BSIMM 14 finds rapid growth in automated security technology

Corporations are rapidly adopting automated security technology, which is further enabling the “shift everywhere” security philosophy, according to the latest Building Security in Maturity Model (BSIMM) report released Tuesday by Synopsys.

BSIMM, now in its fourteenth year, is managed by Synopsys and based on interviews during a BSIMM assessment of 130 member companies, including Bank of America, Lenovo, Honeywell, and TD Ameritrade. After each assessment, the data is anonymized and added to a data pool where it is analyzed statistically to highlight trends about how the BSIMM companies are securing their software.

“Everyone has gone all-in on automation across a range of security functions, and that’s leading directly to better practices,” Jason Schmitt, general manager of the Synopsys Software Integrity Group, said in a statement. “Companies are seeing firsthand that eliminating human error with consolidated, integrated security tooling makes security programs more effective and affordable — a compelling combination.”

“With cyberattacks on the rise and coming from every angle, automation is proving essential to defend against myriad threats that are targeting software, while enabling companies to do more with less in this uncertain economy,” Schmitt added.

Automated security testing increases by 200%

The report noted that greater automation has enabled organizations to embrace the shift everywhere philosophy, with automated, event-driven security testing increasing by 200% over the last two years. It added that automation has led to a 68% growth in mandatory code review in the last five years and greater toolchain usage, which allows for security testing to be automated in the QA stage of the development lifecycle.

The report also found that expert-driven activities that are not easy to automate took a hit. Activities like centralized defect reporting and attack lists decreased by 17% across the BSIMM companies. “Those activities have seen a decline because relying on humans makes them more expensive, even though they provide really good benefits,” BSIMM Associate Principal Consultant Jamie Boote tells CSO. “We think that’s the thumbprint of the economy on security.”

Boote adds that the impact of a mature cloud architecture on security was also revealed in the BSIMM data. “We’re seeing that organizations that have really wrapped their arms around the cloud are able to implement security automation in a way that those who haven’t made that commitment haven’t been able to match,” he says.

Greater automation, in turn, has enabled the shift everywhere security philosophy, Boote continues. “Shift everywhere has become a real possibility because the tooling is there,” he said. “We can run the right test at the right time and get the results to the right people so they can make the right decision.”

Firms demand strong security practices from service providers

BSIMM researchers also found that security champions make a difference in organizations. Firms with security champion programs made up of developers, QA analysts, or architects in a security-enabler role, they noted, earned an average 25% higher BSIMM score than firms without one. Firms are also demanding more from service providers and partners, according to the report. Expectations for strong vendor security practices grew by 21% as firms held vendors to standards similar to those they use internally.

Another development among the BSIMM companies was greater software bill of materials (SBOM) usage, with organizations building SBOMs increasing by 22% from last year. There is also greater awareness of open-source risk among the companies, with identifying and controlling open-source risk increasing by just under 10% from last year.

Impact of AI on security research planned

The impact of artificial intelligence (AI) on security hasn’t turned up in the BSIMM data yet, but the researchers are preparing for that in the next version of the project. “We are setting up ways to look for the impact of AI on application security moving forward, but we haven’t seen that impact because AI is still too new,” Boote says.

“We anticipate there are controls that firms will have to adopt to secure contributions from AI,” he continued. “AI is going to be writing software. It’s going to be writing requirements. It’s going to be creating designs. It’s going to be testing and evaluating software. So, we will be measuring how firms are securing their AI tooling.”