Embracing a "shift everywhere" philosophy is driving demand for automated, event-driven software security testing.

Corporations are rapidly adopting automated security technology, which is further enabling the "shift everywhere" security philosophy, according to the latest Building Security in Maturity Model (BSIMM) report released Tuesday by Synopsys. BSIMM, now in its fourteenth year, is managed by Synopsys and based on interviews conducted during BSIMM assessments of 130 member companies, including Bank of America, Lenovo, Honeywell, and TD Ameritrade. After each assessment, the data is anonymized and added to a data pool that is analyzed statistically to highlight trends in how the BSIMM companies are securing their software.

"Everyone has gone all-in on automation across a range of security functions, and that's leading directly to better practices," Jason Schmitt, general manager of the Synopsys Software Integrity Group, said in a statement. "Companies are seeing firsthand that eliminating human error with consolidated, integrated security tooling makes security programs more effective and affordable — a compelling combination."

"With cyberattacks on the rise and coming from every angle, automation is proving essential to defend against myriad threats that are targeting software, while enabling companies to do more with less in this uncertain economy," Schmitt added.

Automated security testing increases by 200%

The report noted that greater automation has enabled organizations to embrace the shift everywhere philosophy, with automated, event-driven security testing increasing by 200% over the last two years. It added that automation has led to 68% growth in mandatory code review over the last five years and to greater toolchain usage, which allows security testing to be automated in the QA stage of the development lifecycle. The report also found that expert-driven activities that are not easy to automate took a hit.
Activities like centralized defect reporting and attack lists decreased by 17% across the BSIMM companies. "Those activities have seen a decline because relying on humans makes them more expensive, even though they provide really good benefits," BSIMM Associate Principal Consultant Jamie Boote tells CSO. "We think that's the thumbprint of the economy on security."

Boote adds that the impact of a mature cloud architecture on security was also revealed in the BSIMM data. "We're seeing that organizations that have really wrapped their arms around the cloud are able to implement security automation in a way that those who haven't made that commitment haven't been able to match," he says.

Greater automation, in turn, has enabled the shift everywhere security philosophy, Boote continues. "Shift everywhere has become a real possibility because the tooling is there," he says. "We can run the right test at the right time and get the results to the right people so they can make the right decision."

Firms demand strong security practices from service providers

BSIMM researchers also found that security champions make a difference in organizations. Firms with security champion programs, made up of developers, QA analysts, or architects in a security-enabler role, earned an average 25% higher BSIMM score than firms without one, they noted.

Firms are also demanding more from service providers and partners, according to the report. Expectations for strong vendor security practices grew by 21% as firms held vendors to standards similar to those they use internally.

Another development among the BSIMM companies was greater software bill of materials (SBOM) usage, with the number of organizations building SBOMs increasing by 22% from last year. There is also greater awareness of open-source risk among the companies, with the activity of identifying and controlling open-source risk increasing by just under 10% from last year.
Impact of AI on security research planned

The impact of artificial intelligence (AI) on security hasn't turned up in the BSIMM data yet, but the researchers are preparing for that in the next version of the project. "We are setting up ways to look for the impact of AI on application security moving forward, but we haven't seen that impact because AI is still too new," Boote says.

"We anticipate there are controls that firms will have to adopt to secure contributions from AI," he continued. "AI is going to be writing software. It's going to be writing requirements. It's going to be creating designs. It's going to be testing and evaluating software. So, we will be measuring how firms are securing their AI tooling."