Three Overarching Shifts in Application Security


Three Overarching Shifts in Application Security

As the rate of software development accelerates, organizations are forced to adopt new practices and undergo cultural shifts. DevOps, with its focus on rapid service delivery, was born of these needs. When done right, the DevOps approach helps build reliable software quickly with fewer roadblocks than agile or waterfall methodologies.

But with change comes challenges. Many organizations have struggled to improve their application security (AppSec) to keep pace with development cycles. To succeed, AppSec must be integrated into every stage of the development pipeline. This requires the right mix of tools, people, and processes. Achieving the right balance is a key challenge.

How can security leaders know how much is too much when it comes to their AppSec activities? How little is too little? What investment makes sense for their organization?

These are the types of questions that Synopsys' Building Security In Maturity Model (BSIMM) and its annual report were created to answer.

Now in its 11th iteration, the annual BSIMM report (BSIMM11) offers CISOs and other security executives a framework to test, measure, and benchmark their current AppSec activities. Based on the practices of 130 different organizations across a variety of industries and geographies, it includes household brands such as Adobe, JPMorgan Chase, and Verizon.

Regardless of how well-known the organization, or mature its AppSec posture, the BSIMM can help identify gaps and determine what activities to add. To wit, BSIMM11 identifies three overarching shifts every security leader should know about in how leading organizations approach their AppSec programs.

  1. Development-led vs. Security-led

    Instead of a traditional structure, in which separate security teams drive security, developers themselves are taking on security responsibilities. As more organizations move toward DevOps, automated tools are removing roadblocks, minimizing errors, and changing how teams address security. As development speeds increase, teams realize they can't complete all security activities prior to deployment. This requires a shift in mentality from a "zero risk" tolerance to "a good enough" approach.

  2. Shift everywhere vs. Shift left

    The term "shift left" is widely understood to mean promoting security testing early in the development lifecycle. BSIMM11 clarifies this concept to bring it closer to its intended meaning, coining the new phrase "shift everywhere" to underscore the importance of performing security testing as early as possible in every stage of the lifecycle. Industry-leading security teams are conducting security activities as quickly and reliably as possible. Continuous, event-based security telemetry throughout a value stream, rather than a single point-in-time analysis, is being adopted as a best practice.

  3. DevSecOps
  4. The idea of baking security into all phases of a DevOps lifecycle is quickly becoming the norm. But organizations are adopting this approach in their own ways and at their own pace. In many organizations, software is built in anticipation of failure, and the associated test cases go directly into regression suites run by quality assurance (QA) groups or through automation. Developers and engineers increasingly view security as their responsibility, which means learning esoteric vulnerability and exploitation details, combined with integrating and operating myriad sets of tools to implement security at the speed and scale required for DevSecOps.

Learn more about these trends, as well as emerging activities, and how to use them to improve your AppSec program in the BSIMM11 Digest: The CISO's Guide to Modern AppSec.

Sustaining Partners