BSIMM10 compiles a decade of research on software security activities in real-life firms into a guide for maturing your software security initiative.
Have you heard of the BSIMM? If you have, you know it’s the best way to measure your software security initiative (SSI) year after year to see how it’s evolving and how your SSI compares to that of other firms in your industry. If you haven’t, you’re in luck: The latest version is out now, and it’s notably different from last year’s version. Read on for a summary, or get the report here.
The BSIMM is the Building Security In Maturity Model. It compiles all the observations collected from BSIMM assessments (analyses of individual organizations) and offers conclusions about software security best practices, demonstrates how real-life SSIs mature and evolve, and describes the state of software security within and across verticals. In other words, it reports on the software security activities performed by real-world organizations—not what they should do but what they actually do.
When an organization asks for a BSIMM assessment, we send a team of consultants to conduct in-depth interviews with key security personnel from the software security group (SSG) and the legal, compliance, training, intelligence, incident response, and engineering teams. Using these observations, we score the organization’s existing efforts in 119 software security activities across 12 practices.
In a BSIMM assessment, we compare the organization’s SSI to other organizations in the same vertical. We discuss areas of strength and potential improvement. Then we add all those observations to the BSIMM pool, updating the model incrementally with every assessment. We also remove those assessments that have aged out. Consequently, the model reflects the state of software security and the maturity of SSIs in the real world.
BSIMM10 is the 10th version of the BSIMM. It describes 119 activities (grouped into 12 general practices in four domains) performed by 122 firms we assessed within the last 42 months. Some firms had multiple assessments to see how their SSIs were maturing. Some firms also had different business units assessed separately.
With that much data, it’s easy to see patterns emerge. BSIMM10 highlights three new patterns in real-life software security programs: how DevOps is changing software security, how engineers are leading security efforts, and how SSIs evolve through three phases.
BSIMM10 shows that the DevOps movement, along with growth in CI/CD tooling and digital transformation, is affecting the way that firms secure their software portfolios.
Agile, CI/CD, and DevOps are driving an increase in development velocity and the use of automation. In response, firms are changing the way they approach the software security activities they perform. We’ve updated many of the BSIMM activity descriptions to reflect these changes. We’ve also added three new activities (see below) that demonstrate how firms are actively working to match the speed of software security to the speed of software delivery.
BSIMM10 is our first study to formally reflect changes in SSI culture. Governance-led cultures, where centralized SSGs lead software security efforts from the top down, were once dominant. Now we’re seeing more engineering-led cultures, where development and operations teams drive software security efforts from the bottom up. Just in the past few years, engineering-led security culture has established and grown meaningful software security efforts in some organizations.
The demands of modern software delivery practices, such as agile and DevOps, are driving this new wave of engineering-driven security culture. Another contributing factor is that engineering teams want to avoid friction with existing SSIs.
Traditional governance-driven cultures practice proactive risk management through controls around assurance, such as policies, standards, and gates. But engineering-driven cultures prioritize speed and automation, prototyping controls incrementally, and building on existing tools and techniques. Even though their priorities and approaches differ, and sometimes compete, both cultures can exist within the same organization. All stakeholders must coordinate efforts to align these cultures and drive the SSI in a single coherent direction.
BSIMM10 shows that organizations can improve over time. Many mature to the point where they strive to expand existing software security activities rather than always adding new ones.
We’ve measured 50 of the 122 firms in BSIMM10 at least twice (on average, 30 months apart). Their activity counts increased by an average of 11.1 (42%), and in 43 firms, the raw score went up.
BSIMM10 is the first BSIMM report to define three phases of SSI maturity—emerging, maturing, and optimizing. BSIMM10 also demonstrates how both governance-led and new engineering-led cultures can progress through these phases.
Maybe you’re new to the software security party. Maybe you read an earlier BSIMM report, or you’ve even had a BSIMM assessment. In any case, we encourage you to download BSIMM10 (it’s free). It’ll show you how your organization can improve, or even start, a software security initiative. Software security is never going to get easier. But by sharing what we know, learning from one another’s mistakes, and always building on existing best practices, we can make it better.