As it turns out, not all advice is good advice.
Despite having the best intentions, those we look to for guidance often lead us down a path that, while successful for them, ultimately isn’t meant for us.
When it comes to software security, taking bad advice can be detrimental.
The daily headlines remind us: if hackers can exploit the open vulnerabilities in business software, they can steal intellectual property, swipe the personal information of employees and customers, drain corporate bank accounts, undermine the physical security of a building or even take down the operations of an organization with ransomware attacks.
Every business is now a software business, and software is now a business risk.
To survive this hostile environment, we must be careful about whom we ask for advice and whether to act on what they tell us.
Rather than soliciting feedback from one or two of your peers, what if you had detailed insights from more than 100 of them at your fingertips? What’s worked, what’s failed and perhaps most importantly, what’s changed? And how have they responded to those changes to build trust in their software?
That’s why more than 130 of some of the most well-known organizations around the globe have undergone a BSIMM analysis to date.
Established in 2008, the BSIMM – the Building Security In Maturity Model – observes 250 software security initiatives across four domains (Governance, Intelligence, SSDL Touchpoints and Deployment) to examine how organizations build security into software development in a rapidly evolving threat landscape. Through this data-driven lens, the BSIMM assesses the maturity of an organization’s software security group as a whole and produces a software security scorecard used to benchmark that program against its peers.
Assessments and scorecards aside, BSIMM provides member organizations with a private digital community to engage with peers, share insights and learn best practices, as well as in-person events to foster meaningful connections and tighter collaboration.
BSIMM is also the subject of an annual report – now in its thirteenth iteration – that highlights trends observed in member organizations’ software security initiatives to help the wider security community plan, execute and measure their organizations’ initiatives. Understanding the latest BSIMM report trends can help you plan strategic improvements to your own security efforts.
BSIMM13 highlights evolving trends among member organizations’ software security initiatives over the last 12 months in their cumulative efforts to secure more than 145,000 applications built and maintained by nearly 410,000 developers.
One of the top trends noted in BSIMM13 is an increased focus on open-source software and software supply chain security. Those were fringe topics in the security community just a few years ago. Now, they are top priorities for more than half (51%) of BSIMM organizations, with good reason. Whether open-source or commercial, third-party software is in just about every codebase and comprises the large majority of them.
An encouraging trend noted in BSIMM13 is that 73% of the cybersecurity teams surveyed have increased their efforts to secure their supply chains. One way to do so is to use an automated software composition analysis (SCA) tool, which inventories the open-source components in a codebase and reports the known vulnerabilities and licensing conflicts in those components.
Another is creating and maintaining a software bill of materials (SBOM), which identifies third-party software in codebases so an organization can respond quickly to any new disclosures of vulnerabilities in any of those components. BSIMM13 found a 30% increase in organizations creating SBOMs, reflecting the increased awareness of software supply chain risks.
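The SBOM response loop described above, reduced to its mechanics as an added example (this is illustration code written for this page, not a BSIMM artifact or any vendor's SCA tool): parse a CycloneDX-style SBOM, split each component's package URL (purl) into package and version, and check the version against OSV-style advisory ranges where `introduced` is inclusive and `fixed` is exclusive. The SBOM, the component names and the `EXAMPLE-2023-*` advisory identifiers are constructed for the example and are not real packages or CVEs. Components without a purl are reported separately, because an SBOM entry that cannot be matched to a package identifier cannot be matched to a disclosure either.

```python
"""Added example: matching a new vulnerability disclosure against an SBOM.

The SBOM and the advisories below are constructed for illustration; the
package names, versions and advisory identifiers are hypothetical.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical application.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "billing-service", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "json-parser", "version": "1.3.7",
     "purl": "pkg:maven/org.example/json-parser@1.3.7"},
    {"type": "library", "name": "http-client", "version": "3.1.0",
     "purl": "pkg:npm/example-http-client@3.1.0?vcs_url=git%2Bhttps%3A%2F%2Fexample.invalid"},
    {"type": "library", "name": "crypto-utils", "version": "0.9.2",
     "purl": "pkg:pypi/example-crypto-utils@0.9.2"},
    {"type": "library", "name": "legacy-blob", "version": "unknown"}
  ]
}"""

# Constructed advisories in an OSV-like shape: a version-less purl plus
# introduced/fixed ranges. Identifiers are hypothetical, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001",
     "package": "pkg:maven/org.example/json-parser",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.4.2"}]},
    {"id": "EXAMPLE-2023-0002",
     "package": "pkg:npm/example-http-client",
     "ranges": [{"introduced": "0", "fixed": "3.1.0"}]},
    {"id": "EXAMPLE-2023-0003",
     "package": "pkg:pypi/example-crypto-utils",
     "ranges": [{"introduced": "0.9.0", "fixed": "0.9.1"},
                {"introduced": "1.0.0", "fixed": "1.0.3"}]},
]


def version_key(v):
    """Leading numeric parts of a dotted version: '1.4.2-rc1' -> (1, 4, 2).
    Simplification: pre-release tags, epochs and ecosystem qualifiers are
    ignored; a production SCA tool needs per-ecosystem comparators."""
    nums = []
    for part in v.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    return tuple(nums)


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are right-padded with zeros so
    '1.2' == '1.2.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def split_purl(purl):
    """Return (package part, version) from a purl; qualifiers ('?...') and
    subpath ('#...') are dropped first. Version is None if absent."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return base, None
    pkg, version = base.rsplit("@", 1)
    return pkg, version


def is_affected(version, ranges):
    """OSV range semantics: 'introduced' is inclusive, 'fixed' is exclusive."""
    for r in ranges:
        if compare_versions(version, r["introduced"]) < 0:
            continue
        if "fixed" in r and compare_versions(version, r["fixed"]) >= 0:
            continue
        return True
    return False


def find_affected(sbom_json, advisories):
    """Match every SBOM component against the advisory list.
    Returns affected components and components that could not be matched."""
    sbom = json.loads(sbom_json)
    app = sbom["metadata"]["component"]
    result = {"application": f"{app['name']} {app['version']}",
              "affected": [], "unmatchable": []}
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        pkg, version = split_purl(purl) if purl else (None, None)
        if not pkg or version is None:
            # No package identifier or version: cannot be matched to any
            # disclosure, which is itself a finding for the SBOM owner.
            result["unmatchable"].append(comp.get("name", "<unnamed>"))
            continue
        for adv in advisories:
            if adv["package"] == pkg and is_affected(version, adv["ranges"]):
                fixed = [r["fixed"] for r in adv["ranges"] if "fixed" in r]
                result["affected"].append({
                    "advisory": adv["id"], "package": pkg,
                    "version": version, "fixed": fixed[0] if fixed else None})
    return result


if __name__ == "__main__":
    print(json.dumps(find_affected(SBOM_JSON, ADVISORIES), indent=2))
```

Two of the constructed components sit exactly at range boundaries on purpose: `http-client` 3.1.0 is the fixed version of its advisory and is correctly not flagged, while `json-parser` 1.3.7 falls inside its range and is. The version comparison is deliberately naive; real ecosystems (Maven qualifiers, Debian epochs, npm pre-release tags) need their own comparators, which is one reason to let a mature SCA tool do this matching rather than a script.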
BSIMM13 also shines a light on a continuing trend in organizations deriving value from ‘security champions programs.’ In such a program, the software security group recruits developers, QA testers, architects and DevOps engineers to act as ‘software security champions’ within their own teams, so that security expertise reaches every team and the software security group can scale its efforts without expanding its headcount. In BSIMM13, firms with such programs scored 35% better on average in BSIMM assessments than those without one.
But perhaps the most compelling figure from the BSIMM13 data is zero: none of the 130 participant organizations had the exact same structure for its software security group.
There is no single best route to maturing a software security program. The destination, however, is common to all: delivering software that can be trusted.
That’s why the BSIMM report is likened to a roadmap. Rather than dictating the best path for an organization to take, BSIMM lets each organization chart its own course toward maturity based on its own risk profile and priorities.
While it’s certainly possible to arrive at this destination without a map, having a little help from your friends can help ensure you get there safely.