Many organizations have advanced from the DevOps methodology to DevSecOps, and it is expected this trend will continue throughout 2020 as more enterprises leverage the cloud. A DevSecOps approach promotes collaboration between software application development teams and application security teams.
Initially, DevOps emerged as the development and operations teams began working more closely together in order to support the Agile development methodology. DevSecOps is the next step in the evolution of application development, bringing security into the equation. Rather than addressing security at the end of development (which can drastically impact meeting the launch date goal), security should be incorporated into the entire development process.
It can be challenging to create a harmonious relationship between developers and AppSec teams, as security members are often viewed as bottlenecks who slow down development. Software development teams are often “under the gun” to deliver new features as rapidly as possible to gain a competitive edge.
It is also difficult to hit development deadlines and create a secure application; teams often feel they have to choose one over the other. However, a new feature in some application security management solutions called “tool orchestration” gives AppSec teams the control and speed they need to keep up with the fast pace of DevOps.
The end result? A true state of DevSecOps in which all three units function harmoniously together, creating more secure applications swiftly and efficiently, while ending the trade-off between rapid development and a secure application.
Tool orchestration: A key ingredient for DevSecOps
Comprehensive application security requires the use of a variety of AppSec testing tools. Results come back in different formats and need to be de-duped and prioritized. Even then, developers often don’t want to stop their work on the next build in order to remediate security issues, especially when they have to log into another application (or a number of applications) to do so.
An application security management solution addresses these issues by:
- Correlating results from multiple AppSec tools and manual tests into a single set of results
- Including open source vulnerability scanners to improve AppSec coverage
- Checking your codebase against regulations such as HIPAA and PCI-DSS
- Providing tools to track and remediate vulnerabilities
- Integrating with popular developer tools such as Jira and Azure DevOps to stay in the development workflow
- Cross-referencing results from Static Application Security Testing (SAST) tools and Dynamic Application Security Testing (DAST) tools, in order to identify which vulnerabilities are real and pose the biggest threat.
- Providing AppSec with centralized control over application security testing, creating a consistent and optimized AppSec program
This type of orchestration lets your organization run a wide variety of AppSec tools from a single platform and reduces the workload on developers and security analysts by significantly lowering the number of duplicate results. You receive fewer false positives. Developers can remediate issues without having to leave their preferred working environment. The entire AppSec process is streamlined, helping security teams move faster without sacrificing quality.
In many enterprises (especially larger ones), however, there are multiple development teams working on various projects, using different tools and processes. Adding to the problem is that security teams are typically quite small compared to development teams, making it hard for AppSec to keep up with the faster pace of development.
Different applications require varying types of testing, depending on their complexity and risk level. The process of on-boarding new AppSec tools can be time-consuming for the security team, slowing down the process with days of testing and configuration. Even after the tools are on-boarded, it’s difficult for AppSec team members to stay on top of security across all of the various development teams throughout the organization without slowing down the overall software development lifecycle (SDLC). Tool orchestration and smart automation provide a solution to this dilemma by giving AppSec professionals prioritized control over which vulnerability scans are run and increasing the speed of the overall AppSec process.
The benefits of orchestration include:
Development teams can still run whatever scans they want and share that data with the AppSec team, but orchestration allows AppSec to make sure that specific scans are always run—creating a consistent and standardized AppSec process across the enterprise.
Optimized application security across pipelines
Smart automation allows the AppSec team to use previous raw results and remediation activity to select an optimal mix of security testing tools for each application. The rule set for each AppSec tool can be optimized for each development pipeline based on the criticality of the application, regulatory compliance requirements, and overall organizational capabilities.
No matter how many different development teams are working within the organization, orchestration allows AppSec to maintain control over security scans, ensuring a consistent application security process is in effect at all times. Your AppSec team can set up orchestration for any tool they want to use, including commercial, open-source, and in-house tools.
Better development pipeline management
AppSec testing becomes a scalable and repeatable process that can be automated across all development pipelines within the enterprise. Security can get an accurate picture of application security across all development teams.
Faster AppSec process
Orchestration makes it easier to onboard new applications into the security pipeline. It also reduces the time needed to install, configure, and update AppSec testing tools. AppSec can run extensive tests across all build servers without slowing down the development process.
Improved harmony between security and development
Rather than adding complexity to the developers’ pipeline, DevSecOps can be achieved using a single platform to execute and manage the vulnerability scans and resulting data. Security has the power to make sure AppSec is already part of the process, truly putting the “Sec” in DevSecOps—without skipping a beat.
Some AppSec management systems only allow you to do this by building connectors, but there are others that offer an open platform. You’re not reliant on the system supporting a specific AppSec tool. You can create on-demand scanning environments for any tools running within your organization.
As the demand for rapid development and secure applications continues to grow, enterprises need a solution such as tool orchestration to streamline and automate the application security process. Orchestration provides AppSec team members with the features and functionality needed to move at the pace of DevOps without increasing the risk of releasing an insecure application—a union of security and speed.