- Some of the nation’s largest companies have made significant changes in how they develop and test their software products amid a rapid increase in supply chain attacks, according to a report from Synopsys.
- Over the last 12 months, organizations increased efforts to control open source security risk by 51%, according to the 13th annual Building Security in Maturity Model report. Among those changes to improve security, there was a 30% increase in the use of software bills of materials, the study indicated. About 130 BSIMM member organizations, including PayPal, Adobe, Lenovo and others, were part of the study.
- About 82% of BSIMM member organizations are now using automated tools to review their software code, a change that enables faster security testing and helps organizations find software vulnerabilities in a more efficient manner.
The BSIMM study demonstrates a significant shift in software security tactics over the past 12 months, driven in part by the surge in supply chain attacks, including SolarWinds, Kaseya and others over the last two years.
Organizations are dedicating much more time and effort into monitoring the security of open-source software and automating their testing processes amid a shortage of qualified workers to efficiently test software.
“Companies are leveraging automation, such as software composition analysis tools, to identify open source, create bills of materials for deployed software, and newly added perform application composition analysis on code repositories activity,” Eli Erlikhman, managing principal at Synopsys Software Integrity Group, said via email.
The study comes amid an effort by the Biden administration to bolster the security of software used by federal agencies. Authorities hope these new requirements will expand to the broader software industry.
The administration has also been working with private-sector partners to encourage more developers to strengthen their software security practices on the front end, before that software is sent to market.