More companies have moved to control the risks associated with open source over the past year
Synopsys on Wednesday reported a 51% increase in activity associated with open source risk control over the past 12 months.
In its annual Building Security in Maturity Model (BSIMM) report analyzing the software security practices of 130 organizations, Synopsys also found a 30% increase in the number of organizations creating and maintaining a software bill of materials (SBOM) to fully catalog the components of their deployed software.
This year’s report, BSIMM13, found that BSIMM organizations have made significant progress in integrating security activities into CI/CD pipelines and development tool chains over the past 12 months. The report notes 48% growth in activities that enable organizations to include security testing in quality assurance automation.
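The two findings above, maintaining an SBOM and running security checks inside the pipeline, meet in a common control: a CI step that reads the SBOM and fails the build when a catalogued component violates policy. The following is an added example, not code from the BSIMM report or from Synopsys. It parses a constructed CycloneDX-style JSON document, matches each component’s package URL (purl) against a constructed policy of "first fixed version" entries, and returns a non-zero gate code when anything is below the fix. The SBOM contents, package names (`example-http`, `example-yaml`, `example-auth`) and policy entries are all hypothetical and do not refer to real advisories.

```python
"""Minimal SBOM policy gate for a CI pipeline.

Added example: parses a CycloneDX-style JSON SBOM and fails the build when a
component matches a policy entry. The SBOM document and the policy below are
constructed for illustration; the package names and versions are hypothetical
and do not correspond to real advisories.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4-style SBOM (not from a real project).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:pypi/example-http@2.3.1"},
        {"type": "library", "name": "example-yaml", "version": "5.1",
         "purl": "pkg:pypi/example-yaml@5.1"},
        {"type": "library", "name": "example-auth", "version": "1.0.0",
         "purl": "pkg:npm/example-auth@1.0.0"},
        # A component with no purl cannot be matched and is skipped by the gate.
        {"type": "file", "name": "vendored-helper.js"},
    ],
})

# Constructed policy: (purl type, package name) -> first version that is fixed.
# Any version strictly below the fix is rejected. Hypothetical entries only.
POLICY: Dict[Tuple[str, str], str] = {
    ("pypi", "example-yaml"): "5.4",
    ("npm", "example-auth"): "1.0.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple.

    Non-numeric segments (e.g. 'rc1') compare as 0; good enough for the
    simple versions in this example, not a full PEP 440 / semver parser.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:type/[namespace/]name@version[?qualifiers][#subpath]'.

    Returns (type, name, version). Qualifiers and subpath are discarded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    pkg_type, rest = body.split("/", 1)
    name_and_version = rest.rsplit("/", 1)[-1]  # drop any namespace
    name, _, version = name_and_version.partition("@")
    return pkg_type, name, version


def load_components(sbom_text: str) -> List[Tuple[str, str, str]]:
    """Return (type, name, version) for every component that carries a purl."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    components = []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # nothing to match against the policy
        components.append(parse_purl(purl))
    return components


def check_policy(components: List[Tuple[str, str, str]],
                 policy: Dict[Tuple[str, str], str]) -> List[str]:
    """Return one finding string per component below its policy's fixed version."""
    findings = []
    for pkg_type, name, version in components:
        fixed = policy.get((pkg_type, name))
        if fixed is not None and parse_version(version) < parse_version(fixed):
            findings.append(f"{pkg_type}/{name}@{version} is below fixed version {fixed}")
    return findings


def ci_gate(sbom_text: str, policy: Dict[Tuple[str, str], str] = POLICY) -> int:
    """Return 0 when the build may proceed, 1 when findings should block it."""
    findings = check_policy(load_components(sbom_text), policy)
    for finding in findings:
        print("BLOCK:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_SBOM))
```

Run as a pipeline step, the script’s exit status is the gate. The version comparison is deliberately simple and skips components without a purl, which is a real limitation: an SBOM entry that names a library but carries no package URL is invisible to this check, so SBOM generators should be configured to emit purls for everything they catalogue.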
“Perhaps the most important data discovery this year is the progress being made in the transition to digital transformation,” said Sammy Migues, principal scientist at Synopsys Software Integrity Group. “The common element that has enabled more organizations to perform security activities such as translating risk numbers into decisions, continuous defect discovery, governance as code, and automating security standards coding is the digital transformation effort; it is the method that enables the next stage of maturity for security teams.”
Scott Gerlach, co-founder and CSO at StackHawk, added that more and more companies depend on web APIs to power and enable their businesses. Gerlach said the most sensitive data resides at the API layer and that’s where the risk is centralized. Gerlach said security teams should partner with engineering early in the development lifecycle to understand what APIs are being developed, what data they process, and how best to test APIs for potential security issues.
“Security leadership takes a siloed approach to API protection, relying on internal security tools and processes instead of partnering with engineering teams,” Gerlach said. “The best way to ensure API security is to integrate API security testing into the engineering team’s existing workflows in the software development process. Simply put, many security teams get into API security too late (after the API has been shipped to production) or with legacy tools not designed to test APIs.”
Craig Burland, chief information security officer at Inversion6, said the BSIMM13 report is good news for the software development lifecycle world. Burland said that to make the ideas of “security from the start” or “integrated security” a reality, the IT community must embrace its role in cybersecurity and embrace changes such as integrating security scanning into development cycles and capturing cyber requirements to run alongside user needs.
“Groups like BSIMM and OWASP push good ideas forward,” Burland said. “Hopefully more members of the development community will grasp these concepts and take them forward.”