Authored by: Ian Hall, Asia-Pacific Client Services Manager, at Synopsys Software Integrity Group
Synopsys recently published its annual Building Security In Maturity Model (BSIMM) report, created to help organisations plan, execute, measure, and improve their software security initiatives. In its 11th iteration, BSIMM is a helpful guide for CISOs and security executives to compare data against their industry peers and pinpoint areas of specific need in their own application security (AppSec) program. This enables businesses to develop, improve, and mature their programs using BSIMM as a benchmark.
The following four steps provide a good foundation or starting point:
1. Identify Maturity Phase
BSIMM defines three maturity phases of an AppSec program. Identifying whether an organisation is emerging, maturing, or optimising is a necessary foundation from which to build. Executives should review the common markers to determine where they currently stand.
Emerging: An organisation starting from scratch, or formalising current ad hoc security activities. In this phase, the initial strategy may already be defined, foundational activities may have been implemented, and a rough roadmap might already exist. However, there are constraints such as budget and a lack of resources and talent, and it is projected that 12 - 24 months are needed for the program to evolve.
Maturing: An organisation with an existing or emerging AppSec program that is working on scaling, streamlining, and meeting executive expectations. Key activities may include working to apply existing activities to a greater percentage of technology stacks, departments, or the software portfolio. Security leadership might add fewer activities, while increasing depth, breadth, and cost-effectiveness of current activities.
Optimising: An organisation that is fine-tuning its existing AppSec program. Security management in this phase has a clear view into operational expectations and the associated metrics. There should also be seamless adaptation to technology change drivers. In addition, risk management and business value are clearly demonstrated as differentiators. At this point, AppSec leaders may be undergoing personal growth from technology executive to business enabler.
2. Embrace DevSecOps
CISOs and security teams must address the role of security within a DevOps environment, which means embracing DevSecOps. Focus should be placed on promoting security self-service for the development team, including automation in the secure software development lifecycle (SSDLC), and removing points of friction. Speed, agility, and automation are key considerations as security must keep up with the pace of DevOps.
3. Implement Key Activities
The activities form the backbone of the BSIMM. Each year's report identifies which activities the various organisations in the data pool are performing. The activities are then ranked by how frequently they are observed. This approach gives CISOs a snapshot of the most widely used activities among their peers.
BSIMM11 found several activities that grew explosively in the past year. Security executives should consider these activities as they play a key role in many successful AppSec programs.
For example, the chart above shows the use of application containers (SE3.4; now SE2.5) rising from 0 observations in BSIMM7 (2016) to 31 in 2020. Organisations are using application containers to make deployment easier while also decreasing costs. The increase in the use of orchestration for containers and virtualised environments (SE3.5) also helps ensure workloads meet security requirements. It is also interesting to note that businesses are ramping up their efforts to ensure cloud security basics (SE3.7; now SE2.6) are in place, keeping pace with the overall increase in adoption of cloud-based deployments.
4. Define Roles and Responsibilities
Identifying individuals and their roles in an AppSec program reduces confusion while empowering teams to be proactive and innovative. CISOs should review the roles of teams within the AppSec program to determine whether they can create clearer boundaries and expectations in their own organisations. These roles fall into four main groups:
Executive leadership: The most successful AppSec initiatives are those with executive sponsorship and oversight. Programs gain acceptance and support throughout organisations when they have executive buy-in. Having a single person (typically the CISO) in charge of security decisions allows the program to move forward without bottlenecks.
Application security team: Virtually all 130 organisations observed in BSIMM11 have an established AppSec team in place, though their structure and the names they go by vary greatly. Without this team, organisations would find it impossible to be consistent in their AppSec efforts. Executives should prioritise and closely align with this team to help drive and deliver security goals.
Security champions: Security champions are employees outside the security team who help raise awareness of and garner support for AppSec practices among different members of the organisation. Executives should identify existing security champions within their organisations and foster relationships with potential champion recruits who can help ensure compliance with AppSec best practices throughout the SSDLC.
Everyone else: All employees play an indirect role in security. They can spread awareness, understanding and support for security practices and development. Executives should encourage education, inclusion and awareness across the entire organisation to give their AppSec programs the best chance to succeed.
Regardless of whether you are a new CISO, someone in an emerging organisation, or a CISO overseeing existing programs, there are checklists to help you along. While addressing the four steps above, the CISO or security executive should consider diving into the full BSIMM11 report, which contains checklists to jumpstart and develop your AppSec program, along with much greater insight into the activities, practice areas, and domains of the most successful AppSec programs operating today.