Software security groups increased use of open source tech by 61% over 2 years

BSIMM12 data indicates a 61% increase in software security groups’ identification and management of open source over the past two years, almost certainly due to the prevalence of open source components in modern software and the rise of attacks using popular open projects as vectors.

The growth in activities related to cloud platforms and container technologies shows the dramatic impact these technologies have had on how organizations use and secure software. For example, the Building Security In Maturity Model (better known as BSIMM) recorded only five observations of “use orchestration for containers and virtualized environments” in BSIMM10, while it recorded 33 observations two years later in BSIMM12 — an increase of 560%.

Another emerging trend observed in the BSIMM12 research is that businesses are learning how to translate risk into numbers. Organizations are exerting more effort to collect and publish their software security initiative data, demonstrated by a 30% increase in the “publish data about software security internally” activity over the past 24 months.

BSIMM12 data also shows an increase in capabilities focused on inventorying software; creating a software bill of materials (BOM); understanding how the software was built, configured, and deployed; and the organization’s ability to redeploy based on security telemetry.

Demonstrating that many organizations have taken to heart the need for a comprehensive up-to-date software BOM, the BSIMM activity related to those capabilities — “enhance application inventory with operations bill of materials” — increased from 3 to 14 observations over the past two years, a 367% increase.

The move from maintaining traditional operational inventories toward automated asset discovery and creating bills of materials includes adding “shift everywhere” activities such as using containers to enforce security controls, orchestration, and scanning infrastructure as code.

BSIMM has grown from nine participating companies in 2008 to 128 in 2021, with now nearly 3,000 software security group members and over 6,000 satellite members (aka “security champions”).

This 2021 edition of the BSIMM report — BSIMM12 — examines anonymized data from the software security activities of 128 organizations across various verticals, including financial services, FinTech, independent software vendors, IoT, healthcare, and technology organizations.

Read the full report by BSIMM.
