close search bar

Sorry, not available in this language yet

close language selection
 

Building smarter DevSecOps with Intelligent Orchestration

Intelligent Orchestration takes the complexity out of DevSecOps by delivering the right tests, at the right time, to the right people.

The modern software development life cycle is characterized by rapid DevOps workflows and CI/CD pipelines. Facebook delivers between 50,000 and 60,000 Android builds each day. Amazon reportedly deploys new software to production every second, and the Netflix DevOps team deploys new releases 100 times each day.

The industry has responded to this rapidly expanding growth in development with a rapidly expanding set of application security testing (AST) tools. Recent studies show that DevOps teams are running more security scans than ever before: Over 50% of teams run static application security testing (SAST) scans, 44% run dynamic application security testing (DAST), and around 50% scan containers and dependencies. This has added more practical challenges and complexity to implementing and operating DevSecOps.

Key challenges in DevSecOps

DevSecOps integrates application security into this fast-paced agile development environment and ensures that software can be secured in a scalable way. This necessarily shifts DevSecOps from being an eventual goal to an urgent focus for security teams today. But there are some key challenges to implementing DevSecOps.

Tool sprawl

The biggest barrier to enterprise DevSecOps adoption is technical complexity. As organizations mature their AppSec practices, the number of AST tools increases, leading to different control points and fragmented results. Running all AST tools at every single build trigger is not feasible and leads to pipeline congestion.

Developer overhead

Developers generally lack knowledge and experience with application security tooling since it is not a default part of the developer role. However, developers need to consistently implement the right security tools and techniques to identify and prevent security issues. These security responsibilities are falling on developers without a corresponding shift in the scope of their role.

Speed vs. security

Added responsibilities on development teams with tight shipping deadlines and accelerating sprints means there is less time for software developers and engineers to create quality and secure software. This negatively impacts the pace of development and deployment, and makes security a bottleneck.

Lack of control

Most teams end up tracking security activities in spreadsheets or project management portals such as ADO or Jira. This approach relies on manual attestations that are prone to failures. This means that the leadership team lacks visibility and can’t ensure that the right tools are run at the right time. This can eventually cause AppSec initiatives to fail.

Smarter DevSecOps with Intelligent Orchestration

Synopsys Intelligent Orchestration offers a comprehensive way of automating testing as part of DevSecOps. It provides customized AppSec pipelines that automate security testing throughout the software development life cycle.

Automate the right tools at the right time

One way to handle tool sprawl is to understand an application’s risk profile—the kind of assets and controls an application has—in order to determine the right tool rather than running all the AST tools. This enables you to perform the right tests at the right time and deliver the right results to the right people. Users can define policies-as-code to integrate AST tools within pipelines and trigger testing only when required. Intelligent Orchestration automatically runs the right security tools or triggers manual testing activities based on how significant code changes are, the total risk score, and a company’s own security policies.

Intelligent Orchestration helps optimize developer pipeline | Synopsys

Figure 1. A development pipeline using Intelligent Orchestration can optimize security testing based on policy, code changes, and risk.

This new, risk-driven, security-where-needed approach focuses more-stringent controls on higher-risk application changes while avoiding security testing in lower-risk areas.

Reduce developer overhead

With Intelligent Orchestration, developers no longer need to learn different AST tools or keep track of running the right tools at the right intervals. A development team’s time and effort can be focused on coding and defect remediation rather than identifying and hunting security risks. Developers can focus on their jobs while Intelligent Orchestration automates the security tools.

Secure applications with rapid development

By isolating security testing from build and release pipelines, Intelligent Orchestration also helps you avoid pipeline congestion. This process operates independently of the core DevOps pipeline to parallelize security testing and optimize your builds.

isolating security testing from build pipelines | Synopsys
Figure 2. Isolating security testing in developer pipelines with Intelligent Orchestration helps avoid pipeline congestion.

Ensure security governance

With well-defined rulesets and an automated orchestration process, leadership teams can ensure application security throughout the life cycle.

Intelligent Orchestration enables policy-as-code, so security teams can automate the right scans, at the right depth, at the right time, on the right applications based on the application risk portfolio and code changes. This also helps enterprises optimize the cost invested in existing AST tools.

With individual application risk profiles aligned to security policies, security teams get real-time insights into the risk posture during application development rather than relying on manual processes based on attestation.

Security at scale with Intelligent Orchestration

DevSecOps can be extremely beneficial, improving both security and organizational efficiency. But the most challenging part of DevSecOps adoption is aligning security with existing business processes and ensuring it doesn’t add more complexity. With Intelligent Orchestration, teams can overcome these challenges and improve security, reduce risk and complexity, and optimize cost while achieving secure, faster deployment. Security and leadership teams can gain control of governance at scale with the right tools and right integrations, while easing the burden on developers, letting them focus on building secure software at the speed of light.

Learn more about Intelligent Orchestration

 
Samuelson Devasigamony

Posted by

Samuelson Devasigamony

Samuelson Devasigamony

Samuelson Devasigamony is a solutions architect on the Advanced Technology Solutions team at Synopsys. He is a security thought leader who has been working in application/ product security engineering practices across software development life cycle since 2006. When not working, Samuelson likes to do photography, long-drives, and volunteer for non-profit organizations.


More from Security news and research