The security aspect of DevOps is evolving: new data points to a wave of engineering-led software security efforts that originate bottom-up in the development and operations teams rather than top-down from a centralized software security group (SSG).

Software security initiatives (SSIs) have identified a number of individuals (often developers, testers, and architects) who are invested in improving software security but are not directly employed in the SSG. These individuals are regarded as the satellite in an organization, and BSIMM stated that “many organizations are now referring to this group as their software security champions.”


Sixty-seven percent of firms that have been assessed more than once for the BSIMM have a satellite, while 66 percent of firms on their first assessment do not. This shows that as SSI matures, its activities become distribute

The report found that emerging engineering-led efforts attempt to understand software inventory by extracting it from the same tools they use to manage IT assets, then crafting an inventory “brick-by-brick” rather than top-down.

“Development teams are being asked for more story points, more features, [and] better feature velocity, but the security programs haven’t seriously kept up with that feature velocity,” Sammy Migues, a principal scientist at Synopsys, told SD Times. “So a lot of development organizations are self-organizing into this new DevOps culture, this new CI/CD tooling, and they’re starting to do some security things for themselves.”

The 10th iteration of BSIMM defined the three phases of SSI maturity—emerging, maturing and optimizing—and described how 122 firms typically progress through them. It spanned 119 activities that organizations can look at to see which activities are common across different vertical markets. Software security firm Synopsys SIG oversaw the report. 

DevOps teams are now implementing their own sensors in their toolchains and in production, as well as creating quick A/B testing deployment strategies that allow them to pull back deployments with vulnerabilities very quickly, Migues explained.

Meanwhile, organizations with highly centralized security structures from the past 10-15 years are still working to catch up and get in sync with what is happening in development.

The data also found that cloud, IoT and high-technology firms are three of the most mature verticals in the BSIMM10 pool, while the healthcare vertical remains low.

The report showed that on average, cloud firms (which are not necessarily equivalent to cloud service providers) are noticeably more mature in the governance and intelligence domains compared to the technology and IoT firms but noticeably less mature in the attack models practice. However, technology and IoT firms show greater maturity in the penetration testing and software environment practices.

“In IoT and ISV there’s a broader set of concerns, especially for products that live a very long time such as in the embedded space,” said Migues. “In health care, we haven’t quite seen that uptake yet or at least it isn’t reflected in the BSIMM.”

When healthcare was compared to other highly regulated industries such as financial services and insurance, the report found that the average SSG age in financial services was 5.4 years, insurance was at 3.2 years and healthcare was last at 3.1.

“The DevOps culture that we see today isn’t necessarily the DevOps culture that was first described… It has also adapted to include application security software security as a first-class citizen, along with things like performance, resilience and reliability,” Migues said. “As the idea changes, the culture will change and as the culture changes the tooling will change.”