The “Building Security In Maturity Model” observational study, or BSIMM, tells you everything in its name. Drawing on more than a decade of studying hundreds of companies, BSIMM documents what organizations are actually doing to build security initiatives into their software development processes. As a model, it helps companies assess their AppSec and DevSecOps maturity—and recognize how much further they may need to go in the journey. Equally important, BSIMM shares key trends to keep in mind when it comes to software security practices.
BSIMM highlights a few trends. First, CI/CD instrumentation and orchestration have become standard components of any modern software security initiative, shaping how those initiatives are designed and executed. Organizations are not only changing the way they organize their teams; they are also beginning to automate their security activities throughout the CI/CD pipeline.
Another trend outlined by BSIMM is the “shift left” concept, an agile practice that brings development and testing together early in the software development life cycle (SDLC). It promotes the idea of security at all stages and encourages security actions earlier in the SDLC. Taken further, the move left is now complemented by a move right, or “everywhere”: activities traditionally performed early in the SDLC are also carried forward in the other direction, including into production.
Security is therefore addressed within a build as soon as possible, making it inherent rather than an afterthought, and that mindset carries through the rest of the process. There are clear business benefits to this approach as well. For example, finding and fixing bugs earlier in the SDLC is more cost-effective, because a bug found later in the life cycle can cost up to six times more to fix.
Shifts in Perspective
The reality is that security and the delivery of software have changed a lot over recent years. The approach is more collaborative—more federated—than ever before; today, responsibility for security must be shared across security and development teams, and secure application development is everyone’s responsibility. Now that security is being handled by the people who are actually conceiving and building the software, is “shift left” really the correct message? And do we need to broaden our lens in terms of how we think about shifting within the scanning process?
We now understand what it means to exert security control over a bigger piece of the SDLC. More of the way we build, package, deliver and operate is becoming software-defined, which means code is now creeping right, or “shifting right,” further into the life cycle. The more accurate strategy, then, is to shift security to wherever the code is. Rather than only shifting left to reach security earlier, why not also shift right and do security everywhere?
Essentially, when we talk about shifting left or right, we are talking about the art of proactively building security into software development and delivery, each and every step of the way. Why? Because this is the main capability we are trying to build within organizations: the ability to deliver better software with fewer flaws and overall better quality. Delivering perfect, flawless software the first time (or the hundredth) is impossible, and software will always carry some degree of inherent risk, so it is important to listen to the people in the organization who are focused on speed of delivery and agility.
Consider applying this same concept to your security initiative. Instead of slowing people down to build better software, it may be wiser to participate in their efforts to deliver software faster while adding resilience from the security side. This means not just finding and fixing software flaws, but also watching for potential vulnerabilities further down the line. That strategy is what establishes a robust application security program.
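The “automate throughout the pipeline” and “security everywhere” ideas above are easiest to see as one policy that is evaluated at every stage, not a scanner bolted onto one step. The following is an added illustration written for this page, not code from BSIMM or from any particular vendor: it parses a scanner report in the SARIF 2.1.0 format (the interchange format most SAST/DAST tools can emit), then applies the same gate at commit, build, deploy and production time, with thresholds that tighten as code moves right. The stage names, the thresholds, the scanner name and the findings in the sample report are all constructed for the example.

```python
"""Stage-aware security gate over a SARIF report.

Added example (not from the original article): the same policy is
evaluated at every pipeline stage, so security runs "everywhere"
rather than only at the leftmost step. Stage names, thresholds and
the sample findings are hypothetical.
"""
import json
from dataclasses import dataclass

# Constructed SARIF 2.1.0 document standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},  # hypothetical tool
        "results": [
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "Credential committed in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/config.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "weak-tls-config", "level": "warning",
             "message": {"text": "TLS 1.0 still enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "deploy/nginx.conf"},
                 "region": {"startLine": 40}}}]},
            {"ruleId": "info-version-banner", "level": "note",
             "message": {"text": "Server header reveals version"},
             "locations": []},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str      # SARIF level: "error", "warning" or "note"
    text: str
    location: str   # "<uri>:<line>" or "n/a" when the tool gave none


def parse_sarif(doc: str) -> list[Finding]:
    """Flatten every result in every run into a list of Finding records."""
    findings = []
    for run in json.loads(doc).get("runs", []):
        for result in run.get("results", []):
            locs = result.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", "?")
                location = f"{uri}:{line}"
            else:
                location = "n/a"
            findings.append(Finding(
                result.get("ruleId", "unknown"),
                result.get("level", "warning"),  # SARIF default level
                result.get("message", {}).get("text", ""),
                location,
            ))
    return findings


# One policy keyed by pipeline stage (stage names are hypothetical).
# Each value is the maximum number of findings tolerated at that SARIF
# level; None means "report but never block". Limits tighten to the right.
POLICY = {
    "commit":     {"error": 0, "warning": 5, "note": None},
    "build":      {"error": 0, "warning": 2, "note": None},
    "deploy":     {"error": 0, "warning": 0, "note": None},
    "production": {"error": 0, "warning": 0, "note": 10},
}


def evaluate_gate(stage: str, findings: list[Finding]) -> tuple[bool, list[str]]:
    """Return (passed, reasons) for one stage; reasons name the offenders."""
    thresholds = POLICY[stage]
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    reasons = []
    for level, limit in thresholds.items():
        if limit is not None and counts.get(level, 0) > limit:
            offenders = ", ".join(f"{f.rule_id}@{f.location}"
                                  for f in findings if f.level == level)
            reasons.append(f"{stage}: {counts[level]} {level}(s) exceeds "
                           f"limit {limit} ({offenders})")
    return (not reasons, reasons)


def run_all_stages(doc: str) -> dict[str, tuple[bool, list[str]]]:
    """Apply the policy at every stage to the same report."""
    findings = parse_sarif(doc)
    return {stage: evaluate_gate(stage, findings) for stage in POLICY}


if __name__ == "__main__":
    for stage, (ok, reasons) in run_all_stages(SAMPLE_SARIF).items():
        print(f"[{stage}] {'PASS' if ok else 'BLOCK'}")
        for reason in reasons:
            print("   ", reason)
```

Running the module against the constructed report blocks every stage on the committed credential, and the deploy and production stages additionally block on the TLS warning that earlier stages only tolerate. The point for an application security program is the shape of the design, not the particular numbers: one parser for the standard report format, one policy owned jointly by security and development, and the same evaluation wherever the code currently lives.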
Security is Everywhere
BSIMM tells us that continuous delivery of security is now a movement, and it is actually making software better. It’s time to embrace this or be left behind. When we have a “win” in security, we can scale that win across the product, the team and the organization. Security-aware developers will find this a highly exciting time, a time when application security is finally beginning to shift everywhere.