
12 Bare-Minimum Benchmarks for AppSec Initiatives

The newly published Building Security in Maturity Model provides the software security basics organizations should cover to keep up with their peers.
Governance: Strategy and Metrics
Governance: Compliance and Policy
Governance: Training
Intelligence: Attack Models
Intelligence: Security Features and Design
Intelligence: Standards and Requirements
SSDL Touchpoints: Architecture Analysis
SSDL Touchpoints: Code Review
SSDL Touchpoints: Security Testing
Deployment: Penetration Testing
Deployment: Software Environment
Deployment: Configuration Management and Vulnerability Management

As application security methodology and best practices have evolved over more than a decade, the Building Security in Maturity Model (BSIMM) has been there each year to track how organizations are making progress. BSIMM11, released last week by Synopsys, is based on the software security practices in place at 130 different firms across numerous industries, including financial services, software, cloud, and healthcare.

The practices were measured by the model's proprietary yardstick, which groups 121 different software security metrics into four major domains: governance, intelligence, secure software development lifecycle (SSDL) touchpoints, and deployment. Each of these domains is further broken down into three practice categories, each containing numerous activities that range from simple to very mature.

Similar to previous reports, BSIMM11 shows that most organizations are at the very least hitting the basics — including activities like performing external penetration testing and instituting basic software security training across development organizations. The following are the most common activities cited for each practice category, providing an excellent yardstick for the bare minimum that organizations should be doing to keep up with their peers.
