New report details the latest application security trends

Shift left becomes shift everywhere thanks to automated DevOps security tools, says Synopsis

Organizations are no longer relying on the ‘shift left’ approach to DevOps, as ‘shift everywhere’ becomes more popular thanks to the use of automation, a new report says.

Synopsys has released its latest Building Security in Maturity Model (BSIMM), which allows organizations to benchmark their software development initiatives against best practices deployed elsewhere.

Published today (September 15), BSIMM11 offers a snapshot of prevailing trends in application security, based on interviews with thousands of developers and security professionals at 130 organizations.

The findings are intended to serve as a roadmap for how organizations plan, execute, measure, and refine their own DevOps, digital transformation, and CI/CD tooling initiatives.

Getting ‘more done, sooner’

Of the key trends observed by Synopsys, Sammy Migues, a co-author of BSIMM11, tells The Daily Swig that the “pursuit of resiliency” alongside security will have “perhaps the largest impact on application security”, and “has driven, and will continue to drive changes in other trends”.

These trends include the mutation of the ‘shift left’ approach – embedding security into the development process – into a ‘shift everywhere’ paradigm, where security testing is about getting “more done sooner, with automation”.

The pursuit of resilience is also driving the conversion of document-based governance into code, which is reducing misunderstandings and greatly reducing friction, Migues, also principal scientist at Synopsys, added.


Read more of the latest DevSecOps news


Other such trends, he adds, include standardizing infrastructure so that secure configurations greatly increase speed and reduce the need for some testing.

“The way organizations deliver features to customers” is also being driven by this prioritization of resilience, with “A/B, blue-green, and canary deployments that allow easy roll-back” increasingly common.

Migues also explained how growing numbers of organizations are “federating” many security responsibilities such as for container, cloud, orchestration, and deployment security to those people in engineering who are near the problem and have skills in the solution.

Pandemics and process automation

Hinting at trends that might surface in the next edition’s data, the authors also report anecdotally that “the current world and political climate has caused significant changes in software security processes, technology, and resourcing”.

They explained: “We hear stories of a significant slow-down in hiring in many organizations and a mandate to get both this year’s and next year’s goals done with existing staff and technology.

“Primarily, we see this implemented as a significant acceleration in process automation, in applying some manner of intelligence through sensors to prevent people from becoming process blockers, and in the start of a cultural acceptance that going faster means not everything can be done in-band of the delivery lifecycle before deployment.”


YOU MAY ALSO LIKE Majority of top cybersecurity organizations have leaked data on dark web – report


FinTech addition

BSIMM11, which succeeds last year’s BSIMM10, includes data from financial technology (FinTech) organizations for the first time.

The FinTech vertical’s maturity level mirrors that of financial services, putting it ahead of healthcare and insurance in terms of the depth, breadth, and scale of its application security initiatives.

Technology firms are, perhaps unsurprisingly, among the most mature verticals on this front.

The first edition of BSIMM was launched in 2006 by Cigital – the application security firm later acquired by Synopsys – with data drawn from just nine organizations.

The model has since become gradually become more sophisticated to reflect the growing complexity of the software security landscape.

“In the rapidly changing software security field, understanding what most, some, and few other organizations are doing with their AppSec initiatives can directly inform an organization’s own strategy,” concludes Synopsys.


READ MORE Everyone’s responsibility: Why security is a developer’s problem too