Increased compliance activities, such as creating software bills of materials (SBOMs) and running software composition analysis (SCA) scans on code repositories, along with securing the attack surfaces created by artificial intelligence (AI) applications, are among the key software security trends highlighted in the latest edition of the Building Security in Maturity Model (BSIMM) report.
First introduced in 2008, the annual BSIMM report analyzes the software security practices of organizations across eight industries. It describes what is working, what is not, what is changing in the software security risk and threat landscape, and how organizations are responding to those challenges. By comparing and contrasting their own initiatives with what other organizations are doing, organizations can use the report as a measuring stick for software security.
More than 120 companies participated in the latest report, BSIMM15, including AARP, Aetna, AMAICH OF AMAICH, Diebold Nixdorf, Eli Lilly and Company, Fidelity, Honeywell, Johnson & Johnson, Lenovo, MassMutual, Navy Federal Credit Union, SonicWall, Synchrony Financial, TD Ameritrade, Vanguard, and ZoomInfo. Across these organizations, 11,100 security professionals collectively assist 270,000 developers working on 96,000 applications.
However, while legacy application security practices are good at the basic blocking and tackling of traditional software threats, they are no match for modern attacks from the software supply chain and AI/ML. Here are the key takeaways from the BSIMM15 report and why you need to go far beyond traditional AppSec practices to manage modern software risks.
A real-world look at today’s software threats and practices
Here are BSIMM’s key trends and insights for this year:
1. Organizations are adopting AI and ML. The opportunities and risks of artificial intelligence (AI) and machine learning (ML) are top of mind for organizations. A key factor is the rise of AI-generated code produced with tools such as GitHub’s Copilot.
The BSIMM15 report states:
“When we talk to clients about what they’re trying to do and the problems they’re having with it, we see a variety of pain points, but generally the problem everyone struggles with is uncertainty. There’s not a lot of well-understood guidance out there, so they have to find the answers themselves. That uncertainty appears to be contributing to the formation of research groups to develop new attack methods, up 30% from BSIMM14.”
2. Organizations are prioritizing compliance. Organizations burdened by self-certification requirements for selling software to the U.S. government are increasingly prioritizing activities that support compliance and software supply chain security, such as creating SBOMs and performing software composition analysis (SCA) on code repositories. Organizations creating SBOMs for deployed software increased by 22% over BSIMM14, while organizations running SCA on their repos jumped 67%.
3. Security awareness training is on the decline. Compared to BSIMM1, in which 100% of organizations conducted software security awareness training, only 51.2% of BSIMM15 organizations provided basic security training to their teams, the lowest rate observed to date.
AI is a fight on two fronts
Saša Zdjelar, chief trust officer at ReversingLabs, said the rise of AI has caught organizations flat-footed, both in their internal use of it and in software development. On the generative AI front, they are being pushed by their businesses to adopt AI faster and faster without sufficient governance of how to manage it safely.
“I think one of the biggest problems is that most companies don’t even fully know where AI is being used, and they have a hard time wrapping their arms around it. When they do, they want to know which large language model is okay, but how do you make it not just safe, but actually safe? What if it damages your company’s brand and reputation? Are you not providing an inappropriate answer?”
—Saša Zdjelar
Software risks are also created by the use of AI and ML to develop software, said Mike Lyman, one of the report’s authors and an associate principal consultant at BSIMM sponsor Black Duck Software. “We don’t necessarily know where all that code is coming from, and that can introduce risks such as open source licensing risks, which can lead to code being released with copyleft licenses. We may recommend using code snippets that come out of open source libraries. So we have to be aware of that type of thing,” he said.
Lyman noted that this is why AppSec teams really need to focus on reviewing all code, and on how much defective human-written code is now being reused by ML.
“A lot of people don’t realize that AI learns to write code by looking at the code we write. It would make the same mistakes.”
—Mike Lyman
Software supply chain risks and shifts are everywhere
Jason Soroko, senior fellow at Sectigo, said the increased use of SCA and SBOMs identified in BSIMM15 is a sign of growing interest in software supply chain security.
“This shows a growing desire for systemic transparency and compliance. Organizations are finally acting on the idea that you can’t protect what you don’t understand.”
Soroko warned, however, that these incremental improvements “risk being undone if core security knowledge and security culture diminish.”
RL’s Zdjelar said he welcomed BSIMM15’s focus on software supply chain risks, but said organizations need to look across their entire software stack.
“[BSIMM15] does mention software supply chain risks, but only in areas such as software materials and open source, and not about how software supply chain risks are introduced into companies by commercial software. If you think about how supply chain violations have occurred over the past six to seven years, all of the violations have come from commercial software packages, not open source.”
—Saša Zdjelar
Concern about the decline in training programs
The decline in security awareness training identified in BSIMM15 has been a trend since the program’s inception, Black Duck’s Lyman said. “BSIMM1 started at 100%, but there were only nine software security leaders in that initial study,” he said.
As soon as more businesses were added, it began to decline, he said. “Since BSIMM2, there has been a slow and steady decline, and it’s now as low as 51% who have basic software security awareness training.”
“We felt that a lot of it was the budget, and the attitude. Companies have software security training programs that they don’t feel they need to revisit. It’s a priority. And most of us don’t know. As it is, if it’s not a priority, it tends to fall apart over time. So I think a lot of it is something we’re playing with.”
—Mike Lyman
Another factor in the decline is that many companies mistake annual general security awareness training for software security training. “It’s very important to know how to avoid clicking suspicious links and avoid malware, but we don’t really know how to write secure code,” he said.
Zdjelar said formal education in the correct way to develop code appears to be on the decline, along with a growing reliance on tools to do the job for you.
“I think it’s a very dangerous precedent because the tools are also built by humans. Humans are humans who make mistakes with good, secure software. So the trend away from developer education, I think, is a very bad habit and an over-reliance on tooling.”
—Saša Zdjelar
What you need for modern software supply chain security
Although BSIMM data from real-life organizations is important, Caroline Wong, director of cybersecurity at Teradata, said it is not representative of the mainstream.
“I would say it’s around the top 25% of existing software security initiatives that are included in the BSIMM study. These are organizations that take software security seriously and are on the cutting edge of innovation and maturity in this area.”
—Caroline Wong
Wong said it makes sense that BSIMM is a descriptive and not a prescriptive model. “These activities are not just identified by smart people as ‘good ideas,’ but they are valuable ideas that will pass an ROI assessment in your organization and have sufficient resource allocation to be considered active and operational,” she said.
Zdjelar said the problem with BSIMM is that it is not forward-looking. He wants to ensure that the next edition of BSIMM includes a focus on the software supply chain security risks posed by commercial software. And that means having the right tools for the job.
Traditional application security testing (AST) tools such as SCA and other code-scanning approaches cannot identify modern threats, he said.
“Now, BSIMM is talking about traditional legacies like static code analysis and dynamic scanning. It lacks analysis.”
—Saša Zdjelar
Zdjelar explained that binary analysis can flag threats in the supply chain that traditional AST tools cannot find.
“SAST, DAST, and SCA tools are not designed to find the presence of malware or the presence of tampering or the fact that your CI/CD pipeline may have been compromised. That’s not what they’re looking for. It’s not a thing.”
This is a Security Blogger Network syndicated blog post written by John P. Mello Jr.