
Tuesday, 22 September 2020

BSIMM11 reflects rise of DevOps and DevSecOps

Source: Synopsys.

Synopsys has released BSIMM11, the 11th iteration of the Building Security In Maturity Model (BSIMM) research report. The report can be used as a measuring stick to determine where an organisation stands in terms of software security relative to other firms. In particular, it covers the regulated industries: financial services, healthcare and insurance companies.

From an initial pool of nine organisations and 110 activities in 2009, the BSIMM now tracks 211 organisations in multiple verticals* and includes 121 observed activities. This year’s report is based on observations of 130 participating companies, in nine verticals compared to 122 participants in eight verticals last year. However, Synopsys did not simply add eight firms — 27 were added and 19 removed, the company said in a blog post.

New in the research format this year are:

New software security activities

BSIMM10 added new activities to "reflect the reality that some organisations were working on ways to speed up security to match the speed with which the business delivers functionality to market", said Taylor Armerding, Security Advocate at Synopsys in the blog post.

"To those, BSIMM11 adds activities for implementing event-driven security testing and publishing risk data for deployable artifacts. Those directly reflect the ongoing DevOps and DevSecOps evolution and its intersection with traditional software security groups," he noted.

New activities in the BSIMM represent a shift toward DevSecOps. Three activities added to BSIMM10 saw exceptional growth within the past year (SM3.4 Integrate software-defined lifecycle governance, AM3.3 Monitor automated asset creation, and CMVM3.5 Automate verification of operational infrastructure security). This reflects how some organisations are actively working to accelerate software security efforts to match the pace of software delivery, Synopsys said.

Furthermore, the two activities added in BSIMM11 represent a continuation of that trend (ST3.6 Implementing event-driven security testing, and CMVM3.6 Publishing risk data for deployable artifacts).

Engineering-led software security efforts are successfully contributing to DevOps value streams in pursuit of resiliency, the company added. BSIMM11 shows that continuous integration/continuous delivery (CI/CD) instrumentation and operations orchestration have become standard components of many organisations’ software security initiatives, and are influencing how they are organised, designed, and executed.

For example, software security teams increasingly report into a technology group or CTO (as opposed to an IT security team or chief information security officer [CISO]) and are changing how they recruit and organise talent internally.

Software-defined security governance is no longer just aspirational, Synopsys added. Organisations are replacing some high-friction, out-of-band security activities with automated activities triggered by events in the CI/CD pipeline execution.

Converting human processes and decision-making to algorithms is one of the ways organisations are increasingly addressing resource constraints and cadence management problems.

“Shift left” is becoming “shift everywhere.” The implementation of the “shift left” concept has evolved from the literal interpretation of performing some security testing earlier in the development cycle to performing security activities as soon as the artifacts to be reviewed are available. That could mean to “the left” of where activities have historically been performed, but often it is to the right, including in production.
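As an added illustration of what the two BSIMM11 activities above (event-driven security testing and publishing risk data for deployable artifacts) look like when wired into a pipeline, the following Python script is an example written for this page, not code from the BSIMM11 report or from Synopsys. The CI event names, the severity gate, the scanner stand-ins (which return constructed findings) and the layout of the published risk record are all assumptions chosen for the example; a real pipeline would call actual SAST and dependency scanners and would reference the artifact by registry digest rather than carrying its bytes.

```python
"""Event-driven security testing plus a per-artifact risk record.

Added example for this page; not Synopsys' or the BSIMM's own code.
Event shapes, scanners and the record layout are assumptions.
"""
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed CI events with an assumed shape. A pull request produces no
# deployable artifact; a build on main does (constructed bytes here).
EVENTS = [
    {"type": "pull_request", "ref": "feature/login", "artifact": None},
    {"type": "artifact_built", "ref": "main",
     "artifact": b"constructed build output, not a real binary"},
]


def sast_scan(event: dict) -> List[dict]:
    """Stand-in for a static analysis step; the finding is constructed."""
    return [{"tool": "sast", "id": "SAST-CONSTRUCTED-1",
             "severity": "medium", "location": "auth/login.py:42"}]


def dependency_scan(event: dict) -> List[dict]:
    """Stand-in for a dependency (SCA) step; the finding is constructed."""
    return [{"tool": "sca", "id": "SCA-CONSTRUCTED-1",
             "severity": "high", "location": "requirements.txt"}]


# The software-defined part of the governance: which security tests each
# pipeline event triggers, instead of a scheduled out-of-band review.
TRIGGERS: Dict[str, List[Callable[[dict], List[dict]]]] = {
    "pull_request": [sast_scan],
    "artifact_built": [sast_scan, dependency_scan],
}


def run_for_event(event: dict, gate: str = "high") -> dict:
    """Run every test registered for the event and apply the gate.

    The pipeline is blocked if any finding is at or above the gate severity.
    Unknown event types trigger nothing and are never blocked.
    """
    findings: List[dict] = []
    for test in TRIGGERS.get(event["type"], []):
        findings.extend(test(event))
    threshold = SEVERITY_RANK[gate]
    blocked = any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)
    return {"event": event["type"], "ref": event["ref"],
            "findings": findings, "blocked": blocked}


def artifact_digest(data: bytes) -> str:
    """SHA-256 of the artifact; the key that ties risk data to the binary."""
    return hashlib.sha256(data).hexdigest()


def risk_record(event: dict, result: dict) -> dict:
    """Risk data to publish next to a deployable artifact (assumed layout)."""
    counts: Dict[str, int] = {}
    for f in result["findings"]:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return {
        "artifact_sha256": artifact_digest(event["artifact"]),
        "source_ref": event["ref"],
        "tests_run": [t.__name__ for t in TRIGGERS.get(event["type"], [])],
        "counts": counts,
        "deployable": not result["blocked"],
        "findings": result["findings"],
    }


def handle(event: dict) -> Tuple[dict, Optional[dict]]:
    """Entry point a pipeline hook would call for each event.

    Returns the gate result and, only for events that produced an
    artifact, the risk record to publish alongside it.
    """
    result = run_for_event(event)
    if event["artifact"] is None:
        return result, None
    return result, risk_record(event, result)


def publish(record: dict) -> str:
    """Serialise the record; a real pipeline would push this to the registry."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    for ev in EVENTS:
        res, rec = handle(ev)
        print(ev["type"], "blocked" if res["blocked"] else "clear")
        if rec is not None:
            print(publish(rec))
```

Two points the script makes concrete: the security tests are selected by pipeline event rather than by calendar, which is what "software-defined governance" means in practice, and the risk data is keyed by the artifact's digest so that whoever deploys the artifact can look up its findings and the gate decision that was made for exactly that build.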

'Software security group (SSG)' redefined

The new definition acknowledges that an SSG might be spread across corporate, engineering, and perhaps other departments in the organisation.

"Indeed, this year’s report observed that organisations with governance-led security efforts and engineering-led security efforts are equally able to use the BSIMM to improve their capabilities," Armerding said.

Financial technology (fintech) as a vertical

Independent software vendors (ISVs) that make software specifically for financial services firms are now considered as a separate group.

“The way modern software is built and deployed has transformed dramatically over the past few years, so naturally the efforts required to secure that software are changing as well,” said Michael Ware, BSIMM co-author and Senior Director of technology at Synopsys.

“Businesses are critically dependent on software, and modern methodologies have accelerated the speed of development. As a result, there is more software everywhere, and we still need to worry about all the pre-existing software. As a model that constantly evolves to represent the actual practices in use by hundreds of software security groups around the world—including some of the most advanced teams in the world—the BSIMM provides a near-real-time view into how these changes are being implemented to protect the growing software portfolios.”

Cloud, Internet of Things, and high technology firms are three of the most mature verticals in the BSIMM11 data pool. Three verticals in the BSIMM operate in highly regulated industries: financial services, healthcare, and insurance. BSIMM11 found that large financial institutions react to regulatory changes much earlier than insurance or healthcare organisations. And although healthcare companies increasingly build devices and associated services, their overall maturity trails high-tech organisations that offer similar functionalities.

Another interesting finding is that the fintech vertical compares well to financial services. In fact, fintech was discovered to be more mature overall, and excels in the Training, Code Review and Security Testing practices.

In Synopsys' experience with the BSIMM, large financial services firms reacted to regulatory changes and started their software security initiatives (SSIs) much earlier than insurance and healthcare firms. Even though the number of financial services firms has grown significantly over the past five years, with a large influx of newly started initiatives into the BSIMM data pool, the average age of a financial services firm's SSG at last assessment time was 4.9 years, versus 3.8 years for insurance and 3.7 years for healthcare.

Time spent by financial services firms maturing their collective SSIs shows up clearly in side-by-side comparisons. Although the insurance vertical includes some mature outliers, the data for these three regulated verticals show insurance lagging in the Strategy & Metrics, Compliance & Policy, and Attack Models practices, while scoring above average in the Security Testing practice. Compared to financial services firms, the data show a similar contrast in healthcare, which achieves par in Compliance & Policy, Architecture Analysis, Code Review, and Penetration Testing, but lags in other practices.

In the BSIMM population, there are large gaps between the maturity of verticals, even when the technology stacks are similar. There is an obvious gap between technology firms that build devices tied to backend services and healthcare firms that increasingly build devices tied to backend services. The disparity in maturity extends to most practices, although the healthcare vertical is predictably ahead in the Compliance & Policy practice. Fortunately for organisations that find themselves behind the curve, the experiences of many BSIMM participants provide a good roadmap to faster maturity, Synopsys said.

Started in 2008, BSIMM is an open standard that includes a framework based on software security practices which an organisation can use to assess and mature its own efforts in software security.

Details:

Download the BSIMM11 report.

*The verticals include financial services, fintech, independent software vendors, cloud, healthcare, high technology, the Internet of Things, insurance, and retail. BSIMM11 describes the work of 8,457 software security professionals who guide the efforts of over 490,000 developers.
