With over a decade of experience in software security, what can Synopsys teach us? Managing Consultant Adam Brown presented this very subject at Infosecurity Europe 2022, with the help of Synopsys’s BSIMM metrics.
The Building Security in Maturity Model (BSIMM) is an assessment done by Synopsys that helps firms analyse the state of their software security. This understanding then allows these firms to repair where they are going wrong. BSIMM is currently on its 12th iteration, with the 13th on the horizon. According to Adam Brown, Managing Consultant, Synopsys works with 231 firms through an interview-driven process to produce reports, and aggregates this data so that it is freely available at BSIMM.com.
The BSIMM is no typical maturity framework. Through assessment interviews, a scorecard is crafted, which includes information such as how a firm might address its security pitfalls, as well as other metrics on patterns and weaknesses.
But wait, Brown was careful to point out: what is the difference between measurements and metrics? And why does this matter?
Measurements are numbers representing information without the context of the situation, he explained, whereas metrics are those same numbers with the context taken into account. Without context, the data is inconsistent. In other words, Synopsys believes in shifting right, not left, and in understanding how security systems operate in real-world situations. And so BSIMM uses metrics.
What does Synopsys do with these metrics? According to Brown, metrics on software security should be used to determine where energy is being diverted into security and in which areas. For example, imagine that there are three levels of security protections. Level one protections are the most foundational, and level three protections are the additional, specialised ones that certain firms may prefer over others.
More isn’t always better, Brown noted. But a solid foundation of level one protections, a good amount of level two protections, and a scattering of level three protections will increase the security maturity level of the firm in question.
During his presentation, Brown also shared some BSIMM data on the software security trends of today. Since the previous BSIMM report, there has reportedly been a 60% increase in the identification and control of open source, as well as another 60% increase in firms using boilerplate service level agreements for vendors. Shockingly, there was still a near-zero observation rate for examining malicious code within firms. According to Brown, only one out of all 128 firms included in the BSIMM data pool was careful enough to do this.
More positively, there has been a shift towards continuous effort, observation, and defect discovery. More specifically, a 40% increase in the observation rate of automating static and dynamic testing tools in the Software Development Life Cycle (SDLC) was reported.
Beyond the bare bones of security metrics, BSIMM also considers whether a firm is governance-led or engineering-led; in other words, what the operational priorities of the firm are. The approach to maximising security differs for each. For a governance-led organisation, the checklist for improvements may focus more on leadership, rules, checkpoint compliance, and centralised testing, whereas for an engineering-led organisation, velocity and automation might be more important qualities.
Despite these differences, however, governance-led and engineering-led firms should have shared goals. What are they?
Resilience. Quality. Security.
With a 15% increase in firms beginning the journey to integrate these metrics into their software security frameworks, BSIMM seems to have done its job in measuring the emergence of security properties and aiding the development of security activities in firms with lower maturity scores.
This is what Synopsys has learned from BSIMM, and surely, as software security only continues to expand and intensify as the years pass, there will be much more to learn. Here at IT Security Guru, we are looking forward to what BSIMM13 will have to teach us.