Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:00 PM
Sammy Migues
Sammy Migues
Connect Directly
E-Mail vvv

BSIMM10 Shows Industry Vertical Maturity

The Building Security In Maturity Model is the only detailed measuring stick for software security initiatives, and it continues to evolve.

The Building Security In Maturity Model (BSIMM) is now in its 10th iteration. It continues to evolve as the only detailed and sophisticated "measuring stick" for software security initiatives (SSIs), also known as application or product security programs.

The BSIMM is an observational model. While it's useful for some industry experts and pundits to prescriptively document what worked for them that one time in that one situation, the BSIMM took a different path. The BSIMM observes what's happening in hundreds of organizations and tells everyone how firms are actually spending their time and money to achieve an appropriate level of software security across their entire software portfolio. Since its creation over a decade ago, this data-driven approach has evolved through the analysis of nearly 200 SSIs globally. BSIMM10 represents real-world data from 122 organizations over eight industry verticals: cloud, Internet of Things (IoT), independent software vendors (ISVs), high technology, healthcare, insurance, financial services, and retail.

The BSIMM started in 2008 with a set of 110 activities. Over time, one activity was removed and 10 activities were added. Why? Because that's what we observed in the world of software security. To help everyone understand how frequently each of the 119 BSIMM10 activities are observed across the current 122 firms, we use frequency analysis to sort the activities into levels. Commonly observed activities — across all verticals — are tagged as level 1, while sparsely observed activities are level 3.

That means we can use a high-water mark diagram such as the one below to illustrate how frequently various levels of activities are observed in firms participating in the BSIMM study as well as in a particular firm. The diagram shows that the current 122 firms are collectively putting effort into more activities in Strategy & Metrics, Compliance & Policy, and Standards & Requirements compared with Attack Models and Architecture Analysis, whereas the ExampleFirm places value on Attack Models, Code Review, and Penetration Testing. This view acts as a proxy for overall maturity but can also be broken down on an industry vertical basis to observe effort across activities and growth differences between various industries.


In highly regulated industries such as financial services, for instance, it's not surprising to see a spike around Compliance & Policy, whereas we typically don't see that spike with ISVs or IoT. Most verticals measured currently within the BSIMM have a good handle on the foundational security activities.

We're seeing some verticals collectively doing more than others in various areas for a variety of reasons. In certain industries, effort in particular activities is driven by legal reasons relating to regulations, statutes, and contracts. In others, customer expectations and preferences, along with perceptions of privacy, may drive which of the 119 BSIMM10 activities are emphasized over others.

Let's take medical device manufacturers as an example. The software built into the monitors and devices produced for hospitals and doctors' offices is going to be out there for 20 years, perhaps even longer. Imagine what software attacks are going to look like in 20 years! Now, imagine doing that 20 years ago and predicting what software security mechanisms would be needed for today. As you can see, this is a very complex problem and different firms in the vertical approach the problem differently.

Different verticals emphasize different security activities based on their different perceptions of risk. We see that reflected in their spider diagrams, which in turn reflects the foundational activities and the more uncommon activities they implement to help build out their particular SSI.

It isn't reasonable to say that Healthcare Company X is more mature than Retail Company Y because this would be like comparing apples to oranges. Why? Because each firm will build the right program for its needs. Even if they are in the same business, a firm doing 30 activities and a firm doing 50 activities might have the same overall maturity relative to their software portfolios. However, we can say that one group of firms within a specific industry vertical does things that seem to be collectively important throughout the vertical, while another group of companies in another industry vertical carries out completely different activities that seem to be important to them. They're not the same things necessarily, and yet there are trends among each industry.

BSIMM10 is the first iteration of the study to formally reflect changes in SSI culture, observed in a new wave of engineering-led software security efforts originating bottom-up in the deployment and operations teams rather than top-down from a centralized software security group. Engineering-led security culture has shown itself to be a means of establishing and growing meaningful software security efforts in some organizations, though it struggled to do so even just a few years ago.

Along these cultural lines, BSIMM data also show that the DevOps movement, along with the growth in continuous integration/continuous development (CI/CD) tooling and digital transformation, is affecting the way firms approach software security for their software portfolios. BSIMM10 includes three new activities for this reason.

In recent years, as organizations have started using DevOps practices that pushed software to the cloud, we're seeing that this is a big change agent in most firms. As DevOps culture and CI/CD toolchains intersect with cloud deployments, we're realizing this is a game-changer in terms of software security. We don't yet understand the full impact as we're still in the early phases of the evolution of these technologies and strategies. Upcoming iterations of the BSIMM will certainly shed more light on what organizations are doing to get from DevOps to DevSecOps and to secure their cloud deployments. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Account Fraud Harder to Detect as Criminals Move from Bots to 'Sweat Shops'."

Sammy Migues is a Principal Scientist at Synopsys. He is an information security visionary with a proven record of entrepreneurial innovation, intellectual capital development, practical business solutions, and performance optimization. Migues is the co-author of the Building ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.