The use of automated security technology is growing rapidly, which in turn is spreading the "ubiquitous transformation" philosophy, performing security testing throughout the entire software development lifecycle, across more organizations, according to Synopsys.
This year's results show a clear trend: companies are increasingly using security automation to replace manual, expert-driven security activities in order to reduce cost and improve effectiveness.
Organizations are adopting advanced automation strategies
Greater automation has enabled organizations to embrace the ubiquitous transformation philosophy, with automated, event-driven security testing increasing by 200% over the past two years.
Ubiquitous transformation is a philosophy built around security testing and sensors that generate information for every stakeholder in the company, rather than around increased spending or security effort. Accordingly, it does not add more security for security's sake; it ensures that every security stakeholder can make informed risk management decisions.
As part of their mitigation approaches, many organizations are extending their automation beyond anomaly detection: scaling it to reduce supply chain risk, taking a comprehensive approach to securing their applications and products, and adopting capabilities that make security workable under these changing conditions. They are also increasingly adding AI to their ecosystems, which can raise productivity but also introduces new attack surfaces and risks.
Automation has driven 68% growth in mandatory code review over the past five years. Recent economic conditions have caused a decline in expensive, expert-oriented activities that are not easy to automate; for example, the use of centralized defect reporting and attack lists decreased by more than 17%.
Organizations are adopting modern toolchain technology that automates security testing at the Quality Assurance (QA) stage, which has produced roughly 10% growth in many security-related activities.
"Everyone has put their best foot forward in automation across a range of security functions, and that leads directly to better practices," said Jason Schmidt, general manager, Synopsys Software Integrity Group. "Businesses are seeing firsthand that eliminating human error with unified, integrated security tools makes security software more effective and affordable – a compelling combination. With the rise of cyberattacks coming from every angle, automation is proving essential to defending against a myriad of software threats, enabling companies to achieve more with less in this unstable economy."
Businesses expect more from service providers and partners
The report also found that participating organizations have made real strides in improving their security culture. Companies with a security champions program, in which developers, QA analysts, or architects take on a security enablement role, scored 25% higher on average on the Building Security In Maturity Model (BSIMM) than companies without such a program.
Businesses are also demanding more from service providers and partners. Expectations for strong vendor security practices rose 21%, as companies held vendors to standards similar to the ones they apply internally.
Participants also reported that security operations have made notable progress in adhering to industry best practices. Organizations are increasingly building software bills of materials (SBOMs), with a 22% increase in SBOM creation compared to last year. Identification and monitoring of open source risk grew by just under 10% over the past year.
Not all trends are positive: many companies have seen their security budgets decline, and activities that rely on experts performing manual tasks have fallen off as security teams seek to maximize ROI by concentrating on automation.