Report: 90% of organizations have software security checkpoints in their software development lifecycle (SDLC)


According to the latest edition of Synopsys’ annual Building Security In Maturity Model (BSIMM) report, 90% of surveyed member organizations have established software security checkpoints in their software development life cycle (SDLC), a sign that they treat these checkpoints as an important step toward the success of their software security initiatives.

Additionally, activities associated with open source risk management increased by 51% over the past 12 months, and the number of organizations building and maintaining a software bill of materials (SBOM) grew by 30%.

About Synopsys BSIMM

Launched in 2008, the BSIMM is a tool for creating, measuring and evaluating software security initiatives. It uses a data-driven model leveraging the industry’s largest dataset of global cybersecurity practices. BSIMM was developed through careful study and analysis of over 200 software security initiatives.


The BSIMM13 report analyzed software security practices at 130 companies, including 48 Fortune 500 companies such as Adobe, Bank of America and Lenovo, in their cumulative efforts to secure more than 145,000 applications created and maintained by nearly 410,000 developers.


The results highlight a significant increase in activity indicating that BSIMM member organizations are adopting a “shift everywhere” approach: performing automated, continuous security testing across the SDLC and managing risk across their whole application portfolio.

Year-over-year trends

One way to examine the differences between last year’s BSIMM12 and this year’s BSIMM13 is to look for trends, such as strong growth in the compliance rate of common activities. The six activities below each saw their compliance rate rise by 20% or more in BSIMM13 compared with the previous year:

  • 34% increase: implement security controls in the cloud.
  • 27% increase: make code review mandatory for all projects.
  • 25% increase: create a standards review process.
  • 25% increase: collect and use attack intelligence.
  • 24% increase: identify open source.
  • 20% increase: require security sign-off for compliance risk.

Taking action

Whether organizations are creating a software security initiative or maintaining a mature program, BSIMM13 data indicates that they should consider the following key actions:

Implement automated software security tools

Whether used for static or dynamic testing or for software composition analysis, these tools help find and remediate defects and identify known vulnerabilities in your software, whether it was developed in-house, bought as commercial third-party software, or pulled in as open source.

Use data to make security decisions

Collect and combine data from your security testing tools and use that data to create and enforce software security policies. Gather data on tests performed and issues discovered to improve security both in the software development lifecycle and in your governance processes.

Automate security tests and decisions

Ditch manual, human-intensive approaches in favor of more efficient, consistent, and repeatable automated approaches.

Move to smaller, automated checks within the SDLC

Where possible, replace manual, human-intensive activities such as penetration testing and manual code review with smaller, faster tests that run inside the pipeline, wherever such tests can actually verify the property in question.

Create a full SBOM ASAP

A software bill of materials should inventory your own assets as well as the open source and third-party code they depend on.
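The three recommendations above (use data from your tools to enforce policy, move checks into the pipeline, and keep an SBOM) fit together naturally as a build gate that reads the SBOM, matches components against an advisory feed, and fails the build when policy is violated. The following is an added example written for this page, not code from Synopsys or from the BSIMM report. The SBOM is a minimal CycloneDX-style JSON document, the component names, versions, package URLs and advisory IDs are all constructed (they are not real packages or CVEs), and the version comparison handles only plain dotted numeric versions.

```python
"""Pipeline gate: parse a CycloneDX-style SBOM, match its components against
an advisory feed, and enforce a simple policy. Added example; all data is
constructed and hypothetical."""
import json
from dataclasses import dataclass

# Constructed SBOM in a minimal CycloneDX-style JSON shape. Names, versions
# and purls are hypothetical. metadata.component is the first-party
# application the SBOM describes; components are its dependencies.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "payments-api", "version": "3.1.0"}},
  "components": [
    {"type": "library", "name": "examplehttp", "version": "2.4.1",
     "purl": "pkg:pypi/examplehttp@2.4.1", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "examplejson", "version": "1.0.3",
     "purl": "pkg:pypi/examplejson@1.0.3", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "vendorsdk", "version": "5.2.0",
     "purl": "pkg:generic/vendorsdk@5.2.0"}
  ]
}
"""

# Constructed advisory feed with hypothetical IDs (not real CVEs). Each entry
# says: every version of `package` below `fixed_in` is affected.
VULN_FEED = [
    {"id": "EXAMPLE-2022-0001", "package": "pkg:pypi/examplehttp", "fixed_in": "2.4.2", "severity": "HIGH"},
    {"id": "EXAMPLE-2022-0002", "package": "pkg:pypi/examplejson", "fixed_in": "1.0.0", "severity": "CRITICAL"},
    {"id": "EXAMPLE-2022-0003", "package": "pkg:pypi/examplejson", "fixed_in": "1.1.0", "severity": "MEDIUM"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Gate policy (hypothetical): block the build on findings at or above
# `block_at`, and require every third-party component to declare a license.
POLICY = {"block_at": "HIGH", "require_license": True}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str
    licenses: tuple  # SPDX license ids declared in the SBOM; empty if none


@dataclass(frozen=True)
class Finding:
    purl: str
    advisory: str
    severity: str


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (e.g. 1.2.3). A real gate must use the
    ecosystem's own version semantics (PEP 440, semver, ...)."""
    return tuple(int(p) for p in v.split("."))


def parse_sbom(text: str) -> list:
    """Extract the dependency inventory from the SBOM."""
    doc = json.loads(text)
    comps = []
    for c in doc.get("components", []):
        ids = tuple(
            lic["license"]["id"]
            for lic in c.get("licenses", [])
            if "license" in lic and "id" in lic["license"]
        )
        comps.append(Component(c["name"], c["version"], c.get("purl", ""), ids))
    return comps


def match_advisories(components, feed) -> list:
    """Pair each component with every advisory whose fixed version is newer."""
    findings = []
    for comp in components:
        base = comp.purl.split("@", 1)[0]  # purl without its version suffix
        for adv in feed:
            if base == adv["package"] and parse_version(comp.version) < parse_version(adv["fixed_in"]):
                findings.append(Finding(comp.purl, adv["id"], adv["severity"]))
    return findings


def evaluate_gate(components, findings, policy) -> tuple:
    """Return (passed, reasons). Reasons are the policy violations found."""
    reasons = []
    threshold = SEVERITY_RANK[policy["block_at"]]
    for f in findings:
        if SEVERITY_RANK[f.severity] >= threshold:
            reasons.append(f"{f.purl}: {f.advisory} ({f.severity})")
    if policy["require_license"]:
        for c in components:
            if not c.licenses:
                reasons.append(f"{c.purl}: no license declared")
    return (not reasons, reasons)


def run_gate(sbom_text=SBOM_JSON, feed=VULN_FEED, policy=POLICY) -> tuple:
    comps = parse_sbom(sbom_text)
    return evaluate_gate(comps, match_advisories(comps, feed), policy)


if __name__ == "__main__":
    ok, reasons = run_gate()
    print("PASS" if ok else "FAIL")
    for r in reasons:
        print(" -", r)
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline stage
```

With the constructed data the gate fails on two counts: examplehttp 2.4.1 is below the 2.4.2 fix for a HIGH advisory, and vendorsdk declares no license. The MEDIUM finding on examplejson is recorded but does not block, because it sits below the policy threshold; the CRITICAL advisory does not apply because 1.0.3 is already past its fix. Keeping the policy as data (the POLICY dict) rather than hard-coding it is what lets the same gate be tuned per application portfolio, and feeding the findings back into a central store is the data-driven decision making the report describes.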

The BSIMM is an open standard that includes a framework based on software security practices, which an organization can use to evaluate and mature its own software security efforts.

BSIMM methodology

BSIMM data comes from interviews conducted with member companies during a BSIMM assessment. After each assessment, observation data is anonymized and added to the BSIMM data pool, where statistical analysis is performed to highlight trends in how BSIMM companies secure their software.

Read the full report from Synopsys.
