AppSec shouldn’t compromise velocity. Learn how Intelligent Orchestration optimizes AppSec testing while removing complexity from DevOps toolchains.
To stay competitive, organizations are embracing digital transformation and innovating at record speed. In order to achieve this, they’re embracing agility through processes such as DevOps, site reliability engineering, GitOps, and more. Organizations are building modern applications with new languages and new frameworks, and deploying them on new platforms and with a variety of deployment options.
All these approaches require automation to maximize velocity and enable continuous improvement. Software developers must move fast—they check in their code changes every day, even hourly, and this code is then deployed using continuous delivery or continuous deployment pipelines. Shipping fast is the new normal, whether we in the software security industry like it or not.
In the face of this emphasis on velocity—and despite a growing awareness and interest in application security—application vulnerabilities are still the biggest cyber security risk. So security cannot be an afterthought.
We at Synopsys believe that integrating security testing throughout the software development life cycle (SDLC) helps discover and reduce vulnerabilities early. We call that “building security in.” These testing techniques include both automated and manual activities. Manual activities like threat modeling and architecture risk analysis are about design, assets, attack surfaces, and deep examinations of functionality. Automated activities include static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST).
Some of the benefits of a secure SDLC approach include:
The trouble is, the more frequently organizations deploy code to production, the less time there is for traditional security activities. Traditional security activities—and even automated tools—often cause friction, reduce speed, and require time-consuming manual processes. And being slow is no longer an option.
Security teams are increasingly adopting DevOps methodologies in an effort to catch up, a process called DevSecOps. And that means adding automation. Automation is key for DevOps, and it’s even more important for DevSecOps. But simply adding another application security tool and automating it to scale security activities won’t cut it. It hasn’t worked before and it’s not going to work now. Automating several tools in a pipeline and running them whether or not they’re needed is an ongoing industry problem and creates several challenges, including:
The ideal solution to this problem would be to:
Intelligent Orchestration enables teams to integrate application security analysis into DevOps pipelines while maintaining development velocity. It uses a purpose-built, cloud-based CI/CD pipeline that automatically performs the right security tests at the right time based on SDLC events and defined policies. And it provides risk-based vulnerability reporting to help teams focus on the highest-priority issues.
Developers are given vulnerabilities prioritized by their organization’s security policies (e.g., only critical vulnerabilities or only critical SQLi vulnerabilities), so they aren’t overwhelmed by analysis results. Intelligent Orchestration can determine when to run a specific scan and when not to, based on actual code changes, a dynamically calculated total risk score, and predetermined security policies.
Development teams can also specify that any time a developer pushes a code change or merges code from a development branch to the main branch, that action will trigger SAST or SCA to run. Developers then get all the information they need to fix any identified issues and merge the fixed code into the main branch—detailed descriptions, actionable remediation advice, files changed, line numbers, and commit ID.
Intelligent Orchestration also helps DevOps engineers who have hundreds or thousands of CI/CD jobs up and running. Intelligent Orchestration simplifies and reduces the risk of adding application security testing into DevOps pipelines by providing a purpose-built security analysis pipeline that integrates easily with existing toolchains. And it eliminates friction by isolating analysis from other development flows, ensuring pipeline velocity is maintained.
Security teams need to easily configure their organization’s specific policy, governance, and compliance requirements. In Intelligent Orchestration, the policies that determine the depth and breadth of security activities, the detection of any anomalies in normal development workflows, and scan compliance requirements can be configured for each individual business unit, product team, application, or the entire organization.
Security teams can also easily implement security or quality gates based on configurable criteria. Identified critical issues are then pushed automatically to issue-tracking systems like Jira. This provides continuous feedback and visibility of security findings to development teams.
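The three mechanisms described above (choosing which scans to run from the actual code change, a risk score and policy; filtering findings down to what the organization's policy says developers should see; and a configurable security gate) can be illustrated with a small orchestration model. The following Python is an added example written for this post and is not Intelligent Orchestration's or Synopsys's code; the file classification rules, risk weights, policy fields, event names and the sample findings (including the commit id) are all constructed for the illustration.

```python
"""Toy policy-driven scan orchestrator (added illustration, not a vendor's code).

Constructed assumptions:
- a change is described by the files it touched and a git event
  ("push" or "merge_to_main");
- risk is a weighted count of how security-sensitive the touched files look;
- policy is a dataclass; findings are plain dicts from any scanner.
"""
import os
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
MANIFESTS = {"pom.xml", "package.json", "package-lock.json", "requirements.txt", "go.mod"}
DOC_SUFFIXES = (".md", ".txt", ".png", ".svg")
SENSITIVE_HINTS = ("auth", "login", "crypto", "session")
RISK_WEIGHT = {"docs": 0, "manifest": 5, "source": 15, "sensitive": 50}


@dataclass
class Policy:
    report_min_severity: str = "critical"          # lowest severity shown to developers
    report_categories: set = field(default_factory=set)  # empty = all categories
    always_scan_on: set = field(default_factory=lambda: {"merge_to_main"})
    sast_risk_threshold: int = 50                  # risk needed to run SAST on a plain push
    gate_fail_severity: str = "critical"           # findings at/above this fail the build


def classify(path):
    """Bucket a changed file; ordering matters (docs before keyword check)."""
    name = os.path.basename(path).lower()
    if name.endswith(DOC_SUFFIXES):
        return "docs"
    if name in MANIFESTS:
        return "manifest"
    if any(hint in path.lower() for hint in SENSITIVE_HINTS):
        return "sensitive"
    return "source"


def risk_score(changed_files):
    """Constructed heuristic: sum of per-file weights, capped at 100."""
    return min(sum(RISK_WEIGHT[classify(p)] for p in changed_files), 100)


def select_scans(changed_files, event, policy):
    """Run SCA when dependency manifests change; run SAST when code changed and
    either the event is always-scan (e.g. merge to main) or risk is high enough."""
    kinds = {classify(p) for p in changed_files}
    scans = set()
    if "manifest" in kinds:
        scans.add("SCA")
    code_touched = bool(kinds & {"source", "sensitive"})
    if code_touched and (event in policy.always_scan_on
                         or risk_score(changed_files) >= policy.sast_risk_threshold):
        scans.add("SAST")
    return scans


def prioritize(findings, policy):
    """Keep only findings the policy says developers should see, worst first."""
    floor = SEVERITY_RANK[policy.report_min_severity]
    kept = [f for f in findings
            if SEVERITY_RANK[f["severity"]] >= floor
            and (not policy.report_categories or f["category"] in policy.report_categories)]
    return sorted(kept, key=lambda f: -SEVERITY_RANK[f["severity"]])  # stable sort


def gate(findings, policy):
    """Security gate: (passed, ids of blocking findings)."""
    floor = SEVERITY_RANK[policy.gate_fail_severity]
    blocking = [f["id"] for f in findings if SEVERITY_RANK[f["severity"]] >= floor]
    return (len(blocking) == 0, blocking)


# Constructed sample scanner output; commit id is a placeholder, not a real one.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "critical", "category": "sqli", "file": "src/db.py", "line": 42, "commit": "0000000"},
    {"id": "F-2", "severity": "high", "category": "xss", "file": "src/view.py", "line": 17, "commit": "0000000"},
    {"id": "F-3", "severity": "critical", "category": "path_traversal", "file": "src/files.py", "line": 8, "commit": "0000000"},
    {"id": "F-4", "severity": "low", "category": "sqli", "file": "src/report.py", "line": 91, "commit": "0000000"},
]

if __name__ == "__main__":
    policy = Policy()
    for files, event in [(["docs/README.md"], "merge_to_main"),
                         (["src/util/format.py"], "push"),
                         (["src/auth/login.py"], "push"),
                         (["package.json", "src/app.js"], "merge_to_main")]:
        print(event, files, "->", sorted(select_scans(files, event, policy)))
    print("report:", [f["id"] for f in prioritize(SAMPLE_FINDINGS, policy)])
    print("gate:", gate(SAMPLE_FINDINGS, policy))
```

The two knobs a security team would actually tune are `Policy.sast_risk_threshold` and `Policy.report_min_severity`: the first controls how much a plain push has to touch before a scan is worth the pipeline time, the second controls how much of the scanner's output reaches developers. A docs-only change produces no scan at all, which is the "or not at all" behaviour the post describes.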
Intelligent Orchestration also enables users to configure post-scan feedback, so designated development, security, and DevOps leads are immediately notified of paused or failed builds and of critical security vulnerabilities. This helps speed remediation.
With Intelligent Orchestration you don’t have to worry that application security is slowing your development pipelines and hindering your digital transformation and innovation. Instead of running all the automated activities in the pipeline (e.g., SAST, SCA, IAST, DAST) for every build and waiting for your teams to perform the manual activities, Intelligent Orchestration runs only the right tools and triggers the right manual activities at the right time—or not at all. It sends the right notifications—or none at all. It notifies the right people—or none at all. With Intelligent Orchestration your team can build secure, high-quality software, faster.
Meera Rao (Subbarao) is a senior director for product management (DevOps solutions) at Synopsys. She has over 20 years of experience in software development organizations in a variety of roles including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analyses, secure design reviews, and threat modeling of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. She has developed multiple Synopsys training courses and is a certified instructor in architectural risk analysis, threat modeling, and more.