May 17, 2020

Managing risk in the software supply chain

Sammy Migues, Synopsys
5 min
Managing risk in the software supply chain
The Building Security In Maturity Model (BSIMM) is a well-respected, in-depth set of activities businesses use to increase understanding of their cybers...

The Building Security In Maturity Model (BSIMM) is a well-respected, in-depth set of activities businesses use to increase understanding of their cybersecurity risk management.

Despite the positive application of the BSIMM, its size can make it seem like a daunting tool. With this in mind, Synopsys introduced the BSIMMsc almost eight years ago. It has since undergone years of systematic refinement to help streamline risk management in the process of software acquisition from third-party vendors by keeping vendors accountable for their code. 

The BSIMMsc offers organizations a risk management tool that provides insight into vendors’ software security efforts through an attestation, designed for ease-of-use by groups that work to assess and minimise the risk of third-party software. The BSIMMsc offers a process to highlight risk for software acquirers, allowing them to glean insight into the software security efforts of specific vendors. This allows organisations to conduct an analysis of the software that vendors propose to deliver. In turn, this promises to provide a significant innovation from the outdated methods of quality assurance, such as simply reviewing a vendor’s penetration test reports, while reducing the inconvenience of commissioning an external or in-house penetration test on commercial off-the-shelf software or any other software provided.

Cutting out clueless code

Following nearly eight years of real-world scenarios, two primary uses for the BSIMMsc surfaced. The most frequent applications of the BSIMMsc are to assess the reliability of software vendors. This can be described informally in binary terms, with the vendors grouped based on their reliability as either “clueless” or “clueful”. This is essential to daily business operations because conducting business with a clueless vendor can have serious security consequences. The BSIMMsc provides additional scrutiny in the software procurement process as it affords the ability to sort vendors according to how seriously they take software security. This facilitates the creation of a “do not buy from” list, which both significantly limits the possibility of conducting business with clueless vendors when decision-makers are searching for new software, and actively increases cybersecurity awareness. 

A further use of the BSIMMsc is to separate clueful prospective vendors into two additional groups. One group consists of vendors that display immature security processes, resulting in software that occasionally passes penetration tests (but usually doesn’t). The second group will have the software security fundamentals required for consistently generating high-quality software and are well known for facilitating a quick response when necessary. This information can directly inform a “preferred vendor” list. Over time, vendors will strive to move from the “don’t buy” to the “preferred” list, increasing software quality for all acquirers.

The BSIMMsc operates through a qualitative approach, providing a very effective, low-impact initial look into software security capability. Indeed, if a prospective vendor fails this brief critical review then it clearly indicates that they are not worth the time and money to conduct a deep-dive quantitative analysis. Furthermore, because of the nature of enterprise risk management, the BSIMMsc is intentionally streamlined in terms of scope and power in order to maintain user engagement.


What’s in your code?

Given the constantly increasing complexity of corporate software environments, it is no surprise that firms are increasing scrutiny of software security, particularly when considering the ubiquity of third-party software. Indeed, every modern enterprise relies on third-party software in some manner, especially considering constraints such as imposed time-to-market deadlines and technology stacks. Third-party code can manifest in several forms from custom-built software to software-as-a-service. Some external code, such as JavaScript modules, is inevitable as vendors and partners often inject it into a firm’s web applications to provide added value for the firm or its customers. Some external software even possesses the capability to write new code as it executes. As third-party code is so prolific, it is important to understand what your company relies on, and why. Putting your faith in the wrong vendor or vulnerable code might have catastrophic consequences. Therefore, the BSIMMsc is a valuable tool for identifying reliable vendors. You wouldn’t put something you don’t trust into your body, so why imbed it into your business? 

Understanding what third-party software an organisation employs can be a challenge, making software risk analysis an extremely difficult task. To mitigate this risk, the BSIMMsc focuses explicitly on providing a lightweight indictor of a vendor’s security capability, instead of attempting to measure the security posture of a particular piece of software. By simply measuring software after it has been delivered, firms are often measuring their own ability to test software rather than the vendors’ ability to consistently make good software, leading to inadequate risk management. Determining which fundamentals of software security specific vendors prioritize will provide a more cohesive understanding of associated risk when compared to a simple penetration test.

What’s important?

