Security automation gains traction, prompting a “shift everywhere” philosophy
The use of automated security technology is growing rapidly, which in turn is propagating the “shift everywhere” philosophy – performing security tests throughout the entire software development life cycle – across more organizations, according to Synopsys.
This year’s findings revealed a clear trend of firms increasingly taking advantage of security automation to replace manual, subject matter expert–driven security activities to reduce cost and improve effectiveness.
Organizations embrace advanced automation strategies
Greater automation has enabled organizations to embrace the shift everywhere philosophy, with automated, event-driven security testing increasing by 200% over the last two years.
Shift everywhere is a philosophy about the security testing and sensors that generate information for all stakeholders in the company; it is not rooted in increasing security spend or effort. Accordingly, shift everywhere does not mean adding more security for security’s sake; instead, it ensures that every security stakeholder can knowledgeably make risk management decisions.
As part of their mitigation tactics, many organizations are maturing their automation to go beyond defect discovery, expanding their scope to minimize the risk introduced by supply chains, taking a holistic approach to securing their applications and products, and leveraging capabilities that make security possible under these evolving conditions. They’re also increasingly adding AI into their ecosystems, which can increase productivity but also introduces new attack surfaces and risk.
Automation has led to a 68% growth in mandatory code review in the last five years. Recent economic conditions have caused a reduction in expensive, subject matter expert–driven activities that are not easy to automate. Centralized defect reporting and attack lists all decreased in usage by more than 17%.
Organizations are embracing modern toolchain technology that allows security testing in the Quality Assurance (QA) stage to be automated, leading to a 10% growth in several related security activities.
“Everyone has gone all-in on automation across a range of security functions, and that’s leading directly to better practices,” said Jason Schmitt, GM of the Synopsys Software Integrity Group. “Companies are seeing firsthand that eliminating human error with consolidated, integrated security tooling makes security programs more effective and affordable — a compelling combination. With cyberattacks on the rise and coming from every angle, automation is proving essential to defend against myriad threats that are targeting software, while enabling companies to do more with less in this uncertain economy.”
Firms expect more from service providers and partners
The report also found that customers have made valuable strides in improving the culture of security at their organizations. Firms with security champion programs, made up of developers, QA analysts, or architects in a security-enabler role, earned an average 25% higher Building Security In Maturity Model (BSIMM) score than firms without one.
Firms are also demanding more from service providers and partners. Expectations for strong vendor security practices grew by 21% as firms held vendors to standards similar to those they use internally.
Customers also reported that their security processes made impressive progress in adhering to industry best practices. Organizations are increasingly building Software Bills of Materials (SBOMs), with a 22% increase in SBOM creation from last year. Identifying and controlling open source risk increased by just under 10% from last year.
Not all trends are positive, and many companies have seen reduced security budgets. Activities that rely on experts to perform manual tasks have seen declines as security teams seek to maximize their return on investment by focusing on automation.