The Building Security In Maturity Model (BSIMM) tracks the evolution of software security each year. It is both a roadmap and a measuring stick for organizations seeking to create or improve their application security programs.
Now in its 11th iteration, this year’s BSIMM (BSIMM11) includes findings from 130 companies, across nine industry verticals, and spanning multiple geographies.
Four key activities were found to be trending in BSIMM11. As these activities are on the rise, it’s useful for organizations to compare them against their own programs and determine if they represent a gap or void to be filled.
- Governance as code
BSIMM11 shows organizations are continuing to replace manual governance activities with automated solutions. There are two drivers behind this trend: speed, or feature velocity, and a people shortage, or “skills gap.”
Assigning repetitive analysis and procedural tasks to bots, sensors, and other automated tools makes practical sense and is increasingly how organizations are addressing both the skills gap and time pressures.
While this shift to automation has increased velocity and fluidity, it hasn’t taken control of security standards and policy away from humans. Even with automation, a security policy must remain accessible and understandable for an application security program to be effective.
2. Continuous defect discovery
Continuous integration and testing have rendered governance checkpoints, or a gate relying on data from a point-in-time scan, obsolete. BSIMM11 documents that organizations are implementing modern defect-discovery tools, both open source and commercial, and favoring monitoring and continuous reporting approaches. This means defect discovery is no longer slowing development.
3. Continuous activity: Shift everywhere
Organizations can no longer perform all traditional application security activities in compartmentalized phases. Instead, security activities are being expanded across all phases as a continuous effort. This is being referred to as “shift everywhere,” a correction to a misconception with “shift left,” which was never meant to be inferred as shift only left.
“Shift everywhere” means conducting a security activity as quickly as possible, with the highest fidelity, as soon as the artifacts on which that activity depends are available. In some cases, it means shifting left—to the beginning of the software development lifecycle (SDLC)—but in other cases, it means shifting to the middle or the right.
4. Security as resilience and quality
BSIMM11 notes that in some organizations, security is becoming a component of quality, which is becoming a component of reliability, which is a part of resilience—the operational goal for many development or engineering groups.
While this trend has been building for a while, BSIMM11 found organizations being more proactive in their efforts to build reliable software by adding activities to the SDLC. Additionally, organizations are adopting resilience practices, most prevalently in engineering-led initiatives. Application security activities are integral parts of both quality assurance and resilience; many testing activities, such as SAST and SCA, fit naturally into quality assurance practices.
Taylor Armerding, Senior Cybersecurity Writer, Synopsys
Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle. Learn more at www.synopsys.com/software.
