Compare these activities to your own application security programmes and determine if they represent a gap you can fill.

The Building Security In Maturity Model (BSIMM) tracks the evolution of software security each year. It’s both a roadmap and a measuring stick for organisations seeking to create or improve their application security programmes. Now in its 11th iteration, this year’s report (BSIMM11) includes findings from 130 companies across nine industry verticals, spanning multiple geographies. Four key security activities were found to be trending in BSIMM11. As these activities are on the rise, it could be useful for organisations to compare them with their own programmes and determine if they represent a gap that can be filled.
- Governance as code
BSIMM11 shows that organisations are continuing to replace manual governance activities with automated solutions. There are two drivers behind this trend: speed, or feature velocity, and a people shortage, or skills gap. Assigning repetitive analysis and procedural tasks to bots, sensors and other automated tools makes practical sense and is increasingly how organisations are addressing both the skills gap and time pressures. While this shift to automation has increased velocity and fluidity, it hasn’t taken control of security standards and policy away from humans. Even with automation, a security policy must remain accessible and understandable for an application security programme to be effective.
- Continuous defect discovery
Continuous integration and testing have rendered governance checkpoints, or gates relying on data from a point-in-time scan, obsolete. BSIMM11 documents that organisations are implementing modern defect-discovery tools, both open source and commercial, that favour monitoring and continuous-reporting approaches. This means defect discovery is no longer slowing development.
- Continuous activity: shift everywhere
Organisations can no longer perform all traditional application security activities in compartmentalised phases. Instead, security activities are being expanded across all phases as a continuous effort. This is being referred to as “shift everywhere,” which means conducting a security activity as quickly as possible, with the highest fidelity, as soon as the artifacts on which that activity depends are available. In some cases, it means shifting left – to the beginning of the software development life cycle (SDLC) – but in other cases, it means shifting to the middle or the right.
- Security as resilience and quality
BSIMM11 notes that in some organisations, security is becoming a component of quality, which is becoming a component of reliability, which is a part of resilience – the operational goal for many development or engineering groups. While this trend has been building for a while, BSIMM11 has found that organisations are being more proactive in their efforts to build reliable software by adding activities to the SDLC. Additionally, organisations are adopting resilience practices, most prevalently in engineering-led initiatives. Application security activities are integral parts of both quality assurance and resilience; many testing activities, such as static application security testing (SAST) and software composition analysis (SCA), fit naturally into quality assurance practices.