DevSecOps at scale and speed with Intelligent Orchestration

AppSec shouldn’t compromise velocity. Learn how Intelligent Orchestration optimizes AppSec testing while removing complexity from DevOps toolchains.

Intelligent Orchestration | Synopsys

To stay competitive, organizations are embracing digital transformation and innovating at record speed. In order to achieve this, they’re embracing agility through processes such as DevOps, site reliability engineering, GitOps, and more. Organizations are building modern applications with new languages and new frameworks, and deploying them on new platforms and with a variety of deployment options.

All these approaches require automation to maximize velocity and enable continuous improvement. Software developers must move fast—they check in their code changes every day, even hourly, and this code is then deployed using continuous delivery or continuous deployment pipelines. Shipping fast is the new normal, whether we in the software security industry like it or not.

In the face of this emphasis on velocity—and despite a growing awareness and interest in application security—application vulnerabilities are still the biggest cyber security risk. So security cannot be an afterthought.

Testing modern applications requires multiple activities

We at Synopsys believe that integrating security testing throughout the software development life cycle (SDLC) helps discover and reduce vulnerabilities early. We call that “building security in.” These testing techniques include both automated and manual activities. Manual activities like threat modeling and architecture risk analysis are about design, assets, attack surfaces, and deep examinations of functionality. Automated activities include static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST).

Some of the benefits of a secure SDLC approach include:

  • More-secure software.
  • Security is baked into every stage.
  • In addition to finding vulnerabilities early, design flaws are also identified.
  • Testing early (“shifting left”) reduces costs by detecting defects earlier in the SDLC, when they are easier to remediate.
  • An overall reduction of intrinsic business risk for your organization.

Application security in SDLC | Synopsys

The trouble is, the more frequently organizations deploy code to production, the less time there is for traditional security activities. Traditional security activities—and even automated tools—often cause friction, reduce speed, and require time-consuming manual processes. And being slow is no longer an option.

The industry problem

Security teams are increasingly adopting DevOps methodologies in an effort to catch up, a process called DevSecOps. And that means adding automation. Automation is key for DevOps, and it’s even more important for DevSecOps. But simply adding another application security tool and automating it to scale security activities won’t cut it. It hasn’t worked before and it’s not going to work now. Automating several tools in a pipeline and running them whether or not they’re needed is an ongoing industry problem and creates several challenges, including:

  • DevOps teams require speed, but automated security activities are slow. Application security testing tools take time to run, so when integrated within developer pipelines, those pipeline are slowed.
  • Automated security tools are designed to find all issues—not necessarily the most important issues.
  • DevOps requires constant collaboration, but defect discovery is not uniform. Each security tool has its own API, its own way of providing results, and its own way of breaking the build. Security teams struggle to collaborate due to the inherent differences in each tool automated in the pipeline.
  • DevOps requires scale, but security tools and activities require manual intervention. There are several manual activities that need to be performed on a regular basis, such as an update to a threat modeling, manual code review, and penetration testing.  Not knowing when to perform these manual security activities, what activities are needed,  and whether they are needed at all makes it more difficult for DevOps teams to  scale.
  • Automated security tools have high false positives, making resolution and remediation more difficult.

The solution

The ideal solution to this problem would be to:

  • Balance the golden triangle: people, process, and technology
  • Run automated security tests without slowing down the pipeline
  • Enforce all processes and policies in an organization
  • Reduce the burden on developers by automating as much as possible and only surfacing the most important issues for remediation
  • Ensure that the right tests and analysis are performed at the right time, based on policies, risk profiles, and changes to the code
  • Provide an automated signoff process when a critical defect cannot be fixed and code must be deployed to production
  • Document all decisions so the auditing or compliance team can review the logs at any time

Intelligent Orchestration

Intelligent Orchestration enables teams to integrate application security analysis into DevOps pipelines while maintaining development velocity. It uses a purpose-built, cloud-based CI/CD pipeline that automatically performs the right security tests at the right time based on SDLC events and defined policies. And it provides risk-based vulnerability reporting to help teams focus on the highest-priority issues.

How Intelligent Orchestration helps development teams

Developers are given vulnerabilities prioritized by their organization’s security policies (e.g., only critical vulnerabilities or only critical SQLi vulnerabilities), so they aren’t overwhelmed by analysis results. Intelligent Orchestration can determine when to run a specific scan and when not to, based on actual code changes, a dynamically calculated total risk score, and predetermined security policies.

Development teams can also specify that any time a developer pushes a code change or merges code from a development branch to the main branch, that action will trigger SAST or SCA to run. Developers then get all the information they need to fix any identified issues and merge the fixed code into the main branch—detailed descriptions, actionable remediation advice, file changed, line number, and commit ID.

Intelligent Orchestration also helps DevOps engineers who have hundreds and thousands of CI/CD jobs up and running. Intelligent Orchestration simplifies and reduces the risk of adding application security testing into DevOps pipelines by providing a purpose-built security analysis pipeline that integrates easily with existing toolchain. And it eliminates friction by isolating analysis from other development flows, ensuring pipeline velocity is maintained.

How Intelligent Orchestration helps security and compliance teams

Security teams need to easily configure their organization’s specific policy, governance, and compliance requirements. In Intelligent Orchestration, the policies that determine the depth and breadth of security activities, the detection of any anomalies in normal development workflows, and scan compliance requirements can be configured for each individual business unit, product team, application, or the entire organization.

Security teams can also easily implement security or quality gates based on configurable criteria. Identified critical issues are then pushed automatically to issue-tracking systems like Jira. This provides continuous feedback and visibility of security findings to development teams.

Intelligent Orchestration also enables users to configure post-scan feedback, so designated development, security, and DevOps leads are immediately notified of paused or failed builds or critical security vulnerabilities or failures. This helps speed remediation.

Intelligent Orchestration benefits | Synopsys

Security at scale and at speed with Intelligent Orchestration

With Intelligent Orchestration you don’t have to worry that application security is slowing your development pipelines and hindering your digital transformation and innovation. Instead of running all the automated activities in the pipeline (e.g., SAST, SCA, IAST, DAST) for every build and waiting for your teams to perform the manual activities, Intelligent Orchestration runs only the right tools and triggers the right manual activities at the right time—or not at all. It sends the right notifications—or none at all. It notifies the right people—or none at all. With Intelligent Orchestration your team can build secure, high-quality software, faster.

Build security in DevOps with Intelligent Orchestration

Watch the on-demand webinar

 
Meera Rao

Posted by

Meera Rao

Meera Rao

Meera Rao (Subbarao) is a senior director for product management (DevOps solutions) at Synopsys. She has over 20 years of experience in software development organizations in a variety of roles including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analyses, secure design reviews, and threat modeling of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. She has developed multiple Synopsys training courses and is a certified instructor in architectural risk analysis, threat modeling, and more.


More from Security news and research