Gartner reported that DevSecOps, among several other use cases, is fundamental for AppSec solutions to address. Learn why Synopsys earned the highest score.
It’s a given that the pandemic accelerated many adjustments in office life, services, and technologies. Changes like “virtual onsites” for job interviews, ordering meal kits when grocery store lines were long, and managing personal finances from our phones all reveal a larger trend—the demand for every industry to provide highly available, digital experiences to their employees and customers.
In a security context, this new normal carries another implication: Any interruption or breach of digital services can compromise customer retention and daily operations. To ensure software can be secured in a scalable way, it is necessary to integrate security into software development workflows from the outset. This has shifted DevSecOps from being an eventual goal to an urgent focus of security teams today.
For many organizations, application security (AppSec) is still largely built around a reactive posture—testing is often inconsistent and siloed, and it occurs too late in the software development life cycle (SDLC). This translates to a huge bottleneck for development teams: A 2021 Forbes cyberthreat study estimates that it can take an average of 48 days to close a critical software vulnerability. In the meantime, the code we write and deploy is changing faster, and the scale of potentially unchecked software risk grows with it.
Developers, who are often the key owners of remediation activities, know security is important but don’t have time to spend on it. And “no time for security” often translates to limited AppSec practices being enforced. There are challenges on many fronts to accomplishing timely, efficient security processes in DevOps environments. The inability to integrate all developer tools and scanning sources into existing pipelines or developer tool chains, and the lack of effective developer feedback loops, can cause many AppSec initiatives to fail.
But despite potential resistance from development teams, many organizations have heavily invested in application security testing (AST) tooling. Most enterprises today use a variety of AST tools for the stages of the SDLC—static application security testing (SAST) and software composition analysis (SCA) are typically leveraged at the build/development stage, and dynamic application security testing (DAST) is leveraged during staging to uncover issues in simulated production conditions. Additionally, within each of these categories of AST tools, the detection capabilities and types of applications and programming languages supported can vary between vendors. Each tool searches for specific types of software flaws, exploitability, and issue sources, so any testing tool in isolation will uncover a limited scope of potential vulnerabilities. A comprehensive AppSec program means investing in multiple tools within an AST category, and implementing the appropriate AST tools across stages of the SDLC.
But while many organizations have invested extensively in AST tooling, security hygiene remains inconsistent across development teams. In the 2022 ESG report “Walking the Line: GitOps and Shift Left Security,” 35% of respondents reported releasing production-level code with known vulnerabilities, and 45% admit to releasing software without any testing or security checks. This is the case because traditional AppSec can often translate to wading through a backlog of application vulnerabilities that are siloed in multiple repositories. And manually filtering false positives and redundant results tremendously hinders development velocity.
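The two preceding paragraphs make a concrete engineering point: multiple AST tools (two SAST scanners, SCA, DAST) each report a slice of the risk, and the raw union of their output is full of duplicates and findings that have already been triaged, which is what slows developers down. The script below is an added example, not Synopsys code and not any vendor's output format; it assumes each tool's results have already been mapped to a small common schema (tool, rule, location, severity) and shows the consolidation step a pipeline needs: deduplicate across tools by rule and location, keep the highest severity when two tools agree, honour a reviewed suppression list instead of re-triaging the same false positive on every run, and gate the stage on a severity threshold. The tool names, sample findings and the CVE placeholder are all constructed.

```python
"""Consolidate findings from several AST tools into one deduplicated,
severity-ranked view, then decide whether a pipeline stage should fail.

Added example (not Synopsys code). The schema, tool names and sample
findings below are constructed for illustration only.
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: the same service scanned by two SAST tools, an SCA
# tool and a DAST tool, already normalised to one schema (assumed format).
SAMPLE_FINDINGS = [
    {"tool": "sast-a", "rule": "CWE-89", "location": "app/db.py:42", "severity": "high"},
    {"tool": "sast-a", "rule": "CWE-89", "location": "app/db.py:42", "severity": "high"},  # exact duplicate
    {"tool": "sast-b", "rule": "CWE-89", "location": "app/db.py:42", "severity": "medium"},  # second SAST tool, lower rating
    {"tool": "sca", "rule": "CVE-0000-PLACEHOLDER", "location": "pkg:pypi/example-lib@1.2.3", "severity": "critical"},
    {"tool": "dast", "rule": "CWE-89", "location": "/api/users", "severity": "high"},
    {"tool": "sast-a", "rule": "CWE-798", "location": "tests/fixtures.py:7", "severity": "medium"},  # already triaged
    {"tool": "sast-b", "rule": "CWE-327", "location": "app/legacy.py:10", "severity": "low"},
]

# Reviewed suppressions: fingerprint -> reason. Keeping these in the repo
# means a false positive is triaged once, not on every pipeline run.
SUPPRESSIONS = {
    ("CWE-798", "tests/fixtures.py:7"): "hard-coded credential in a test fixture, never shipped",
}


def fingerprint(finding):
    """Stable identity for a finding, independent of which tool reported it."""
    return (finding["rule"], finding["location"])


def consolidate(findings, suppressions):
    """Merge raw tool output into one entry per fingerprint.

    - Exact and cross-tool duplicates collapse into a single entry.
    - The entry keeps the highest severity any tool assigned.
    - 'tools' records which scanners corroborate the finding.
    - Suppressed fingerprints are dropped entirely.
    Returns entries sorted by descending severity, then location.
    """
    merged = {}
    for f in findings:
        key = fingerprint(f)
        if key in suppressions:
            continue
        entry = merged.setdefault(
            key,
            {"rule": f["rule"], "location": f["location"], "severity": f["severity"], "tools": set()},
        )
        entry["tools"].add(f["tool"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    return sorted(merged.values(), key=lambda e: (-SEVERITY_RANK[e["severity"]], e["location"]))


def gate(consolidated, fail_at="high"):
    """Return (passed, blocking_findings) for a severity threshold.

    The threshold is a policy choice: a build stage might fail only on
    'critical' early in adoption and tighten to 'high' later.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [e for e in consolidated if SEVERITY_RANK[e["severity"]] >= threshold]
    return len(blocking) == 0, blocking


def report(consolidated, suppressions, raw_count):
    """Short developer-facing summary line plus one line per finding."""
    lines = [f"{raw_count} raw findings -> {len(consolidated)} unique, {len(suppressions)} suppressed"]
    for e in consolidated:
        tools = ",".join(sorted(e["tools"]))
        lines.append(f"[{e['severity']:>8}] {e['rule']:<22} {e['location']:<32} ({tools})")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = consolidate(SAMPLE_FINDINGS, SUPPRESSIONS)
    print(report(merged, SUPPRESSIONS, len(SAMPLE_FINDINGS)))
    passed, blocking = gate(merged, fail_at="high")
    print("stage result:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
```

Run as-is, the seven raw findings collapse to four unique ones: the SQL injection at `app/db.py:42` appears once, marked as corroborated by both SAST tools at the higher of their two ratings, and the test-fixture finding never reaches a developer again. The same consolidation logic applies whether it runs in a build job or a staging job; only the inputs and the `fail_at` policy differ per stage.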
Simply put, these bottlenecks greatly limit the value of an organization’s existing AppSec investment. This is where DevSecOps offers an attractive approach to all stakeholders—weaving together security and development workflows to facilitate collaboration, efficiency, and accountability.
While there is no single right way to start implementing DevSecOps, there are some guiding principles to look for in AppSec solutions that will help you assess their scalability and effectiveness. These include
Gartner’s 2022 “Critical Capabilities for Application Security Testing” report details several use cases that are fundamental for any application security solution to address. In this report, DevSecOps is highlighted as one of the key use cases for achieving software resilience at scale. There are several needs that stand out in how Gartner ranks the effectiveness of DevSecOps solutions.
Synopsys ranks highest among 13 vendors in the Gartner report for the DevSecOps use case. We offer a robust portfolio of solutions that address these key needs. Some of the benefits of Synopsys solutions include
For more about how Synopsys can help you implement DevSecOps, check out our eBook, Transforming AppSec: The Top Three Ways to Build Security into DevOps, and download the Gartner report to learn more.
Natasha is a senior security solutions manager for Integrated Application Security at Synopsys. She has over eight years of experience in the cybersecurity and enterprise networking space. Prior to Synopsys, Natasha was with ServiceNow, where she drove product marketing initiatives for ServiceNow Security Operations, a SOAR platform for incident and vulnerability management. She has also held various roles in product marketing and software product management at Imperva and A10 Networks.