Software security is becoming a critical business priority and a growing number of organisations are benchmarking their efforts early in their software security initiative (SSI) lifecycle, using the results strategically to improve their risk posture over time.
“With the rise of widely distributed and increasingly disruptive attacks targeting vulnerable software, we are seeing a shift from the reactive ‘penetrate and patch’ approach toward more proactive strategies for organisations to build secure software systematically from the ground up,” said Dr Gary McGraw, vice president, security technology, Synopsys Inc. “Organisations are beginning to understand that they can mitigate risk more effectively by establishing an SSI, assessing their strengths and weaknesses early on, and focussing their efforts on the most appropriate practices and activities.”
Synopsys released the eighth iteration of the Building Security in Maturity Model (BSIMM), a software security maturity model. It is based on real-world data and helps organisations plan, execute and measure their SSIs. BSIMM8 includes data collected from 109 firms and describes the work of 4769 software security professionals, showcasing the science behind software security best practices. Their work guides the security efforts of almost 300,000 developers across approximately 95,000 applications. The firms represent industry verticals such as financial services, independent software vendors (ISVs), cloud, healthcare, Internet of Things (IoT), and insurance.
Among the key findings from the study are:
- Organisations use the BSIMM to jumpstart their SSIs. BSIMM8 introduces firms that are in the early stages of the SSI lifecycle. This is reflected in a slight drop in the average maturity score from 33.9 to 33.1, and in the average software security group age falling from 3.94 to 3.88 years in the BSIMM population. SSI benchmarking is one of the pivotal first steps in the software security journey.
- BSIMM firms mature over time. Firms that participated in multiple past assessments show a clear trend of improvement, with scores increasing by an average of 10.3 or 33.4%. Benchmarking is an effective exercise to guide organisations along the optimal path towards building secure software consistently.
- Maturity varies by industry. Each industry prioritises certain activities over others, and every industry and individual organisation has a different path toward building security. On average, cloud, financial services, and ISV firms are more mature than those in healthcare, IoT, and insurance. Financial services and cloud firms have notably higher scores in compliance and policy practices, while IoT firms have the most mature software environment practices.
The BSIMM observes firms that have established real SSIs, quantifying the occurrence of 113 activities that reveal both the common ground shared by many initiatives and the variations that make each initiative unique. The data show that high-maturity initiatives are well-rounded across all 12 practices described by the model. Organisations can use the BSIMM to compare initiatives and determine which additional activities might be useful.