WHITE PAPER The BSIMM Brings Science to Software Security

The BSIMM (Building Security In Maturity Model), now in its 10th iteration, has the same fundamental goals that it did at the start, more than a decade ago: Help organizations navigate the often-treacherous path of developing an effective software security initiative (SSI) and provide a free tool they can use as a measuring stick for those SSIs.

Since then, it has established a reputation as the best tool available to do exactly that, but not by trying to tell organizations exactly how to build their long-term initiative. Each initiative—and we’ve seen hundreds—will always be a unique thing, and one-size-fits-all, cookbook approaches will always be less effective than personalized approaches.

Instead, the BSIMM is very much a “what’s happening now” guide. While it doesn’t try to tell any individual organization exactly how to build its personalized initiative, our approach to improving software security clearly captures the common elements in lots of initiatives. This year’s release is based on observations of 122 participating companies, primarily in eight verticals: financial, independent software vendors (ISV), tech, healthcare, Internet of Things (IoT), insurance, cloud, and retail.

By now, you should have heard of the BSIMM, especially if you’re a software security person. Maybe you’ve even downloaded a copy of your own—it’s free under the Creative Commons license.

Either way, it’s time to get a new copy, because we’ve just released BSIMM10.

What’s changed?

Remember, because the BSIMM is completely data driven, this report is different from any you may have read in the past. That’s how science goes.

That’s also how the world of software security goes—it evolves. So there are changes in BSIMM10 that reflect that evolution, which manifested in two major ways.

DevOps’ impact on software security

The BSIMM data show that the DevOps movement, along with growth in CI/CD tooling and digital transformation, is affecting the way that firms approach software security for their software portfolio.

We updated many of the BSIMM activity descriptions to reflect these changes. We also added three new activities to reflect how firms are working to match the speed of software security to the speed at which their business delivers functionality to market:

• Integrate software-defined lifecycle governance focuses on replacing traditional human- and document-driven processes with automation that drives application lifecycle management processes.

• Monitor automated asset creation addresses maintaining awareness of the virtual assets now being created by engineering teams.

• Automate verification of operational infrastructure security helps ensure that virtual assets adhere to security expectations when created and over time.

The new wave of engineering-driven security culture

BSIMM10 is our first study to formally reflect changes in SSI culture, observed in a new wave of engineering-led software security efforts originating bottom-up in the development and operations teams rather than top-down from a centralized software security group (SSG). Engineering-led security culture has shown itself to be a means of establishing and growing meaningful software security efforts in some organizations, whereas it struggled to do so even just a few years ago.

What’s in this document?

The document you’re reading focuses on BSIMM10 facts and figures. The data collected and organized essentially report what participating firms are doing and what tools they’re using to enable their SSIs. In other words, organizations can see what is already working, or perhaps not working, for others in their industry.

Those observations cover 119 activities grouped under 12 practices, which fall under four domains: Governance, Intelligence, SSDL (Secure Software Development Lifecycle), and Deployment.

The numbers are about real SSIs doing real work to secure the software that you use every day. This is no ephemeral top-10 list from the bug parade. This is a set of facts about the real state of software security on planet Earth.

What is the BSIMM Community?

Together, all firms whose observations are included in BSIMM10 comprise the BSIMM Community.

The BSIMM project is spearheaded by three co-authors: Sammy Migues, Michael Ware, and John Steven. The data, gathered through direct observation, describe the work of 122 software security initiatives from firms including Adobe, Aetna, Alibaba, Ally Bank, Amadeus, Amgen, Autodesk, Axway, Bank of America, Betfair, BMO Financial Group, Black Duck Software, Black Knight Financial Services, Box, Canadian Imperial Bank of Commerce, Capital One, City National Bank, Cisco, Citigroup, Citizens Bank, Comerica Bank, Dahua, Depository Trust & Clearing Corporation, Eli Lilly, Ellucian, Experian, F-Secure, Fannie Mae, Fidelity, Freddie Mac, General Electric, Genetec, Global Payments, HCA Healthcare, Highmark Health Solutions, Horizon Healthcare Services, HSBC, iPipeline, Johnson & Johnson, JPMorgan Chase & Co., Lenovo, LGE, McKesson, Medtronic, Morningstar, Navient, NCR, NetApp, News Corp, NVIDIA, PayPal, Principal Financial Group, Royal Bank of Canada, Scientific Games, Synopsys Software Integrity Group, TD Ameritrade, The Home Depot, The Vanguard Group, Trainline, Trane, U.S. Bank, Veritas, Verizon, Wells Fargo, and Zendesk. BSIMM10 added 19 firms and dropped 17 for data freshness reasons (we are serious about data integrity), for a data pool of 122 firms. Over time, 8 firms have rejoined the community after they were dropped. The data freshness threshold is currently 42 months. As our study progresses, we intend to decrease the freshness window to 36 months to better align with business cycles.

What is the BSIMM?

As stated above, the BSIMM is a free measuring stick for software security. The best way to use it is to compare and contrast your own initiative with the data in the model, which shows what other organizations are doing. You can then identify goals and objectives of your own and look to the BSIMM to determine which further activities make sense for you.

The BSIMM is not a software security methodology; it’s a science project to capture salient aspects of everyone’s software security methodology so those looking to improve can quickly see what others are doing. To make this clear: Consider that the BSIMM can be used to measure an initiative built around the Microsoft SDL or the Synopsys Touchpoints, but it is by no means a substitute for either of those methodologies.

The BSIMM is organized as a set of 119 activities in a software security framework, represented in Table 1. The framework includes 12 practices that are organized into four domains.

Table 1: BSIMM Software Security Framework

BSIMM by the numbers

Table 2 shows the growth of the BSIMM project over the years. Remember, software security initiatives are ongoing and not a fire-and-forget exercise.

Table 2: BSIMM numbers over time

BSIMM10 describes the work of 7,894 SSG and satellite people working directly in software security, having an impact on the security efforts of 468,500 developers. The satellite (e.g., security champions) is usually made up of developers, architects, and people in the organization directly engaged in and promoting software security but not as full-time SSG members.

If you wonder how big your firm’s SSG should be, you’re not alone. We wonder also, but we do know how big the SSGs are at 122 firms. If we average all the ratios of SSG size to development group size, we get an SSG “average of averages” of 1.37%, or one full-time SSG member for every 73 developers. Table 3 contains some additional interesting data.

Initiative age                  Satellite size
  Average: 4.5 years              Average: 51.6
  Newest: 0.1 years               Smallest: 0
  Oldest: 19 years                Largest: 1,500
  Median: 3 years                 Median: 0

SSG size                        Development group size
  Average: 13.1                   Average: 3,840.2
  Smallest: 1                     Smallest: 5
  Largest: 160                    Largest: 100,000
  Median: 6.0                     Median: 900

Table 3: Real-world data (122 firms)

Table 4 shows how many firms use each of the 119 activities in their SSIs. Each activity has a label (e.g., “SM1.1”) and is described in detail in the BSIMM10 report. It lets you know, for free, who is doing what. Now what we need to do is spread the adoption of software security to all firms creating software. You can help.

Table 4: BSIMM activities for all firms

How does your SSI compare to that of other groups, such as a vertical market?

Table 5 shows what happens when the BSIMM measuring stick is applied to an example firm. You can directly compare how your SSI stacks up against the other 122 firms in BSIMM10.

Table 5: BSIMM scorecard for an example firm

Is your firm a financial services institution? BSIMM10 compares you to the group of 57 other financial services firms. Are you an ISV? We can compare you directly to the group of 43 other ISVs. That measurement is a powerful tool that drives both budgets and improvement.

Nobody wants to be the slowest zebra in the zebra pack. Is your firm the slowest zebra? You can get your own scorecard like the one in Table 5 and do some analysis to find out.

We also create a spider diagram like the one shown in Figure 1 as a way of visualizing a comparison based on 12 practices. The 119 activities in the model fit directly into the 12 practices.

Figure 1: BSIMM spider diagram for an example firm

The “high-water mark” approach (based on three levels per practice) in our spider diagrams is sufficient to get a low-resolution feel for maturity, especially when working with data from a particular vertical or geography.

One meaningful comparison is to chart your own firm’s maturity high-water mark against the averages we’ve published to see how your initiative compares.
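The high-water mark per practice is simply the highest of the three levels at which a firm has at least one observed activity. The script below is an added illustration, not code from the BSIMM project or Synopsys; it assumes the activity label form the page shows (“SM1.1”: practice abbreviation, level, activity number) and the twelve standard BSIMM practice abbreviations, and both the example firm’s scorecard and the per-practice averages are constructed values, not BSIMM10 figures.

```python
"""Per-practice BSIMM high-water marks from observed activity labels (added
illustration, not BSIMM project or Synopsys code). Assumes the label form the page
shows ("SM1.1": practice, level, number) and the twelve standard BSIMM practice
abbreviations; all sample data below is constructed."""
import re
# The 12 practices, grouped under the four BSIMM domains.
PRACTICES = {
    "Governance":   ["SM", "CP", "T"],
    "Intelligence": ["AM", "SFD", "SR"],
    "SSDL":         ["AA", "CR", "ST"],
    "Deployment":   ["PT", "SE", "CMVM"],
}
ALL_PRACTICES = [p for group in PRACTICES.values() for p in group]
LABEL = re.compile(r"^(SM|CP|T|AM|SFD|SR|AA|CR|ST|PT|SE|CMVM)([123])\.(\d+)$")

def parse_label(label):
    """Split 'SM1.1' into ('SM', 1, 1); reject anything not in BSIMM label form."""
    m = LABEL.match(label)
    if not m:
        raise ValueError(f"not a BSIMM activity label: {label!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

def high_water_marks(observed):
    """Highest level (1-3) with at least one observed activity, per practice.
    0 means nothing was observed in that practice."""
    marks = {p: 0 for p in ALL_PRACTICES}
    for label in observed:
        practice, level, _ = parse_label(label)
        marks[practice] = max(marks[practice], level)
    return marks

def below_average(marks, averages):
    """Practices where the firm's high-water mark sits under the published
    average: the 'where do we lag' reading of a spider diagram overlay."""
    return {p: (marks[p], averages[p]) for p in ALL_PRACTICES if marks[p] < averages[p]}

# Constructed scorecard for a hypothetical firm (observed activity labels).
EXAMPLE_FIRM = ["SM1.1", "SM1.4", "SM2.1", "CP1.1", "T1.1", "AM1.2", "SFD1.1",
                "SR1.1", "SR2.2", "AA1.1", "CR1.4", "CR2.6", "ST1.1", "PT1.1",
                "PT1.2", "PT2.3", "SE1.2", "CMVM1.1", "CMVM2.1"]
# Constructed per-practice averages; NOT the figures BSIMM10 publishes.
EXAMPLE_AVERAGES = {"SM": 1.8, "CP": 1.9, "T": 1.4, "AM": 1.5, "SFD": 1.6, "SR": 1.7,
                    "AA": 1.4, "CR": 1.9, "ST": 1.6, "PT": 2.0, "SE": 1.8, "CMVM": 2.1}

if __name__ == "__main__":
    marks = high_water_marks(EXAMPLE_FIRM)
    for domain, practices in PRACTICES.items():
        print(f"{domain}: " + ", ".join(f"{p}={marks[p]}" for p in practices))
    print("below average:", below_average(marks, EXAMPLE_AVERAGES))
```

Because a single level-2 activity lifts a practice to “2” regardless of how many level-1 activities are missing, the high-water mark is the low-resolution view the text describes; Table 4-style activity counts are needed for depth and breadth.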

You can evolve too

Another significant change: BSIMM10 is the first BSIMM report to define three phases of SSI maturity—emerging, maturing, and optimizing. It also demonstrates the hypothetical path governance-led and new engineering-led cultures might take to progress through those phases.

The BSIMM data show that no matter which path organizations take, they improve demonstrably over time, and many achieve a level of maturity where they focus on the depth, breadth, and scale of the activities they’re conducting rather than always striving for more activities.

Fifty of the 122 firms in BSIMM10 have been measured at least twice, and on average, the time between first and second measurements was 30 months. Across all 50 firms, the activity count increased by an average of 11.1 (42%), and the raw score went up in 43 of the 50 firms.

You can join the community

The 122 firms participating in BSIMM10 make up the BSIMM Community. An exclusive online community with more than 600 members allows SSG leaders participating in the BSIMM to discuss solutions with others who face the same issues, discuss strategy with someone who has already addressed an issue, seek out mentors from those further along a career path, and band together to solve hard problems.

The BSIMM Community also hosts annual private conferences in the United States and Europe where representatives from each firm gather together in an off-the-record forum to discuss software security initiatives.

Become part of the community today and take advantage of these unique resources. The BSIMM website includes a credentialed BSIMM Community section where information from the conferences, working groups, and mailing-list-initiated studies is posted.

©2019 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at www.synopsys.com/copyright.html. All other names mentioned herein are trademarks or registered trademarks of their respective owners. 09/20/19. The BSIMM Brings Science to Software Security v2.

The Synopsys difference

Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

For more information, go to www.synopsys.com/software.

Synopsys, Inc. 185 Berry Street, Suite 6500 San Francisco, CA 94107 USA

U.S. Sales: 800.873.8193 International Sales: +1 415.321.5237 Email: [email protected]