The Building Security In Maturity Model (BSIMM)—the annual report on the evolution of software security initiatives (SSIs)—is gaining some maturity . The latest report, which went public on September 15, is the 11th iteration.

The BSIMM is a real-world view of application security activities on which organizations are spending time and money.

Here are some key takeaways from this year’s report.

Don’t just shift left: Shift everywhere

When Cigital began writing about the concept of shifting left around 2006, it was addressing a niche audience. But the term rapidly became a mantra for product vendors and at security conferences, dominating presentations and panel discussions. The concept was never meant to be taken literally, as in “shift (only) left.”

“What we really meant is more accurately described as shift everywhere, to conduct an activity as quickly as possible, with the highest fidelity, as soon as the artifacts on which that activity depends are made available,” said Sammy Migues, principal scientist at Synopsys and a co-author of the BSIMM since its beginning.

Engineering demands security at speed
In a growing number of organizations, engineering teams perform many of the software security efforts, responsible for CloudSec, ContainerSec, DeploymentSec, OpsSec, and so on.

Engineering groups are making it clear that feature velocity is a priority. That means security testing tools that run in cadence and invisibly in their toolchains—even free and open source tools—are more valuable than commercial tools that create, or appear to create, more friction than benefit. The message: We’d love to have security in our value streams—if you don’t slow us down.

Champions as code
Traditional software security champions tended to function on a more personal level: brown bags, person-to-person conversation, email, spreadsheets, dashboards, and an occasional public callout of recalcitrant teams.

That is morphing into champions contributing security knowledge directly as code, in the form of toolchain sensors to determine software’s adherence to expectations, pre-approved configurations and configuration checkers, reusable security libraries, and so on.

They are establishing “structural” security, so to speak. If developers write their code within a secure structure, they will build more secure software.

Digital transformation: Everybody’s doing it
Digital transformation efforts are pervasive, and the reality is that software security is a key element of it at every level of an organization.

At the executive level, the organization must move its technology stacks, processes, and people toward an automate-first strategy.

At the SSG level, the team must reduce analog debt, replacing documents and spreadsheets with governance as code.

At the engineering level, teams must integrate intelligence into their tooling, toolchains, environments, software, and everywhere else.

Security: Getting easier—and more difficult
There are more trends that deserve attention. The BSIMM11 provides insights on:

  • Emerging application security activities
  • Industry comparisons
  • How to use BSIMM to start or improve an application security program

Get your free copy of the BSIMM11 report here

Taylor Armerding, Synopsys

Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle. Learn more at