Software Integrity Blog

 

ASOC series part 2: How to scale AppSec with application security automation

Learn how ASOC tools make scaling possible through application security automation and orchestration.

ScaleUp1png.png

In part one of our series on application security orchestration and correlation (ASOC), we looked at how this new application security trend improves DevSecOps efficiency. We will now focus on the typical challenges AppSec teams face due to today’s rapid development cycles, and how ASOC tools can solve these challenges with automation and scalability.

The problem: AppSec can’t keep up with DevOps

Application security teams have often struggled to keep up with the rapid code releases produced by DevOps teams. Testing inevitably falls behind as development speeds up.

It’s difficult to go back through the application code and remediate every possible issue later in the development cycle. Reviewing and fixing vulnerabilities in code that may have been written six months before isn’t easy, and developers typically don’t want to address code that works just because there may be a security risk. The result is that insecure software is often released, which increases the risk for a breach.

The solution isn’t to slow down development so security can catch up; instead, successful application development demands a synchronicity between speed and security, with both speed and security getting the constant and equal attention they deserve. The harmonization between speed and security is the reason behind the shift to DevSecOps.

Many companies are in the process of making this shift. A recent report from Gartner uncovered several key data points that demonstrate the acceleration in the transition toward this application security best practice:

  • 90% of software development projects will claim to be following a DevSecOps model by 2022 as compared to just 40% in 2019
  • 70% of DevSecOps initiatives will incorporate automated security vulnerability and configuration scanning by 2023 as opposed to just 30% in 2019
  • 60% of rapid development teams will have embedded DevSecOps practices by 2021, compared to 20% in 2019

These plans are promising, but a true DevSecOps approach that fully integrates security into the design and development process can be challenging for many organizations. Comprehensive application security testing is time consuming and resource intensive. Analysts must assess vulnerabilities across all attack surfaces, including custom code, third-party components, and the network where the software application will reside.

AppSec teams need to run a variety of tools, including:

  • Static application security testing (SAST) tools
  • Dynamic application security testing (DAST) tools
  • Interactive application security testing (IAST) tools
  • Software composition analysis (SCA) tools
  • Threat modeling tools

In addition to running the tools listed above, AppSec teams also use methods, such as:

These tools and reviews usually run at different times and frequencies, depending on where a given project is in the software development life cycle (SDLC). Many AppSec tools are complicated to configure and run. Onboarding and maintenance take time, and AppSec teams are encouraged to run multiple tools in the same category, such as multiple SAST tools and DAST tools. One software development project may require dozens of tools over the course of the SDLC, and each one has its own user interface (not to mention peculiarities).

Oftentimes, the same tools are used on multiple projects, requiring multiple configurations. Tools that don’t integrate with each other give inconsistent results, with reports in different formats. It can take weeks (or longer) to identify false positives and to correlate and prioritize results.

Additionally, many enterprises manage more than one build server. There may be hundreds of Jenkins servers, for example, in addition to multiple instances of TeamCity, Azure, and other services. It’s just not possible to bake application security into each one of these systems without orchestration.

Compounding the issue is a low ratio of security team members to developers. Developers outnumber security team members at a ratio of 100:1. When you consider how quickly each developer works, security doesn’t have much of a chance to identify and remediate all the potential vulnerabilities.

It’s no wonder AppSec can’t keep up with development teams and track vulnerabilities efficiently.

The solution: Application security automation and orchestration with ASOC

Organizations need a way to centralize and harmonize AppSec testing across all development pipelines into a scalable, repeatable, and automated process. This allows security to move at the speed of DevOps and stop clogging the development pipeline.

ASOC is the solution to make automation and scalability possible. Since we already provided a close look at ASOC in the first post in our series, we will just focus here on the aspects that enable scalability.

Orchestration

Orchestration increases the speed of AppSec testing and ensures all the appropriate tests are run. Orchestration automates scanning processes to ensure specific tools are always run at specific intervals across multiple build servers. An ASOC tool analyzes the source code to identify the languages used, then automatically figures out the appropriate AppSec tools to run for a particular application. This creates a consistent and standardized process regardless of how many different development teams are working on various projects.

Tool orchestration enables a standardized, automated process for AppSec testing, which makes it easier to onboard new applications into the security pipeline. It also reduces the time needed to install, configure, and update AppSec testing tools. In other words, orchestration lets AppSec teams scale up their testing activities as needed.

Correlation and deduplication

ASOC tools automatically run, collect, and correlate results from every type of AppSec tool and testing method, including manual reviews, bug bounties, source code analyzers, automated and manual pen tests, software composition analyzers, and network vulnerability assessors. This reduces the number of results AppSec teams need to review.

Prioritization

Smart automation allows the AppSec team to use previous raw results and remediation activity to select an optimal mix of security testing tools for each application. The rule set for each AppSec tool can be optimized for each development pipeline based on the criticality of the application, regulatory compliance requirements, and overall organizational capabilities.

Code Dx Triage Assistant is an ASOC tool that further improves the automation process. A machine-learning classifier learns which issues and vulnerabilities to act on based on prior decisions. Triage Assistant is tailored specifically to each individual organization and reduces the number of false positives, noise, or less-important results security team members must sort through. Every 240 findings automatically categorized saves your organization the equivalent of one week’s time from a full-time employee.

Integration and centralized management

ASOC tools provide full integration with DevOps, fitting seamlessly into the continuous integration/continuous delivery (CI/CD) pipeline. Integration with issue tracking tools such as Jira allows developers to work on remediation within their preferred work environment. Developers can get immediate feedback on security-related issues within the tools and environments they are already working in.

An ASOC tool lets your AppSec team manage the passing of sensitive information such as tool credentials and application logins. It also monitors tool failures and ensures tools are properly configured and up to date.

ASOC allows the AppSec team to report and audit all three attack surfaces (custom code, third-party components, and the network) in a centralized system.

DevOps isn’t going to slow down, but ASOC tools make it possible for security to scale the AppSec process and move quickly without letting issues slip by undetected or unaddressed.

Stay tuned for the final piece in our ASOC series, in which we will take a closer look at how ASOC improves the accountability of the AppSec process.

Learn how Code Dx’s ASOC platform can help your AppSec team scale on demand

Contact us for a demo

 

More by this author