On average, an organisation uses at least 11 different AppSec tools across its software development life cycle (SDLC). That figure excludes penetration testing, source code reviews, risk assessments, threat models and much more. I have seen first-hand how difficult it is for organisations to juggle security across hundreds of CI/CD pipelines. On top of that, there is a real disconnect between manual penetration-testing reports and the results of earlier tests: findings from one are rarely reconciled with the other.
If you’re one of the security professionals out there feeling overwhelmed by the sheer amount of findings your AppSec tools generate and feel like you’re getting lost in the data, I know what that feels like.
The question is, how can we fix it?
The problem: Security teams vs developers
First, we need to understand the problems. The first obvious issue to tackle is the speed of production. We are dealing with phenomenal scale: the amount of software being written and deployed to production every day is massive. To offer some examples, Facebook delivers 50,000 to 60,000 Android builds each day, Amazon deploys new software to production every second, and Netflix deploys new releases 100 times a day.
As a security community, we are desperately trying to keep up, to work out what the vulnerabilities are and what organisations should do about them. To be blunt, it is impossible at this pace. Developers are sprinting to create new applications and bring them to market at a speed security cannot match.
Figure 1: How many individual application security testing (AST) tools is your organisation currently using?
Synopsys carried out a survey to find out how many tools organisations are using, and the majority report using between 11 and 20 application security testing (AST) tools. Here is the problem that creates: security teams end up with a massive amount of information to dissect. Imagine receiving data sets from all directions, generated by these tools on top of the usual threat modelling, penetration testing and risk assessment results, all of which the security team has to go through manually.
It’s hard, and it takes a lot of time.
The big question is: how do I make sure that my development team (who are sprinting) get meaningful information from my findings? How do I ensure they are not pushing out vulnerable code without slowing them down?
How do we bridge this gap?
Speed to market is the name of the game. There are three givens in today’s environment:
- Test your software, as it is the number one attack surface. To get a holistic picture of the security of your software, it is imperative to run multiple types of tests so that you have a comprehensive view of your security posture.
- Match the pace of development to business velocity by enabling security without introducing friction. Application testing cannot bog down development workflows or inhibit efficiency.
- Protect developer productivity and avoid dumping the mountain of findings on them to fix. Instead, you must correlate the findings and prioritise them to ensure your developers are working efficiently to address the biggest risks.
Meeting all three of these demands requires running the right test at the right time, at the right level, and then effectively correlating and prioritising the results for remediation.
Gartner recently coined a new term, ASOC, which stands for application security orchestration and correlation. It is the modern way of thinking about vulnerability management and software security at scale. Essentially, it means providing a central view of the results from all of the tools you use. It is tool agnostic, so it does not matter which vulnerability assessment or testing tools and methods you run. It then normalises and correlates the findings, automatically prioritises them, and helps you track remediation.
ASOC can help you do that and answer the big questions both teams ask:
- Centralised risk visibility: Where can I see and assess our software risk?
- Tool agnostic: What mechanisms are being used to test our software?
- Correlated results and issue prioritisation: What security and quality issues were found, and how critical are they?
- Track remediation: Were the issues resolved?
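The four capabilities above (central visibility, tool-agnostic ingestion, correlation with prioritisation, and remediation tracking) reduce to a small amount of logic once every tool's output is normalised into one schema. The following is an added example written for this article; it is not code from the original page, from Synopsys or from Code Dx. The tool names (sast-a, sast-b, dast-c), their raw output formats, the route-to-source map and the scoring heuristic are all constructed assumptions. It correlates findings from two static scanners and one dynamic scanner by CWE and source component, promotes an issue when a runtime tool confirmed it, orders issues for developers, and diffs two scan runs so resolved and new issues are visible.

```python
"""Minimal ASOC-style correlation of findings from several AppSec tools.

Normalises each tool's raw output into one schema, correlates duplicates
across tools, scores the resulting issues for prioritisation and diffs two
scan runs for remediation tracking. All tool formats, findings and the
scoring heuristic are constructed for this example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

SEVERITY_WEIGHT = {"low": 1, "medium": 4, "high": 7, "critical": 10}
SEVERITY_RANK = {s: i for i, s in enumerate(SEVERITY_WEIGHT)}

# Constructed route-to-source map: metadata the application team supplies so a
# DAST hit on an endpoint can be tied to the file a SAST tool flagged.
ROUTE_TO_FILE = {"/login": "app/db.py", "/upload": "app/files.py"}


@dataclass(frozen=True)
class Finding:
    tool: str        # scanner that produced the finding
    cwe: int         # weakness class, first half of the correlation key
    component: str   # source file the weakness lives in, second half of the key
    location: str    # exact file:line or URL path as reported by the tool
    severity: str    # low / medium / high / critical
    confirmed: bool  # True when a runtime tool demonstrated the weakness


# Tool-agnostic ingestion: one small adapter per raw format (formats are constructed).
def from_sast_a(raw: dict) -> Finding:
    level = {"error": "high", "warning": "medium", "note": "low"}[raw["level"]]
    cwe = int(raw["ruleId"].removeprefix("CWE-"))
    return Finding("sast-a", cwe, raw["file"], f'{raw["file"]}:{raw["line"]}', level, False)


def from_sast_b(raw: dict) -> Finding:
    return Finding("sast-b", raw["cwe"], raw["path"],
                   f'{raw["path"]}:{raw["start_line"]}', raw["severity"].lower(), False)


def from_dast_c(raw: dict) -> Finding:
    path = urlparse(raw["url"]).path
    component = ROUTE_TO_FILE.get(path, path)  # fall back to the route itself if unmapped
    return Finding("dast-c", raw["cwe"], component, path, raw["risk"].lower(), raw["verified"])


ADAPTERS = {"sast-a": from_sast_a, "sast-b": from_sast_b, "dast-c": from_dast_c}


def normalise(raw_results: dict) -> list:
    """Turn {tool: [raw finding, ...]} into a flat list of Finding objects."""
    return [ADAPTERS[tool](r) for tool, results in raw_results.items() for r in results]


@dataclass
class Issue:
    cwe: int
    component: str
    tools: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    severity: str = "low"
    confirmed: bool = False

    def score(self) -> int:
        # Prioritisation heuristic (assumption): severity weight, plus a bonus when a
        # runtime tool confirmed the weakness, plus one point per extra tool that agrees.
        return SEVERITY_WEIGHT[self.severity] + (3 if self.confirmed else 0) + (len(self.tools) - 1)


def correlate(findings: list) -> dict:
    """Merge findings that share (CWE, component) into one Issue per weakness."""
    issues = {}
    for f in findings:
        issue = issues.setdefault((f.cwe, f.component), Issue(f.cwe, f.component))
        issue.tools.add(f.tool)
        issue.locations.add(f.location)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[issue.severity]:
            issue.severity = f.severity  # keep the highest severity any tool assigned
        issue.confirmed = issue.confirmed or f.confirmed
    return issues


def prioritise(issues: dict) -> list:
    return sorted(issues.values(), key=lambda i: i.score(), reverse=True)


def remediation_diff(previous: dict, current: dict) -> dict:
    """Compare two correlated runs by issue key to see what was fixed and what is new."""
    prev, cur = set(previous), set(current)
    return {"resolved": prev - cur, "new": cur - prev, "open": prev & cur}


# Constructed scan output: the same SQL injection reported by three tools in the first
# run and gone in the second, plus a new path traversal finding in the second run.
PREVIOUS_RUN = {
    "sast-a": [{"ruleId": "CWE-89", "file": "app/db.py", "line": 42, "level": "error"},
               {"ruleId": "CWE-79", "file": "app/views.py", "line": 10, "level": "warning"}],
    "sast-b": [{"cwe": 89, "path": "app/db.py", "start_line": 42, "severity": "HIGH"},
               {"cwe": 798, "path": "app/config.py", "start_line": 3, "severity": "LOW"}],
    "dast-c": [{"cwe": 89, "url": "https://app.example/login", "risk": "High", "verified": True}],
}
CURRENT_RUN = {
    "sast-a": [{"ruleId": "CWE-79", "file": "app/views.py", "line": 10, "level": "warning"},
               {"ruleId": "CWE-22", "file": "app/files.py", "line": 77, "level": "error"}],
    "sast-b": [{"cwe": 798, "path": "app/config.py", "start_line": 3, "severity": "LOW"}],
    "dast-c": [],
}

if __name__ == "__main__":
    prev, cur = correlate(normalise(PREVIOUS_RUN)), correlate(normalise(CURRENT_RUN))
    for issue in prioritise(prev):
        print(f"{issue.score():>3}  CWE-{issue.cwe:<4} {issue.component:<15} "
              f"tools={sorted(issue.tools)} confirmed={issue.confirmed}")
    print(remediation_diff(prev, cur))
```

The adapters are where the real work lives in practice: every additional tool needs its own mapping to the common schema, and correlation is only as good as the keys those adapters produce. Matching a DAST URL to a SAST file requires application metadata (here a route map) that no scanner can supply on its own; without it the two findings stay separate and the "confirmed" bonus never reaches the developer-facing issue.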
Synopsys Code Dx is an ASOC solution that integrates all your AppSec test results into a centralised location and automates the most time-intensive tasks to speed up testing and remediation.
Gone are the days of siloed, monolithic solutions that brought development workflows to a halt. Gone too are the days of "good enough" testing that often created extraneous findings for developers to fix, ironically adding more friction and impeding their productivity. Instead, the next generation of AppSec takes a "just enough" approach to testing, one that aligns with the key events in the DevOps workflow.
(The author, Phillip Ivancic, is APAC Head of Solutions Strategy, Synopsys Software Integrity Group. The views expressed in this article are his own.)