Following ongoing discussions within the wider BSIMM community, several activities appear to be broadly prioritised. Software vendors and acquirers consider the following pieces of evidence to provide an adequate initial gauge of third-party software security capability:

  • A documented, secure software development lifecycle (e.g., an SSDL that includes security checkpoints)

  • Artefacts showing that the activities described in the SSDL occur as expected (e.g., the results from an architecture risk analysis or a code review)

  • Personal conversations with the software security leader that demonstrate a high level of knowledge about software security initiatives and technology

  • The existence of a full-time software security group (SSG), perhaps called a product or application security group

  • A documented process that ensures security defects are addressed and fixed

  • A third-party review of software security efforts and results 

With this feedback from industry professionals in mind, the BSIMMsc was designed to encompass three design requirements.

Firstly, it shall be explicit and clear about real software security activities. Secondly, it shall discriminate between firms that know little about software security and firms that practice some of the basics. Finally, it shall help assess maturity in a way that coheres with the larger BSIMM. This keeps software vendors accountable for their products and encourages greater transparency between acquirers and vendors.

The BSIMMsc offers the potential to gauge vendor software security efforts by analysing metrics across four industry-specific domains: Governance, Intelligence, SSDL Touchpoints, and Deployment. Within these domains, the BSIMMsc isolated 22 (out of 119) security model activities that outline the maturity of a vendor’s software security development. 

For more information on how to keep your code safe, read the latest BSIMMsc whitepaper by Synopsys.

By Sammy Migues, BSIMM Co-Author and Principal Scientist at Synopsys.

Share article

Jun 16, 2021

Grupo Espinosa: 70 years of constant evolution

Macmillan Education
Grupo Espinosa
3 min
A proudly Mexican company servicing the publishing industry with best-in-class printing, storage and distribution facilities in the heart of Latin America

Founded in 1952, Grupo Espinosa has been relentlessly supporting the publishing industry with producing more than 100 million copies every year – whether its books, magazines, catalogues or single-order custom prints. No project is big or small for Grupo Espinosa, as the facility can scale up on demand and their turnaround times are highly competitive. Grupo Espinosa works with on-demand digital press or offset press, in paperback with glued softcover binding, PUR softcover binding, stitched paperback binding, binder’s board, hardcover, saddle stitched, Spiral or Wire-O. Equipped with the experience needed for a product to leave the plant ready for distribution, Grupo Espinosa delivers anywhere inside or outside Mexico. Traditionally starting off as a black and white printing press, Grupo Espinosa has experienced transformation first hand – from colour to digital offset printing. Currently, Grupo Espinosa is also looking at making capital investments into audio books to match with the increasing demand. 

So how did a seemingly local operation in Latin America become a world-renowned printing facility trusted by hundreds of clients? As Rogelio Tirado, CFO of Grupo Espinosa for the last six years says “It all comes down to our market experience and our dedication to quality”. With nearly 70 years behind them, and located in Mexico City, Grupo Espinosa has two major locations – one spanning 75,000 square metres and the other about 45,000 square metres. Both locations are controlled by a single ERP (Enterprise Resource Planning) system ensuring speed, consistency and quality of work. Tirado says this isn’t their only competitive advantage. He adds “Our competitive advantage is the relationship we have with customers and the trust they put in us with their intellectual property”. Speaking of trust, global publishing giant Macmillan Education exclusively partners with Grupo Espinosa for their Latin America operations, as part of Macmillan’s decentralized hub strategy. Having a facility that offered the full spectrum of service – from storing digital content to printing and distributing – was one of the major requirements for Macmillan, and Grupo Espinosa was recognized as the leading printing hub for providing this 360 infrastructure. Another factor that has led to success for Grupo Espinosa is the absolute focus on quality and time. The staff are committed to providing the best quality in the best possible time, without causing wastage of resources. Sustainability is a huge factor playing into Grupo Espinosa’s operations, and they’ve created a healthy environment with the sustainable use of paper and energy resources as well as keeping their employees – most of them associated with the organisation for over 10 years – happy. He adds, “In order to be truly successful, you need to be good to the environment, employees, suppliers, and your customers. But most importantly, you need to be sustainable, you need to have proper working conditions, pay proper salaries, proper prices for paper, source the paper from sustainable sources, pay your taxes,  basically be a good global corporate citizen and that's probably one of the biggest achievements that we have.”

Share article