On average, an organization uses at least 11 different AppSec tools throughout its software development life cycle (SDLC). This excludes penetration testing, source code reviews, risk assessments, threat models and more. I’ve seen how difficult it is for organizations to juggle security across hundreds of CI/CD pipelines. On top of that, there is a real disconnect between manual penetration testing reports and earlier results.
If you’re a security pro who feels overwhelmed by the volume of results your AppSec tools generate and feels lost in the data, I know what it’s like.
The question is, how can we fix it?
The Problem: Security Teams vs. Developers
First, we need to understand the issues. The first obvious problem to solve is the speed of production. We are dealing with a phenomenal scale. The amount of software written and deployed to production every day is enormous. To give a few examples, Facebook ships 50,000 to 60,000 versions of Android every day, Amazon rolls out new software into production every second, and Netflix rolls out new versions 100 times a day.
As a security community, we are desperately trying to track and understand what the vulnerabilities are and what organizations should do about them. But to be honest, it’s impossible. Developers are rushing to create new apps and bring them to market at a speed that security cannot keep up with.
Figure 1: How many individual application security testing (AST) tools does your organization currently use?
Synopsys conducted a survey to find out how many tools organizations use, and the majority report between 11 and 20 Application Security Testing (AST) tools. But here’s the problem it actually creates: security teams end up with a massive amount of information to dissect. Imagine getting datasets from all directions generated from these tools beyond the usual threat modeling, penetration testing, and risk assessment results, all of which security teams have to sift through manually.
It’s hard, and it takes a long time.
The big question is, how am I going to make sure that my (sprinting) development team can get meaningful insights from my results? How can I make sure they don’t release vulnerable code, without being slowed down?
How do we bridge this gap?
Speed to market is the name of the game. Three things are required in today’s environment:
- Test your software because it is the number one attack surface. To get an overall picture of your software’s security, it’s imperative to run several types of tests, to ensure a complete perspective of your security posture.
- Accelerate the pace of development to match the speed of the business by enabling security without introducing friction. Application testing cannot bog down development workflows and hinder efficiency.
- Protect developer productivity and avoid handing developers mountains of findings to fix. Instead, you need to correlate results and prioritize them to ensure your developers are working effectively to address the most significant risks.
Meeting these three requirements requires running the right test at the right time, at the right level, and then effectively correlating and prioritizing the results for remediation.
Gartner recently coined a new term – ASOC – which stands for Application Security Orchestration and Correlation. It’s the modern way of thinking about vulnerability management and large-scale software security. In essence, it means providing a central view across all the tools that might be in use. It is tool-independent by design, so it doesn’t matter which vulnerability assessment or testing tools and methods you use. It then prioritizes findings automatically and helps you track remediation.
ASOC can help you do that and answer the big questions both teams are looking for:
- Centralized risk visibility: Where can I view and assess our software risk?
- Tool independent: What mechanisms are used to test our software?
- Correlate results, prioritize problems: What security and quality issues have been detected and what level of criticality do they imply?
- Follow the fix: Have the issues been resolved?
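To make the four ASOC questions above concrete, here is a small, added example (not Code Dx or any Synopsys code) that normalizes findings from three constructed tool outputs into one schema, correlates findings that describe the same weakness in the same component, prioritizes them by severity and corroboration, and tracks which issues were resolved between two scans. The tool names, field names, severity scales, the endpoint-to-source-file route map and the scoring weights are all assumptions made for the illustration.

```python
"""Toy ASOC pipeline: normalize, correlate, prioritize, follow the fix.

Added example, not Code Dx or any Synopsys code. Every tool format, field
name, severity scale and weighting below is constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Each tool's own severity vocabulary mapped onto a common 1..4 scale (assumed).
SEVERITY = {
    "sast": {"critical": 4, "high": 3, "medium": 2, "low": 1},
    "dast": {"p1": 4, "p2": 3, "p3": 2, "p4": 1},
    "pentest": {"critical": 4, "high": 3, "medium": 2, "low": 1},
}

# Assumed mapping from HTTP endpoints (what DAST and pentesters report) to the
# handler source file (what SAST reports), so the two views can be correlated.
ROUTES = {"/api/login": "src/auth/login.py", "/profile": "src/ui/profile.py"}


@dataclass
class Finding:
    """Tool-independent record for one weakness in one component."""
    cwe: int
    component: str                  # source file after route mapping
    severity: int                   # 1..4 on the common scale
    sources: set = field(default_factory=set)
    status: str = "open"

    @property
    def score(self) -> int:
        # Independent corroboration raises priority (assumed weighting).
        return self.severity * 10 + 5 * (len(self.sources) - 1)


def normalize(tool: str, raw: dict) -> Finding:
    """Translate one raw record from a given tool into the common schema."""
    if tool == "sast":
        return Finding(raw["cwe"], raw["file"], SEVERITY[tool][raw["severity"]], {tool})
    if tool == "dast":
        comp = ROUTES.get(raw["endpoint"], raw["endpoint"])
        return Finding(raw["cwe_id"], comp, SEVERITY[tool][raw["risk"]], {tool})
    if tool == "pentest":
        comp = ROUTES.get(raw["asset"], raw["asset"])
        return Finding(raw["cwe"], comp, SEVERITY[tool][raw["rating"]], {tool})
    raise ValueError(f"unknown tool {tool}")


def correlate(reports: dict[str, list[dict]]) -> dict[tuple, Finding]:
    """Merge findings that describe the same CWE in the same component."""
    merged: dict[tuple, Finding] = {}
    for tool, records in reports.items():
        for raw in records:
            f = normalize(tool, raw)
            key = (f.cwe, f.component)
            if key in merged:
                merged[key].severity = max(merged[key].severity, f.severity)
                merged[key].sources |= f.sources
            else:
                merged[key] = f
    return merged


def prioritize(findings: dict[tuple, Finding]) -> list[Finding]:
    """Highest score first: developers see the most significant risks on top."""
    return sorted(findings.values(), key=lambda f: f.score, reverse=True)


def track_fixes(previous: dict[tuple, Finding], current: dict[tuple, Finding]):
    """Carry status across scans: an issue absent from the new scan is resolved."""
    for key, old in previous.items():
        if key not in current:
            old.status = "resolved"
            current[key] = old
    return current


# Constructed sample output from three tools for the first scan.
SCAN_1 = {
    "sast": [
        {"cwe": 89, "file": "src/auth/login.py", "line": 42, "severity": "high"},
        {"cwe": 79, "file": "src/ui/profile.py", "line": 17, "severity": "medium"},
        {"cwe": 798, "file": "src/config.py", "line": 3, "severity": "low"},
    ],
    "dast": [{"cwe_id": 89, "endpoint": "/api/login", "risk": "p1"}],
    "pentest": [{"cwe": 89, "asset": "/api/login", "rating": "critical"}],
}

# Constructed second scan: the login issue no longer appears.
SCAN_2 = {
    "sast": [
        {"cwe": 79, "file": "src/ui/profile.py", "line": 17, "severity": "medium"},
        {"cwe": 798, "file": "src/config.py", "line": 3, "severity": "low"},
    ],
    "dast": [],
    "pentest": [],
}

if __name__ == "__main__":
    first = correlate(SCAN_1)
    for f in prioritize(first):
        print(f"score={f.score:>3} CWE-{f.cwe} {f.component} via {sorted(f.sources)}")
    for key, f in track_fixes(first, correlate(SCAN_2)).items():
        print(f"CWE-{key[0]} {key[1]}: {f.status}")
```

Running it shows the SQL injection reported by all three tools at the top of the list with a single merged record instead of three separate tickets, and the second scan marks it resolved while the remaining two issues stay open; in a real pipeline the route map and severity mapping would be the parts that need per-tool maintenance.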
Synopsys Code Dx is a leading ASOC solution that can integrate all your AppSec test results into one centralized location and automate the most time-consuming tasks to speed up testing and remediation.
Gone are the days of siloed, monolithic solutions that disrupted development workflows. Also gone are the days of “good enough” testing, which often created superfluous results for developers to fix, ironically adding more friction and hampering their productivity. Instead, the next generation of AppSec takes a “just enough” approach to testing, one that aligns with the needs of key events in the DevOps workflow.
(The author, Phillip Ivancic, is APAC Head of Solutions Strategy, Synopsys Software Integrity Group; the opinions expressed in this article are his own.)