In a rapidly changing world, security is more important than ever. With good security, customers can trust organizations to take their digital infrastructure to the next level. But how do you implement top security measures across a large, complex company?
At ServiceNow, we use our own products to protect ourselves and our customers, and to extend the functionality of the Now Platform. To see how we measure up against the rest of the industry, we use the Building Security in Maturity Model (BSIMM), a roughly 100-page document that catalogs 122 software security activities observed in real organizations and lets a firm compare its own program against that data.
Owned by Sunnyvale-based electronic design automation company Synopsys, BSIMM is a “taxonomy of security behaviors that allow organizations to measure and improve their software development practice,” explains Steve S., director of product security management at ServiceNow.
In other words, BSIMM tells you what mature software security programs actually do and gives you a yardstick for measuring your own. But most organizations struggle to digest all of those activities and turn them into a program that fits each part of their business. That’s why ServiceNow built a BSIMM app on the Now Platform.
With red teams that organize planned hacks of our systems, bad-actor simulations, and threat models of potential malicious activity, a day in the life of a ServiceNow security employee sounds a lot like a James Bond movie.
“My goal is to keep ServiceNow’s name out of the 11:00 news,” says Bobby W., senior staff product security engineer for the company. “It’s very important for trust to be maintained at a company that’s knee-deep in third-party vendor relationships. That’s our brand right there.”
Prior to the creation of the BSIMM app, the assessment of security behaviors “was done on spreadsheets, which is a horrible thing to do to somebody,” Bobby says, laughing. “My last spreadsheet [at a prior job] was 30 workbooks long.”
Steve had a thought: Why don’t we figure out how to do this ourselves? “We designed the app for how we would actually use it,” he explains. “We incorporated all BSIMM activities across all versions [there’s an updated list every year], as well as the spider graphs that show where you are in relation to your peers, the world, etc.”
“The app allows us to take something as broad as a framework that’s three to four weeks of work, multiple conversations, and groups of teams involved, and build spider charts and services that can actually identify two to three years of work in just a simple series of reporting metrics,” Bobby says. What was once an intangible process is seamlessly transformed into quick, tangible action steps. It’s operationalized.
“It’s tough to come across, and really a beautiful thing to do. It’s something I’ve not been able to do at other companies,” Bobby adds.
When working with various teams across ServiceNow, our security champions don’t have to waste energy distilling complex information—the app does it for them. “We’re filtering it down to what’s specific to [each team] and how they compare to other people,” Bobby says. “Because I’m working so fast, I’m not focused on curating information. I can focus on what I’m trying to do and what I’m trying to say.”
Manshu V., principal digital technology (DT) program manager at ServiceNow, uses the BSIMM app to monitor and improve the security practices across the DT organization. “It’s especially important because our folks in DT use our own products,” he says.
Because the BSIMM app distills the model down to what matters for DT, Manshu can prioritize what’s most important to that organization. He’s helped build threat-modeled secure designs for apps, code-scanning processes, and even planned hacks of our systems to find vulnerabilities. Although those exercises haven’t produced any “alarming findings,” Manshu finds the process fascinating, he says.
Without the BSIMM app, Manshu says, it can be tempting to simply choose the “easiest” behaviors to implement, which may not have the most value. Just as building a house in California versus Florida involves different ecological threats, different ServiceNow teams have different security threats, he adds.
With the BSIMM app, nothing is left to chance. It tailors the assessment results to the specific team and organization being assessed, and it lays out an action plan for raising that team’s security maturity. Security testing requires commitment, hard work, and taking risks, but it’s worth it, Manshu says.
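To make the mechanics concrete, here is an added example (not the ServiceNow app’s code, which this article does not show) of the arithmetic behind a BSIMM scorecard as described above: per-practice high-water marks, the peer comparison that a spider chart plots, a per-team view, and the gap list that becomes an action plan. The twelve practice abbreviations and the high-water-mark rule (the highest level at which a practice has at least one observed activity) are BSIMM’s own. The activity catalog, the team assessment, the three peer assessments and the function names are constructed for the example and are not the published BSIMM activity list.

```python
"""BSIMM-style scorecard: high-water marks, peer comparison, action plan.

Added example. The practice abbreviations are BSIMM's; the activity catalog,
assessments and function names below are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

# The twelve BSIMM practices (three per domain: Governance, Intelligence,
# SSDL Touchpoints, Deployment), keyed by BSIMM's practice abbreviations.
PRACTICES = {
    "SM": "Strategy & Metrics", "CP": "Compliance & Policy", "T": "Training",
    "AM": "Attack Models", "SFD": "Security Features & Design",
    "SR": "Standards & Requirements", "AA": "Architecture Analysis",
    "CR": "Code Review", "ST": "Security Testing", "PT": "Penetration Testing",
    "SE": "Software Environment", "CMVM": "Config. & Vuln. Management",
}


def _catalog() -> Dict[str, Tuple[str, int]]:
    """Constructed catalog: activity id -> (practice, level). The ids follow
    BSIMM's <practice><level>.<ordinal> pattern, but two activities per level
    is a simplification, not the real list, and descriptions are omitted."""
    cat: Dict[str, Tuple[str, int]] = {}
    for prac in PRACTICES:
        for level in (1, 2, 3):
            for ordinal in (1, 2):
                cat[f"{prac}{level}.{ordinal}"] = (prac, level)
    return cat


CATALOG = _catalog()


def high_water_marks(observed: Iterable[str]) -> Dict[str, int]:
    """BSIMM high-water mark: the highest level with at least one observed
    activity in the practice (0 if none). Unknown ids are an error, not
    silently dropped, so a typo cannot inflate or deflate a score."""
    hwm = {prac: 0 for prac in PRACTICES}
    for act in observed:
        if act not in CATALOG:
            raise ValueError(f"unknown activity id: {act}")
        prac, level = CATALOG[act]
        hwm[prac] = max(hwm[prac], level)
    return hwm


def peer_average(peer_assessments: Sequence[Iterable[str]]) -> Dict[str, float]:
    """Average high-water mark per practice across a comparison group: the
    second line drawn on a BSIMM spider chart."""
    totals: Dict[str, float] = defaultdict(float)
    for observed in peer_assessments:
        for prac, mark in high_water_marks(observed).items():
            totals[prac] += mark
    n = len(peer_assessments)
    return {prac: totals[prac] / n for prac in PRACTICES}


def spider_rows(observed: Iterable[str],
                peers: Sequence[Iterable[str]]) -> List[Tuple[str, int, float, float]]:
    """One row per practice: (practice, our mark, peer average, delta).
    This is the data a spider chart plots; the rows themselves are the
    per-team view the text describes once `observed` is one team's scope."""
    ours = high_water_marks(observed)
    avg = peer_average(peers)
    return [(p, ours[p], round(avg[p], 2), round(ours[p] - avg[p], 2))
            for p in PRACTICES]


def action_plan(observed: Iterable[str], horizon_levels: int = 1) -> Dict[str, List[str]]:
    """Unobserved activities up to `horizon_levels` above each practice's
    current high-water mark, lowest level first: the next increment of work,
    rather than every remaining activity at once."""
    seen = set(observed)
    hwm = high_water_marks(seen)
    plan: Dict[str, List[str]] = defaultdict(list)
    for act, (prac, level) in sorted(CATALOG.items(), key=lambda kv: (kv[1][1], kv[0])):
        if act not in seen and level <= hwm[prac] + horizon_levels:
            plan[prac].append(act)
    return dict(plan)


# Constructed sample data: one team's assessment and three peer assessments.
TEAM_A = ["SM1.1", "SM2.1", "CP1.1", "T1.1", "T1.2", "AM1.1", "SR1.1", "AA1.1",
          "CR1.1", "CR2.2", "ST1.1", "PT1.1", "PT2.1", "SE1.1",
          "CMVM1.1", "CMVM2.1", "CMVM3.1"]
PEERS = [
    ["SM1.1", "CP1.1", "T1.1", "AM1.1", "SFD1.1", "SR1.1", "AA1.1", "CR1.1",
     "ST1.1", "PT1.1", "SE1.1", "CMVM1.1"],
    ["SM1.1", "SM2.1", "SM3.1", "CP1.1", "CP2.1", "T1.1", "AM1.1", "AM2.1",
     "SFD1.1", "SFD2.1", "SR1.1", "SR2.1", "AA1.1", "CR1.1", "CR2.1", "ST1.1",
     "ST2.1", "PT1.1", "PT2.1", "SE1.1", "CMVM1.1", "CMVM2.1"],
    ["SM1.1", "CP1.1", "T1.1", "AM1.1", "SFD1.1", "SFD3.1", "SR1.1", "AA1.1",
     "AA2.1", "CR1.1", "ST1.1", "PT1.1", "SE1.1", "SE2.1", "CMVM1.1"],
]

if __name__ == "__main__":
    for prac, ours, avg, delta in spider_rows(TEAM_A, PEERS):
        print(f"{PRACTICES[prac]:<28} us={ours} peers={avg:.2f} delta={delta:+.2f}")
    for prac, todo in action_plan(TEAM_A).items():
        print(f"next for {prac}: {', '.join(todo)}")
```

Run as a script it prints the twelve spider-chart rows for the constructed team and the next-step activities per practice; the practice with no observed activity at all (SFD in the sample) shows up as a mark of 0 against a peer average of 2.0, which is exactly the kind of gap the text says the app surfaces.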
“If we’re going to be the most trusted SaaS [software as a service] provider, we need to be secure,” Steve adds. “As [ServiceNow CEO] Bill McDermott says, ‘Trust is the ultimate human currency. It’s earned in drops and lost in buckets.’”
Work at a company that takes security seriously. Apply for a role at ServiceNow.
© 2023 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.