Over a Decade in Software Security: What Have We Learned?

With over a decade of experience in software security, what can Synopsys teach us? Managing Consultant Adam Brown presented this very subject at Infosecurity Europe 2022, with the help of Synopsys’s BSIMM metrics.


The Building Security in Maturity Model (BSIMM) is an assessment done by Synopsys that helps firms analyse the state of their software security. This understanding then allows these firms to repair where they are going wrong. BSIMM is currently on its 12th iteration, with the 13th on the horizon. According to Adam Brown, Managing Consultant, Synopsys works with 231 firms through an interview-driven process to produce reports, then aggregates this data and makes it freely available at BSIMM.com.


The BSIMM is no typical maturity framework. Through assessment interviews, a score card is crafted, which includes information such as how a firm might address its security pitfalls, as well as other metrics on patterns and weaknesses.


But wait, Brown was careful to point out, what’s the difference between measurements and metrics? And why does this matter?


Measurements are numbers representing information without the context of the situation, he explained, while metrics are those same numbers with the context taken into account. Without context, the data is inconsistent. In other words, Synopsys believes in shifting right, not left, and understanding how security systems operate in real-world situations. And so BSIMM uses metrics.


What does Synopsys do with these metrics? According to Brown, metrics on software security should be used to determine where energy is being diverted into security and in which areas. For example, imagine that there are three levels of security protections. Level one protections are the most ..
