Reimagining the Future of Software Security with Intelligence Sharing

essidsolutions

Over 130 organizations have recorded their software security programs on an annual basis in the BSIMM report, allowing them to compare and contrast their strategy against peers. In this article, Jamie Boote, associate principal security consultant at Synopsys Software Integrity Group, explores key trends observed in this exercise. 

As with most things, we are stronger when working together. The same goes for cybersecurity. By sharing intelligence, learning from one another’s failures and successes, and discussing how the threat landscape is evolving and how best to respond, we can move forward better prepared to tackle the challenges of tomorrow. In this vein, over 130 organizations, including Adobe, PayPal and Lenovo, have recorded their software security programs annually in the Building Security in Maturity Model (BSIMM) report, allowing them to compare and contrast their strategy against peers.

Now in its 13th year, the BSIMM report has played a key role in reinforcing efforts to secure over 145,000 applications built and maintained by 410,000 developers. The recently published BSIMM13 report identifies five activities that most organizations implement today, which therefore serve as a good starting point for others introducing their own software security program: setting up security checkpoints such as automated static analysis, dynamic security testing, penetration tests and manual code review, together with the governance around them; ensuring host and network security basics are applied; identifying privacy obligations; creating an incident response plan; and using external penetration testers to spot issues sooner rather than later. By correlating results with those of preceding years, we can also identify areas that require greater focus, be it cloud security controls or better visibility into open-source code.

Besides these observations, there were a couple of other trends worth exploring.


Supply Chain Risk Management

First and foremost, it is no surprise that many organizations have increasingly prioritized initiatives to mitigate software supply chain risk. Look no further than security researcher Alex Birsan’s 2021 discovery of dependency confusion to understand how one vulnerability can have such a widespread impact. Through this one flaw, Birsan was able to hack into dozens of household names, from Apple and Microsoft to PayPal. Imagining such a technique in the wrong hands should be enough to jolt security teams into action.

The ubiquitous nature of open-source software in today’s technologies certainly requires greater effort in identifying and managing the risk this entails. In fact, Software Composition Analysis (SCA) tools have been at the heart of initiatives to identify and control open-source risk, with both activities growing nearly 35% from last year. Moreover, the shift towards cloud-native application development has raised questions about how such apps are stored, packaged, deployed and exposed through application programming interfaces (APIs). To meet this challenge, some organizations are turning to automated tests that assess APIs continuously before allowing them to receive sensitive data. There has also been 30% growth in the number of organizations creating Software Bills of Materials (SBOMs) to gain visibility into their use of third-party software and to improve their capacity to respond to disclosed vulnerabilities.

Generally, most organizations are changing their relationships with third-party partners as well. Indeed, the activities ‘communicate standards to vendors’ and ‘ensure compatible vendor policies’ have risen by 46% and 56%, respectively, as organizations delegate more security responsibility to their partners. Many more organizations also now include SLA terms in vendor contracts to ensure that standards are met, 15% more year-on-year, to be exact. Yet, interestingly, providing security awareness training to vendors and outsourced workers seems to have dropped significantly down the list of priorities, falling by 30%. It would appear that with the inclusion of SLA terms in contracts, the responsibility for staff training has shifted from the organization to the vendor.

To Shift Everywhere and Beyond 

Another trend that surfaced in this year’s report is the expansion of the “shift left” movement that began over 15 years ago; now, we’re witnessing “shift everywhere” in full swing. In addition to adding security testing at the beginning of the development process, teams are now embedding and automating security measures into all phases of the software lifecycle. As many as 82% of BSIMM member organizations now use automated code review tools, ranking the practice among the top 10 most observed activities. This approach relies on smaller, faster and often pipeline-driven testing, reflected in the ‘implement security tests in QA automation’ activity, which shot up nearly 50%.

Software security has also moved beyond applications and products into operations. Security and operations teams are collaborating more, with the activity ‘fix all occurrences of software bugs in operations’ rising by 175%, while efforts to ‘enhance the SSDL to prevent software bugs’ altogether went up by more than 70%. Concurrently, software security groups are working more closely than ever with infrastructure teams to produce knowledge-as-code libraries, that is, machine-deployable security knowledge.

Regardless of the team structures observed in BSIMM members, one of the most common first steps for getting started with software security was vesting authority and responsibility in a single team or role. This team may emerge first as an individual software security lead or as a small collective of engineers but eventually expands into a more extensive group, including developers, testers, architects and DevOps engineers, among others. Whether led from within engineering or a security function, its main aim is to provide software security services, set policy and verify compliance with it, and enable security to scale with the business.

Developing a Security Conscience

Historically, the initiatives with the greatest impact are those that a senior executive also advocates, as this helps ensure the team is empowered and held accountable. This is usually the CISO but could be any C-level representative such as the CFO, CEO or COO. In addition, some of the firms that score highest in BSIMM assessments run a security champions program. These champions do not have to be security experts, but they do give the company a ‘security conscience’, looking out for possible issues and flagging them as and when they are discovered.

There is no one-size-fits-all approach to software security, but by keeping an eye on the latest trends and what is or is not working well for others, we can gain important insights that will guide us toward one of many solid security strategies. 
