What the Building In Security Maturity Model (BSIMM) Says About the Role of SAST and SCA

BSIMM is an annual study of real-world software security initiatives (SSIs, in the report's terminology) across the software industry, built on data gathered from 130 participating organizations. Rather than restate the purpose of the study, this quote from the report summarizes it best:

The BSIMM is a yardstick for software security. The best way to use it is to compare your own initiative with what other organizations are doing. You can define your own objectives and then consult the BSIMM to determine which additional activities are suitable for you.

... In the rapidly evolving field of software security, understanding what most, some, and few other organizations do in their SSI can directly inform your own strategy.

Summary, BSIMM11.

The key concept here is the yardstick. BSIMM is a way to measure where you are and to plan where you want to go. It gives software organizations a common vocabulary to compare, discuss, implement, measure, report on and improve the way they work, and to do so in conversation with their peers.

The BSIMM11 framework

BSIMM is organized into domains and practices, each containing a number of activities that make up an SSI. The structure is illustrated below:

Source: BSIMM11, Part 2, BSIMM11 Framework

The maturity aspect of the BSIMM model covers improvement and optimization: the model describes the main practice areas an SSI should cover, and as organizations move from an ad hoc approach to a more strategic one, they move up the maturity ladder. BSIMM defines the levels as emerging, maturing and optimizing, and notes that progression through them is not necessarily linear and need not end in an optimizing state.

I will not go through every practice in detail here, but several of them clearly involve SAST (static application security testing) and SCA (software composition analysis). Below I look briefly at Standards and Requirements (SR), Code Review (CR) and Security Testing (ST).

The role of SAST and SCA in BSIMM11

The BSIMM recommendations make clear that tools and automation play an important role in software security, and that as a practice matures, its use of tools becomes more sophisticated. Looking at the governance-led "Getting Started" checklist: item 2, software inventory, is where SCA matters; item 5, defect discovery, i.e. finding and exposing existing vulnerabilities, is where SAST, SCA and other detection tools play an important role; item 6, selection of security controls, includes setting secure coding standards and prioritizing the detection and prevention of high-risk vulnerability classes; item 7, repeatability, covers automation (including tooling), cyclical processes and the adoption of DevSecOps, all of which modern tools are expected to support. Although these guidelines go well beyond the use of tools, tools clearly have an important part to play as security practices mature.

In the Standards and Requirements (SR) practice, emerging activities include security standards that place constraints on the software being developed in order to reduce vulnerabilities. Maturing activities include the use of open-source risk information to determine risk and exposure. Optimizing organizations use and enforce secure coding standards, manage the risks of open source software and secure their software supply chain.

Let's also look at the Code Review (CR) practice. BSIMM notes that an emerging activity is the introduction of SAST alongside manual review. A maturing activity is the use of custom rules and the organization of targeted vulnerability classes into a Top N list (the organization's own list, as distinct from a generic OWASP or CWE list). In the optimizing phase, organizations work to eradicate whole classes of critical vulnerabilities, automate the detection of malicious code and enforce coding standards, all areas in which SAST plays an important role.

Software asset inventories are highlighted in several places (as in the "Getting Started" checklist above), as is the monitoring and enforcement of software supply-chain policies. For example, third-party software, including open source, should be considered a potential attack target (AM 1.3). SCA plays an important role here, both in producing software bills of materials (SBOMs) and in identifying exposure to known vulnerabilities in the supply chain.

Mature organizations optimize their use of SAST and SCA

Tools clearly play a role in the maturing of security practices, and although the improvements BSIMM describes are organizational, using tools to their full potential where they make sense is an important part of that. In fact, these companies get more value and a better return on investment from their tools as their practices evolve. BSIMM highlights a number of themes for companies that are maturing and optimizing their software security practice, and it is not surprising that SAST and SCA (alongside other tools, of course) play a role in each of them.

  • Software supply chain management: Mature organizations understand that their software does not stand alone but depends on many third-party software stacks. It is important to understand both the direct dependencies and the hidden, transitive dependencies buried in third-party code. As their processes evolve, they begin to apply the same security practices to their software supply chain that they apply to their own code.
  • Top N risk reduction: Prioritizing security improvements is essential, and mature organizations build their own targeted lists of vulnerability classes. These targeted classes can be used to streamline and prioritize SAST and SCA configuration, and to decide which alerts must be addressed first.
  • Tool tuning: It goes without saying that mature companies adapt tools to their needs. With SAST tools, more sophisticated use includes integration into the test infrastructure and customizable rule sets, which improve the return on investment from the tools.
  • Feedback loops: SAST tools provide important metrics and an overall indicator of product quality and security. SAST on the developer's desktop gives immediate feedback on newly introduced vulnerabilities. SAST and SCA tools in the CI/CD pipeline give valuable product-level feedback on vulnerabilities and make it possible to follow the evolution of the software over time. Collecting this data reveals improvement trends and problem areas.
  • Data-driven management: Extending the feedback from SAST and SCA tools, per-build data provides a continuous barometer of product status. Trend analysis of this data shows the relative level of risk for particular vulnerability classes and software components. Smart teams use this data to focus testing and security effort in each iteration. For products that must meet particular standards, SAST tools generate the reports needed to support testing and compliance. SCA tools help teams keep track of the risk of third-party software as new vulnerabilities are discovered in the components they depend on.
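The Top N, feedback-loop and data-driven management bullets above describe a triage loop that is easy to show in code. The following Python script is an added example written for this page; it is not code from the original post, from GrammaTech or from BSIMM. It matches a constructed SBOM against a constructed advisory feed (the SCA step), merges the result with constructed SAST findings, orders everything by a hypothetical organization's own Top N CWE list, decides whether the build gate passes, and diffs the findings against the previous build to produce the per-build trend. All field names, the Top N list, the CVE identifier and every finding are assumptions invented for the example, not real tool output or real vulnerabilities.

```python
"""Per-build SAST/SCA triage against an organization's Top N list.

All input data, field names and identifiers in this file are constructed
for illustration; they are not any real tool's output format or real CVEs.
"""
from dataclasses import dataclass

# Hypothetical organization Top N: CWE IDs ranked by the team, most important first.
TOP_N_CWES = ["CWE-787", "CWE-89", "CWE-78", "CWE-79", "CWE-502"]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    source: str    # "sast" or "sca"
    key: str       # stable identity: CWE@location for SAST, name@version:CVE for SCA
    cwe: str       # CWE class of the weakness
    severity: str  # "critical" | "high" | "medium" | "low"


def sast_findings(results):
    """Normalize constructed SAST results ({cwe, location, severity}) to Findings."""
    return [Finding("sast", f"{r['cwe']}@{r['location']}", r["cwe"], r["severity"])
            for r in results]


def sca_findings(sbom, advisories):
    """Match SBOM components ({name, version}) against an advisory feed.

    advisories maps (name, version) -> [(cve_id, cwe, severity), ...].
    Only exact (name, version) matches are reported; a real SCA tool would
    also resolve version ranges and transitive dependencies.
    """
    out = []
    for comp in sbom:
        for cve, cwe, sev in advisories.get((comp["name"], comp["version"]), []):
            out.append(Finding("sca", f"{comp['name']}@{comp['version']}:{cve}", cwe, sev))
    return out


def prioritize(findings):
    """Top N CWEs first (in Top N order), then by severity; everything else after."""
    def sort_key(f):
        rank = TOP_N_CWES.index(f.cwe) if f.cwe in TOP_N_CWES else len(TOP_N_CWES)
        return (rank, SEVERITY_RANK[f.severity], f.key)
    return sorted(findings, key=sort_key)


def gate(findings):
    """Pass the build only if no Top N finding and no critical finding remains."""
    return not any(f.cwe in TOP_N_CWES or f.severity == "critical" for f in findings)


def trend(previous, current):
    """Build-over-build delta keyed on stable finding identity."""
    prev, cur = {f.key for f in previous}, {f.key for f in current}
    return {"new": sorted(cur - prev), "fixed": sorted(prev - cur), "carried": sorted(cur & prev)}


def run_example():
    """Two consecutive builds of a constructed product; returns the triage summary."""
    sbom = [{"name": "libfoo", "version": "1.2.3"}, {"name": "jsonparse", "version": "0.9.0"}]
    # Fictitious advisory feed: one deserialization issue in one pinned component.
    advisories = {("jsonparse", "0.9.0"): [("CVE-0000-0001", "CWE-502", "high")]}
    # Constructed SAST results for the previous and current builds.
    previous_sast = [{"cwe": "CWE-787", "location": "src/parse.c:42", "severity": "high"},
                     {"cwe": "CWE-476", "location": "src/net.c:10", "severity": "medium"}]
    current_sast = [{"cwe": "CWE-476", "location": "src/net.c:10", "severity": "medium"},
                    {"cwe": "CWE-79", "location": "web/view.py:88", "severity": "medium"}]

    previous = sast_findings(previous_sast) + sca_findings(sbom, advisories)
    current = sast_findings(current_sast) + sca_findings(sbom, advisories)
    return {
        "prioritized": [f.key for f in prioritize(current)],
        "gate_passed": gate(current),
        "trend": trend(previous, current),
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

The ordering puts the organization's own Top N ahead of raw tool severity, which is the point of the Top N bullet: a medium-severity XSS finding outranks a medium null-dereference because the team has decided XSS is one of its targeted classes. The trend output is what feeds the per-build barometer; a real pipeline would persist each build's key set and chart new/fixed/carried counts per CWE over time.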

Clearly, as an organization's security practice matures, its use of tools becomes both broader and more sophisticated. Such organizations also rely more and more on the data those tools produce to make decisions, which improves productivity because effort is concentrated where it matters.


The BSIMM11 report provides interesting insight into current security practices in the software industry. It also defines a framework, based on observing firms at each maturity level, that organizations wanting to mature their own practice can follow. Automation and tools play an important role in supporting more mature processes, and mature companies use their tools in more advanced ways.

SAST and SCA tools play an important role in improving software security, and BSIMM shows that deeper integration of tools into the security practice goes hand in hand with organizational maturity. Advanced static analysis detects and prevents security vulnerabilities and lets developers focus on security from their own desktops. SCA tools inventory the software stack and identify areas of risk in the supply chain. The increasing integration and customization of these tools within existing workflows is a sign of mature use.

*** This is a Security Bloggers Network syndicated blog post by Mark Hermeling. The original post can be found at https://blogs.grammatech.com/what-the-building-in-security-maturity-model-bsimm-says-about-the-role-of-sast-and-sca.
