Retail joins the BSIMM—finally

The BSIMM—Building Security In Maturity Model—is now into its 10th year of being a self-described “measuring stick for software security” for multiple industries.

But there are still newcomers—this year it’s retail. Ten retail firms participated in BSIMM9, which tracks the development of SSIs (software security initiatives) by organization based on 116 possible activities, grouped into a dozen practices that fall under four domains—Governance, Intelligence, SSDL (Secure Software Development Lifecycle) Touchpoints, and Deployment.

Retail joins seven other verticals that have reached a critical mass to be analyzed as stand-alone verticals—finance, independent software vendors (ISV), tech, healthcare, Internet of Things (IoT), insurance, and cloud.

And while the BSIMM is a measuring stick, the reports say up front that the model is not a how-to guide for software security. Rather, it’s based on the collection of detailed observations, so organizations can see what others in their field are doing, what is working, and what isn’t.

Retail software security initiatives

All of this raises a logical question: Why is retail so late to the party? It would seem retail should have been there from the beginning, given that it is as heavily dependent on software—and easily as much at risk from insecure software—as any other vertical. It uses software for everything from payroll to inventory to tracking customer purchasing habits.

And it is an industry that has had plenty of high-profile data breaches due to hackers exploiting vulnerabilities in either their systems or related third-party systems. The Target breach and Home Depot breach are just two of the more notorious.

Protect your customer relationships and bottom line.

Sammy Migues, principal scientist at Synopsys and a co-author of the report since the beginning, said he can only guess why retail is just now showing up. It could be, he said, “a lack of CISOs or similar executives driving creation of software security initiatives rather than having software security being thought of as a function of IT under a CIO or CTO.”

And Dr. Gary McGraw, vice president of security technology at Synopsys and also a co-author from the start, also said there is no obvious answer. “I think some of them had a lot of soul searching to do. They had to come to the realization that they needed to do better than check the [compliance] box.”

So how does retail measure up?

Whatever the reasons for retail’s late arrival, the good news is that the retail firms who participated in this year’s report (they are allowed to remain anonymous if they wish) displayed an impressive level of maturity in their SSIs—they were collectively equal to or better than average in 10 of the 12 practices.

“They came in strong,” Migues said, noting that for some of the participants, retail is not their core business, but either way, “they’re often not starting software security from scratch. They’re likely doing it in other parts of the firm and applying it to their retail business.

“Also, they’re also learning quickly from those who came before them in the space. They’re already collectively more mature than healthcare and insurance,” he said.

Of course, it will be possible to get a more accurate picture of that business sector if the number of participants grows. This year there were 50 in the financial vertical, 42 in ISV, and 22 in tech.

McGraw said he thinks it will. “I think all the verticals are going to grow,” he said. “The most powerful thing is the community. When you see people that look like you, then that encourages you to participate.”

But Migues said participants can learn even from those in other industries, since many of their software security needs, risks, and vulnerabilities are similar.

“Retail is just another version of a web front end that ties to a cloud back end and processes lots of individual transactions,” he said. “Lots of financial applications are the same. Lots of ‘as-a-service’ things from traditional ISVs, like Intuit Online, are the same. Lots of IoT things are the same back end but the front end looks like a thermostat or refrigerator or whatever.”

What’s next for the BSIMM?

As always, there are hopes that yet more verticals will join the community. Which one ought to be next? Both Migues and McGraw said automotive.

Indeed, modern vehicles—especially those with autonomous features—have been described numerous times as “a collection of computers with some wheels.”

“They know they’ve become a software house,” McGraw said.

“There are high-profile companies out there who have had high-profile software problems,” Migues added. “Getting into the BSIMM Community might actually help their image.”

Does your software security initiative measure up to your peers?

Find out in BSIMM9.