May 2020

The Building Security In Maturity Model (BSIMM) project has been compiling research on software security activities in organizations around the globe for over a decade. It collects all the observations from BSIMM assessments of individual organizations and offers conclusions on software security best practices, demonstrates how real-life SSIs mature and evolve, and describes the state of software security within and across industry verticals. In other words, the BSIMM reports on the software security activities real-world organizations are implementing in practice.

When an organization decides to move ahead with a BSIMM assessment, Synopsys sends a team of consultants to conduct in-depth interviews with key security personnel from the Software Security Group (SSG) and the legal, compliance, training, intelligence, incident response, and engineering teams of that organization. With the help of these observations, a score is attributed to the organization’s existing efforts in 119 software security activities across 12 practices.

Below is a spider chart that illustrates how scoring throughout these 12 practices is presented to an organization. This chart shows an organization’s most mature practices in relation to the entire pool of BSIMM participants.

EdgeVerve recently underwent a BSIMM assessment, joining the BSIMM data pool and becoming the first firm headquartered in India to benchmark their software security program with the BSIMM. EdgeVerve is a wholly-owned subsidiary of Infosys Limited. They help clients across the globe navigate their digital journey and drive business value by adopting their AI, Intelligent Automation, and AI-enabled suite of products.

EdgeVerve proactively established a product security group and has been maturing that team for over five years. The team conducts activities such as penetration testing, static analysis (using industry-leading tools such as Coverity), and software composition analysis (with Black Duck). Being part of the BSIMM study now provides EdgeVerve an opportunity to enhance its product security program further and become part of a diverse, global software security community.

EdgeVerve builds products consumed by large, global companies. Secure software is critical to customers. The decision to proceed with a BSIMM assessment reinforces EdgeVerve’s commitment to software security in the development of their product offerings. By exhibiting the presence of a dedicated software security group, EdgeVerve intends to drive organizational change throughout the AI and Automation industry, demonstrating a high degree of security effort in the following BSIMM practices:

What is EdgeVerve doing to ensure security?

Security has always been a top priority for EdgeVerve. A software security group has been a part of the company from day one of its existence. The software security initiatives and a sustained effort in implementation over the years has resulted in the maturity of their security processes.

Security initiatives have been reinforced with the introduction of more advanced controls that are demanded by the changes in today’s technology landscape. For example, in the last 12 to 24 months, some controls have been set up for stringent open source vulnerability identification and tracking. The case is the same with containers. This includes investing in the right set of tools.

The developer community also has access to tools that can identify vulnerabilities in a given version of an open source component before they choose to use it in any EdgeVerve product. A push towards DevSecOps, the integration of static scans within IDEs, and incremental scans to highlight newly introduced issues on a daily basis have helped EdgeVerve to shift security left in the SDLC, thereby improving the maturity of the overall application security process.

Security is embedded at various stages in the product development and deployment life cycles, and several layers of hierarchy in the organization, employing a varied set of tools and processes. Internal audits, internal product security maturity metrics, a dedicated security team, a committed engineering team, a culture that emphasizes shared security responsibility, and unwavering top management support on security initiatives have helped EdgeVerve reach their current security maturity stance.

Security controls are implemented for every release of the product. The controls include static application security testing (SAST), dynamic application security testing (DAST), internal and external penetration testing exercises, open source security audits, and container scans. Guides and checklists for secure deployment also help guide the delivery and operations teams.

Security initiatives are supported and executed by a highly skilled and certified team of security professionals manning the responsibility of EdgeVerve’s security charter. The team includes certified professionals with CISSP, CEH, ISO 27001 LA, OSCP, CBCI, and ITIL certifications. Additionally, their team blends the organizational emphasis on security with specialized skillsets and experience to put effective controls in place. This is reflected in their BSIMM score, placing EdgeVerve higher than the BSIMM pool average in 9 out of 12 practice areas.

EdgeVerve’s security coverage spans across developer orientation to necessary training and enablement. There are secure coding standards for the developer community, and security as a shared responsibility is ingrained into the technical ethos of the organization. For instance, Capture the Flag (CTF) contests and security challenges help keep employee engagement active. The October Cyber Security Awareness Month sees healthy participation from the EdgeVerve developer community as well. Seminars and expert talks from industry leaders in application security is another feature highlighting the importance the firm give to developer training and awareness.

Importance of being a part of software security assessment

Being a software product company, EdgeVerve realizes the importance of sustaining high security standards in the way their products are architected, engineered, validated, and deployed. The success lies in not just fulfilling clients’ requirements of functionality, but also in ensuring that the CISO of client organization feels secure in trusting their products with their customer data and the critical operations that are central to their business.

As EdgeVerve is in the business of AI, automation, and banking software, data is the essential input in delivering the desired outcomes for clients. That makes it considerably more important for an AI product company like EdgeVerve to aim at the highest levels of security while building products.

Providing clients with an internal peek of the security controls they have would probably serve the purpose only partially. But they recognize that if they can benchmark themselves against the practices of a community of firms and be able to quantify the maturity of their security processes, that would be a much more evolved way of providing confidence to their clients. The BSIMM does just that. It provides a view of where EdgeVerve stands with respect to similar organizations that operate in related industries.

Why EdgeVerve chose BSIMM

A data-driven model, BSIMM helps organizations measure the effectiveness and maturity of their software security initiatives accurately. It provides organizations with intelligence to build their software security program on par with global security standards.

Result of the assessment

The BSIMM assessment at EdgeVerve was an intense process. The BSIMM panel conducted interviews of various stakeholders, including the COO, security heads, product engineering staff, and security experts. To accurately represent the facts, multiple rounds of discussions were also conducted. The whole process built confidence in the security practices and even brought out the areas which need strengthening.

