
12 Questions to Ask for Organisations to Know Where Your Software Security Initiatives (SSI) Stand

by Lekshmi Nair, Managing Principal, Synopsys Software Integrity Group

In today’s digital landscape, insecure software can pose significant risks to businesses. Imagine the damage if a financial institution is breached because of a security loophole in its software. It is not just sensitive data and intellectual property that are jeopardised: there is also the financial loss from legal action, regulatory penalties and the cost of compensating affected customers, not to mention the hit to the bank’s stock value and the loss of its customers’ trust. The list goes on. Verizon’s Data Breach Investigations Report (DBIR) has, in two consecutive years, reported web application attacks as one of the top two attack categories. Further, the 2022 Cost of a Data Breach Report produced by the Ponemon Institute states that the cost of a data breach reached an all-time high, averaging USD 4.35 million in 2022.

In an era dominated by headlines of cyber breaches happening globally, the message is crystal clear: every business, regardless of its scale, is a software business. In the wake of the major breaches of recent years, it is evident that as long as an organisation has an online presence, it is inherently susceptible to these risks. Consequently, software security emerges as a critical aspect of any organisation’s operations. With the ever-increasing sophistication of cyber threats, it is essential for businesses to prioritise the security of the software they build and use.

To address these risks, organisations need to assess the maturity of their Software Security Initiative (SSI) and prioritise investments in tandem with current industry trends and competitor benchmarks. An SSI refers to the measures and processes an organisation implements to ensure the security of its software. The goal of an SSI is to build trust in the software by mitigating the risk of vulnerabilities and exploits. While there is no one-size-fits-all approach to an SSI, organisations can benefit from learning about the practices and strategies adopted by others in their industry.

Here are the 12 questions businesses should ask to understand their SSI maturity. These questions will help identify areas for improvement and guide them towards a more robust software security posture:

Is Your SSI Keeping Pace with Change in Your Software Portfolio?

  • Do you maintain at least a near-current view of all your software and development assets, including internal code, third-party code, open source, development environments and toolchains, infrastructure-as-code, and other software assets?

  • Are you creating software bills of materials (SBOMs) that detail all the components in your software portfolio, and using them in your risk management processes?

  • Do you have a near-real-time view of your operations environments, along with a view into their aggregate attack surface and aggregate risk?

Are You Creating the DevSecOps Culture You Need?

  • Are you building bridges between the various software security stakeholders in your organisation—governance, technical, audit, vendor management, cloud, etc.—to align culture, approach, technology stacks, and testing strategies?

  • Have you scaled your security champions program across your software portfolio, including skills specific to automation, technology stacks, application architectures, cloud-native development, and other important DevOps needs?

  • Are you delivering important security policy, standards, and guidelines as-code that run in engineering and operations toolchains?

Are You Shifting Security Efforts Everywhere in the Engineering Lifecycle?

  • Are you automating security decisions to remove the time-consuming manual review and moving toward a secure, auditable, governance-as-code-driven SDLC?

  • Are you following a shift everywhere strategy to move from large, time-consuming security tests to smaller, faster, timelier, pipeline-driven security tests conducted to improve engineering team performance?

  • Are you managing supply chain risk through vendor software assurance, governance-driven access and usage controls, maintenance standards, and collected provenance data?

How Does Your SSI Measure Up?

  • Do you routinely use telemetry from security testing, operations events, risk management processes, event postmortems, and other efforts to drive process and automation improvements in your DevOps toolchain or governance improvements in your policies and standards?

  • Does your SSI strategy include security efforts needed specifically for modern technologies, such as cloud, container, orchestration, open source management, development pipeline, etc.?

  • Are you actively experimenting with new technologies, such as AI and large language models (LLMs), that have the potential to integrate security and engineering functions while also reducing engineering friction?

Most organisations have already covered the basics of software security policy, testing, and outreach. It takes a concerted effort to scale an SSI to address changes in portfolio size, technology, infrastructure, regulation, laws, attackers, attacks, and more. Internal review of efforts vs. needs is always a good way to move forward.

Using BSIMM to Make Progress

After answering all 12 questions, it is important to see your company’s position relative to the industry. The Synopsys Building Security In Maturity Model (BSIMM) scorecard serves as a measuring stick to determine where your SSI currently stands relative to the participants, whether as a whole or for specific verticals. A direct comparison of your efforts against the BSIMM scorecard for the entire data pool is probably the best first step. It helps organisations understand their current security posture, communicate their software security efforts to stakeholders, and track progress over time.

Synopsys’ BSIMM report, now in its 14th iteration, contains information from more than 130 companies in eight verticals about what’s working, what isn’t, what’s changing about the risks and threat landscapes they’re facing, and how they’re responding to those changes. This annual report by the Synopsys Software Integrity Group helps organisations maximise the benefits and minimise the pain of a world run by software.
