Synopsys study highlights impact of DevOps on software security
Synopsys has released BSIMM10, the latest version of the Building Security In Maturity Model (BSIMM), designed to help organisations plan, execute, mature and measure their software security initiatives (SSIs).
Synopsys has used the BSIMM nearly
450 times across 185 firms over the past
decade and this 10th iteration reflects
software security activities observed
across 122 firms.
BSIMM10 also highlights the impact of
DevOps on software security initiatives,
the emergence of a new wave of
engineering-driven security efforts
and how firms progress through three
phases of software security maturity.
BSIMM10 describes the work of 7,900
software security professionals whose
efforts guide and maximise the security
efforts of nearly 470,000 developers
working on more than 173,000
applications. BSIMM10 represents firms in industry verticals including financial services, high tech, independent software vendors (ISVs), cloud, healthcare, Internet of Things (IoT), insurance and retail.
Key findings from the BSIMM10 study:
• DevOps’ impact on software
security: The BSIMM data shows
that the DevOps movement and the
adoption of continuous integration
and continuous delivery (CI/CD)
tooling are affecting the way that
firms approach software security.
This is seen in the BSIMM’s addition
of three new activities that reflect
how firms are actively working to
automate security activities to match
the speed at which their business
delivers functionality to market.
BSIMM10 also includes updated
descriptions and examples of
existing activities to reflect how they
are being implemented as part of
modern DevOps organisations.
• The new wave of engineering-driven security culture: BSIMM10 is the first study to formally reflect changes in SSI culture, observed in a new wave of engineering-led software security efforts originating bottom-up in development and operations teams rather than top-down from a centralised software security group. In some organisations, an engineering-led security culture has emerged after a struggle to establish and grow meaningful software security efforts. This new wave of engineering-driven security culture is emerging in response to both the demands of modern software delivery practices such as Agile and DevOps and undesirable friction with existing SSIs.
• Firms use the BSIMM to navigate
their software security journey:
BSIMM10 is the first edition to define
three phases of SSI maturity –
emerging, maturing, optimising – and
describe how different firms typically
progress through them. The BSIMM
data shows that organisations
improve demonstrably over time and
many achieve a level of maturity
where they focus on the depth,
breadth and scale of the activities
they’re conducting rather than
always striving for more activities.
“Leading an effective software security
initiative is challenging and the dramatic
technological and organisational shifts
brought on by DevOps and CI/CD are
not making that task easier,” said Sammy
Migues, Principal Scientist at Synopsys.
“As a tool that constantly evolves to
reflect the experiences of hundreds of
software security groups around the
world, the BSIMM and its community
are invaluable resources, whether you’re
just beginning your journey, looking to
optimise your program or grappling with
new challenges.”
The BSIMM includes data collected from firms that have established real SSIs, quantifying the occurrence of 119 activities to show the common ground shared by many initiatives as well as the variations that make each initiative unique.
The BSIMM data show that high-maturity
initiatives are well-rounded, carrying
out numerous activities in all 12 of
the practices described by the model.
Organisations can use the BSIMM to
compare initiatives and determine which
additional activities might be useful to
support their overall strategies.
Issue 19 | 61 | www.intelligentciso.com