IT Security Guru
Over a Decade in Software Security: What Have We Learned?

Shifting Right Towards Resilience, Quality, and Security with Synopsys & BSIMM

by The Gurus
July 1, 2022
in Featured

With over a decade of experience in software security, what can Synopsys teach us? Managing Consultant Adam Brown presented this very subject at Infosecurity Europe 2022, with the help of Synopsys’s BSIMM metrics.

The Building Security In Maturity Model (BSIMM) is an assessment carried out by Synopsys that helps firms analyse the state of their software security. This understanding then allows those firms to repair where they are going wrong. BSIMM is currently on its 12th iteration, with the 13th on the horizon. According to Adam Brown, Managing Consultant, Synopsys works with 231 firms through an interview-driven process to produce reports, and aggregates this data for free availability at BSIMM.com.

The BSIMM is no typical maturity framework. Through assessment interviews, a scorecard is crafted, which includes information such as how a firm might address its security pitfalls, as well as other metrics on patterns and weaknesses.

But wait, Brown was careful to point out, what’s the difference between measurements and metrics? And why does this matter?

Measurements are numbers representing information without the context of the situation, he explained, while metrics are those same numbers with the context taken into account. Without context, the data is inconsistent. In other words, Synopsys believes in shifting right, not left, and in understanding how security systems operate in real-world situations. And so BSIMM uses metrics.

What does Synopsys do with these metrics? According to Brown, metrics on software security should be used to determine where, and into which areas, energy is being diverted into security. For example, imagine that there are three levels of security protections. Level one protections are the most foundational, and level three protections are the additional, specialised ones that certain firms may prefer over others.

More isn’t always better, Brown noted. But a solid foundation of level one protections, a good amount of level two ones, and a scattering of threes, will increase the security maturity level of the firm in question.

During his presentation, Brown also shared some BSIMM data on the software security trends of today. Since the previous BSIMM report, there has reportedly been a 60% increase in the identification and control of open source, as well as another 60% increase in firms using service level boilerplate agreements for vendors. Shockingly, there was still a near-zero observance rate for looking at malicious code within firms. According to Brown, only one of the 128 firms included in the BSIMM data pool was careful enough to do this.

More positively, there has been a shift towards continuous effort, observation, and defect discovery. More specifically, a 40% increase in the observation rate of automating static and dynamic testing tools in the Software Development Life Cycle (SDLC) was reported.

Beyond the bare bones of security metrics, BSIMM also considers whether a firm is governance-led or engineering-led, in other words, what the operational priorities of the firm are. The approach to maximising security differs for each. For a governance-led organisation, the checklist for improvements may focus more on leadership, rules, checkpoint compliance, and centralised testing, whereas for an engineering-led organisation, velocity and automation might be more important qualities.

Despite these differences, however, governance-led and engineering-led firms should have shared goals. What are they?

Resilience. Quality. Security.

With a 15% increase in firms beginning the journey to integrate these metrics into their software security framework, BSIMM seems to have done its job in measuring the emergence of security properties and aiding in the development of security activities in firms with lower maturity scores.

This is what Synopsys has learned from BSIMM, and as software security only continues to expand and intensify as the years pass, there will surely be much more to learn. Here at IT Security Guru, we are looking forward to what BSIMM13 will have to teach us.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic