In our first piece on Application Security Orchestration and Correlation (ASOC), we looked at how this new application security trend improves DevSecOps efficiency. We will now focus on the second primary benefit of ASOC tools—scalability.
In this article, we will explore the typical challenges AppSec teams face due to today’s rapid development cycles, and how ASOC tools make scaling possible through application security automation and orchestration.
The problem: AppSec can’t keep up with DevOps
Application security teams have often struggled to keep up with the rapid code releases produced by DevOps teams. Testing inevitably falls behind as development speeds up.
It’s difficult to go back through the application code and remediate every possible issue later in the development cycle. Reviewing and fixing vulnerabilities in code that may have been written six months ago isn’t easy, and developers typically don’t want to address code that works, “just” because there may be a security risk. The result is that insecure software is often released, which increases the risk for a breach.
The solution isn’t to slow down development so security can catch up. Successful application development instead requires that speed and security advance together, each receiving constant and equal attention. Harmonizing speed and security is the reason behind the shift to DevSecOps.
Many companies are in the process of making this shift. A recent report from Gartner uncovered several key data points that demonstrate the acceleration in the transition towards this application security best practice:
- 90 percent of software development projects will claim to be following a DevSecOps model by 2022 as compared to just 40 percent in 2019.
- 70 percent of DevSecOps initiatives will incorporate automated security vulnerability and configuration scanning by 2023 as opposed to just 30 percent in 2019.
- 60 percent of rapid development teams will have embedded DevSecOps practices by 2021, compared to 20 percent in 2019.
These plans are promising, but a true DevSecOps approach that fully integrates security into the design and development process can be challenging for many organizations. Comprehensive application security testing is time-consuming and resource-intensive. Analysts have to assess vulnerabilities across all attack surfaces, including custom code, third-party components, and the network where the software application will reside.
AppSec teams need to run a large number of tools, including:
- Static Application Security Testing (SAST) tools
- Dynamic Application Security Testing (DAST) tools
- Interactive Application Security Testing (IAST) tools
- Software Composition Analysis (SCA) tools
- Threat-modeling tools
In addition to the types of tools listed above, AppSec teams also use other methods, such as:
- Penetration testing
- Manual code review
- Network vulnerability analysis
- Bug bounties
These tools and reviews usually run at different times and frequencies, depending on where a given project is in the software development lifecycle (SDLC). Many AppSec tools are complicated to configure and run. Onboarding and maintenance take time, and AppSec teams are encouraged to run multiple tools in the same category—meaning multiple SAST tools and DAST tools, etc. One software development project may require dozens of tools over the course of the SDLC, and each one has its own user interface (not to mention peculiarities).
Oftentimes the same tools are used on multiple projects, requiring multiple configurations. Results across a variety of tools that don’t integrate with each other are inconsistent, with reports in different formats. It can take weeks (or longer) to identify false positives and to correlate and prioritize results.
Additionally, many enterprises are managing more than one build server. There may be hundreds of Jenkins servers, for example, in addition to multiple instances of TeamCity, Azure, and other services. It’s just not possible to bake application security into each one of these systems without orchestration.
Compounding the issue is a low ratio of security team members to developers. Developers outnumber security team members at a ratio of 100:1. When you consider how quickly each developer is trying to work, security doesn’t have much of a chance to identify and remediate all of the potential vulnerabilities.
It’s no wonder AppSec can’t keep up with development teams and track vulnerabilities efficiently.
The solution: Application security automation and orchestration with ASOC
Organizations need a way to centralize and harmonize AppSec testing across all development pipelines into a scalable, repeatable, and automated process. Then (and only then) will security stop clogging the development pipeline and be able to move at the speed of DevOps.
Application Security Orchestration and Correlation (ASOC) is the solution to make application security automation and scalability possible. Since we already provided a close look at ASOC in the first post in our series, we will just focus here on the aspects that enable scalability.
Orchestration increases the speed of AppSec testing and ensures all of the appropriate tests are run. Orchestration automates scanning processes to ensure specific tools are always run at specific intervals, across multiple build servers. An ASOC tool analyzes the source code to identify the languages used. It then automatically figures out the appropriate AppSec tools to run for a particular application. This creates a consistent and standardized process regardless of how many different development teams are working on various projects.
Because it makes it possible to have a standardized, automated process for AppSec testing, tool orchestration makes it easier to onboard new applications into the security pipeline. It also reduces the time needed to install, configure, and update AppSec testing tools. In other words, orchestration lets AppSec teams scale up their testing activities as needed.
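The selection step described above, as an added example that is not Code Dx’s code: a minimal orchestration planner that takes a repository’s file listing, detects the languages and dependency manifests present, and picks tool categories from a policy table. The tool names, the schedule labels and the extension-based language detection are assumptions made for illustration; the repository listing is constructed. The planner also reports coverage gaps, because an orchestration process that silently runs fewer tests for a language it has no scanner for is a failure mode a practitioner wants surfaced.

```python
"""Added example, not Code Dx's code: a minimal orchestration planner.

It takes the file paths of a repository, detects the languages and
dependency manifests present, and selects which AppSec tool categories
to run from a policy table. Tool names and the policy are hypothetical.
"""
from collections import Counter
from pathlib import PurePosixPath

# Assumption: languages are detected from file extensions.
EXTENSION_LANGUAGES = {
    ".java": "java", ".kt": "kotlin",
    ".py": "python",
    ".js": "javascript", ".ts": "javascript",
    ".go": "go",
    ".c": "c", ".h": "c",
}

# Dependency manifests whose presence means third-party components
# are in play, so an SCA tool should run.
MANIFESTS = {"pom.xml", "build.gradle", "requirements.txt",
             "package.json", "go.mod"}

# Hypothetical policy: one SAST tool per language plus its schedule.
# "commit" runs on every build; "nightly" is for slower scanners.
SAST_TOOLS = {
    "java": ("example-sast-java", "commit"),
    "python": ("example-sast-python", "commit"),
    "javascript": ("example-sast-js", "commit"),
    "go": ("example-sast-go", "commit"),
    "c": ("example-sast-c", "nightly"),
}
SCA_TOOL = ("example-sca", "commit")
DAST_TOOL = ("example-dast", "nightly")


def detect_languages(paths):
    """Count source files per language; unknown extensions are ignored."""
    counts = Counter()
    for path in paths:
        language = EXTENSION_LANGUAGES.get(PurePosixPath(path).suffix.lower())
        if language:
            counts[language] += 1
    return counts


def has_manifest(paths):
    return any(PurePosixPath(path).name in MANIFESTS for path in paths)


def build_plan(paths, web_facing=False):
    """Select tools for one application and report coverage gaps.

    A gap is a detected language with no SAST tool in the policy: the
    plan surfaces it rather than silently running fewer tests.
    """
    languages = detect_languages(paths)
    plan = {"languages": dict(languages), "tools": [], "gaps": []}
    for language, count in sorted(languages.items()):
        tool = SAST_TOOLS.get(language)
        if tool is None:
            plan["gaps"].append(
                f"no SAST tool configured for {language} ({count} file(s))")
            continue
        plan["tools"].append({"category": "sast", "tool": tool[0],
                              "schedule": tool[1], "language": language})
    if has_manifest(paths):
        plan["tools"].append({"category": "sca", "tool": SCA_TOOL[0],
                              "schedule": SCA_TOOL[1]})
    if web_facing:
        plan["tools"].append({"category": "dast", "tool": DAST_TOOL[0],
                              "schedule": DAST_TOOL[1]})
    return plan


# Constructed repository listing (not a real project).
SAMPLE_REPO = [
    "pom.xml",
    "src/main/java/com/example/App.java",
    "src/main/java/com/example/Dao.java",
    "src/main/kotlin/com/example/Ext.kt",
    "web/package.json",
    "web/src/index.js",
    "scripts/deploy.sh",
    "README.md",
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_plan(SAMPLE_REPO, web_facing=True), indent=2))
```

Running it on the sample listing schedules the Java and JavaScript SAST tools and SCA on every commit, DAST nightly, and reports that the Kotlin file has no scanner. In a real pipeline the same plan would be emitted for each build server from one central policy, which is what makes the process consistent across teams.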
Correlation and deduplication
ASOC tools automatically run, collect, and correlate results from every type of AppSec tool and testing method, including manual reviews, bug bounties, source code analyzers, automated and manual pen tests, software composition analyzers, and network vulnerability assessors. This reduces the number of results AppSec teams need to review.
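What correlation and deduplication look like in practice, as an added example that is not Code Dx’s code: results from two static analyzers and one dynamic scanner, each in its own format, are normalized onto a common schema, merged when they point at the same weakness at the same location, and a static finding whose weakness class the dynamic scanner could actually trigger is marked as corroborated. The three raw formats, the tool names and the correlation rule are constructed for illustration and do not reflect any real product’s output.

```python
"""Added example, not Code Dx's code: normalizing, deduplicating and
correlating findings from several tools into one list.

The raw formats below are constructed to look like different tools'
output; they are not any real product's schema.
"""
import hashlib

# Constructed raw results from two SAST tools and one DAST tool.
RAW_SAST_A = [
    {"rule": "SQLI-001", "cwe": 89, "file": "src/Dao.java", "startLine": 42, "sev": "High"},
    {"rule": "XSS-004", "cwe": 79, "file": "src/View.java", "startLine": 17, "sev": "Medium"},
]
RAW_SAST_B = [
    {"checkId": "java.sqli", "cweId": "CWE-89", "location": "src/Dao.java:42", "priority": 1},
    {"checkId": "java.hardcoded-key", "cweId": "CWE-798", "location": "src/Config.java:8", "priority": 2},
]
RAW_DAST = [
    {"alert": "SQL Injection", "cweid": "89", "url": "https://app.example/users?id=1", "risk": "High"},
]

# Common severity scale every adapter maps onto.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
PRIORITY_TO_SEVERITY = {1: 3, 2: 2, 3: 1}  # tool B reports priorities 1..3


def normalize_sast_a(rec):
    return {"tool": "sast-a", "kind": "code", "cwe": rec["cwe"],
            "path": rec["file"], "line": rec["startLine"],
            "severity": SEVERITY[rec["sev"].lower()]}


def normalize_sast_b(rec):
    path, line = rec["location"].rsplit(":", 1)
    return {"tool": "sast-b", "kind": "code",
            "cwe": int(rec["cweId"].split("-")[1]),
            "path": path, "line": int(line),
            "severity": PRIORITY_TO_SEVERITY[rec["priority"]]}


def normalize_dast(rec):
    # Runtime findings have no source line; the endpoint is the location.
    return {"tool": "dast", "kind": "runtime", "cwe": int(rec["cweid"]),
            "path": rec["url"].split("?", 1)[0], "line": None,
            "severity": SEVERITY[rec["risk"].lower()]}


def fingerprint(finding):
    """Stable identity for a finding: same weakness at the same location."""
    key = f"{finding['cwe']}|{finding['path']}|{finding['line']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def correlate(findings):
    """Merge duplicates and mark code findings confirmed at runtime."""
    merged = {}
    for f in findings:
        fp = fingerprint(f)
        if fp in merged:
            entry = merged[fp]
            entry["tools"].append(f["tool"])
            entry["severity"] = max(entry["severity"], f["severity"])
        else:
            merged[fp] = {"id": fp, "kind": f["kind"], "cwe": f["cwe"],
                          "path": f["path"], "line": f["line"],
                          "severity": f["severity"], "tools": [f["tool"]],
                          "corroborated": False}
    # Simplified correlation rule: a weakness class the DAST tool could
    # actually trigger makes the matching static findings more credible.
    runtime_cwes = {m["cwe"] for m in merged.values() if m["kind"] == "runtime"}
    for m in merged.values():
        if m["kind"] == "code" and m["cwe"] in runtime_cwes:
            m["corroborated"] = True
    return sorted(merged.values(),
                  key=lambda m: (-m["severity"], -m["corroborated"], m["path"]))


def run_pipeline():
    findings = ([normalize_sast_a(r) for r in RAW_SAST_A]
                + [normalize_sast_b(r) for r in RAW_SAST_B]
                + [normalize_dast(r) for r in RAW_DAST])
    return correlate(findings)


if __name__ == "__main__":
    for m in run_pipeline():
        flag = " (confirmed by DAST)" if m["corroborated"] else ""
        print(f"sev={m['severity']} CWE-{m['cwe']} {m['path']}:{m['line']} "
              f"tools={','.join(m['tools'])}{flag}")
```

Five raw records become four review items, and the SQL injection reported by both static tools and confirmed by the dynamic scan sorts to the top. The fingerprint deliberately excludes tool-specific rule names so that two tools describing the same weakness at the same line collapse into one item instead of two.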
Smart automation allows the AppSec team to use previous raw results and remediation activity to select an optimal mix of security testing tools for each application. The rule set for each AppSec tool can be optimized for each development pipeline based on the criticality of the application, regulatory compliance requirements, and overall organizational capabilities.
Our ASOC tool has a Triage Assistant that further improves the automation process. A machine-learning classifier learns which issues and vulnerabilities to act on based on prior decisions. Triage Assistant is tailored specifically to each individual organization and reduces the number of false positives, noise, or less-important results security team members have to sort through. Every 240 findings automatically categorized saves your organization the equivalent of one week’s time from a full-time employee.
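The learning step described above, as an added example that is not Code Dx’s Triage Assistant: a small naive Bayes classifier over categorical features (reporting tool, CWE, source directory) trained on an organization’s own prior triage decisions, then used to auto-close only findings it is highly confident are false positives while sending everything else to a human. The training history, the feature set and the confidence threshold are constructed assumptions for illustration.

```python
"""Added example, not Code Dx's Triage Assistant: a categorical naive
Bayes classifier trained on an organization's own past triage decisions,
used to auto-close only high-confidence false positives.

The history is constructed; the feature set (tool, CWE, directory) is
an assumption chosen for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed history of past decisions by the security team.
HISTORY = [
    ({"tool": "sast-a", "cwe": "89", "dir": "src/test"}, "false_positive"),
    ({"tool": "sast-a", "cwe": "89", "dir": "src/main"}, "fix"),
    ({"tool": "sast-a", "cwe": "79", "dir": "src/main"}, "fix"),
    ({"tool": "sast-b", "cwe": "798", "dir": "src/test"}, "false_positive"),
    ({"tool": "sast-b", "cwe": "798", "dir": "src/main"}, "fix"),
    ({"tool": "sast-a", "cwe": "22", "dir": "src/test"}, "false_positive"),
    ({"tool": "sast-b", "cwe": "89", "dir": "src/main"}, "fix"),
    ({"tool": "sast-a", "cwe": "79", "dir": "src/test"}, "false_positive"),
]


class TriageClassifier:
    """Naive Bayes over categorical features with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.label_counts = Counter()
        # counts[label][feature][value] -> number of past findings
        self.counts = defaultdict(lambda: defaultdict(Counter))
        self.values = defaultdict(set)  # feature -> set of seen values

    def train(self, history):
        for features, label in history:
            self.label_counts[label] += 1
            for name, value in features.items():
                self.counts[label][name][value] += 1
                self.values[name].add(value)
        return self

    def predict_proba(self, features):
        total = sum(self.label_counts.values())
        log_scores = {}
        for label, n_label in self.label_counts.items():
            score = math.log(n_label / total)
            for name, value in features.items():
                seen = self.counts[label][name][value]
                # Smoothing keeps unseen (feature, value) pairs from
                # driving a probability to zero.
                score += math.log((seen + self.alpha)
                                  / (n_label + self.alpha * len(self.values[name])))
            log_scores[label] = score
        # Convert log scores to normalized probabilities.
        peak = max(log_scores.values())
        weights = {lbl: math.exp(s - peak) for lbl, s in log_scores.items()}
        norm = sum(weights.values())
        return {lbl: w / norm for lbl, w in weights.items()}


def triage(classifier, findings, auto_close_threshold=0.8):
    """Auto-close only findings the model is confident are noise;
    everything else still goes to a human reviewer."""
    decisions = []
    for f in findings:
        p_fp = classifier.predict_proba(f).get("false_positive", 0.0)
        decision = "auto_false_positive" if p_fp >= auto_close_threshold else "review"
        decisions.append((f, decision, p_fp))
    return decisions


# Constructed new findings to classify.
NEW_FINDINGS = [
    {"tool": "sast-a", "cwe": "89", "dir": "src/test"},
    {"tool": "sast-b", "cwe": "89", "dir": "src/main"},
]

if __name__ == "__main__":
    model = TriageClassifier().train(HISTORY)
    for finding, decision, p_fp in triage(model, NEW_FINDINGS):
        print(f"{finding} -> {decision} (P(false positive)={p_fp:.2f})")
```

The model is only as organization-specific as the history it is trained on, which is the point: the same finding in test code is auto-closed here because this team has consistently dismissed such results, while the one in production code goes to review. The threshold is intentionally high, since a wrongly auto-closed true positive costs more than an extra manual review.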
Integration and centralized management
ASOC tools provide full integration with DevOps, fitting seamlessly into the continuous integration/continuous delivery (CI/CD) pipeline. Integration with issue tracking tools such as Jira allows developers to work on remediation within their preferred work environment. Developers can get immediate feedback on security-related issues within the tools and environments they are already working in.
An ASOC tool lets your AppSec team manage how sensitive information, such as tool credentials and application logins, is handed to the testing tools. It also monitors tool failures and ensures tools are properly configured and up to date.
ASOC allows the AppSec team to report and audit all three attack surfaces (custom code, third-party components, and the network) in a centralized system.
DevOps isn’t going to slow down, but ASOC tools make it possible for security to scale the AppSec process and move quickly, without letting issues slip by undetected or unaddressed. Stay tuned for the final piece in our ASOC series, in which we will take a closer look at how ASOC improves the accountability of the AppSec process.
To learn more about how Code Dx’s ASOC platform can help your AppSec team scale on-demand, contact us for a demo.