Security as Part of Quality
I recently came across the Synopsys Building Security In Maturity Model (BSIMM) report and found myself enthusiastically agreeing with a number of points that it makes. If you are not familiar, the report collects quantitative data from a number of companies each year around their security practices. In it, one of the things that they highlighted was “Security is becoming part of a quality practice, which is being recognized as part of reliability, all in pursuit of resilience”.
The 11th BSIMM report collected data from 130 large companies in a wide range of industries. The participants in this year’s report ranged from Adobe to Zendesk and included companies as varied as Eli Lilly, HSBC, and Medtronic. “The purpose of the BSIMM is to quantify the activities carried out by various kinds of SSIs across many organizations.” The report is generated from survey data on common security practices gathered across these companies. From there, the practices are grouped into 4 major categories: Governance, Intelligence, SSDL Touchpoints, and Deployment. Each major category is then broken down into subcategories such as Code Review. For each subcategory, there are 3 levels, each with 2 to 5 real-world practices, such as “Use automated tools along with manual review” in Level 1 and “Automate malicious code detection” in Level 3. Based on interviews, each company is then assessed to determine whether it performs each activity or not.
In the early part of the 2020 epoch, 3X Engineer Paul ("pk") Pereyda Karayan and I presented at BSidesSF about the intersection of security and quality assurance. We had a simple question: “Aren’t we all just hunting bugs?” One of the key takeaways was that from a user’s perspective it doesn’t matter whether a bug is classified as a security bug or not. Oftentimes, as practitioners, we lose sight of the user experience. We are so caught up in the nuances of filing bugs in Jira that we miss the forest for the trees. Over the years, this realization has started to spread through Silicon Valley, most notably in Facebook’s change of motto from “Move fast and break things” to “Move fast with stable infrastructure.” As with Facebook, so the industry has started to focus not just on speed, but also on stability and resilience.
The false dichotomy inherent in focusing only on security bugs necessarily sets up gates. Security needs to become part of an overall quality program. Resilience can no longer mean just seamlessly recovering from infrastructure outages. One of the key approaches we talked about at BSidesSF was to formally have Security and QA teams work closely together. This necessitates a shift-left mentality. Today many talk about Shift Left solely in the context of security issues, but it was actually “first introduced in 2001 by Larry Smith to encourage more comprehensive testing done by both developers and QA earlier in the process.” Security is part of an overall quality program and should be looked at holistically as such.