
More companies moved to control open-source risk over the last year

Just over half of surveyed organizations have increased activities to control open-source risk since last year, according to Synopsys. (Air Force)

Synopsys on Wednesday reported a 51% increase in activities associated with controlling open-source risk over the last 12 months.

In its annual Building Security in Maturity Model (BSIMM) report analyzing the software security practices of 130 organizations, Synopsys also found a 30% increase in organizations building and maintaining a Software Bill of Materials (SBOM) to fully catalog the components within their deployed software.

This year's report, BSIMM13, found that BSIMM organizations made significant progress in integrating security into CI/CD pipelines and developer toolchains over the last 12 months. The report notes a 48% growth in activities that let organizations include security tests in QA automation.
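The two findings above, SBOMs as a catalog of deployed components and security tests wired into pipeline automation, meet in the simplest useful CI gate: parse the SBOM, build the inventory, and fail the build when a component violates policy. The script below is an added example, not code from the BSIMM13 report or from Synopsys; the embedded CycloneDX document, the package names and the deny-list rules are constructed sample data, not real packages or advisories, and the version comparison is a simplified dotted-integer compare rather than full PEP 440 or semver.

```python
"""SBOM policy gate for a CI pipeline (added example, not Synopsys/BSIMM code).

Parses a CycloneDX 1.4 JSON SBOM, flattens nested components into an inventory
keyed by package URL (purl), and reports every component that either lacks a
purl (so it cannot be matched against any advisory feed) or matches a deny
rule. A non-zero exit status makes the pipeline stage fail.
"""
import itertools
import json
import sys
from dataclasses import dataclass

# Constructed sample SBOM: hypothetical package names, one nested dependency,
# and one component without a purl (common in hand-maintained SBOMs).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.28.1",
         "purl": "pkg:pypi/example-http@2.28.1",
         "components": [
             {"type": "library", "name": "example-pool", "version": "1.26.5",
              "purl": "pkg:pypi/example-pool@1.26.5"},
         ]},
        {"type": "library", "name": "example-widget", "version": "3.1.0",
         "purl": "pkg:npm/example-widget@3.1.0"},
        {"type": "library", "name": "internal-utils", "version": "0.3.0"},
    ],
})

# Constructed policy, not real advisories: a versionless purl and the first
# version that is acceptable; anything older is rejected.
DENY_POLICY = [
    {"package": "pkg:pypi/example-pool", "fixed_in": "1.26.6"},
    {"package": "pkg:pypi/example-http", "fixed_in": "2.20.0"},
]


@dataclass(frozen=True)
class Finding:
    component: str  # purl, or name@version when no purl exists
    rule: str       # why the component was flagged


def parse_version(text):
    """Turn '1.26.5' into (1, 26, 5); non-numeric suffixes are dropped.
    Simplified on purpose: not PEP 440 / semver aware."""
    parts = []
    for piece in text.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """Strip qualifiers ('?...') and subpath ('#...'), then split off the
    version at the last '@'. Returns (package, version_or_None)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        package, version = base.rsplit("@", 1)
        return package, version
    return base, None


def flatten_components(components):
    """Yield every component, including those nested under other components."""
    for comp in components or []:
        yield comp
        yield from flatten_components(comp.get("components"))


def inventory(sbom_text):
    """Build {key: component}; key is the purl or 'name@version' without one."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    inv = {}
    for comp in flatten_components(sbom.get("components")):
        key = comp.get("purl") or f"{comp.get('name')}@{comp.get('version', '?')}"
        inv[key] = comp
    return inv


def evaluate(sbom_text, policy=DENY_POLICY):
    """Return the list of policy findings for an SBOM document."""
    findings = []
    for key, comp in inventory(sbom_text).items():
        purl = comp.get("purl")
        if not purl:
            findings.append(Finding(key, "missing purl; cannot be matched to advisories"))
            continue
        package, version = split_purl(purl)
        for rule in policy:
            if package != rule["package"]:
                continue
            # An unversioned purl is treated as unknown and therefore denied.
            if version is None or parse_version(version) < parse_version(rule["fixed_in"]):
                findings.append(Finding(purl, f"below policy minimum {rule['fixed_in']}"))
    return findings


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SBOM
    findings = evaluate(text)
    for f in findings:
        print(f"FAIL {f.component}: {f.rule}")
    print(f"{len(inventory(text))} components checked, {len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a path to a real CycloneDX JSON file as the first argument, or with no arguments to check the embedded sample, which fails on the outdated nested component and on the component with no purl. The missing-purl case is worth keeping as a hard failure: a component that cannot be identified by purl is exactly the one no advisory matcher will ever flag, so an SBOM that admits it does not "fully catalog" anything.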

“Perhaps the most significant finding in this year’s data is the progress being made in the move toward digital transformation,” said Sammy Migues, principal scientist at Synopsys Software Integrity Group. “The common element that has enabled more organizations to perform security activities like translating risk numbers into decisions, continuous defect discovery, governance-as-code and automating coding standards is the digital transformation effort; it’s the method that’s allowing the next stage of maturity for security teams."

Scott Gerlach, co-founder and CSO at StackHawk, added that more and more companies depend on web APIs to power and enable their businesses. Gerlach said more sensitive data ends up at the API layer and that’s where risk is centralized. Gerlach said security teams need to partner with engineering early in the development lifecycle to understand what APIs are being developed, what data they handle, and how to best test the APIs for potential security issues.

“Security leadership is taking a siloed approach to API protection, relying on internal security tooling and processes instead of partnering with engineering teams,” Gerlach said. “The best way to ensure APIs are secure is to integrate API security testing into existing engineering team workflows in the software development process. Simply put, many security teams are looking at API security too late (once the API has been shipped to production) or with legacy tooling not built for testing APIs.”

Craig Burland, chief information security officer at Inversion6, said the BSIMM13 report is welcome news for the software development lifecycle world. Burland said to realize the ideas of “secure-from-the-start” or “building-in security,” the IT community needs to embrace its role in cybersecurity and adopt changes like incorporating security scanning into development cycles and capturing cyber requirements to run alongside the user requirements.

“Groups like BSIMM and OWASP are pushing the right ideas forward,” Burland said. “Hopefully more members of the development community will grab onto these concepts and push them forward.”
