Automate your DevSecOps to take the pressure off triage

Automation is a key component of the secure DevOps, or DevSecOps, approach. Automation is how organizations establish security gates, and it can be used to prioritize findings and triage their remediation response. In 2022, Synopsys commissioned the SANS Institute to examine how improvements in security posture and operational effectiveness can be achieved by aligning development, security, and operations teams around the cultural ideals, practices, and tools of secure DevOps.

In this blog series, we’ve examined what the 2022 SANS DevSecOps Survey can teach us about how implementing DevSecOps practices can help organizations institute secure coding without sacrificing development velocity, establish policies and testing to automate security, and help those involved with triage and remediation work more efficiently.

In this blog post, let’s look at the lessons we can draw from the SANS study about using automation and integrations to ensure that prioritization and triage leads to rapid remediation. Prioritization means implementing automation on the front end to detect the vulnerabilities you’ve identified as important to your business needs, whereas triage means implementing automation on the back end to alert project owners, development engineers, or security personnel who can remediate vulnerabilities in a timely manner.

Automation for DevSecOps

Automation is a core topic of the SANS survey and respondents from all industry sectors noted that it is increasing in importance as delivery cadence continues to increase. Findings from the report conclude that 32% of respondents deliver system changes to production daily or on a continuous basis, while 61% deliver multiple times a week. This is a lot of code, moving at a very high rate of velocity, and SANS report respondents noted that, as the ratio of developers to security engineers increases, automating security testing in the CI/CD pipeline is the only way to evaluate every one of these code pushes for security flaws.

Automation is the only way forward if DevSecOps is to keep pace with the speed of development and of business, and 83.3% of those queried by the SANS report said that they have built automation to handle these needs. And because security continues to be “pushed left” in the SDLC, the responsibility for detecting and fixing security defects is increasingly falling on developers. This means that developers are having an ever-increasing impact on security.

Organizations need to build efficient automated workflows into the systems developers are already using. Most developers already have advanced issue tracking that can be used for this purpose, but when over 30% of respondents report that they are pushing daily or continuously, security issues detection needs to be automated and enforced by AppSec policies that are set by Security teams. Even better, automated workflows should notify developers as soon as possible about issues that require fixing, including while they’re writing code, and at the commit. For the 80% of respondents who already are working with automated builds, static analysis remains a highly effective security tool that can be run automatically at scale in the native pipeline or in a parallel pipeline for computationally intensive activities.

Respondents also reported needing repositories where the triage history for unknown vulnerability detection can be kept and merged to prevent breaking builds or to prevent sending “noisy” alerts for false positives or known issues. This triage history needs to be available in the tools that developers are using as they code.

Automated policy is the key to prioritization and triage

At its core, automated policy is a system of record for communicating the security requirements, operational goals, and regulatory compliance needs that affect your project and business. Setting policy is how a small group like a security team can communicate effectively with the C-suite, program owners, or developers at scale and across a complex set of security issues. Since each of these teams has a different role and may prioritize issues differently, automated policies make it possible to engender best practices even when a contributing party isn’t present or able to participate in the project or sprint. Policy violations then become a way to communicate to stakeholders that an aspect of the project or workflow has a problem, and alert them that action needs to be taken.

Automating policy-as-code allows security engineers to define the issues the organization should care about, and prioritize how and when they should be fixed. This means that developers responsible for fixing issues don’t waste time figuring out what to fix and when. They can just get to work.

By automating policy enforcement, organizations can

• Define the security strategy based on the risk profile of the application
• Tailor security strategy to application risk profiles
• Set and use metrics and KPIs to implement continuous improvement and drive efficient security measures
• Tighten feedback loops between development and security teams

Automating policy enforcement is how you manage the insight you get from all the tests and tools you are using. An insight management tool normalizes and correlates findings so you can prioritize your efforts to have the greatest efficacy.