BSIMM12: Takeaways and Recommendations to Help You Improve Your Software Security Program


BSIMM12 brings together research on the software security activities of real companies to create a guide that helps you navigate your software security initiative.


The popular business book, “The 7 Habits of Highly Effective People,” explores the theory that successful individuals share common qualities that help them achieve their goals, and that these qualities can be identified and applied by others. Applying the same principle to software security, the Building Security In Maturity Model project, better known as BSIMM, examines organizations’ software security initiatives, conducts in-person interviews about the activities of those organizations, and publishes its findings each year. Now in its 12th iteration, the BSIMM report has grown from nine participating companies in 2008 to 128 in 2021, representing nearly 3,000 members of software security groups and over 6,000 satellite members (aka security champions) working with nearly 400,000 developers on more than 150,000 applications.

The 2021 edition of the BSIMM report, BSIMM12, examines anonymized data from the software security activities of 128 organizations across various industry verticals, including financial services, FinTech, independent software vendors, IoT, healthcare, and technology organizations. Participating organizations include industry leaders such as Aetna, Bank of America, Citigroup, Freddie Mac, and Johnson & Johnson.


BSIMM12 demonstrates that every business is in the software industry

Many organizations examined in BSIMM12 identify with traditional verticals, but all recognize that they are fundamentally in the software industry. Software plays a major role in the operations of every organization. Delays in software development and deployment affect product release dates, the lifeblood that drives revenue and profit. Companies that sell software, or products that include embedded software, cannot afford to let security, compliance, or quality issues compromise their products.

Even companies that are not directly involved in the sale of software or software-driven products are equally dependent on the quality and security of software. Software drives administrative systems for payroll, invoicing, receivables, sales tracking, and customer records. Software controls production, manages inventory, directs warehousing, and runs the distribution systems that keep a business operating. In the service industries, software is used to analyze, optimize, model, interact with, and support customers.

The BSIMM12 results tell us that software risk is business risk, and that to manage the second effectively, you need to tackle the first.

Four major trends in software security in BSIMM12

Software security groups are lending more resources, personnel, and knowledge to DevOps.

Security teams are forging partnerships with development teams, with the goal of proactively placing security efforts in the critical path of software delivery.

Continuous testing is increasing.

BSIMM12 data indicates that more and more companies are prioritizing continuous monitoring and reporting over point-in-time defect discovery, and are then using security telemetry to improve software development processes and governance.

Break tests down into smaller, more timely checks and run them more frequently.

The imperative to identify software problems as early as possible remains, leading to the need to break large test events down into smaller, more timely checks. But there is also a growing awareness among software security groups that deployment orchestration or the post-deployment environment is sometimes the best opportunity for certain tests.

The adoption of policy as code, or governance as code, is on the rise.

Governance as code shifts security practices and adherence to compliance policies from a manual approach to a more consistent, efficient, repeatable, and automated one. BSIMM data collected in previous years indicated that organizations were beginning to replace manual, human-driven governance activities with automation. Observations from BSIMM12 now indicate that the single source of truth for software security standards and policies is increasingly becoming human-readable configuration code, or simple code that performs vulnerability discovery: the essence of software-defined lifecycle governance.


Following the Leaders: What BSIMM12 Says for Security Initiatives

Based on the BSIMM12 data, organizations in the process of building a software security initiative should consider the following key actions:

  • Use security testing telemetry whenever possible to collect data such as tests performed and issues discovered to improve the software development lifecycle (SDLC) and governance processes.
  • Move toward automating security decisions, with the end goal of governance as verifiable code. Governance as code moves security practices and compliance with policies from a manual approach to a more consistent, efficient, and repeatable automated approach.
  • Create a complete software inventory (including a software bill of materials, or SBOM) of your assets, detailing code created in-house as well as open source and third-party code.
  • Implement small, incremental security activities throughout the SDLC, rather than using large, slow pass/fail gates that delay pipeline progress.
  • Implement automated security tools that can identify and help you fix flaws, vulnerabilities, and malicious code in your organization’s critical software, whether that software was developed in-house or by contractors, and whether it is commercial third-party software or open source.
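To make the governance-as-code, software-inventory, and telemetry recommendations above concrete, here is a small policy gate written for this article (an added example, not BSIMM or Synopsys tooling). The component schema, policy keys, and sample inventory are constructed; a real pipeline would read the inventory from its SBOM tooling and the open-issue counts from its scanners.

```python
from dataclasses import dataclass

@dataclass
class Component:           # one inventory entry (constructed schema)
    name: str
    version: str
    origin: str            # "in-house", "open-source" or "third-party"
    license: str
    open_issues: int       # findings still open from the pipeline's security tools

# Constructed policy: the human-readable single source of truth the pipeline
# enforces, replacing a reviewer applying the same rules by hand.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause", "Proprietary"},
    "max_open_issues": {"in-house": 0, "open-source": 2, "third-party": 2},
    "require_version": True,
}

def evaluate(inventory, policy=POLICY):
    """Apply the policy to each component; return (passed, findings, telemetry).
    Checks are small and reported one by one, and the telemetry feeds SDLC and
    governance metrics rather than a single pass/fail gate."""
    findings = []
    for c in inventory:
        if policy["require_version"] and not c.version:
            findings.append(f"{c.name}: version missing, inventory incomplete")
        if c.license not in policy["allowed_licenses"]:
            findings.append(f"{c.name}: license {c.license!r} not permitted")
        limit = policy["max_open_issues"].get(c.origin)
        if limit is None:
            findings.append(f"{c.name}: unknown origin {c.origin!r}")
        elif c.open_issues > limit:
            findings.append(f"{c.name}: {c.open_issues} open issues exceed "
                            f"the {c.origin} limit of {limit}")
    telemetry = {
        "components_checked": len(inventory),
        "by_origin": {o: sum(c.origin == o for c in inventory) for o in policy["max_open_issues"]},
        "findings": len(findings),
    }
    return not findings, findings, telemetry

# Constructed sample inventory mixing in-house, open source and third-party code.
SAMPLE_INVENTORY = [
    Component("billing-api", "3.4.1", "in-house", "Proprietary", 0),
    Component("libfoo", "", "open-source", "MIT", 1),
    Component("vendor-sdk", "9.2", "third-party", "Commercial-EULA", 3),
]

if __name__ == "__main__":
    passed, findings, telemetry = evaluate(SAMPLE_INVENTORY)
    print("PASS" if passed else "FAIL", telemetry, *findings, sep="\n")
```

Against the sample inventory the gate fails on three individually reported findings (a missing version, an unapproved license, and a third-party component over its open-issue limit), while the telemetry dictionary is what a team would trend over time to see whether its inventory and third-party risk are improving.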

Your roadmap to a better software security initiative starts here

For the past 12 years, the BSIMM report has been used by organizations around the world as a measurement tool to compare their own software security initiative (SSI) to the wider BSIMM community. Organizations can assess their maturity, from “emerging” (just starting) to “maturing” (i.e., “activating” or refining their existing security practices to improve their security posture).

Wherever your organization is in its journey, let BSIMM12 provide you with a roadmap to help you achieve your goals.