EdgeVerve scored above the average of the community of BSIMM10 participants in 9 out of 12 practice areas. The report states that the interviewers “never observed all 119 activities in a single firm, and such a feat is not a reasonable goal.”

Conclusion

EdgeVerve is the first Indian product organization assessed against the BSIMM framework, which is a matter of great pride for several reasons:

Any security expert would undoubtedly admit that security is an ongoing journey. The EdgeVerve team is committed to treading the path of security with utmost seriousness. Their recent BSIMM assessment further emphasizes this. It also points out a few areas where the firm can improve, and they are persistent in their endeavor toward building a robust software security strategy.

Sandesh Mysore Anand, Managing Security Consultant, Synopsys

Ashok Kumar Ratnagiri, Director & Head, Product Security, EdgeVerve

Towards the end of 2018, industry research firm Research and Markets estimated that the global retail industry (including food and grocery, apparel, furniture, consumer electronics, personal care, jewellery) will be valued at USD 31,880 billion by 2023, at a CAGR of over 5%. It looked extremely positive.

Less than 18 months later, today, nearly 35 countries have gone under lockdowns of varying magnitude all over the world. A third of the global population is under lockdown across Asia, Europe, Americas and the Middle East. In much of this world, everything apart from food and grocery has been categorised non-essential, and therefore made almost unavailable. Nordstrom shut all its US stores. Even Amazon isn’t shipping non-essentials in many parts of the world. And there is no consensus on when we’ll see the back of this crisis.

The impact of this on the retail ecosystem is tangible, almost visceral. Globally, there is acute shortage of essentials across stores. Who would have thought we’d have civil unrest over toilet paper? But here we are.

Supply chain resilience is the need of the hour

The idea of supply chain resilience is not new, it has long been discussed in the academia, C-suite as well as on the shop floor. The current pandemic has only accentuated the urgency around it. Experts agree that resilience needs to be adoptive and developmental guiding supply chains to recover from a disruptive event or crisis, as well as find stability in its aftermath. That sure rings a bell!

At EdgeVerve, we believe that two things define supply chain resilience: Their ability to be ‘connected and ‘cognitive’.

Building the foundation of connectedness

Let’s understand a connected supply chain first. A connected supply chain is one that has accurate, end-to-end, near real-time visibility across all its parts — distributors, retailers, local stores etc. On the demand side, this will give the brand sell-through sales and inventory visibility. The granularity of this data at a store- and SKU-level and the ability to receive this in near real-time is what drives the meaningful connections. CPG players are slowly coming to have access to such data but they are few and far between. As the retail industry experts at KPMG write, “The ability to predict and manage demand has never been more important.” But it’s a sad truth that most manufacturers in the retail space don’t have a holistic and timely view of their own supply chain.

And this can be of immense value in today’s unmanageable demand fluctuations, where customers are walking into stores grabbing everything they can into their carts, panic-buying products, and hoarding non-perishables like never before. “Following President Macron’s address on March 12, hypermarkets and supermarkets saw record-breaking sales spiking 84% on the following day (March 13) and up 38% for the whole week, with 6 to 7 times more products sold compared to a regular Friday,” reported Nielsen about the situation in France.

As a result, there arose concerns of stockouts on essentials among CPG players and retailers. A connected supply chain could empower brands to re-direct their products to ‘red zones’ where the demand is high, from other areas where the situation is better. They might be able to identify distributors who have extra stock and move them where needed. They might reduce lead times for delivery by intelligently allocating resources across the supply chain.

Giving it the power of cognition

Cognitive supply chain is one that builds on the data derived from its connectedness towards learning and developing actionable insights. Cognition will drive decisions that optimize KPIs for operations, marketing and brand managers alike. On-time in-full (OTIF), fill rates, inventory turns, promotion effectiveness, to name a few.

A cognitive supply chain leverages artificial intelligence and machine learning capabilities to process complex datasets and variables to make accurate predictions. But, true power is in its ability to sense and adjust in real time.

Consider a typical CPG promotion that runs for 2-3 weeks. Its effectiveness can be measured only with downstream sell-through data. But most CPG companies rely on syndicated data providers like Nielsen and IRI for this data, which may not be timely or have the granularity to react quickly and course correct.

With the ability to use a causal framework to design a promotion and then see the daily sell-through data at a store-level, CPG companies can create micro segments and regularly tweak strategies. In a recent study for a CPG company, we reported 20% stockout for their strategic sales channels for an expensive promotion. This is an surmountable challenge for a cognitive connected supply chain. A recent PWC study finds that only half of the best-in-class digital CPG champions even have the beginnings of a ‘digital twin of their supply chain’.

We might come out of the pandemic to a changed environment — tighter purses, changed channels of purchase, new brand loyalties, new or stressed suppliers, challenges aplenty. At that time, the only thing that’ll differentiate the best from the rest would be their resilience.

At EdgeVerve, we believe that resilient will be those enterprises who invest in a connected cognitive supply chain. The TradeEdge suite of products is designed for enterprises to achieve this vision. We’ve enabled 26 global enterprises — across CPG, apparel, beauty, pharmaceuticals, food and beverages, and technology industries to begin this journey. When you’re ready, we can help you navigate your next.

If you’d like to discuss the product and explore possibilities, don’t hesitate to write to us at Praveen_kombial@edgeverve.com.

Reference:

https://www.pwc.com/gx/en/industries/industrial-manufacturing/digital-supply-chain/digital-champions-2025.html

Month: May 2020

EdgeVerve Completes First BSIMM Assessment in India