close search bar

Sorry, not available in this language yet

close language selection
 

BSIMM13: Trends and recommendations to help improve your software security program

Understanding the latest BSIMM report trends can help you plan strategic improvements to your own security efforts.

BSIMM13 | Synopsys

If you want good advice on how to improve your organization’s software security—and you should—you’ve come to the right place.

What makes it even better is that it’s not coming only from us—It’s coming from your peers in your own industry sector. More than 130 companies in eight verticals told Synopsys (anonymously, of course) what’s working, what isn’t, what’s changing about risks and threats, and how they’re responding to those changes to build trust into their software.

And that information can help you do the same, from producing more-secure code to tracking your software supply chain. It’s all in the latest Building Security in Maturity Model (BSIMM) report, released this week. Now in its 13th iteration, this annual report by the Synopsys Software Integrity Group helps organizations maximize the benefits and minimize the pain of a world run by software. 

The need for advice like this should be obvious. It’s not news that software is everywhere and runs just about everything, enabling a seemingly limitless range of benefits to modern business. 

Nor is it news that cybercrime is everywhere. For as long as software has existed, hackers have been on a nonstop quest to exploit vulnerabilities in it, turning its benefits into profits for themselves while damaging, or even destroying, their victims. 

Those ongoing realities are why the BSIMM report remains relevant. It tracks the constant evolution of the ways damage can be inflicted through software defects, and how defenses necessarily evolve as well.

It’s also important because, as BSIMM13 puts it in a nod to poet/philosopher John Donne, “No one is an island.” Almost nobody can escape software and the ways it connects us all, for better or worse. That’s why the internet is called the web—billions of digital connections made from strands of code, running everything from electricity to traffic lights, utilities, finance, education, communication, entertainment—the list goes on and on. 

Download BSIMM13

About BSIMM13

And since we’re all connected, it’s crucial for the community of good guys to cooperate. After all, the bad guys cooperate regularly. The goal of the BSIMM report remains what it was when it was launched in 2008—to enable cooperation within the law-abiding community to help one another build trust into their software, not by dictating what to do but by documenting what other organizations are doing within their own software security initiatives (SSI).

That’s why the BSIMM report describes itself as a free “roadmap” to help organizations improve the security of the software that runs their enterprises. It provides detailed information from more than 130 participating organizations in verticals including cloud, financial services, financial technology, independent software vendors, insurance, Internet of Things (IoT), healthcare, and technology. 

Those participants include nearly 11,900 security professionals helping more than 410,000 developers secure the software running 145,000 applications.

Each organization can decide on the best way to progress on its journey to maturity. Indeed, the whole idea of a roadmap is to show multiple routes to a destination without dictating which one to take.

But every organization needs an SSI that matches its risk profile and priorities. Because the threats are real and keep getting more sophisticated. 

Software isn’t perfect—nothing is—and as daily headlines remind us, if hackers can exploit design flaws, bugs, and other defects in software, they can steal intellectual property, swipe the personal information of employees and customers, raid corporate bank accounts, undermine the physical security of a building, and take down the operations of an organization with ransomware attacks.

That means insecure software is a business risk—potentially an existential risk. And if you’re in business, you need to keep that software secure enough for you and your customers to trust it. 

Supply chain security is a priority

As noted, every BSIMM report reflects trends in software security that are responses to the evolution of cybercrime. This latest one is no different. One of the top trends noted in BSIMM13 is increased focus on open source software and supply chain security

Just a few years ago, those were fringe topics in the security community. Now they are top priorities in both the private and public sectors. They are key elements in President Biden’s May 2021 Executive Order on Improving the Nation’s Cyber Security and multiple federal guidance documents that have been released in response to it.

That’s because third-party software—open source and commercial—is in just about every codebase and comprises the large majority of them, as documented by another Synopsys report, Open Source Security and Risk Analysis

So an encouraging trend noted by BSIMM13 is that 73% of cybersecurity professionals surveyed have increased their efforts to secure their supply chains.

