Accountability is essential for AppSec analysts, managers, and CISOs. Learn how ASOC tools bring the visibility and transparency required.
We have already discussed how application security orchestration and correlation (ASOC) makes the AppSec process more efficient and scalable. In this final post in our ASOC series, we will demonstrate how ASOC tools bring accountability to both the technical and business sides of application security.
The DevSecOps approach to application development requires companies to combine speed and security into a harmonious process. But—as we have previously discussed—this is not easy to accomplish.
Application security is time-consuming. Analysts are responsible for assessing vulnerabilities in all attack surfaces, including custom code, third-party components, and the network where the application resides. Scanning for vulnerabilities within these attack surfaces requires at least one tool for each—but you actually need multiple tools for each attack surface (multiple SAST, DAST, third-party component scanners, etc.). That’s just for one application; organizations with more than one software project at any given time have even more complicated problems to solve.
In short, larger enterprises run dozens of disparate tools that don’t integrate with each other. Configuring and maintaining each tool can also be complex—and if the same tool is used on more than one project, it needs to be configured for each use case. In addition, AppSec analysts often conduct other tests, including penetration testing and manual code reviews to make sure the application code is secure. These tests are usually run at different times and frequencies. The results from a variety of tools and scans contain false positives and inconsistencies. It can take weeks for the AppSec team to correlate, deduplicate, and prioritize the results across hundreds of disjointed point-solution AppSec tools.
Then there is the issue of what to do with the findings. How will they be assigned to developers and how will remediation be tracked and monitored appropriately? Disjointed assessments of the various attack surfaces using dozens or even hundreds of tools impede situational awareness of security throughout the software development life cycle (SDLC), creating accountability issues on the technical side of AppSec for analysts and their managers.
There is also an accountability problem on the business side of AppSec. Specifically, there is typically little to no accountability for the management or reporting of AppSec tools or their results.
A survey of enterprise IT decision-makers identified the top three challenges of DevSecOps. The results demonstrate the sources of these accountability issues.
Despite these challenges, CISOs and other high-level managers and executives are asked such questions as:
A slow AppSec process that lacks automation, integration, and consistency leaves CISOs and AppSec managers without accurate or detailed answers to these questions. Yet, at the end of the day, leaders are held responsible if insecure software is released. Accountability matters.
ASOC tools solve the accountability problem from both a technical and business perspective by providing six capabilities that bring automation, integration, consistency, and transparency to the AppSec process.
ASOC tools function as a system of record. Regardless of which scanners are used, an ASOC platform serves as a single (auditable) archive for all AppSec activity. ASOC platforms record and track when software was tested, what issues were found, and when those issues were resolved. Organizations can use this data to generate reports and run audits across all three software attack surfaces and across the entire SDLC. A system of record provides the visibility and transparency required for AppSec accountability.
ASOC tools store all testing and remediation activities in a system of record. The Code Dx ASOC tool provides great detail on issue tracking and remediation.
Managers and AppSec analysts can view the status of open issues on a single screen and see such data as:
Additionally, two-way Jira integration allows analysts to create a new Jira ticket or link to an existing one, so developers can address remediation issues without leaving their preferred working environment.
Tool orchestration enables the AppSec team to use previous raw results and remediation activity to select an optimal mix of security testing tools for each application within the organization. The rule set for each AppSec tool can be optimized for each development pipeline based on the criticality of the application, regulatory compliance requirements, and overall organizational capabilities.
No matter how many different development teams are working within the organization, orchestration allows AppSec to maintain control over security scans. Your AppSec team can set up orchestration for any tool they want to use, including commercial, open source, and in-house tools. Development teams can still run whatever scans they want and share that data with the AppSec team, but orchestration allows AppSec to make sure that specific scans are always run—creating a consistent and standardized AppSec process across the enterprise.
ASOC tools provide a single pane of glass (SPOG) 360-degree view of AppSec through a unified dashboard that integrates information from all the application security tools in use. A single display provides centralized risk visibility, situational awareness, and continuous security monitoring of application security efforts. Quick access to risk visibility at both a project and business unit level with visual graphics on such data as open findings and average days to resolution provide real-time metrics on project health from a security standpoint.
The Code Dx ASOC tool assigns a risk score to each project. The score provides a letter grade to give you a quick sense of the overall quality of a given project. The grade is based on a percentage score, which is generated from the number of vulnerability findings in custom code and third-party components. Next to the letter grade, you can also see a specific percentage score that shows the general trends of the project’s risk score over the past week.
The risk score helps managers and executives monitor progress on application security over the life of a project and quickly identify potential problem areas.
Metrics drive process improvement across both security and development teams. Examples of valuable metrics included in the Code Dx ASOC tool are:
The dashboard gives CISOs and AppSec managers the information they need to answer questions on AppSec at any time and keep them accountable to the overall AppSec process.
The right ASOC tool automates time-consuming application security workflows and makes software security risks visible across the SDLC at DevOps speed. AppSec analysts, managers, and CISOs gain the transparency and visibility needed to bring accountability to the application security process.