ASOC Part 3: How to improve AppSec accountability with Application Security Orchestration and Correlation

by | Oct 22, 2020 | AppSec Classroom, Blog

Share This Story, Choose Your Platform

We have already discussed how Application Security Orchestration and Correlation (ASOC) makes the AppSec process more efficient and scalable. In this final post in our ASOC series, we will demonstrate how ASOC tools bring accountability to both the technical and business sides of application security. 

The accountability problem in AppSec

The DevSecOps approach to application development requires companies to combine speed and security into a harmonious process. But—as we have previously discussed—this is not easy to accomplish.

Application security is time consuming. Analysts are responsible for assessing vulnerabilities in all attack surfaces, including custom code, third-party components, and the network where the application resides. 

Scanning for vulnerabilities within all of those attack surfaces requires at least one tool for each—but you actually need multiple tools for each attack surface (multiple SAST, DAST, third-party component scanners, etc.). That’s just for one application; organizations with more than one software project at any given time have even more complicated problems to solve.

In short, larger enterprises run dozens of disparate tools that don’t integrate with each other. Configuring and maintaining each tool can also be complex—and if the same tool is used on more than one project, it needs to be configured for each use case.

In addition, AppSec analysts are often conducting other tests, including penetration testing and manual code reviews to make sure the application code is secure. These tests are usually run at different times and frequencies.

The results from a variety of tools and scans contain false positives and inconsistencies. It can take weeks for the AppSec team to correlate, deduplicate, and prioritize the results across hundreds of disjointed point-solution AppSec tools.

Then there is the issue of what to do with the findings. How will they be assigned to developers and how will remediation be tracked and monitored appropriately?

Disjointed assessments of the various attack surfaces using dozens or even hundreds of tools impede situational awareness of security throughout the software development lifecycle (SDLC), creating accountability issues on the technical side of AppSec for analysts and their managers. 

There is also an accountability problem on the business side of AppSec. Specifically, there is typically little to no accountability for the management or reporting of AppSec tools or their results. 

A survey of enterprise IT decision-makers identified the top three challenges of DevSecOps. The results demonstrate the sources of these accountability issues. 

  • A lack of automated, integrated security testing tools (61 percent)
  • Inconsistent approach (56 percent)
  • Security testing slows things down (48 percent)

Despite these challenges, CISOs and other high-level managers and executives are asked such questions as:

  • When was the software last tested?
  • What issues were found?
  • Have they been fixed?

A slow AppSec process that lacks automation, integration, and consistency leaves CISOs and AppSec managers without accurate or detailed answers to these questions. Yet, at the end of the day, leaders are held responsible if insecure software is released. Accountability matters. 

6 ways ASOC improves AppSec accountability

1. System of Record 

ASOC tools solve the accountability problem from both a technical and business perspective by providing six capabilities that bring automation, integration, consistency, and transparency to the AppSec process.

2. Remediation tracking 

ASOC tools function as a System of Record. Regardless of which scanners are used, an ASOC platform serves as a single (auditable) archive for all AppSec activity. ASOC platforms record and track when software was tested, what issues were found, and when/if those issues have been resolved. Organizations can use this data to generate reports and run audits across all three software attack surfaces and across the entire SDLC. A System of Record provides the visibility and transparency required for AppSec accountability. 

ASOC tools store all testing and remediation activities in a System of Record. The Code Dx ASOC tool in particular provides great detail on issue tracking and remediation. 

Managers and AppSec Analysts can view the status of open issues on a single screen and see such data as: 

  • The type of vulnerability found
  • The tools that discovered the issue
  • The date the issue was first identified
  • Who has been assigned the task of remediation (along with who handed out the assignment)
  • A detailed description of the vulnerability
  • Guidance on recommended actions to take for remediation
  • A comment thread to share status 

Additionally, two-way Jira integration allows analysts to create a new Jira ticket or link to an existing one, so developers can address remediation issues without leaving their preferred working environment.

3. Central management and standardization of AppSec 

Tool orchestration enables the AppSec team to use previous raw results and remediation activity to select an optimal mix of security testing tools for each application within the organization. The rule set for each AppSec tool can be optimized for each development pipeline based on the criticality of the application, regulatory compliance requirements, and overall organizational capabilities. 

No matter how many different development teams are working within the organization, orchestration allows AppSec to maintain control over security scans. Your AppSec team can set up orchestration for any tool they want to use, including commercial, open-source, and in-house tools. Development teams can still run whatever scans they want and share that data with the AppSec team, but orchestration allows AppSec to make sure that specific scans are always run—creating a consistent and standardized AppSec process across the enterprise.

4. Single pane of glass view 

ASOC tools provide a single pane of glass (SPOG) 360 degree view of AppSec through a unified dashboard that integrates information from all of the application security tools in use. A single display provides centralized risk visibility, situational awareness, and continuous security monitoring of application security efforts. Quick access to risk visibility at both a project and business unit level with visual graphics on such data as open findings and average days to resolution provide real-time metrics on project health from a security standpoint. 

5. Risk score 

The Code Dx ASOC tool assigns a risk score to each project. The score provides a letter grade to give you a quick sense of the overall quality of a given project. The grade is based on a percentage score, which is generated from the number of vulnerability findings in custom code and third-party components. Next to the letter grade, you can also see a specific percentage score that shows the general trends of the project’s risk score over the past week.

The risk score helps managers and executives monitor progress on application security over the life of a project and quickly identify potential problem areas.  

6. Metrics dashboard 

Metrics drive process improvement across both security and development teams. Examples of valuable metrics included in the Code Dx ASOC tool are:

  • Open Findings—Shows the overall triage status of a project. Findings are grouped into severity categories, and users get a visual display of the types of findings, the severity level, the age of findings, and the percentage that have been triaged. 
  • Average Days to Resolution—Shows the average number of days it takes to remediate new findings. This is also broken down into severity level, so you can see how quickly more severe threats are addressed. 
  • Analysis Frequency—Provides CISOs and AppSec managers with instant access to the most recent testing completed. It includes details on how many analyses were run on the project over a given time period and the number of unique tools run during those analyses. 
  • Activity Monitor—Provides a heatmap display that represents analysis activity over the past year. 

The dashboard gives CISOs and AppSec managers the information they need to answer questions on AppSec at any time and keep them accountable to the overall AppSec process. 

The right ASOC tool automates time-consuming application security workflows and makes software security risks visible across the SDLC at DevOps speed. AppSec Analysts, managers, and CISOs gain the transparency and visibility needed to bring accountability to the application security process.

Reach out today for a demo to learn more about how the Code Dx ASOC platform can benefit application security within your organization.

Share This Story, Choose Your Platform