Top AppSec Program Trends And Recommendations for 2024

The application security (AppSec) landscape is fragile when it comes to meeting the ever-growing challenges of enterprise cybersecurity threats. AI tools and solutions have somewhat improved AppSec. To understand the AppSec program trends for 2024, the Synopsys Software Integrity Group released its BSIMM14 report. Here is what the report says about AppSec program trends and recommendations for the security community.

How application security is changing

The annual BSIMM reports reflect trends in software security that are responses to the evolution of cybercrime. One of the top trends noted in BSIMM14 is increased focus on automation, as organizations are taking advantage of easy-to-use yet powerful automation available in modern toolchains to update security testing and touchpoints. This allows them to shift security everywhere throughout the software development life cycle (SDLC) instead of simply shifting left.

When automation makes security tasks easier, trends emerge around automated activities. Modern toolchains, for example, allow security testing in the QA stage to be automated, much like static application security testing (SAST) scans that happen earlier in the development process. Security teams that embraced the “shift everywhere” testing philosophy found that their pipelines were able to take scripted actions based on the results of those automated security tests. Firms are also using automation to better gather and use the intelligence provided by sensors throughout the SDLC to proactively prevent vulnerabilities before they become an issue for developers.
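As an added illustration of the scripted pipeline actions described above (example code written for this summary, not from the BSIMM report or any Synopsys tool): a small gate that reads SAST output in SARIF format and decides whether to block, warn, or pass. The severity thresholds, the baseline of accepted findings, and the sample scan results are all assumptions constructed for the example.

```python
import json

# Constructed SARIF-shaped scan output (sample data, not from any real tool).
# SARIF is the interchange format most SAST tools emit; only the fields the gate reads are included.
SAMPLE_SARIF = json.dumps({
    "runs": [{
        "tool": {"driver": {"rules": [
            {"id": "sql-injection", "properties": {"security-severity": "9.1"}},
            {"id": "hardcoded-secret", "properties": {"security-severity": "7.5"}},
            {"id": "unused-import", "properties": {"security-severity": "1.0"}},
        ]}},
        "results": [
            {"ruleId": "sql-injection", "locations": [{"physicalLocation":
                {"artifactLocation": {"uri": "app/db.py"}}}]},
            {"ruleId": "hardcoded-secret", "locations": [{"physicalLocation":
                {"artifactLocation": {"uri": "legacy/config.py"}}}]},
            {"ruleId": "unused-import", "locations": [{"physicalLocation":
                {"artifactLocation": {"uri": "app/util.py"}}}]},
        ],
    }]
})

# Hypothetical gate policy: block the pipeline at CVSS-style severity >= 7.0, warn at >= 4.0,
# otherwise pass. The baseline lists findings already accepted as known debt, so the scan
# only blocks on new findings instead of punishing developers for pre-existing ones.
POLICY = {"block": 7.0, "warn": 4.0}
BASELINE = {("hardcoded-secret", "legacy/config.py")}

def parse_findings(sarif_text):
    """Flatten SARIF runs into (rule_id, file, severity) tuples."""
    findings = []
    for run in json.loads(sarif_text)["runs"]:
        rules = {r["id"]: float(r.get("properties", {}).get("security-severity", 0.0))
                 for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            findings.append((res["ruleId"], uri, rules.get(res["ruleId"], 0.0)))
    return findings

def gate(sarif_text, policy=POLICY, baseline=BASELINE):
    """Return ('block'|'warn'|'pass', new_findings) for a scripted pipeline step to act on."""
    new = [f for f in parse_findings(sarif_text) if (f[0], f[1]) not in baseline]
    worst = max((sev for _, _, sev in new), default=0.0)
    if worst >= policy["block"]:
        return "block", new
    if worst >= policy["warn"]:
        return "warn", new
    return "pass", new
```

A pipeline step would call `gate()` on the scanner's SARIF file and fail the job on "block", annotate the merge request on "warn", and continue on "pass".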

Four BSIMM software security trends

Moving from “shift left” to “shift everywhere” continues.

While the “shift left” mantra, a term coined by the BSIMM report in its early years, was meant to encourage organizations to start their security testing earlier in the SDLC, it was never meant to be taken to mean shift only left. Shift everywhere is a philosophy; it’s an approach to security governance that acknowledges the reality that consistently achieving acceptably secure software is a shared responsibility. Each stakeholder has their business processes to execute, but each also needs to do their version of security sign-off, which requires understandable and usable telemetry from the SDLC toolchain.

Expanding the scope of security.

External pressures like government regulations and increased supply chain threats are leading organizations to extend risk management to the software that they integrate from outside sources, the toolchains used by their developers, and the software present in their operating environments.

Implementing product-specific security.

A growing number of product companies have started referring to their centralized software security effort as a product security program, rather than application or software security. This naming trend seems to correlate with product vendors creating security programs to manage the risk associated with software that has existed in hostile environments for years to decades (as compared to applications in private data centers).

Continuing to emphasize Security Champion programs.

The oldest insight provided by BSIMM data is that the decision to build and operate a Security Champions program has a measurable impact on total BSIMM scores. In BSIMM14, firms with a Security Champions program scored on average 25% higher than firms without one.

The latest BSIMM report, now in its 14th iteration, contains information from more than 130 companies in eight verticals about what’s working, what isn’t, what’s changing about the risks and threat landscapes they’re facing, and how they’re responding to those changes. This annual report by the Synopsys Software Integrity Group helps organizations maximize the benefits and minimize the pain of a world run by software.

And that information can help you do the same, from producing more secure code to tracking your software supply chain. It’s all in the latest Building Security in Maturity Model (BSIMM) report, released last week.

No matter how mature your security program is, there’s always room for improvement. As digital transformation has accelerated, increasing the amount of code being written, borrowed, and bought across all sectors of the business landscape, cybercrime has kept pace. Hackers continue their non-stop quest to exploit vulnerabilities in your software, transforming its benefits into profits for themselves while damaging, or even destroying, their victims.

These ongoing realities are why the BSIMM report remains relevant. It tracks the evolution of the ways damage can be inflicted through software defects, and how defenses necessarily evolve as well.

Use the BSIMM to build an AppSec culture

Software security maturity is a journey, not an event. But the BSIMM report can get you started on that journey and help get you to the destination you want and need faster.

The goal of the BSIMM report remains what it was when it was launched in 2008—to enable cooperation among organizations and help them build trust in their software, not by dictating what to do but by documenting what other organizations are doing within their software security initiatives (SSIs).

That’s why the BSIMM report includes a free “roadmap” to help organizations improve the security of the software that runs their enterprises. It provides detailed information from more than 130 participating organizations in verticals including the cloud, financial services, financial technology, insurance, Internet of Things (IoT), healthcare, and technology.

The participants include 11,100 security professionals who collectively help about 270,000 developers working on about 97,000 applications.

The point of the roadmap is that it leaves each organization free to choose its maturity path. It provides numerous routes to a destination without mandating which one to take. However, each company needs an SSI that matches its risk profile and priorities, because threats are becoming more sophisticated all the time.

No software is inviolable, and as daily headlines remind us, hackers can exploit design flaws, bugs, and other defects in software to steal intellectual property and employee and customer personal information, raid corporate bank accounts, undermine building security, and take down an organization’s operations with ransomware attacks.

That means insecure software is a business risk—potentially an existential risk. And, if you’re in business, you need to keep that software secure enough for you and your customers to trust it.
