensuring compatible vendor policies” activities were up by 46% and 56% respectively.
Interestingly, not all activity relating to software supply chain risk management experienced growth. BSIMM13 notes that the “provide training for vendors and outsourced workers” activity dropped by 30% after increasing steadily over the lifetime of the BSIMM. However, the report speculates that the training itself is not declining, but rather that organizations are specifying training requirements to their vendors instead of providing it themselves.
An SSI doesn’t come into being or succeed without effort, of course. It takes leadership and a team of security experts who can also recruit developers, testers, architects, and DevOps engineers to serve as “software security champions,” enabling a software security group to scale its efforts without having to expand the group itself.
As the BSIMM report puts it, “security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues and surfacing them when discovered. ‘Jiminy Crickets’ of software security, if you will, high keepers of knowledge of right and wrong; guides along the straight and narrow.”
The value of security champion programs is apparent in a continuing trend—on average, firms with such programs score better in BSIMM assessments than those without one. BSIMM13 found that difference was a dramatic 35%.
Nor does software security maturity happen overnight. It is a journey, not an event. But the BSIMM report can get you started on that journey and help get you to the destination you want and need faster.
Best of all, the complete report is free and open, available under the Creative Commons Attribution-ShareAlike 3.0 license.
So if you haven’t started, start now. BSIMM13 means you’re out of excuses.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.