BSIMM14: Crowd-sourced guidebook to better software security

Taylor Armerding
7 min read · Dec 11, 2023


Competition and cooperation don’t have to be mutually exclusive in the world of software security. The annual Building Security In Maturity Model (BSIMM) report from the Synopsys Software Integrity Group is proof.

The report, now in its 14th iteration, demonstrates that sharing what works, or doesn’t, to improve software security can benefit every organization without undermining competition on everything else — product features, quality, customer service, reliability, etc.

That’s something more than warm and fuzzy. These days it could be existential, because software runs just about everything in modern life. We depend on it for energy, finance, communication, entertainment, recreation, healthcare, retail, education, utilities, transportation, appliances, home security, agriculture — the list goes on.

It means that every business is a software business, which makes software risks business risks because cybercrime is just as ubiquitous as software itself. For as long as software has existed, hackers have been on a nonstop quest to exploit its vulnerabilities for profit while damaging, or even destroying, their victims. Just one example: A rural hospital in northern Illinois closed earlier this year after it was unable to recover from the damage of a cyberattack in 2021.

So if you’re in business, you, your suppliers, your partners, and indirectly your customers, all need the BSIMM.

The goal of the report remains the same as when it started — to help organizations help one another minimize and mitigate those risks. The way it helps is by documenting how dozens of organizations in multiple industry sectors are improving their software security. That carries more weight than a lecture from a set of experts at a single company, no matter how well-qualified. (Disclosure: I write for Synopsys.)

It does so in granular detail on security initiatives ranging from automation to artificial intelligence (AI) to supply chain security tools like Software Bills of Materials (SBOMs).

The structure

The BSIMM14 “skeleton” contains 126 activities organized under 12 practices that are in turn grouped under four domains. And the report doesn’t dictate exactly which activities your organization should implement to improve its software security. As noted, it just documents what other companies in your industry are doing. The BSIMM14 report relies on data from 130 participating organizations in eight verticals — cloud, financial services, financial technology (FinTech), healthcare, independent software vendors, insurance, Internet of Things (IoT), and technology.

The participating companies include 11,100 security professionals helping about 270,000 developers build security into about 97,000 applications. They explain in detail (anonymously) their own software security initiatives (SSIs) — what’s working, what isn’t, what’s changing about risks and threats, and how they’re responding to those changes to build trust into their software.

It’s one of the reasons the BSIMM report describes itself as a free “roadmap” to help organizations, because there is no one-size-fits-all route to software security maturity. Indeed, the whole idea of a roadmap is to show multiple routes to a destination without dictating which one to take.

Jamie Boote, principal consultant with the Synopsys Software Integrity Group and a coauthor of BSIMM14, said he thinks of it more as a “travel guidebook for setting an itinerary when you’re on a journey. There’s a list or menu of sites and attractions you can visit — activities that can be incorporated into your software security strategy to guide your journey,” he said.

The destination is common to all, however, and can be reduced to a sentence or two: Create an SSI to build security into software so it can be trusted. Then continue to increase the maturity of your SSI to maintain that trust.

And while, as noted, the report doesn’t mandate the implementation of any of the 126 security activities it documents, if everybody in your industry sector is doing something with good results, that’s a strong indication that you ought to be doing it too. You could call it crowd-sourcing security.

The 94-page report takes some time to digest, but it moves from the general to the specific. Early on, it notes major trends that are either new or continuing to increase or decrease.

The AI invasion

This year, no surprise, AI is on that list. Since the launch of ChatGPT in November 2022, AI tools are now embedded into the software development life cycle (SDLC) to design applications, and to create and test software. That carries both benefits and risks.

AI is fast and never gets tired. But at least so far it needs human oversight. It can get organizations in trouble by recommending third-party or open source snippets of code without noting that they have attribution and/or licensing requirements.

Boote said the mistakes AI makes in software development range from design flaws to coding errors to running a test and missing a vulnerability. “AI isn’t self-corrective,” he said, “so you need to treat all its output as if it’s coming from a developer who isn’t as skilled or able to learn and react to previous correction.”

Other major trends include:

Automation. This now involves much more than using automated software testing tools. The report found “automated, event-driven security testing increasing by 200% over the last two years.” This includes learning from mistakes to create automated guardrails — policy as code — that ensure the only way to write code is the secure way. That takes security beyond fixing bugs to preventing them.

Jason Schmitt, general manager of the Synopsys Software Integrity Group, said automation is leading directly to better security practices. “Companies are seeing firsthand that eliminating human error with consolidated, integrated security tooling makes security programs more effective and affordable — a compelling combination,” he said. “With cyberattacks on the rise and coming from every angle, automation is proving essential to defend against myriad threats that are targeting software.”

Keep shifting everywhere. Automation has enabled the continued growth of the “shift everywhere” trend — a very good thing. More than a decade ago, the mantra in software development was to “shift left,” as in, start testing code early in the SDLC instead of waiting until the end, when it takes much more time and money to fix defects. That was an improvement, but also both insufficient and misleading, since the goal is to do the right test at the right time, anywhere in the SDLC.

Sammy Migues, principal at Imbricate Security and a coauthor of the BSIMM since it began, has said more than once that the “shift left” exhortation wasn’t intended to mean shift only left. “What we really meant is to conduct a security control activity as quickly as possible, with the highest fidelity, as soon as the artifacts on which that activity depends are made available,” he said.

It also means that security is a shared responsibility. As the report puts it, “Each stakeholder has their own business processes to execute, but each also needs to do their version of security sign-off, which requires understandable and usable telemetry from the SLC toolchain.” Migues added that “those stakeholders span software ideation to obsolescence and destruction, so you have to shift everywhere to give them what they need.”

He also said he has been unpleasantly surprised at resistance to shift left outside the BSIMM community. “It’s a really simple idea. It amazes me that some folks push back on this,” he said.

Strengthen the supply chain. Most software products today are assembled rather than written from scratch. Another Synopsys report, the annual Open Source Security and Risk Analysis report, noted earlier this year that virtually all software products contain third-party or open source software components, which make up an average of 76% of all codebases.

And if most of the components used to build software products are external, that means keeping track of them is crucial. As numerous experts have said, the most dangerous vulnerability is the one you don’t know about.

Hence the need for SBOMs — an inventory of all the components in a software product. Boote likens it to “an ingredient list on the side of a cereal box,” noting that this not only lets an organization quickly find out if it’s using a component with a newly discovered vulnerability, but also helps it avoid using components that might be incompatible or out-of-date.

The encouraging trend the BSIMM14 found is a 22% increase in SBOMs from the previous year.
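To make the “ingredient list” idea concrete, here is an added example (not code from the BSIMM report or from Synopsys) that loads a small constructed CycloneDX-style SBOM and checks each component’s package URL and version against a constructed list of advisories, the lookup an organization runs when a new vulnerability is announced. The advisory IDs, package names and version ranges are all placeholders invented for this example.

```python
"""Check a CycloneDX-style SBOM against a list of advisories (added example)."""
import json

# Constructed sample SBOM in the CycloneDX JSON shape, trimmed to the fields used here.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-logger", "version": "2.14.1",
     "purl": "pkg:maven/com.example/acme-logger@2.14.1"},
    {"type": "library", "name": "parsekit", "version": "1.9.3",
     "purl": "pkg:pypi/parsekit@1.9.3"},
    {"type": "library", "name": "widgetlib", "version": "4.17.15",
     "purl": "pkg:npm/widgetlib@4.17.15"},
    {"type": "library", "name": "vendored-blob", "version": "unknown"}
  ]
}"""

# Constructed advisories (placeholder IDs): affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "purl": "pkg:maven/com.example/acme-logger",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-002", "purl": "pkg:npm/widgetlib",
     "introduced": "4.0.0", "fixed": "4.17.12"},
    {"id": "ADV-EXAMPLE-003", "purl": "pkg:pypi/parsekit",
     "introduced": "1.9.0", "fixed": "1.9.4"},
]


def parse_version(text):
    """Turn '1.2.3-beta' into (1, 2, 3); non-numeric suffixes are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_components(sbom_json, advisories):
    """Return (name, version, advisory id, fixed version) for every vulnerable component."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    hits = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        if "@" not in purl:
            continue  # no resolvable coordinates: flag separately, cannot match
        base, version = purl.rsplit("@", 1)
        ver = parse_version(version)
        for adv in advisories:
            if adv["purl"] == base and \
               parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.append((comp["name"], version, adv["id"], adv["fixed"]))
    return hits
```

A component without a purl (the `vendored-blob` entry) is silently skipped here; in practice such entries are the “vulnerability you don’t know about” and deserve their own report line.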

We are the champions… of the SDLC. Mature SSIs also cultivate “security champions” — people who aren’t formally part of the security team but who have an interest in software security and are willing to promote it at the team level. They can include developers, software architects, testers, operations teams, managers, and the executive team — even external vendors.

Their value is apparent in yet another trend — BSIMM14 firms with a Security Champions program (80 of 130 firms) scored on average 25% higher (13 observed activities) than firms without one (50 of 130).

According to the report, “firms with security champions had several training activities that were present at a much higher rate than those without. These training activities include ‘conduct software security awareness training’ and ‘deliver on-demand individual training,’ which were about 40% and 50% higher in firms with champions than those without.”

That’s the good news. But this is another area where Migues said he is mystified that something that has such obvious benefit isn’t embraced universally.

“Only 76 of the 130 BSIMM14 firms have a satellite,” he said. “What!? Why? This is the easiest thing to do, and you probably don’t need to hire anyone — you can do this with people you already have.”

“My take is that it’s hard because it’s also cultural. Many managers can execute on process but changing how the business works — like shift everywhere — is hard. It takes time, it rocks the boat, it requires building bridges, and it shifts attention and priorities for in-demand people.”

***

There is more — much more detail, in the BSIMM14 report. But one of its core overall messages since its beginning is that security is a journey, not an event. It’s much more than flipping a switch or pressing a button. So it doesn’t happen overnight. Still, a journey also presumes making progress toward a destination. And BSIMM participants can help you start on that journey and get to the destination you want and need faster.

There’s no need to lay down some cash to start the journey either. The complete report is free, available under the Creative Commons Attribution-Share Alike 3.0 License. So one of the best, most affordable resolutions you can make for 2024 is to add BSIMM14 to your reading list.


Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.