90% of organizations have software security checkpoints in their software development lifecycle (SDLC) according to a report

90% of the member organizations surveyed have established software security checkpoints in their software development lifecycle (SDLC) according to the most recent Synopsys Building Security In Maturity Model (BSIMM) report, indicating that this is a critical step to successful software security initiatives.

In addition, there was a 51% increase in activities associated with reducing open-source risk over the previous 12 months, as well as a 30% increase in organizations creating and maintaining a software bill of materials (SBOM).

About the Synopsys BSIMM

The BSIMM, which was launched in 2008, is a tool for constructing, measuring, and evaluating software security initiatives. It is built on a data-driven approach leveraging the industry's largest database of worldwide cybersecurity practices.

The BSIMM13 report reviewed software security practices across 130 enterprise organizations, including 48 Fortune 500 companies such as Adobe, Bank of America, and Lenovo, in their efforts to secure more than 145,000 applications created and maintained by over 410,000 individuals.

The findings highlight a significant rise in activity that indicates that BSIMM member organizations are adopting a "shift everywhere" strategy to perform automated and continuous security testing throughout the SDLC and manage risk across their entire application portfolio.

Trends year over year

One way to examine the differences between BSIMM12 (last year) and BSIMM13 is to look for patterns, such as a sharp rise in the observation rate of common activities. For example, the observation rates for the six activities below grew by 20% or more in BSIMM13 compared with the previous year:

  • Up 34%: implement cloud security controls.
  • Up 27%: make code review mandatory for all projects.
  • Up 25%: create a standards review process.
  • Up 25%: gather and use attack intelligence.
  • Up 24%: identify open source.
  • Up 20%: require security sign-off for compliance-related risk.

Taking action

BSIMM13 data suggests that organizations should consider the following main actions, whether they are planning a software security project or maintaining a mature program.

Security testing tools can assist in fixing bugs and identifying known vulnerabilities in your software, whether it is developed in-house, commercial third-party software, or open source.

Collect and combine data from your security testing tools and use it to create and enforce software security policies. Gather data on what testing was done and what problems were discovered to drive security improvements in both the software development lifecycle and your governance processes.

Move away from human-intensive manual approaches to more efficient, consistent, and repeatable automated approaches.

Where possible, substitute manual tasks such as pen testing or manual code review with smaller, faster, pipeline-driven testing.

A software bill of materials should list your software assets along with the open source and third-party code they depend on.
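The three recommendations above (combine testing-tool data into enforceable policy, run the checks in the pipeline, and keep an SBOM of your assets) fit together in a single release gate. The script below is an added illustration, not code from the BSIMM report or from Synopsys: it loads a constructed, minimal CycloneDX-style component list, merges constructed findings from two hypothetical tools (an SCA scanner and a SAST scanner) into one schema, checks every finding against the SBOM so that untracked software shows up as a coverage gap, and applies a small policy. All component names, finding identifiers and severities are invented placeholders.

```python
"""Pipeline security gate: SBOM + merged testing-tool findings -> policy decision.

Added example; not part of the BSIMM report. All data below is constructed.
"""
from dataclasses import dataclass, field
import json

# Constructed SBOM fragment in a CycloneDX-like shape (component list only).
SBOM_JSON = """
{
  "components": [
    {"name": "webapp",    "version": "2.1.0", "type": "application", "origin": "in-house"},
    {"name": "libparse",  "version": "1.4.2", "type": "library",     "origin": "open-source"},
    {"name": "paygw-sdk", "version": "3.0.1", "type": "library",     "origin": "third-party"}
  ]
}
"""

# Constructed findings from two hypothetical tools, already normalised to one schema.
# The identifiers are placeholders, not real advisories.
SCA_FINDINGS = [
    {"tool": "sca", "component": "libparse", "version": "1.4.2",
     "id": "VULN-EXAMPLE-001", "severity": "high"},
]
SAST_FINDINGS = [
    {"tool": "sast", "component": "webapp", "version": "2.1.0",
     "id": "SAST-EXAMPLE-017", "severity": "medium", "rule": "sql-injection"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Policy derived from the collected data: what the pipeline refuses to ship.
POLICY = {
    "block_at_or_above": "high",    # any finding at this severity or worse fails the gate
    "max_medium_per_component": 2,  # too many mediums on one component also fails
    "require_sbom_coverage": True,  # a finding on software missing from the SBOM fails
}


@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)
    coverage_gaps: list = field(default_factory=list)


def load_components(sbom_json):
    """Index SBOM components by (name, version)."""
    sbom = json.loads(sbom_json)
    return {(c["name"], c["version"]): c for c in sbom["components"]}


def merge_findings(*sources):
    """Combine findings from several tools, grouped by (component, version)."""
    merged = {}
    for source in sources:
        for finding in source:
            key = (finding["component"], finding["version"])
            merged.setdefault(key, []).append(finding)
    return merged


def evaluate_gate(sbom_json, findings_by_component, policy=POLICY):
    """Apply the policy to merged findings; untracked components are flagged."""
    components = load_components(sbom_json)
    result = GateResult(passed=True)
    block_rank = SEVERITY_RANK[policy["block_at_or_above"]]
    for (name, version), findings in findings_by_component.items():
        label = f"{name}@{version}"
        if (name, version) not in components:
            result.coverage_gaps.append(label)
            if policy["require_sbom_coverage"]:
                result.passed = False
                result.reasons.append(f"finding on {label} but component not in SBOM")
        mediums = 0
        for f in findings:
            rank = SEVERITY_RANK.get(f["severity"], 0)
            if rank >= block_rank:
                result.passed = False
                result.reasons.append(f"{f['tool']}: {f['id']} ({f['severity']}) on {label}")
            elif f["severity"] == "medium":
                mediums += 1
        if mediums > policy["max_medium_per_component"]:
            result.passed = False
            result.reasons.append(f"{mediums} medium findings on {label}")
    return result


def component_summary(sbom_json, findings_by_component):
    """Per-component record of origin, finding count and worst severity (None if clean)."""
    summary = {}
    for key, comp in load_components(sbom_json).items():
        findings = findings_by_component.get(key, [])
        worst = max(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 0), default=None)
        summary[f"{key[0]}@{key[1]}"] = {
            "origin": comp["origin"],
            "findings": len(findings),
            "worst": worst["severity"] if worst else None,
        }
    return summary


if __name__ == "__main__":
    merged = merge_findings(SCA_FINDINGS, SAST_FINDINGS)
    gate = evaluate_gate(SBOM_JSON, merged)
    print("gate passed:", gate.passed)
    for reason in gate.reasons:
        print(" -", reason)
    print(json.dumps(component_summary(SBOM_JSON, merged), indent=2))
```

Run as a pipeline step, a non-zero exit on `gate.passed == False` is all the build system needs; the `component_summary` output is the per-release record of what was tested and what was found, which is the data the report recommends feeding back into governance.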

The BSIMM is an open standard that provides a framework based on software security practices that an organization may use to assess and mature its own efforts in software security.

The BSIMM methodology

BSIMM data originates from interviews conducted with member companies during a BSIMM assessment. After each assessment, observation data is anonymized and added to the BSIMM data pool, where statistical analysis is performed to highlight trends in BSIMM firms' software security.

Read the whole Synopsys report here.