t cht lk
The BSIMM , now in its 11th iteration , is a measuring stick and can be used to inform a roadmap for organisations seeking to create or improve their SSIs , not by prescribing a set way to do things but by showing what others are already doing .
Previous years ’ reports have documented that organisations have been successfully replacing manual governance activities with automated solutions . One reason for this is the need for speed , otherwise known as feature velocity . Organisations are doing away with the high-friction security activities conducted by the software security group ( SSG ) out-of-band and at gates . In their place is software-defined lifecycle governance .
Another reason is a people shortage – the ‘ skills gap ’ has been a factor in the industry for years and continues to grow . Assigning repetitive analysis and procedural tasks to bots , sensors and other automated tools makes practical sense and is increasingly the way organisations are addressing both that shortage and time management problems . But while the shift to automation has increased velocity and fluidity across verticals , the BSIMM11 finds that it hasn ’ t put the control of security standards and oversight out of the reach of humans .
Apply a well-rounded risk mitigation strategy
In fact , the roles of today ’ s security professionals and software developers have become multi-dimensional . With their increasing responsibilities , they must do more in less time and while keeping applications secure . As development workflows continue to evolve to keep up with organisational agility goals , they must account for a variety of requirements , including :
• Real-time visibility into what software and services are running , as well as associated environments and configurations
• Insight into running software ' s composition
• Automatic execution of at least the minimum required vulnerability discovery testing with each release , with results provided directly to bug tracking systems
• Aggregation and search of operational data for meaningful security information across a value stream
• Traceability of running services to the repositories , build and team that produced them
• Enabling engineering teams to remediate security defects
• Updating network , host , container or application-layer configuration through orchestration
• Automatically invalidating and rotating sensitive assets within a deployment
• Automatic fail-over / rollback to working assets or known-good working configuration / build
This is the reality around which organisations build and / or consume software . Over the years we ’ ve witnessed the use and expansion of automation in the integration of tools such as GitLab for version control , Jenkins for continuous integration ( CI ), Jira for defect tracking and Docker for container integration within toolchains . These tools work together to create a cohesive automated environment that is designed to allow organisations to focus on delivering higher quality innovation faster to the market .
Through BSIMM iterations we ’ ve seen that organisations have realised there ’ s merit in applying and sharing the value of automation by incorporating security principles at appropriate security touchpoints in the software development life cycle ( SDLC ), shifting the security effort ‘ left ’.
This creates shorter feedback loops and decreases friction , which allows engineers to detect and fix security and compliance issues faster and more naturally as part of software development workflows .
More recently , a ‘ shift everywhere ’ movement has been observed through the BSIMM as a graduation from ‘ shift left ’ – meaning firms are not just testing early in development but conducting security activity as soon as possible with the highest fidelity as soon as is practical .
As development speeds and deployment frequencies intensify , security testing must compliment these multifaceted dynamic workflows . If organisations want to avoid compromising security and time to market delays , directly integrating security testing is essential .
Since organisations ’ time to innovate continues to accelerate , firms must not abdicate their security and risk mitigation
76 INTELLIGENTCIO www . intelligentcio . com