What Can Retail Software Security Initiatives Gain from the BSIMM?


The Building Security In Maturity Model (BSIMM) is a measuring stick for software security initiatives around the globe. In the latest iteration, retail industry initiatives were added to the data pool. Here’s what we observed.

The Building Security In Maturity Model, or BSIMM, now in its tenth year as an objective measuring stick for software security, welcomed a new industry vertical to the data pool this year: retail.

If you’ve followed the BSIMM over the last decade, you know that a number of different industry verticals, including financial services and independent software vendors (ISVs), have been closely tracked since its inception. Healthcare and Internet of Things (IoT) were added with BSIMM6 and cloud and insurance with BSIMM7.

The threshold for inclusion as a BSIMM vertical is nine firms. This is so that no individual firm in a vertical will have its BSIMM data exposed when numbers describing a subpopulation representing the vertical are published. Adhering to the threshold policy allows us as scientists to publish detailed results from subsets of the BSIMM data.

Ten retail firms participated in BSIMM9, which tracks the development of software security initiatives (SSIs) by organizations based on 116 possible activities grouped into a dozen practices, including, for example, Strategy & Metrics, Standards & Requirements, Code Review, and Software Environment.

BSIMM9 reports on data from 120 firms, 110 of which are outside retail. It also reports numbers for the retail vertical on its own, as a subset of the whole.

The BSIMM is an objective, data-driven model that prides itself on scientific accuracy. A data freshness threshold of 42 months is applied to the data gathered over the last ten years, so measurements older than that are retired from the current data pool rather than left to skew the averages.

All told, the BSIMM has produced more than 320 detailed measurements since it started. BSIMM9 reports on these measurements directly, drawing important conclusions about the state of software security as practiced by leading firms.

You can think of the BSIMM as a map that helps a firm go from point A to point B in the software security space. The map provides an objective overview of the software security space itself, defined by the software security initiatives of 120 firms. The map itself does not provide explicit directions for a software security journey; instead, it can be used to build a clear set of directions that apply to any particular firm on the planet.
In other words, the BSIMM is a descriptive model rather than a prescriptive model.

Having a map to help you on a journey beats the heck out of setting out in your car without a plan. For example, getting from point A to point B via the interstate system is usually a better bet than taking winding back roads (and is way better than setting out in entirely the wrong direction). Likewise, using the BSIMM to guide your SSI, by knowing where you stand among your peers, is far superior to taking a willy-nilly approach to software security driven by the technology flavor of the day.

By leveraging the collection of detailed observations describing the software security activities performed by real-world organizations (not what they should do but what they actually do), retail firms, as a vertical market, have made remarkably fast progress in software security.

When we computed a comparison of retail versus “Earth” (that is, all BSIMM9 firms), retail performed at or somewhat above the Earth average.

The retail vertical, with an average software security group (SSG) age of only 3.2 years and an average SSG size of around eight full-time people, tracks closely with the overall BSIMM data pool (which includes many firms that have been practicing software security for well over a decade).

The most obvious differences are in the Architecture Analysis, Software Environment, and Configuration Management & Vulnerability Management practices, where retail participants are somewhat ahead of the average for Earth.

The SSIs of the BSIMM firms in retail (firms are allowed to remain anonymous if they wish) displayed an impressive level of maturity for a vertical new to BSIMM reporting. They were collectively equal to or better than average in 10 of the 12 practices.

This quick progress compared to many other verticals (such as healthcare) likely has two causes. The first we already discussed above: use of the BSIMM as a guiding map. Retail benefits as a late adopter from all the lessons that the early adopters learned the hard way.

Figuratively speaking, retail may have been able to accelerate quickly because it looked at the BSIMM map and decided to take the interstate in the right direction instead of a bunch of back roads in the wrong direction.

The second reason for quick progress is a bit tougher to stomach. We’ll call it “getting security religion the hard way.” Sadly, catastrophic data breaches, in which attackers exploit vulnerabilities in IT systems, are not unknown in retail. Target and Home Depot suffered two of the more notorious.

Both firms made lemonade out of lemons, found security religion, and joined the BSIMM Community as they worked to improve their security posture and build security in. After some soul searching following massive, spectacular data breaches, smart firms realize that they must clean up their act in a hurry and do more than simply check a compliance box.

BSIMM provides an opportunity for all firms to learn without having to make the same mistakes—or wrong turns—that others did earlier, and without having to suffer a spectacular data breach first.

The BSIMM is also free. The data collected and organized are available to any business under the Creative Commons Attribution-ShareAlike license.

As in any data-driven project, an even more accurate, detailed picture of the retail sector will emerge as the number of retail firms in the study grows. BSIMM9 describes 50 financial services firms and 42 ISVs. We fully expect retail to grow just as big.

Of course, the benefit of developing and mining collective data is huge, but the benefit of the community is even bigger. In fact, the BSIMM Community turns out to be a powerful resource indeed, holding conferences, sharing best practices, and generally cutting through the BS in computer security. Simply put, the more data we gather, the better the model is. If you join the BSIMM, you’re going to get out more than you put in. Retail is already farther along in its software security maturity than verticals such as healthcare and insurance.

Co-Author: Taylor Armerding, Senior Security Strategist, Synopsys

Taylor Armerding is senior security strategist with the Synopsys Software Integrity Group.