Software Integrity Blog

 

BSIMM10: A decade of research on software security activities

BSIMM10 compiles a decade of research on software security activities in real-life firms into a guide for maturing your software security initiative.

BSIMM10: A decade of research on software security activities

Have you heard of the BSIMM? If you have, you know it’s the best way to measure your software security initiative (SSI) year after year to see how it’s evolving and how your SSI compares to that of other firms in your industry. If you haven’t, you’re in luck: The latest version is out now, and it’s notably different from last year’s version. Read on for a summary, or get the report here.

Download BSIMM10

What is the BSIMM?

The BSIMM is the Building Security In Maturity Model. It compiles all the observations collected from BSIMM assessments (analyses of individual organizations) and offers conclusions about software security best practices, demonstrates how real-life SSIs mature and evolve, and describes the state of software security within and across verticals. In other words, it reports on the software security activities performed by real-world organizations—not what they should do but what they actually do.

What is a BSIMM assessment?

When an organization asks for a BSIMM assessment, we send a team of consultants to conduct in-depth interviews with key security personnel from the software security group (SSG) and the legal, compliance, training, intelligence, incident response, and engineering teams. Using these observations, we score the organization’s existing efforts in 119 software security activities across 12 practices.

In a BSIMM assessment, we compare the organization’s SSI to other organizations in the same vertical. We discuss areas of strength and potential improvement. Then we add all those observations to the BSIMM pool, updating the model incrementally with every assessment. We also remove those assessments that have aged out. Consequently, the model reflects the state of software security and the maturity of SSIs in the real world.

Sample spider chart of software security activities

What is BSIMM10? How is it different from BSIMM9?

BSIMM10 is the 10th version of the BSIMM. It describes 119 activities (grouped into 12 general practices in four domains) performed by 122 firms we assessed within the last 42 months. Some firms had multiple assessments to see how their SSIs were maturing. Some firms also had different business units assessed separately.

With that much data, it’s easy to see patterns emerge. BSIMM10 highlights three new patterns in real-life software security programs: how DevOps is changing software security, how engineers are leading security efforts, and how SSIs evolve through three phases.

DevOps is changing software security

BSIMM10 shows that the DevOps movement, along with growth in CI/CD tooling and digital transformation, is affecting the way that firms secure their software portfolios.

Changes to existing software security activities

Agile, CI/CD, and DevOps are driving an increase in development velocity and the use of automation. In response, firms are changing the way they approach the software security activities they perform. We’ve updated many of the BSIMM activity descriptions to reflect these changes. We’ve also added three new activities (see below) that demonstrate how firms are actively working to match the speed of software security to the speed of software delivery.

New software security activities in BSIMM10

New software security activities in BSIMM10

  • Integrate software-defined lifecycle governance focuses on replacing traditional human- and document-driven processes with automation that drives application lifecycle management processes.
  • Monitor automated asset creation addresses maintaining awareness of the virtual assets now being created by engineering teams.
  • Automate verification of operational infrastructure security helps to ensure that virtual assets adhere to security expectations when created and over time.

Engineers are leading security efforts

BSIMM10 is our first study to formally reflect changes in SSI culture. Governance-led cultures, where centralized SSGs lead software security efforts from the top down, were once dominant. Now we’re seeing more engineering-led cultures, where development and operations teams drive software security efforts from the bottom up. Just in the past few years, engineering-led security culture has established and grown meaningful software security efforts in some organizations.

Why the culture shift?

The demands of modern software delivery practices, such as agile and DevOps, are driving this new wave of engineering-driven security culture. Another contributing factor is the fact that teams are trying to avoid friction with existing SSIs.

Download BSIMM10

Clash of cultures

Traditional governance-driven cultures practice proactive risk management through controls around assurance, such as policies, standards, and gates. But engineering-driven cultures prioritize speed and automation, prototyping controls incrementally, and building on existing tools and techniques. Even though their priorities and approaches differ, and sometimes compete, both cultures can exist within the same organization. All stakeholders must coordinate efforts to align these cultures and drive the SSI in a single coherent direction.

Software security initiatives evolve through 3 phases

BSIMM10 shows that organizations can improve over time. Many mature to the point where they strive to expand existing software security activities rather than always adding new ones.

We’ve measured 50 of the 122 firms in BSIMM10 at least twice (on average, 30 months apart). Their activity counts increased by an average of 11.1 (42%), and in 43 firms, the raw score went up.

BSIMM10 is the first BSIMM report to define three phases of SSI maturity—emerging, maturing, and optimizing. BSIMM10 also demonstrates how both governance-led and new engineering-led cultures can progress through these phases.

  • Emerging: an organization tasked with booting a new SSI from scratch or formalizing nascent or ad hoc software security activities into a holistic strategy.
  • Maturing: an organization with an existing or emerging software security approach connected to executive expectations for managing software security risk and progressing along a roadmap for scaling security capabilities.
  • Optimizing: an organization that’s fine-tuning and evolving its existing security capabilities (often with a risk-driven approach), having a clear view into operational expectations and associated metrics, adapting to technology change drivers, and demonstrating business value as a differentiator.

Your roadmap to effective software security activities is here

Your roadmap to a better SSI is here

Maybe you’re new to the software security party. Maybe you read an earlier BSIMM report, or you’ve even had a BSIMM assessment. In any case, we encourage you to download BSIMM10 (it’s free). It’ll show you how your organization can improve, or even start, a software security initiative. Software security is never going to get easier. But by sharing what we know, learning from one another’s mistakes, and always building on existing best practices, we can make it better.

Does your software security initiative need a lift?

Download BSIMM10

 

More by this author