How Widespread Are Software Security Checkpoints in the SDLC?
According to the 13th and latest edition of the annual Synopsys Building Security In Maturity Model (BSIMM) report, 90% of the member organisations surveyed have established software security checkpoints in their software development lifecycle (SDLC), suggesting this is an important step in their software security initiatives.
The same report records a 51% increase in activities controlling open-source software (OSS) risk over the previous 12 months and a 30% increase in organisations building and maintaining a software bill of materials (SBOM), as discussed in a previous blog post.
What is the Synopsys BSIMM?
Established in 2008, the BSIMM is a tool for creating, measuring and evaluating software security initiatives. Using a data-driven model, it leverages the industry’s largest set of data on worldwide cybersecurity practices, having been developed through the careful study and analysis of more than 200 initiatives.
- Participants from a diverse range of sectors, including healthcare, fintech, IoT, insurance, tech, cloud, ISV and finance
- 130 firms are in BSIMM13
- 75% come from North America, 13% from Europe, Africa and the Middle East, and 12% from the Asia-Pacific region
- 3,442 software security group (SSG) members
- 8,508 Security Champions
Of the 130 organisations involved in the report, 48 were Fortune 500 companies, including Adobe, Bank of America and Lenovo. Between them they were working to secure more than 145,000 applications, built and maintained by nearly 410,000 developers.
The findings underline a sharp increase in BSIMM member organisations implementing an automated and continuous security testing approach throughout the SDLC, minimising risk across their full portfolio of apps.
Year-on-Year Trends
By looking at changing trends, we can assess the differences between BSIMM12 and BSIMM13, for example by identifying common activities whose observation rate grew sharply. The observation rate for the following six activities grew by 20% or more since BSIMM12:
- Implementation of cloud security controls +34%
- Making code review mandatory for all projects +27%
- Creating a standards review process +25%
- Gathering and using attack intelligence +25%
- Identification of open source +24%
- Requirement of security sign-off for compliance-related risk +20%
Taking Action
Whether in the process of creating a software security initiative or maintaining an existing program, BSIMM13 data indicates that organisations should be considering the following essential steps:
- Using data to drive security decisions
- Moving towards automated testing and security
- Moving to smaller, automated checks during the SDLC
- Creating a comprehensive SBOM as a matter of priority
BSIMM Methodology
BSIMM obtains its data from interviews with member firms during a BSIMM assessment. After each assessment, the observation data is anonymised and added to the BSIMM database, where statistical analysis is performed to identify trends in how BSIMM firms are securing their software.
Prevention is Better Than Cure
It’s an old adage, and a clichéd one at that, but it usually holds true, and open-source software risk is no exception.
Protect yourself today: begin your complimentary assessment for an objective and unbiased view of your software landscape.
Independent & Impartial
Our Agnostic Open-Source assessment will provide an objective view of your software landscape without bias. You’ll receive a comprehensive report of your current position along with recommendations delivered in a format that allows you to retain this information and act upon it quickly and easily.