Blog archive

Latest BSIMM Report: Security for DevOps and CI/CD Becomes a Priority

Enterprises are adapting their software security efforts to support DevOps as CI/CD instrumentation and operations orchestration have become standard components of organizations' software security initiatives. That's one of the insights from the latest Building Security In Maturity Model (BSIMM ) report from Synopsis.

First published in 2009, the BSIMM is the result of a multiyear study of real-world software security initiatives (SSIs). It was developed to provide a "fact-based" set of best practices for developing and growing an enterprise-wide software security program. That set of practices was the first maturity model for security initiatives created entirely from real-world data. The latest BSIMM is available for download now.

This edition of the BSIMM report was authored by Sammy Migues, principal scientist at Synopsys, and one of the original developers of the BSIMM, John Steven, founding principal of Aedify Security, and Mike Ware
Sr. director of technology at Synopsys.

"The purpose of the BSIMM is to quantify the activities carried out by various kinds of [software security initiatives] across many organizations," the report's authors explain. "Because these initiatives use different methodologies and different terminology, the BSIMM requires a framework that allows us to describe any initiative in a uniform way. Our software security framework (SSF) and activity descriptions provide a common vocabulary for explaining the salient elements of an SSI, thereby allowing us to compare initiatives that use different terms, operate at different scales, exist in different parts of the organizational chart, operate in different vertical markets, or create different work products."

The 11th BSIMM report was the result of the efforts of more than 8.4k security software security professionals, who guide the efforts of almost 500k developers. This edition examines practices across 130 companies in a range of industries, from financial to health care, to identify and help solve their software security challenges. 

The list of emerging trends in this report for DevOps teams includes:

  • Software security efforts are matching pace with software delivery: New activities show a shift toward DevSecOps, including: SM3.4 Integrate software-defined lifecycle governance, AM3.3 Monitor automated asset creation, CMVM3.5 Automate verification of operational infrastructure security 
  • Organizations are "shifting everywhere:" The "shift left" concept has evolved from performing security testing earlier in the development cycle to performing as soon as artifacts are available.
  • Security champions are evolving in firms embracing DevOps and DevSecOps: This is to recruit members from cloud and related roles to apply their expertise as code for organizational benefit.

The BSIMM has proved to be a useful reflection of the current state of software security initiatives in the enterprise, and given how hard it can be to get any organization to communicate honestly about its security practices, something of a miracle. As Gary McGraw, co-author of the original BSIMM, likes to say, it was a science that escaped the test tube to become a de facto standard.

"That's very gratifying, personally," McGraw told me in a 2015 interview, "but the important thing is the emphasis here on real data, and the use of facts in computer security. I think we've finally moved past the witchdoctor days in software security."

Posted by John K. Waters on September 15, 2020