EdgeVerve, an AI and intelligent automation company, recently underwent a BSIMM assessment to evaluate its software security program—with stellar results.
By Sandesh Mysore Anand, Managing Security Consultant at Synopsys, and Ashok Kumar Ratnagiri, Director & Head, Product Security at EdgeVerve
The Building Security In Maturity Model (BSIMM) project has been compiling research on software security activities in organizations around the globe for over a decade. It collects the observations from BSIMM assessments of individual organizations and from them draws conclusions on software security best practices, shows how real-life software security initiatives (SSIs) mature and evolve, and describes the state of software security within and across industry verticals. In other words, the BSIMM reports on the software security activities that real-world organizations actually implement.
A data-driven model, the BSIMM helps organizations measure the effectiveness and maturity of their software security initiatives accurately. It provides organizations with intelligence to build their software security program on par with global security standards.
When an organization decides to move ahead with a BSIMM assessment, Synopsys sends a team of consultants to conduct in-depth interviews with key security personnel from the organization’s software security group (SSG) and the legal, compliance, training, intelligence, incident response, and engineering teams. With the help of these observations, the BSIMM team attributes a score to the organization’s existing efforts in 119 software security activities across 12 practices.
The spider chart below illustrates how a BSIMM assessment presents scoring throughout these 12 practices to an organization. The chart shows the maturity of the organization’s practices in relation to the entire pool of BSIMM participants.
EdgeVerve recently underwent a BSIMM assessment, joining the BSIMM data pool and becoming the first firm headquartered in India to benchmark their software security program with the BSIMM. EdgeVerve is a wholly owned subsidiary of Infosys Limited. They help clients across the globe navigate their digital journey and drive business value with their AI, intelligent automation, and AI-enabled suite of products.
EdgeVerve proactively established a product security group and has been maturing that team for over five years. The team conducts activities such as penetration testing, static analysis (using industry-leading tools such as Coverity), and software composition analysis (with Black Duck). Being part of the BSIMM study now provides EdgeVerve an opportunity to enhance its product security program further and become part of a diverse, global software security community.
EdgeVerve builds products consumed by large, global companies. Secure software is critical to customers. The decision to proceed with a BSIMM assessment reinforces EdgeVerve’s commitment to software security in the development of their product offerings. By exhibiting the presence of a dedicated software security group, EdgeVerve intends to drive organizational change throughout the AI and automation industry, demonstrating a high degree of security effort in the following BSIMM practices:
Security has always been a top priority for EdgeVerve. A software security group has been a part of the company from day one of its existence. The company has matured their security processes over the years through their software security initiatives and a sustained effort in implementation.
Security initiatives. EdgeVerve has reinforced its security initiatives with the introduction of more advanced controls demanded by the changes in today’s technology landscape. For example, in the last 12–24 months, the company has set up controls for stringent open source vulnerability identification and tracking in both applications and containers. The company’s efforts include investing in the right set of tools.
Developer community. The developer community has access to tools that can identify vulnerabilities in a given version of an open source component before they choose to use it in any EdgeVerve product. A push toward DevSecOps, the integration of static scans within IDEs, and incremental scans to highlight newly introduced issues daily have helped EdgeVerve shift security left in the SDLC, thereby improving the maturity of the overall application security process.
Product life cycles. EdgeVerve has embedded security at various stages in their product development and deployment life cycles and across several layers of hierarchy in the organization, employing a varied set of tools and processes. Internal audits, internal product security maturity metrics, a dedicated security team, a committed engineering team, a culture that emphasizes shared security responsibility, and unwavering top management support for security initiatives have helped EdgeVerve reach their current security maturity stance.
Product releases. The company has implemented security controls for every release of their products. These controls include static application security testing (SAST), dynamic application security testing (DAST), internal and external penetration testing exercises, open source security audits, and container scans. Guides and checklists for secure deployment also help guide the delivery and operations teams.
Security teams. EdgeVerve’s security initiatives are supported and executed by a highly skilled and certified team of security professionals responsible for the company’s security charter. The team includes professionals holding CISSP, CEH, ISO 27001 LA, OSCP, CBCI, and ITIL certifications. Additionally, the team combines the organizational emphasis on security with specialized skill sets and experience to put effective controls in place. Their efforts are reflected in the company’s BSIMM score, which places EdgeVerve above the BSIMM pool average in 9 out of 12 practice areas.
Training and enablement. EdgeVerve’s security coverage ranges from developer orientation to the necessary training and enablement. The company maintains secure coding standards for the developer community and has ingrained security as a shared responsibility in the technical ethos of the organization. For instance, capture-the-flag (CTF) contests and security challenges help keep employees engaged, and Cyber Security Awareness Month in October sees healthy participation from the EdgeVerve developer community as well. Seminars and expert talks from industry leaders in application security are another feature that highlights the importance the firm places on developer training and awareness.
As a software product company, EdgeVerve realizes the importance of maintaining high security standards in the way they architect, engineer, validate, and deploy their products. As EdgeVerve is in the business of AI, automation, and banking software, data is the essential input in delivering the desired outcomes for clients. A focus on data makes it considerably more important for an AI product company like EdgeVerve to achieve the highest levels of security while building products. The company’s success lies not just in fulfilling clients’ functionality requirements but also in ensuring that the CISOs of their client organizations feel secure in trusting EdgeVerve’s products with their customer data and the critical operations that are central to their business.
Providing clients with an internal peek at their security controls would serve this purpose only partially. Instead, EdgeVerve recognized that benchmarking themselves against the practices of a community of firms and quantifying the maturity of their security processes would be a much more evolved way of providing confidence to their clients. A BSIMM assessment does just that. It provides a view of where EdgeVerve stands with respect to similar organizations that operate in related industries.
The BSIMM assessment at EdgeVerve was an intense process. The BSIMM panel interviewed various stakeholders, including the COO, security heads, product engineering staff, and security experts, and conducted multiple rounds of discussions to represent the facts accurately. The whole process built confidence in the company’s security practices and also brought out the areas that needed strengthening.
EdgeVerve scored above the average of the community of BSIMM10 participants in 9 out of 12 practice areas. The report states that the interviewers “never observed all 119 activities in a single firm, and such a feat is not a reasonable goal.”
EdgeVerve is the first Indian product organization assessed against the BSIMM framework, which is a matter of great pride for several reasons:
Any security expert would undoubtedly admit that security is an ongoing journey. The EdgeVerve team is committed to treading the path of security with utmost seriousness. Their recent BSIMM assessment further emphasizes this commitment. It also points out a few areas where the firm can improve, and they are persistent in their endeavor to build a robust software security strategy.