In its 2019 Hype Cycle for Application Security report, Gartner revealed a new, “high-priority” category called Application Security Orchestration and Correlation (ASOC). ASOC delivers three primary benefits to the AppSec process within organizations: efficiency, scalability, and accountability.
This is the first article in a three-part series in which we will take a closer look at each of these benefits. We will focus on efficiency first, demonstrating how ASOC helps your DevSecOps team function better.
What is ASOC?
Let’s first take a look at what ASOC is all about. Gartner created the category by combining Application Vulnerability Correlation (AVC) and Application Security Testing Orchestration (ASTO).
AVC tools streamline the AppSec process by correlating and deduplicating the results from a wide variety of AppSec testing tools, yielding one single set of results. AVC tools can also prioritize the vulnerabilities identified, so you can manage remediation more efficiently. ASTO tools integrate application security testing tools across the software development lifecycle (SDLC), promoting a DevSecOps approach to software development. This merger was based on the fact that many organizations need both AVC and ASTO capabilities, and several vendors in the marketplace are now providing them via one tool.
Gartner defines ASOC tools as those that “streamline software vulnerability testing and remediation by automating workflows. They automate security testing by ingesting data from multiple sources (static, dynamic, and interactive [SAST/DAST/IAST], software composition analysis [SCA], vulnerability assessments, and others) into a database. ASOC tools correlate and analyze findings to centralize and prioritize remediation efforts. They act as a management layer between application development and security testing tools.”
In order to be listed in the ASOC category, tools must meet certain criteria that differentiate them from standard AppSec tools:
- They must integrate with a wide range of commercial AppSec testing tools.
- They must correlate the findings from these tools.
- They must provide orchestration capabilities.
Robust ASOC tools integrate with continuous integration and continuous delivery (CI/CD) engines. When evaluating ASOC tools, consider the following:
- Correlation and analysis capabilities of results from a wide range of AppSec testing tools
- Integration with defect tracking systems
- Out-of-the-box integration and support for existing security testing, development, and CI/CD tooling
- Speed and accuracy of correlation and analysis
- Scope and nature of reporting capabilities, including technical metrics, as well as business and risk analysis
Three ways ASOC improves the efficiency of DevSecOps
- You can prioritize the most critical vulnerabilities for remediation to properly allocate resources.
Resource allocation is a challenge faced by many AppSec teams. AppSec tools uncover a wide range of potential issues. Some may be false positives, and others may simply not be relevant to your organization. The time spent conducting triage on potential vulnerabilities can be debilitating for many companies.
An IEEE study found that it takes an average of ten minutes to triage one finding to determine if an issue is exploitable and needs to be fixed. Additionally, studies have shown that an average of 66 percent of findings from the average SAST tool are irrelevant. This translates into an incredible amount of time spent triaging findings that turn out to be false positives or irrelevant. No matter how large your AppSec team is, no organization can afford to waste time researching issues that don’t actually pose a threat to application security.
Vulnerability prioritization is just as important for developers as it is for security. Agile development calls for rapid iteration. The most critical defects must be addressed before the next build is pushed through to ensure security is maintained throughout the development process.
ASOC tools can prioritize vulnerabilities based on exploitability. Issues can be assigned a severity score, so your security team can focus their attention on addressing vulnerabilities that are real and pose a bigger threat to your organization.
If your application must comply with certain regulations such as HIPAA and PCI DSS, an ASOC tool can check your codebase and identify the exact lines of code that are in violation (and suggest ways to make it compliant). These types of compliance issues are a higher priority, as they can result in severe penalties and fines.
More advanced ASOC tools have a built-in capability that uses machine learning to automatically predict which vulnerability findings are most important based on past triage decisions. Every 240 findings automatically categorized saves your organization the equivalent of one week’s time from a full-time employee.
The prioritization capabilities provided by ASOC tools give security pros and developers the information they need to make sure the biggest threats to security are addressed before the next release.
ASOC tools also provide support for managing remediation, allowing security to assign tasks to developers and track progress. Integration with issue tracking tools and developer environments makes it easier for developers to address problems, as they don’t have to leave their preferred working environment. They can correct issues within their preferred workflow.
Whether you have one AppSec project running or 30, efficient resource allocation is essential to creating an efficient and Agile development process that keeps security a top priority.
- You can centrally manage the results from a large number of AppSec tools across multiple projects/departments.
DevOps came about as the development and operations teams began working more closely together in order to support the Agile development methodology. As DevOps continued to evolve, security was integrated into the equation.
This was an important step, as application security demands full attention at all stages of design and development. However, it has often been a challenge for the security team to keep up with the Agile sprints of DevOps.
Application security involves using a number of different types of AppSec testing tools.
- Static Application Security Testing (SAST) tools examine the application from the inside, looking for vulnerabilities in the source code, byte code, or application binaries.
- Dynamic Application Security Testing (DAST) tools approach the application from the outside, taking on the role of a robot attacker.
- Interactive Application Security Testing (IAST) tools combine SAST and DAST tools by using instrumentation technology to leverage information inside the running application to identify vulnerabilities.
- Software Composition Analysis (SCA) tools analyze applications for third-party and open source components to detect vulnerable code.
- Threat modeling approaches such as STRIDE and DREAD identify and assess potential vulnerabilities.
- Manual testing is also often conducted to make sure the application code is high-quality and secure.
It’s important to note that there are a number of tools on the market in each category, each with its own strengths and weaknesses. For example, each SAST tool only identifies approximately 14 percent of the vulnerabilities in your code. So it’s no surprise that most organizations use more than one tool of each type; this is the only way to ensure comprehensive code coverage in AppSec testing.
The problem is each tool shows results in a different format, and the same potential issue may be found by multiple tools. Weeding through long lists of results from multiple tools to remove duplicates and figure out which vulnerabilities are real and pose the highest threat takes up a lot of time. This makes it nearly impossible for security to move at the same speed as development.
Application Security Orchestration and Correlation, however, eliminates these issues by providing:
- A single, central hub for application security
- Support for commercial SAST, DAST, and IAST tools
- Automatic correlation of results from multiple AppSec tools and manual testing into a single set of results
- Integration with popular development environments and issue tracking tools
- Inclusion of tools to track and remediate vulnerabilities
These features enable organizations to provide better vulnerability coverage and more effective software testing that yields fewer false positives and no duplicate results. You get a single view of AppSec issues, no matter how many tools you are using to scan for threats. This allows you to rapidly identify where the most significant risks are and do something about them before they become a problem.
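To make the correlation step concrete, here is an added example (not code from the article or any ASOC vendor) that normalizes constructed output from a hypothetical SAST tool and a hypothetical DAST tool, each with its own schema, into one shared record shape, deduplicates by CWE and location, and raises the priority of findings that more than one tool class corroborates. The tool names, field names, and severity scales are assumptions.

```python
"""Correlate findings from two scanners with different output formats into one
deduplicated, prioritized result set (the AVC half of ASOC). Example code; the
scanner schemas and sample findings below are constructed for illustration."""
from collections import defaultdict

# Constructed output of a hypothetical SAST tool. The repeated entry mimics a
# scanner reporting the same sink twice (two data-flow paths, one location).
SAST_FINDINGS = [
    {"rule": "sql-injection", "file": "app/db.py", "line": 42, "sev": "HIGH", "cwe": 89},
    {"rule": "sql-injection", "file": "app/db.py", "line": 42, "sev": "HIGH", "cwe": 89},
    {"rule": "hardcoded-secret", "file": "app/config.py", "line": 7, "sev": "MEDIUM", "cwe": 798},
]
# Constructed output of a hypothetical DAST tool: different keys, numeric risk 0-3,
# CWE as a string, and a source location only when instrumentation supplied one.
DAST_FINDINGS = [
    {"name": "SQL Injection", "url": "/search?q=", "risk": 3, "cweid": "89", "source": "app/db.py:42"},
    {"name": "Missing X-Frame-Options", "url": "/", "risk": 1, "cweid": "1021", "source": ""},
]

SEVERITY = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}  # shared scale

def normalize_sast(f):
    return {"tool": "sast", "cwe": int(f["cwe"]), "location": f"{f['file']}:{f['line']}",
            "severity": SEVERITY[f["sev"]], "title": f["rule"]}

def normalize_dast(f):
    # Fall back to the URL when the DAST tool has no code location for the finding.
    location = f["source"] or f["url"]
    return {"tool": "dast", "cwe": int(f["cweid"]), "location": location,
            "severity": f["risk"] + 1, "title": f["name"]}

def correlate(findings):
    """Group by (CWE, location): one merged entry per group, keeping the highest
    severity and the set of tools that reported it. Agreement between tool
    classes (e.g. SAST and DAST on the same sink) bumps the priority by one."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["cwe"], f["location"])].append(f)
    merged = []
    for (cwe, location), group in groups.items():
        tools = sorted({f["tool"] for f in group})
        severity = max(f["severity"] for f in group)
        merged.append({"cwe": cwe, "location": location, "title": group[0]["title"],
                       "severity": severity, "tools": tools,
                       "priority": severity + (len(tools) - 1)})
    return sorted(merged, key=lambda m: (-m["priority"], m["location"]))

def unified_results():
    """Single, deduplicated, priority-ordered view across both scanners."""
    return correlate([normalize_sast(f) for f in SAST_FINDINGS]
                     + [normalize_dast(f) for f in DAST_FINDINGS])
```

Five raw findings collapse to three, and the SQL injection reported by both tools at the same location sorts first.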
An ASOC tool empowers your security team to speed up the AppSec process without sacrificing quality, fostering a better relationship between development and security teams. A DevSecOps approach finally becomes a reality, enabling your organization to meet the demand for rapid development of secure applications.
- You have access to metrics to show how vulnerability management and AppSec are performing over time in your organization.
It’s impossible to know if your organization is getting better at application security if you can’t measure performance. Metrics can provide important information for C-level executives and for security and development team members in the thick of AppSec testing.
For example, CISOs may want data on the total number of application vulnerabilities and their severity. Data on the total number of vulnerabilities shows how well your organization is doing over time at reducing the total number of threats.
Metrics on severity are just as important, indicating the overall danger to the organization. Severity metrics also help security team members prioritize issues, so the most pressing ones can be addressed first.
Historical data about the number of new vulnerabilities shows how many issues are introduced with a new release. This is important for teams following the Agile development methodology, as it validates whether or not security is being given the attention it deserves during rapid iteration. CISOs can use this data to monitor overall risk, and AppSec managers can leverage the information to assess the quality of code being written by team members.
Average days to resolution is another important AppSec metric. The longer an issue lingers, the more likely it is to be exploited. Managers can assess remediation efforts and identify inefficiencies. It’s not enough just to know how many vulnerabilities are identified.
The types of vulnerabilities are also important. If you know the most common types of vulnerabilities found in your organization’s applications, you can improve security by training your security team and developers on these issues. You can provide training on how to write better code to prevent these issues and how to remediate them more quickly when they do occur.
ASOC tools provide the metrics that CISOs, AppSec managers, security team members, and developers need to improve over time. When it comes to metrics, a powerful ASOC tool provides all of the metrics mentioned above and more.
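The metrics above are straightforward to compute once findings live in one correlated store. The added example below (not code from the article or any product) derives the open backlog by severity, new findings per release, average days to resolution, and the most common CWE types from a constructed finding history; the record fields are assumptions, and findings that are still open are excluded from the resolution average rather than skewing it.

```python
"""AppSec metrics over a correlated finding history. Example code with a
constructed data set; field names are assumptions, not any ASOC tool's schema."""
from collections import Counter
from datetime import date

# Constructed sample: one record per correlated finding, tracked over time.
# `closed` is None while a finding is still open.
FINDINGS = [
    {"id": 1, "cwe": 89,  "severity": "HIGH",   "release": "1.0", "opened": date(2019, 9, 2),  "closed": date(2019, 9, 12)},
    {"id": 2, "cwe": 79,  "severity": "MEDIUM", "release": "1.0", "opened": date(2019, 9, 2),  "closed": date(2019, 9, 30)},
    {"id": 3, "cwe": 798, "severity": "HIGH",   "release": "1.1", "opened": date(2019, 10, 1), "closed": None},
    {"id": 4, "cwe": 79,  "severity": "LOW",    "release": "1.1", "opened": date(2019, 10, 1), "closed": date(2019, 10, 3)},
    {"id": 5, "cwe": 89,  "severity": "HIGH",   "release": "1.2", "opened": date(2019, 11, 4), "closed": None},
]

def open_by_severity(findings):
    """Current backlog, broken down by severity (what a CISO asks for first)."""
    return Counter(f["severity"] for f in findings if f["closed"] is None)

def new_per_release(findings):
    """How many findings each release introduced: the Agile regression signal."""
    return Counter(f["release"] for f in findings)

def avg_days_to_resolution(findings):
    """Mean open-to-closed time over resolved findings only; open findings have
    no resolution date and are left out (returns None if nothing is resolved)."""
    durations = [(f["closed"] - f["opened"]).days
                 for f in findings if f["closed"] is not None]
    return sum(durations) / len(durations) if durations else None

def oldest_open_age(findings, today):
    """Age in days of the longest-lingering open finding as of `today`."""
    ages = [(today - f["opened"]).days for f in findings if f["closed"] is None]
    return max(ages) if ages else 0

def top_cwes(findings, n=2):
    """Most common vulnerability classes, to target developer training."""
    return Counter(f["cwe"] for f in findings).most_common(n)
```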
Additional features to look for in an ASOC tool include:
- A visual display of metrics, so you can quickly and easily see how AppSec is performing over time and identify trends.
- A central dashboard that provides interactive metrics, so you can uncover trends and see critical AppSec information quickly.
As ASOC tools become more popular, it’s important for organizations to understand how they can benefit from their use. Here we have outlined exactly how an Application Security Orchestration and Correlation tool can make your DevSecOps team more efficient. Be on the lookout for future posts in our ASOC series to discover how you can obtain scalability and accountability within AppSec across your entire enterprise.