FINAL WORD

As cybercriminals take advantage of the fear and uncertainty surrounding the pandemic , it ’ s crucial that organisations ensure the software they build and operate is secure – despite reduced resources . Adam Brown , Associate Managing Security Consultant , Synopsys , talks us through the steps organisations can take to improve their application security programmes to protect organisational data and that of their customers .

with the prospect of months of staffing and Business Continuity challenges . Concurrently , cyberattacks by opportunistic hackers and cybercrime groups looking to profit or further disrupt society are on the rise . Organisations must ensure the software they build and operate is secure against these increasing attacks , even as their available security resources may be decreasing . And a remote workforce is only one of the challenges organisations face in terms of securing their digital properties and sensitive data . While many companies want to invest in security , they may not know where to start . After all , it ’ s a challenging endeavor to identify where and how to secure your most valuable or vulnerable projects . It ’ s a daunting task . However , by tactically addressing their security testing capacity , staff skills and software supply chain risks today , organisations can respond to resource challenges now while fundamentally improving the effectiveness of their AppSec program going forward . Here ’ s how .

Establish a benchmark and mature your strategy

Get started by gathering a full understanding of what your organisation ’ s security activities involve . The Building Security In Maturity Model ( BSIMM ) is not a how-to guide , nor is it a one-size-fits-all prescription . A BSIMM assessment reflects the software security activities currently in place within your organisation . Thus , giving you an objective benchmark whereby to begin building or maturing your software security strategy . The BSIMM , now in its 11th iteration , is a measuring stick and can be used to inform a roadmap for organisations seeking to create or improve their SSIs , not by prescribing a set way to do things but by showing what others are already doing .

Previous years ’ reports have documented that organisations have been successfully replacing manual governance activities with automated solutions . One reason for this is the need for speed , otherwise known as feature velocity . Organisations are doing away with the high-friction security activities conducted by the software security group ( SSG ) out-of-band and at gates . In their place is software-defined lifecycle governance .

Another reason is a people shortage – the ‘ skills gap ’ has been a factor in the industry for years and continues to grow . Assigning repetitive analysis and procedural tasks to bots , sensors and other automated tools makes practical sense and is increasingly the way organisations are addressing both that shortage and time management problems . But while the shift to automation has increased velocity and fluidity across verticals , the BSIMM11 finds that it hasn ’ t put the control of security standards and oversight out of the reach of humans .

Apply a well-rounded risk mitigation strategy

In fact , the roles of today ’ s security professionals and software developers have become multi-dimensional . With their

74 INTELLIGENTCIO www . intelligentcio . com