Synopsys has released the latest version of its Building Security in Maturity Model (BSIMM) study, which shows how the DevOps movement and the adoption of continuous integration and continuous delivery (CI/CD) tooling are changing the way firms approach software security.
This is seen in the BSIMM’s addition of three new activities that reflect how firms are actively working to automate security activities to match the speed at which their business delivers functionality to market. BSIMM10 also includes updated descriptions and examples of existing activities to reflect how they are being implemented as part of modern DevOps organisations.
Designed to help organisations plan, execute, mature, and measure their software security, the BSIMM is built from data collected at firms that have established real software security initiatives (SSIs). It quantifies how often each of 119 activities is observed, showing both the common ground shared by many initiatives and the variations that make each initiative unique.
The study also reflects changes in SSI culture, observed in a new wave of engineering-led software security efforts that originate bottom-up in development and operations teams rather than top-down from a centralised software security group. In some organisations, an engineering-led security culture has succeeded in establishing and growing meaningful software security efforts after an initial struggle to do so. This engineering-driven culture is emerging in response both to the demands of modern software delivery practices such as Agile and DevOps and to undesirable friction with existing SSIs.
BSIMM10 is the first edition to define three phases of SSI maturity—emerging, maturing, optimising—and describe how different firms typically progress through them. The BSIMM data show that organisations improve demonstrably over time, and many achieve a level of maturity where they focus on the depth, breadth, and scale of the activities they’re conducting rather than always striving for more activities.
BSIMM10 describes the work of 7,900 software security professionals whose efforts guide and maximise the security efforts of nearly 470,000 developers working on more than 173,000 applications. BSIMM10 represents firms in industry verticals including financial services, high tech, independent software vendors (ISVs), cloud, healthcare, Internet of Things (IoT), insurance, and retail.