Software Integrity Blog


How to scale a software security initiative: Lessons from the BSIMM

The approach needed for scaling a software security initiative (SSI) varies from industry to industry and from business to business, right?

That’s one of the questions explored by the Building Security In Maturity Model (BSIMM).

But, why now? Computers and software have been around for decades. Why have software security topics, especially that of scalability, become more important recently?

More software means more vulnerabilities

As more software is developed, more vulnerabilities are created along with it. Attackers are getting smarter about how they carry out an attack, and attacks are becoming more widespread and more frequent. Businesses should get smarter too, bolstering their security efforts to protect their most valuable assets: user data and other sensitive internal data. After all, every business in every industry is a target these days.

The BSIMM stays ahead of the bad guys by analyzing actual data from 67 leading firms across 12 industries. The study isn’t about best practices. It’s not about good vs. bad methods for carrying out an SSI. It’s not even about theories. BSIMM observes participating firms in order to describe and measure the approaches they actually take. Real data. Real activities.

BSIMM-V (the fifth iteration of the study) measures the work of 2,930 full-time software security employees who oversee the work of over 272,000 developers. The study focuses on finding patterns, analyzing and measuring SSIs, and identifying what works and what doesn’t within each.

Key findings from BSIMM-V

One key finding is that many firms focus only on their highest-risk applications, assuming that this is enough to mitigate their risk of attack. In reality, medium- and low-risk apps are also part of the attack surface and should be addressed. It’s not just the highest-risk threats that need resolving; the entire portfolio matters, or else you’re still leaving gaps open for attack.

Synopsys’ VP of Security Technology, Gary McGraw, recently spoke at the American Software Testing Qualifications Board, Inc. (ASTQB) Conference in Washington, DC, where he shared the lessons learned from BSIMM-V.

The touchpoints Dr. McGraw outlines for scaling an SSI are:

  1. Scaling Code Review
  2. Scaling Architecture Analysis
  3. Scaling Penetration Testing

