New Synopsys Research Finds Significant Increase in Practices to Strengthen Software Supply Chain Security

BSIMM13 data shows a nearly 50 percent increase in activities to secure open source components and integrate security into developer toolchains

MOUNTAIN VIEW, Calif., September 21, 2022 /PRNewswire/ — Synopsys, Inc. (Nasdaq: SNPS), today published BSIMM13, the latest edition of the annual Building Security In Maturity Model (BSIMM) report. It examines the software security practices of 130 organizations—including Adobe, PayPal and Lenovo—in their combined effort to secure more than 145,000 applications built and maintained by nearly 410,000 developers.

The findings highlight a significant increase in activities indicating that BSIMM member organizations are implementing a “shift everywhere” approach to perform automated and continuous security testing throughout the software development lifecycle (SDLC) and manage risk across their complete application portfolio.

To learn more, download the BSIMM13 Trends & Insights report.

“BSIMM13 findings suggest that with the attention placed on software supply chains, most enterprise organizations are taking a risk-based approach to application security. Such an approach recognizes that security is not limited to the codebase; it includes the software development process, where security reviews and testing ‘move everywhere’ to continuously improve security outcomes,” said Jason Schmitt, general manager of the Synopsys Software Integrity Group. “The findings also show that BSIMM members’ software security initiatives are maturing, and they are now looking for ways to drive scalability, efficiency and overall effectiveness of their programs.”

Conducted by the Synopsys Software Integrity Group, BSIMM13 highlights emerging trends in software security initiatives by member organizations over the past 12 months, including:

  • Managing Software Supply Chain Risk and the Rise of SBOMs
    Perhaps as a result of recent high-profile supply chain attacks, software supply chain risk management—most commonly done by identifying and securing open source software—appears to be a top priority for BSIMM member organizations. BSIMM13 reports a 51% increase in open source risk control-related activities over the past 12 months, as well as a 30% increase in Software Bill of Materials (SBOM) development and maintenance by organizations seeking to fully catalog the components within their deployed software.
  • Integrating Security into Developer Toolchains
    As part of their efforts to “shift everywhere,” BSIMM organizations have made significant progress in integrating security tooling into CI/CD pipelines and developer toolchains over the past 12 months. BSIMM13 data records 48% growth in activities that enable organizations to integrate security tests with QA automation.
  • Extending Software Security Beyond Products and Applications
    BSIMM13 data also shows significant growth in activities indicating that security teams are extending their work into operations to secure non-application software—such as the automation created for CI/CD. Observations of the activity of using operational data for continuous improvement grew by 95% in the last 12 months.
  • “Shift Everywhere” with Automated and Continuous Testing
    BSIMM13 data reports that 82% of BSIMM member organizations now use automated code review tools—ranking this among the top 10 most observed activities in BSIMM13—enabling them to perform more rapid, incremental security tests and identify vulnerabilities as they are introduced throughout the SDLC.

Founded in 2008, BSIMM is a maturity model that observes and quantifies the activities that software security professionals perform, to help members of the broader security community plan, execute and measure their own initiatives. BSIMM data comes from interviews conducted with member organizations during the BSIMM assessment. Following assessment, observational data is anonymized and added to the BSIMM data pool, where statistical analysis is performed to highlight trends in how BSIMM organizations secure their software.

In addition to publishing its annual report, BSIMM provides members with a private community to interact with peers, learn best practices and gain new insights through community discussions, blogs, e-learning courses, webinars and more exclusive content focused on securing software in today’s dynamic business environment.

“In joining the BSIMM community in 2015, we saw significant value in using the insights gained from the annually refreshed observations to help us plan and measure our own security program, and also gain insight into training areas that are most important to our customers,” said Bill Jaeger, Executive Director of Lenovo’s Infrastructure Solutions Group Product Security Office. “Furthermore, the BSIMM community itself is an amazing resource, with members who generously share experiences and lessons learned; we are all on a similar journey, and companies just starting their software security initiatives can learn a lot from those who started earlier.”

Those interested in learning more about the findings and the BSIMM program can download the BSIMM13 Trends & Insights report or the full BSIMM13 Foundations report, which provides an in-depth analysis of the data and explores industry-specific trends.

Acknowledgments

Synopsys would like to thank Jamie Boote, Eli Erlichman, Stephen Gardner and Sammy Migues, authors of BSIMM13, as well as Kathy Clark-Fisher and Ryan Francis, whose behind-the-scenes work keeps BSIMM’s science project, conferences, and community on track.

Some of the companies participating in the BSIMM study include: AARP, Adobe, Aetna, Ally Bank, Axway, Bank of America, Bell Network, CIBC, Cisco, Citi, Diebold Nixdorf, Depository Trust & Clearing Corporation, Egis, Eli Lilly and Company, eMoney Advisor, EQBank, Equifax, Fidelity, Finastra, Freddie Mac, F-Secure, Genetec, HCA Healthcare, Honeywell CE, HSBC, Imperva, Inspur Software, Intralinks, iPipeline, Johnson & Johnson, Landis+Gyr, Lenovo, MassMutual, MediaTek, Medtronic, Navient, Navy Federal Credit Union, NEC, NetApp, Oppo, PayPal, Pegasystems, Principal Financial, Realtek, SambaSafety, ServiceNow, Signify, SonicWall, Synchrony Financial, TD Ameritrade, Teradata, Trainline, Trane, US Bank, Veritas, Verizon Media, Vivo, World Wide Technology, ZoomInfo.

About BSIMM

Founded in 2008, the Building Security In Maturity Model (BSIMM) is a data-driven tool for creating, measuring, and evaluating software security initiatives. Developed through careful study and analysis of over 250 software security initiatives, BSIMM13 includes current, real-world data from 130 organizations worldwide. In addition to publishing its annual report, BSIMM provides member organizations with a private community to engage with peers, learn best practices and gain new insights through community discussions, blogs, e-learning courses, webinars and more. To learn more about the BSIMM program, visit www.bsimm.com.

About the Synopsys Software Integrity Group

Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development lifecycle. Learn more at www.synopsys.com/software.

About Synopsys

Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software™ partner for the innovative companies that build the electronic products and software applications we rely on every day. As an S&P 500 company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP and offers the industry’s broadest portfolio of application security testing tools and services. Whether you’re a system-on-chip (SoC) designer building advanced semiconductors, or a software developer writing more secure, high-quality code, Synopsys has the solutions needed to deliver innovative products. Learn more at www.synopsys.com.

Editorial Contact:

Liz Samet
Synopsys, Inc.
336-414-6753
[email protected]

SOURCE Synopsys, Inc.
