Companies now commonly collect security metrics from their software development life cycle, implement basic security measures, and define their obligations to protect user data as part of a basic security strategy.
More than three-quarters of companies regularly take 10 common security steps to improve their overall defensive posture, including instrumenting their Secure Development Lifecycle (SDLC) and using automated tools, according to the annual Building Security in Maturity Model (BSIMM) report.
The report is based on the 12th BSIMM assessment of companies, which asks whether they have undertaken any of 122 different security activities. Of the 128 companies included in the survey, 92% collected data from their software development lifecycle to improve security, while 91% regularly confirmed the status of their basic host- and network-security measures — the two most common security initiatives among the companies surveyed, according to a ranked list generated from the BSIMM survey.
The data shows that companies are making progress in maturing their software security processes, says Eli Erlikhman, managing principal at Synopsys and one of the authors of the BSIMM report.
"We continue to see improvement in software security initiatives, where the organizations are becoming better in certain areas, such as controlling open source risk, vendor security, and defect discovery," he says. "At the same time, we see there is room for improvement in the industry, where organizations should continue building out their capabilities."
The annual BSIMM report gives companies a snapshot of the current efforts to secure applications and software in different industries. The framework is one way that companies can gather metrics on their software development with an eye toward improving their processes. Other models, such as the Capability Mature Model (CMM) and OWASP Software Assurance Maturity Model (OSAMM), are alternatives that focus on other aspects of software development.
The current assessments found that the growing number of public incidents of ransomware attacks and attacks on the software supply chain, such as the compromise of remote management software maker Kaseya, have companies more focused on activities designed to prevent or mitigate incidents. Over the past two years, 61% more companies have actively sought to identify open source — 74 this year versus 46 two years ago — while 55 companies have begun to mandate boilerplate software license agreements, an increase of 57% compared with two years ago.
"Over the last 18 months, organizations experienced a massive acceleration of digital transformation initiatives," said Mike Ware, information security principal at Navy Federal Credit Union, a member organization of the BSIMM community, in a statement. "Given the complexity and pace of these changes, it's never been more important for security teams to have the tools which allow them to understand where they stand and have a reference for where they should pivot next."
The BSIMM report aims to allow companies to make data-driven decisions on how to improve their software security efforts over time. The 10 most common activities — and the share of organizations participating in those activities — are:
The data suggests that, as a whole, companies are becoming more mature in regard to software security. Two years ago, the BSIMM 10 report found only 70% of assessed companies performed the least common of the top 10 activities, compared with 77% this year.
Organizations Focused on Software Supply, Shifting Everywhere
The BSIMM 12 survey also shows that more companies are focused on securing their software supply chains and keeping their infrastructure secure. The two fastest-growing activities are using orchestration for containers and virtualized environments, which grew to 33 participating companies from five firms two years ago, and ensuring cloud security basics, now 59 companies compared with nine two years ago.
Checking software bill-of-materials (SBOMs) is another fast growing area of software security, with 14 companies adopting the activity, compared with only three firms two years ago.
Many of these activities are examples of moving from a focus on shifting security further into development — so-called "shifting left" — to a focus on adding security activities to wherever they are needed, which Synopsys's Erlikhman calls "shift everywhere." The automated security verification of operational infrastructure is an example where security is moving left into development, right into operations, and more holistically into engineering.
"We see newer software security initiatives (SSIs) starting to implement these activities that shift [security] right" as well as left, he says. "It would be useful for all organizations to evaluate these approaches to see if they make sense for their business."