The Building Security In Maturity Model (BSIMM) project has been compiling research on software security activities in organizations around the globe for over a decade. It collects all the observations from BSIMM assessments of individual organizations and offers conclusions on software security best practices, demonstrates how real-life SSIs mature and evolve, and describes the state of software security within and across industry verticals. In other words, the BSIMM reports on the software security activities real-world organizations are implementing in practice.
When an organization decides to move ahead with a BSIMM assessment, Synopsys sends a team of consultants to conduct in-depth interviews with key security personnel from the Software Security Group (SSG) and the legal, compliance, training, intelligence, incident response, and engineering teams of that organization. With the help of these observations, a score is attributed to the organization’s existing efforts in 119 software security activities across 12 practices.
Below is a spider chart that illustrates how scoring throughout these 12 practices is presented to an organization. This chart shows an organization’s most mature practices in relation to the entire pool of BSIMM participants.
EdgeVerve recently underwent a BSIMM assessment, joining the BSIMM data pool and becoming the first firm headquartered in India to benchmark their software security program with the BSIMM. EdgeVerve is a wholly-owned subsidiary of Infosys Limited. They help clients across the globe navigate their digital journey and drive business value by adopting their AI, Intelligent Automation, and AI-enabled suite of products.
EdgeVerve proactively established a product security group and has been maturing that team for over five years. The team conducts activities such as penetration testing, static analysis (using industry-leading tools such as Coverity), and software composition analysis (with Black Duck). Being part of the BSIMM study now provides EdgeVerve an opportunity to enhance its product security program further and become part of a diverse, global software security community.
EdgeVerve builds products consumed by large, global companies. Secure software is critical to customers. The decision to proceed with a BSIMM assessment reinforces EdgeVerve’s commitment to software security in the development of their product offerings. By exhibiting the presence of a dedicated software security group, EdgeVerve intends to drive organizational change throughout the AI and Automation industry, demonstrating a high degree of security effort in the following BSIMM practices:
What is EdgeVerve doing to ensure security?
Security has always been a top priority for EdgeVerve. A software security group has been a part of the company from day one of its existence. The software security initiatives and a sustained effort in implementation over the years has resulted in the maturity of their security processes.
Security initiatives have been reinforced with the introduction of more advanced controls that are demanded by the changes in today’s technology landscape. For example, in the last 12 to 24 months, some controls have been set up for stringent open source vulnerability identification and tracking. The case is the same with containers. This includes investing in the right set of tools.
The developer community also has access to tools that can identify vulnerabilities in a given version of an open source component before they choose to use it in any EdgeVerve product. A push towards DevSecOps, the integration of static scans within IDEs, and incremental scans to highlight newly introduced issues on a daily basis have helped EdgeVerve to shift security left in the SDLC, thereby improving the maturity of the overall application security process.
Security is embedded at various stages in the product development and deployment life cycles, and several layers of hierarchy in the organization, employing a varied set of tools and processes. Internal audits, internal product security maturity metrics, a dedicated security team, a committed engineering team, a culture that emphasizes shared security responsibility, and unwavering top management support on security initiatives have helped EdgeVerve reach their current security maturity stance.
Security controls are implemented for every release of the product. The controls include static application security testing (SAST), dynamic application security testing (DAST), internal and external penetration testing exercises, open source security audits, and container scans. Guides and checklists for secure deployment also help guide the delivery and operations teams.
Security initiatives are supported and executed by a highly skilled and certified team of security professionals manning the responsibility of EdgeVerve’s security charter. The team includes certified professionals with CISSP, CEH, ISO 27001 LA, OSCP, CBCI, and ITIL certifications. Additionally, their team blends the organizational emphasis on security with specialized skillsets and experience to put effective controls in place. This is reflected in their BSIMM score, placing EdgeVerve higher than the BSIMM pool average in 9 out of 12 practice areas.
EdgeVerve’s security coverage spans across developer orientation to necessary training and enablement. There are secure coding standards for the developer community, and security as a shared responsibility is ingrained into the technical ethos of the organization. For instance, Capture the Flag (CTF) contests and security challenges help keep employee engagement active. The October Cyber Security Awareness Month sees healthy participation from the EdgeVerve developer community as well. Seminars and expert talks from industry leaders in application security is another feature highlighting the importance the firm give to developer training and awareness.
Importance of being a part of software security assessment
Being a software product company, EdgeVerve realizes the importance of sustaining high security standards in the way their products are architected, engineered, validated, and deployed. The success lies in not just fulfilling clients’ requirements of functionality, but also in ensuring that the CISO of client organization feels secure in trusting their products with their customer data and the critical operations that are central to their business.
As EdgeVerve is in the business of AI, automation, and banking software, data is the essential input in delivering the desired outcomes for clients. That makes it considerably more important for an AI product company like EdgeVerve to aim at the highest levels of security while building products.
Providing clients with an internal peek of the security controls they have would probably serve the purpose only partially. But they recognize that if they can benchmark themselves against the practices of a community of firms and be able to quantify the maturity of their security processes, that would be a much more evolved way of providing confidence to their clients. The BSIMM does just that. It provides a view of where EdgeVerve stands with respect to similar organizations that operate in related industries.
Why EdgeVerve chose BSIMM
A data-driven model, BSIMM helps organizations measure the effectiveness and maturity of their software security initiatives accurately. It provides organizations with intelligence to build their software security program on par with global security standards.
Result of the assessment
The BSIMM assessment at EdgeVerve was an intense process. The BSIMM panel conducted interviews of various stakeholders, including the COO, security heads, product engineering staff, and security experts. To accurately represent the facts, multiple rounds of discussions were also conducted. The whole process built confidence in the security practices and even brought out the areas which need strengthening.
EdgeVerve scored above the average of the community of BSIMM10 participants in 9 out of 12 practice areas. The report states that the interviewers “never observed all 119 activities in a single firm, and such a feat is not a reasonable goal.”
Conclusion
EdgeVerve is the first Indian product organization assessed against the BSIMM framework, which is a matter of great pride for several reasons:
Any security expert would undoubtedly admit that security is an ongoing journey. The EdgeVerve team is committed to treading the path of security with utmost seriousness. Their recent BSIMM assessment further emphasizes this. It also points out a few areas where the firm can improve, and they are persistent in their endeavor toward building a robust software security strategy.