
Synopsys Releases BSIMM12 to Help Enterprise Software Security Begin Again

Author: Insight into the times

How to make their software more secure is a perennial question that many enterprises must keep thinking about, and creating safe and reliable software depends on a rigorous, scientific model for evaluating how a software security program is built.

Synopsys, a technology company deeply engaged in software security, first released the Building Security In Maturity Model (BSIMM) in 2008 and recently published the twelfth version, BSIMM12. At the Synopsys BSIMM12 media briefing, Yang Guoliang, senior security architect in the Synopsys Software Integrity Group, introduced the basics of BSIMM12 in detail and shared Synopsys' thinking from more than ten years of evaluating software security initiatives.

The main point of BSIMM12

Before focusing on BSIMM12, Yang Guoliang first talked about why Synopsys continues to produce BSIMM reports. He noted that the BSIMM model has, from the outset, considered every aspect of the overall software security program, creating a descriptive model based on the actual activities of enterprises. Yang highlighted that the BSIMM model collects data regularly to keep it current. In addition, Synopsys has created communities to share the latest findings and drive business transformation for software security initiatives.


Yang Guoliang summarized the main points of the latest version, BSIMM12. He noted that widespread ransomware and software supply chain disruptions have led to a growing focus on software security, with ransomware attacks and the risk of supply chain disruption threatening the security of enterprise software.

He also pointed out that enterprises are learning how to turn risk into data, visualize that risk, and use it to inform software security design decisions. The BSIMM12 release also expands its coverage of cloud security, addressing container orchestration and container security issues. Yang also believes that security teams are now providing resources, personnel and knowledge for DevOps practices: the primary function of the security team will shift from traditional centralized control and compliance management to empowering DevOps teams.

Yang also talked about a new trend: the increased attention being paid to software bills of materials. He pointed out that the concept of the software BOM (SBOM) is now being put into practice within the software industry. To strengthen the security management of products provided by suppliers, security oversight needs to be strengthened by using an operational BOM to enhance the inventory of applications in use.

Achieve your goals with BSIMM

Yang stressed that BSIMM is not a set of methodologies or a prescriptive model, but a yardstick for measuring security activities.

Yang talked about how BSIMM helps clients achieve security-related goals, which he summarized in six points: understanding the current state of the software security initiative (SSI) and providing visibility; measuring new approaches to software security; evaluating the company's own software security initiative strategy; establishing a methodology for measuring the progress of software security initiatives; demonstrating the state of software security (to customers, partners, and regulators); and gathering specific details to explain to top management or the board of directors how the security program works.

He believes that the BSIMM model can not only help customers achieve their supply chain security goals, but also demonstrate and self-certify to regulators.

Challenges for security teams

Yang also pointed out the main challenges faced by security teams. The first is embracing digital transformation and cloud technology: because enterprise digital transformation involves a large number of cloud-related technologies, securing those technologies is urgent. Related security issues include infrastructure-as-code security, container image management, infrastructure management, and so on.

The second is bridging the gap between the engineering team and the AppSec team. He believes it is necessary to build bridges between development and security teams, and to establish models that help both sides understand each other.

The third is the shift to "everywhere". Specifically, he argues that security activities cannot simply "shift left". In the past two years, with the rise of container technology, some security activities can only be performed once containers are deployed, so it is necessary to "shift right" as well, into the deployment and monitoring stages. Beyond that, every part of the company has corresponding security work, so the trend has moved from "shift left" to "shift everywhere".

The fourth is DevSecOps. He pointed out that more and more enterprises are adopting DevSecOps models built on high productivity and security, and ensuring both efficiency and security within the DevSecOps process is also a challenge.

The fifth is visibility into large-scale work. Yang Guoliang believes that with massive codebases, it is very difficult to collect the corresponding data, especially security-related data, and to use that data to guide the work.

The sixth is managing supply chain risk. He believes the security team must pay close attention to every link in the supply chain and control each one accordingly to avoid supply chain attacks.

He also introduced Synopsys' Intelligent Orchestration platform, which can gradually transform some traditional security activities from being process-driven to being risk-driven.

When asked about the scope of application of BSIMM among domestic enterprises, Yang Guoliang said that Synopsys does not pick industries: once an industry reaches a certain scale, Synopsys publishes a radar-chart report of the evaluation averages for that industry. But since not all companies actually achieve a perfect score in practice, the real criterion for judging whether the BSIMM model applies is whether it benefits the enterprise, or whether there is a need for security assessment. (Text/Xu Peiyan)