By Jack M.Germain
Independent software vendors, along with Internet of Things and cloud vendors, are involved in a market transformation that is making them look more alike. The similarities are evident in the way they approach software security initiatives, according to a report from Synopsys.
Synopsys on Tuesday released its ninth annual Building Security in Maturity Model, or BSIMM9. The BSIMM project provides a de facto standard for assessing and then improving software security initiatives, the company said. Based on 10 years of conducting the software study, it is clear that testing security correctly means being involved in the software development process, even as the process evolves, said Gary McGraw, vice president of security technology at Synopsys.
Using the BSIMM model, along with research from this year’s 120 participating firms, Synopsys evaluated each industry, determined its maturity, and identified which activities were present in highly successful software security initiatives, he told LinuxInsider.
“We have been tracking each of these vendors separately over the years,” McGraw said. “We are seeing that this whole cloud thing has moved beyond the hype cycle and is becoming real. As a result, the three categories of vendors are all beginning to look the same. They are all taking a similar approach to software security.”
Targets on Businesses’ Backs
The BSIMM is a multiyear study of real-world software security initiatives based on data gathered by more than 90 individuals in 120 firms. The report is a measuring stick for software security, according to Synopsys. Its primary intent is to provide a basis for companies to compare and contrast their own initiatives with the model’s data about what other organizations are doing. Companies participating in the study then can identify their own goals and objectives. The companies can refer to the BSIMM to determine which additional activities make sense for them.
Synopsys captured the data for the BSIMM. Oracle provided resources for data analysis. Synopsys’ new BSIMM9 report reflects the increasingly critical role that security plays in software development. It is no exaggeration to say that from a security perspective, businesses have targets painted on their backs due to the value that their data assets represent to cybercriminals, noted Charles King, principal analyst at Pund-IT.
“Software can provide critical lines of defense to hinder or prevent incursions, but to be effective, security needs to be implemented across the development cycle,” he told LinuxInsider. “The BSIMM9 report nails some high points by emphasizing the growing importance of cloud computing for businesses.”
Security Status Quo
Rather than provide a how-to guide, this report reflects the current state of software security. Organizations can leverage it across various industries — including financial services, healthcare, retail, cloud and IoT — to directly compare and contrast their security approach to some of the best firms in the world.
The report explores how e-commerce has impacted software security initiatives at retail firms.
“The efforts by financial firms to proactively start Software Security Initiatives reflects how security concerns affect and are responded to differently by various industries and organizations,” said King. “Overall, the new report emphasizes the continuing relevance, importance and value of the Synopsys project.”
One key finding in the new report is the growing role played by cloud computing and its effects on security. For example, it shows more emphasis on things like containerization and orchestration, and ways of developing software that are designed for the cloud, according to McGraw.
Following are key findings from this year’s report:
- Cloud transformation has been impacting business approaches to software security; and
- Financial services firms have reacted to regulatory changes and started their SSIs much earlier than insurance and healthcare firms.
Retail, a new category for the report, experienced incredibly fast adoption and maturity in the space once retail companies started considering software security. In part, that is because they have been making use of BSIMM to accelerate faster. In one sense, the report enables predicting the future, allowing users to become more like the firms that are the best in the world, according to McGraw.
“The bottom line is that we see the BSIMM is indicating a market transformation that is actually taking place. We are getting past the baloney into the brass tacks,” he said.
Activities and Practices
Researchers established a BSIMM framework based on three levels of activities with 115 activities divided into 12 different practices. Level one activities are pretty easy and a lot of firms undertake them, noted McGraw. Level two is harder and requires having done some level one activities first.
“It is not necessary, but that is what we usually see,” he said. “Level three is rocket science. Only a few firms do level three stuff.”
The researchers already had some idea of what is easy and what is hard in dealing with software security initiatives. They also know the most popular activities in each of the 12 practices.
“So we can say if you are approaching code review and you are not doing this activity, you should know that pretty much everybody else is,” said McGraw. “You should then ask yourself, ‘Why?'”
That does not mean you have to do XYZ, he added. It just means maybe you should consider why you are not doing that.
The BSIMM9 report also gives a detailed explanation of the key roles in a software security initiative, the activities that now comprise the model, and a summary of the raw data collected. It is essential to recognize the target audience for the report. The audience is anyone responsible for creating and executing a software security initiative. Successful SSIs typically are run by a senior executive who reports to the highest levels in an organization.
They lead an internal group the researchers call the “software security group,” or SSG, charged with directly executing or facilitating the activities described in the BSIMM. The BSIMM is written with the SSG and its leadership in mind.
“We are seeing for the first time a convergence of verticals — ISVs, IoT vendors and the cloud — that used to look different in the way they approached software security,” said McGraw. “They were all doing software security stuff, but they were not doing it exactly the same way.”
Each year researchers talk to the same firms as well as new participants. All of the data is refreshed each year. That provides a perspective of at least 12 months — but probably, on average, a much shorter time span. There is not that much of a lag indicator involved because of the scientific methods the researchers use, according to McGraw.
The BSIMM review provides a much more objective view of what is going on in the target groups than you would get by looking at a few case studies, he noted. That was one of the study’s goals when he initiated it years ago.
“The BSIMM is the result of wanting to have real objective data without overemphasizing technology or people of particular vendors or whoever paid us money,” McGraw said.
Under the BSIMM’s charter, it is designed not to be a profit-making, but to help Synopsys break even. Firms pay for their participation in the study and sponsored events, said McGraw. Non-participants can view the report for free, but paying to participate gets the companies their own results. This gives the paid participants a very intense look at their own software security and how it compares to others with their own data published for them, McGraw explained. The published report does not provide the data of individual firms, only collective data.
The most important outcome for participating is feedback from the community that developed among the participants, according to McGraw. Synopsys holds two annual conferences, one in the U.S. and one in the EU.
Ten years ago security researchers did not know what everybody was doing regarding software security. Now firms can use the BSIMM data to guide their own firm’s approach to it, according to McGraw.
“We learned that all firms did software security slightly differently. There is no one correct way because the cultures of all the firms and their dev teams differed,” he said. With a unified view of all the approaches used, researchers can describe in general how to approach software security and track particular activities, McGraw said.
“We didn’t come up with a particular set of prescriptive guidance. Instead, we came up with a descriptive set of facts that you can use to make great fast progress with software security,” he noted.
What Successful Firms Are Doing
BSIMM researchers recognize that the report data on software security never will eliminate data breaches and other software security concerns. Unfortunately, there is no first-order way to measure security, noted McGraw.
“You cannot throw software in a box that lights up red or green. We retreated to developing a look at what successful firms are doing as a way to guide other firms to be more like them,” he said, “but there is no way to measure that directly.”