BSIMM12 data indicates a 61% increase in software security groups' identification and management of open source over the past two years, almost certainly due to the prevalence of open source components in modern software and the rise of attacks using popular open projects as vectors.
The growth in activities related to cloud platforms and container technologies shows the dramatic impact these technologies have had on how organizations use and secure software. For example, the Building Security In Maturity Model (better known as BSIMM) made only five observations of "use orchestration for containers and virtualized environments" in BSIMM10, while it made 33 observations two years later for BSIMM12, an increase of 560%.
Another emerging trend observed in the BSIMM12 research is that businesses are learning how to translate risk into numbers. Organizations are exerting more effort to collect and publish their software security initiative data, demonstrated by a 30% increase in the "publish data about software security internally" activity over the past 24 months.
BSIMM12 data also shows an increase in capabilities focused on inventorying software; creating a software bill of materials (BOM); understanding how the software was built, configured, and deployed; and the organization's ability to redeploy based on security telemetry.
Demonstrating that many organizations have taken to heart the need for a comprehensive, up-to-date software BOM, the BSIMM activity related to those capabilities, "enhance application inventory with operations bill of materials," increased from 3 to 14 observations over the past two years, a 367% increase.
The move from maintaining traditional operational inventories toward automated asset discovery and creating bills of materials includes adding "shift everywhere" activities such as using containers to enforce security controls, orchestration, and scanning infrastructure as code.
BSIMM has grown from nine participating companies in 2008 to 128 in 2021, with now nearly 3,000 software security group members and over 6,000 satellite members (aka "security champions").
This 2021 edition of the BSIMM report, BSIMM12, examines anonymized data from the software security activities of 128 organizations across various verticals, including financial services, FinTech, independent software vendors, IoT, healthcare, and technology organizations.
Read the full report by BSIMM.