One of the ways to do that is by using an automated software composition analysis tool, which helps find open source components in a codebase, along with any known defects and licensing conflicts in those components. 

Another is the creation and maintenance of a software Bill of Materials (SBOM), which identifies third-party software in codebases, so an organization can respond quickly to any new disclosures of vulnerabilities in any of those components. BSIMM13 found a 30% increase in organizations creating SBOMs, reflecting the increased awareness of software supply chain risks, not to mention the impending requirement that any software products sold to federal agencies must have an SBOM.

The report also found that many BSIMM community members are demanding software vendors meet security standards. The “communicating standards to vendors” and “ensuring compatible vendor policies” activities were up by 46% and 56% respectively.

Interestingly, not all activity relating to software supply chain risk management experienced growth. BSIMM13 notes that the “provide training for vendors and outsourced workers” activity dropped by 30% after increasing steadily over the lifetime of the BSIMM. However, the report speculates that the training itself is not declining, but rather that organizations are specifying training requirements to their vendors instead of providing it themselves.

Five BSIMM software security trends

  • Moving from “shift left” to “shift everywhere” continues. While the “shift left” mantra, a term coined by the BSIMM report in its early years, was meant to encourage organizations to start their security testing earlier in the software development life cycle (SDLC), it was never meant to be taken to mean shift only left. “What we really meant is to conduct a security control activity as quickly as possible, with the highest fidelity, as soon as the artifacts on which that activity depends are made available,” said Sammy Migues, principal scientist at Synopsys and a coauthor of the BSIMM report since it began. Put another way, it means doing the right test at the right time with the help of automated tools like intelligent orchestration. Intelligent orchestration can enable continuous defect discovery during the SDLC that would be impossible to do manually.
  • Integrating security into developer toolchains. This helps security testing keep pace with the speed of development and makes shifting everywhere more feasible.
  • Moving to smaller, automated checks within the SDLC. This is another element of shifting everywhere, which helps developers find and fix defects when it takes the least time and money. The Open Web Application Security Project, citing the National Institute of Standards and Technology, IBM, and Gartner, reported several years ago that it can cost 30 to 60 times less to fix an application security vulnerability during the design phase (the beginning of the SDLC) than during production (the end).
  • Automating enforcement of coding standards. This amounts to automated guardrails—policy-as-code that makes sure the only way to write code is the secure way. That takes security beyond fixing bugs to preventing them. BSIMM13 found that the security activity “drive feedback from software life cycle data back to policy” increased by more than 80%, showing that BSIMM participants are updating policy based on their bug eradication efforts.
  • Increasing use of orchestration for container security. This refers to the use of automation and intelligent orchestration to monitor applications in containers for misconfiguration and noncompliance. BSIMM13 observed an increase of nearly 30% in the “use orchestration for containers and virtualized environments” activity.

Build an AppSec culture with security champions

An SSI doesn’t come into being or succeed without effort, of course. It takes leadership and a team of people who are not only security experts but who can also recruit developers, testers, architects, and DevOps engineers who can become “software security champions” and enable a software security group to scale its efforts without having to expand the group itself.

As the BSIMM report puts it, “security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues and surfacing them when discovered. ‘Jiminy Crickets’ of software security, if you will, high keepers of knowledge of right and wrong; guides along the straight and narrow.”

The value of security champion programs is apparent in a continuing trend—on average, firms with such programs score better in BSIMM assessments than those without one. BSIMM13 found that difference was a dramatic 35%.

Nor does software security maturity happen overnight. It is a journey, not an event. But the BSIMM report can get you started on that journey and help get you to the destination you want and need faster.

Best of all, the complete report is free and open, available under the Creative Commons Attribution-ShareAlike 3.0 license

So if you haven’t started, start now. BSIMM13 means you’re out of excuses.

BSIMMBlogAd.png

 
Taylor Armerding

Posted by

Taylor Armerding

Taylor Armerding

Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.


More from Managing security risks