See what’s new in the BSIMM10
The 10th iteration of the Building Security In Maturity Model (also known as the BSIMM) is now available. This science experiment that escaped the lab continues to evolve as the only detailed and sophisticated “measuring stick” for software security initiatives (SSIs), also commonly referred to as application or product security programs.
First things first, I’d like to note that the BSIMM is not a how-to guide. As the latest report puts it, “We like to say we visited a neighborhood to see what was happening and observed that ‘there are robot vacuum cleaners in X of the Y houses we visited.’ Note that the BSIMM does not say, ‘all houses must have robot vacuum cleaners,’ ‘robots are the only acceptable kind of vacuum cleaners,’ ‘vacuum cleaners must be used every day,’ or any other value judgments.”
Instead, it simply observes and reports the current state of a software security program. The benefit to organizations is that instead of a report telling them what to do in a one-size-fits-none sort of way, it reports in detail what others are already doing.
BSIMM10 represents real-world data from 122 organizations across eight industry verticals.
The high-water mark diagram you see below illustrates how frequently various levels of activities are observed in firms participating in the BSIMM study as well as in a given firm. The diagram shows that the current 122 firms are collectively putting effort into more activities in Strategy & Metrics, Compliance & Policy, and Standards & Requirements compared to Attack Models and Architecture Analysis, whereas the ExampleFirm seems to place great value on Attack Models, Code Review, and Penetration Testing.
This view acts as a proxy for overall maturity but can also be broken down on an industry vertical basis to observe effort across activities and growth differences between various industries.
For example, in highly regulated industries like financial services, it isn’t all that surprising to see a spike around Compliance & Policy, whereas we typically don’t see that spike in ISVs or IoT. Most verticals measured within the BSIMM have a strong understanding of the foundational security activities.
Some verticals are collectively doing more than others in various areas, for a variety of reasons. In certain industries, effort in particular activities is driven by legal reasons relating to regulations, statutes, and contracts. In others, customer expectation and preference, along with perceptions of privacy, may drive which of the 119 BSIMM10 activities are emphasized over others.
Another way of looking at this is that different verticals carry out different security activities based on their different perceptions of risk. We see that reflected in their high-water mark diagrams, which in turn show both the foundational activities and the less common activities each vertical uses to build out its particular SSI.
It isn’t reasonable to say that Healthcare Company X is more mature than Insurance Company Y because this would be like comparing apples to oranges. Why? Because each firm will build the right program for its needs. Even if they are in the same business, a firm doing 30 activities and a firm doing 50 activities might have the same overall maturity relative to their software portfolios.
But we can say that one group of firms within a specific industry vertical does things that seem to be collectively important throughout the vertical. Then again, another group of companies in another industry vertical carries out completely different activities that seem to be important to them. They’re not the same things necessarily, and yet, there are trends among each industry.
I’d also like to call out that BSIMM10 is the first iteration of the BSIMM study to formally reflect changes in SSI culture. This is observed in a new wave of engineering-led software security efforts originating bottom-up in the deployment and operations teams rather than top-down from a centralized software security group.
Engineering-led security culture has shown itself to be a means of establishing and growing meaningful software security efforts in some organizations, something it struggled to do even just a few years ago.
Along these cultural lines, BSIMM data also shows that the DevOps movement, along with the growth in CI/CD tooling and digital transformation, is affecting the way firms approach software security for their software portfolio. BSIMM10 includes three new activities for just this reason.
As organizations have adopted DevOps practices that push software to the cloud, we’re seeing that this is a big change agent in most firms. Where DevOps culture and CI/CD toolchains intersect with cloud deployments, we’re realizing this is a game-changer when we think about software security.
We don’t yet understand the full impact, as the dust is still settling around this early phase in the evolution of these technologies and strategies. Upcoming iterations of the BSIMM will certainly shed more light on what organizations are doing to get from DevOps to DevSecOps and to secure their cloud deployments.