Collective Intelligence Podcast, Gary McGraw on BSIMM9 and Supply Chain Security
The Building Security In Maturity Model, better known as BSIMM, has become the de facto tool for measuring software security in the enterprise. One of its architects, Gary McGraw, vice president of security technology at Synopsys, is a software security pioneer having written numerous books on the topic. He joins editorial director Mike Mimoso on this episode of the Collective Intelligence podcast to discuss BSIMM9, the latest version of the report and some of the trends that emerged out of the data collected from 120 contributing companies.
McGraw identified one takeaway as the architectural convergence among internet of things vendors, independent software vendors, and cloud vendors. Similar secure development practices have emerged between the three vertical markets, with McGraw calling it a “natural convergence.”
Driving this convergence, he said, is the distributed nature of these three separate markets requiring similar approaches in securing them. In concert, DevOps continues to inch forward as a priority as organizations release updates quicker and continuous integration is becoming a reality for many development shops. The integration of security into DevOps is another emerging trend of note, the report says.
BSIMM9 also features for the first time the inclusion of nine retail companies as contributors, and McGraw notes that retail’s software security practices are already ahead of its healthcare counterparts. One reason is the rash of payment card breaches to hit major retailers in the last five years driving those organizations to lock down security practices.
Finally, McGraw discusses the state of supply chain security in the enterprise and the risks posed by interdiction at a supplier, and what kind of visibility enterprises can demand contractually into a vendor’s code review and other secure development practices.
The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.