Security problems in software are inevitable. Although we have taken various measures to cope with those problems, such as establishing security code specifications, organizing special security teams, hiring third-party security companies to carry out penetration test, etc., the effect is still questionable. Behind those problems which seemed easy to be solved, there are deep hidden contradictions always turning out to be obstacles for enterprises to build up more secure software.

According to cask effect, it is not enough to prevent various security problems in current software system just by security scanning, intrusion detection and hardware firewall, because simply adoption of those measures probably lead to avalanche. The problems can only be solved substantially once they are prevented at their sources, i.e. security awareness of developers, business analysis, software architecture and code writing. Therefore, security problems need to be nipped in the bud by carrying out various security practices in the overall life cycle of software development.

In BSI, security test is a fairly important and complex step and always the field hard to get through due to its heavy demands on various security tools and professional knowledge regarding security issues as well as the expensive cost for different security tests. In fact, a large number of automatic security scanning and security attack tools have emerged currently, which are easy to be applied. In addition, problems and solutions are detailed in test reports, and the tools are easy to be inserted into CI for automatic operation. Therefore, regular security tests are greatly accelerated and thus test costs are reduced.

Another key character of BSI is its emphasis on teamwork. Software development involves in all team members playing different roles at operation, and therefore, responsibility for software security shall be shared among the team members. Moreover, the security shall be guaranteed not only relying on such passive defenses as firewalls and security reviews before product release, but also by proactive attitude and preventive actions, to realize BSI in the true sense and facilitate enterprises to develop software with higher security, so as to safeguard common interests of enterprises and users.