DevSecOps is no longer a consideration—it’s a necessity

Gartner reported that DevSecOps, among several other use cases, is fundamental for AppSec solutions to address. Learn why Synopsys earned the highest score.

It’s a given that the pandemic accelerated many adjustments in office life, services, and technologies. Changes like “virtual onsites” for job interviews, ordering meal kits when grocery store lines were long, and managing personal finances from our phones all reveal a larger trend—the demand for every industry to provide highly available, digital experiences to their employees and customers.

In a security context, this new normal carries another implication: Any interruption or breach of digital services can compromise customer retention and daily operations. To ensure software can be secured in a scalable way, it is necessary to integrate security into software development workflows from the outset. This has shifted DevSecOps from being an eventual goal to an urgent focus of security teams today.

Invested does not always mean tested

For many organizations, application security (AppSec) is still largely built around a reactive posture—testing is often inconsistent and siloed, and it occurs too late in the software development life cycle (SDLC). This translates to a huge bottleneck for development teams: A 2021 Forbes cyberthreat study estimates that it can take an average of 48 days to close a critical software vulnerability. In the meantime, the code we write and deploy is changing faster, and the scale of potentially unchecked software risk grows with it.

Developers, who are often the key owners of remediation activities, know security is important but don’t have time to spend on it. And “no time for security” often translates to limited AppSec practices being enforced. There are challenges on many fronts to accomplishing timely, efficient security processes in DevOps environments. The inability to integrate all developer tools and scanning sources into existing pipelines or developer tool chains, and the lack of effective developer feedback loops, can cause many AppSec initiatives to fail.

But despite potential resistance from development teams, many organizations have heavily invested in application security testing (AST) tooling. Most enterprises today use a variety of AST tools for the stages of the SDLC—static application security testing (SAST) and software composition analysis (SCA) are typically leveraged at the build/development stage, and dynamic application security testing (DAST) is leveraged during staging to uncover issues in simulated production conditions. Additionally, within each of these categories of AST tools, the detection capabilities and types of applications and programming languages supported can vary between vendors. Each tool searches for specific types of software flaws, exploitability, and issue sources, so any testing tool in isolation will uncover a limited scope of potential vulnerabilities. A comprehensive AppSec program means investing in multiple tools within an AST category, and implementing the appropriate AST tools across stages of the SDLC.

But while many organizations have invested extensively in AST tooling, security hygiene remains inconsistent across development teams. In the 2022 ESG report “Walking the Line: GitOps and Shift Left Security,” 35% of respondents reported releasing production-level code with known vulnerabilities, and 45% admitted to releasing software without any testing or security checks. This is the case because traditional AppSec can often translate to wading through a backlog of application vulnerabilities that are siloed in multiple repositories. And manually filtering false positives and redundant results tremendously hinders development velocity.

Simply put, these bottlenecks greatly limit the value of an organization’s existing AppSec investment. This is where DevSecOps offers an attractive approach to all stakeholders—weaving together security and development workflows to facilitate collaboration, efficiency, and accountability.

How to implement DevSecOps

While there is not one right way to start implementing DevSecOps, there are some guiding principles to look for in AppSec solutions that will help you ascertain scalability and effectiveness. These include

  • Securing code as fast as you write it: Adopt tools that can work with developer tools and processes at the CI level
  • Running the right testing at the right time: Standardize testing workflows and policies across security and development teams, with defined thresholds for triggering testing automatically
  • Filtering AppSec noise to focus on what matters most: Visualize and streamline all AppSec data across the SDLC to make informed triage and remediation decisions

How Synopsys can help you

Gartner’s 2022 “Critical Capabilities for Application Security Testing” report details several use cases that are fundamental for any application security solution to address. In this report, DevSecOps is highlighted as one of the key use cases for achieving software resilience at scale. There are several needs that stand out in how Gartner ranks the effectiveness of DevSecOps solutions.

  • Orchestrating and correlating AppSec results across tools: Having an ability to integrate testing within the SDLC, with holistic visibility across tools at every stage of the CI/CD pipeline
  • IDE-based testing: Having solutions to shift testing downstream and provide real-time developer feedback and contextual guidance for remediation

Synopsys ranks highest among 13 vendors in the Gartner report for the DevSecOps use case. We offer a robust portfolio of solutions that address these key needs. Some of the benefits of Synopsys solutions include

  • Application security orchestration and correlation (ASOC) to manage testing, risk visibility, and prioritization: Synopsys Intelligent Orchestration and Code Dx® offer a comprehensive way of automating testing workflows and creating a single source of truth for AppSec data. With Intelligent Orchestration, users can define policies-as-code to integrate AST tools within pipelines and trigger testing only when required. Once testing decisions are defined, Code Dx adds the ability to normalize and correlate results across both automated AST tools and manual reviews (such as threat modeling, architecture risk analysis, and pen testing) to provide a single repository of AppSec data for the entire SDLC. With this data, Code Dx provides contextual, risk-based insight into critical work, and can communicate high-priority findings directly to remediation owners through two-way integrations with developer feedback loops.
  • Shifting testing downstream: Synopsys Code Sight™ combines SAST and SCA to detect security, quality, and compliance issues in proprietary code and open source dependencies, and integrates this testing within the IDE to provide real-time developer feedback. Additionally, for runtime testing, Synopsys Seeker® enables continuous testing and active verification of vulnerabilities for running apps. Seeker also provides detailed insights and data flow mapping of endpoints and API calls, allowing development teams to validate critical vulnerabilities and weaknesses not just for software builds, but also for interrelated components and attack surfaces.

For more about how Synopsys can help you implement DevSecOps, check out our eBook, Transforming AppSec: The Top Three Ways to Build Security into DevOps, and download the Gartner report to learn more. 

Posted by

Natasha Gupta

Natasha is a senior security solutions manager for Integrated Application Security at Synopsys. She has over eight years of experience in the cybersecurity and enterprise networking space. Prior to Synopsys, Natasha was with ServiceNow, where she drove product marketing initiatives for ServiceNow Security Operations, a SOAR platform for incident and vulnerability management. She has also held various roles in product marketing and software product management at Imperva and A10 Networks.