Keep CALMS with Intelligent Orchestration and Code Dx

Achieving a culture of DevSecOps is possible with the help of solutions like Intelligent Orchestration and Code Dx.Keep CALMS with Intelligent Orchestration and Code Dx | Synopsys

As a trusted adviser to my clients, I use my unparalleled experience with a broad range of security tools to help them build and mature security programs. I work tirelessly to help them break down silos, facilitate collaborative change, create a culture of lean learning, and  ensure continuous feedback and sharing, so they can build pipelines that are intelligent and risk-based. 

CAMS or CALMS: What’s in a name?

Damon Edwards first coined the acronym CAMS, which stands for culture, automation, measurement, and sharing. CALMS, coined by Jez Humble, coauthor of “The DevOps Handbook,” stands for culture, automation, lean, measurement, and sharing. 

As seen in Figure 1 below, what both these acronyms signify is that DevSecOps is a culture of continuous collaboration, continuous feedback, automation, lean/learning, measurement, and sharing. 

Diagram of CALMS | Synopsys
Figure 1: Diagram of CALMS

The table below outlines how Intelligent Orchestration and Code Dx® can help you keep CALMS.

CALMS methodology Theme Intelligent Orchestration and Code Dx
Collaboration and sharing Facilitating collaborative change and sharing
  • Collaboration enables all groups within an organization, including development, operations, and application security teams, to move toward a proactive rather than reactive engagement. Intelligent Orchestration enables collaboration by automatically providing information and feedback to development, security, compliance, and DevOps teams.  
  • Intelligent Orchestration and Code Dx provide all the information developers need to fix identified issues and merge the fixed code into the main branch: detailed descriptions, actionable remediation advice, which file changed, the line number, and the commit ID.
  • Security or quality gates based on configurable failure criteria can be easily implemented using Intelligent Orchestration and Code Dx. And both solutions can automatically push critical issues to issue-tracking systems like Jira to provide development teams with continuous feedback and visibility into security findings.
Automation Accelerating development velocity with improved automation
  • Intelligent Orchestration’s automation capabilities enable teams to build DevSecOps pipelines that are intelligent and risk-based, ensuring that the DevOps team isn’t slowed by security activities. It also facilitates governance, compliance, and assurance to support organizations as they scale their security testing activities.
  • Instead of spending time running all AppSec scans (e.g., static application security testing (SAST), software composition analysis (SCA), interactive application security testing (IAST), and dynamic application security testing (DAST)) for every build, Intelligent Orchestration enables teams to run only the right tools at the right time at the right depth—or not at all.
  • Security teams can easily configure governance and compliance requirements as code with Intelligent Orchestration. The policies that determine the depth and breadth of security activities, define development workflows, and set scan compliance requirements can be configured and automated for each individual business unit, product team, application, or the entire organization. 
Lean and learning Building a culture of lean learning
  • Instead of waiting to fix bugs and vulnerabilities until after they wreak havoc on your applications, Intelligent Orchestration and Code Dx allow teams to treat security issues like any other bug within the DevOps process. Both solutions make security a part of the DevOps processes, not a separate entity from which developers only receive feedback when security issues are identified. 
  • Organizations can use Intelligent Orchestration to configure post-scan feedback so that designated development, security, and DevOps leads are immediately notified of paused or failed builds, or critical security vulnerabilities or failures, so they can be remediated right away.
Measurement Measuring success
  • Data gathered by Code Dx on the type and frequency of security vulnerabilities found in individual developers’ code can be leveraged for focused developer feedback and training. This data helps prioritize the most critical vulnerabilities for remediation to properly allocate resources.
  • Code Dx provides a centralized place to manage the results from a large number of AppSec tools across multiple projects and departments.
  • Metrics dashboards available within Code Dx show how vulnerability management and AppSec are performing over time in an organization.

Let’s dig deeper and explore each of the topics in detail.

Learn more about Intelligent Orchestration and Code Dx

Facilitating collaborative change and sharing

Organizations seeking to bridge the gap between DevOps and security while maintaining productivity and solution time to market often don’t realize that changes are required throughout the organization. Just like continuous integration, continuous delivery, and continuous deployment, there also must be continuous collaboration and continuous communication across development, security, and operations teams, just to name a few.

Intelligent Orchestration comes to your rescue here. Whether it is providing timely feedback to your developers to fix a critical issue, notifying the application security team of a high-risk change that requires a manual code review or an update to a threat model, or even getting a sign-off from an authority about pushing a known vulnerability to production, Intelligent Orchestration can facilitate the collaborative change an organization requires.

In Figure 2, the code scanning alerts in GitHub Actions list the top two SQL injection issues. The issues that are prioritized are configured by the organization based on the issues the team cares about.

Code scanning alerts in GitHub Actions | SynopsysFigure 2: Code scanning alerts in GitHub Actions list the issues the team is concerned about

Intelligent Orchestration can notify application security teams when they need to perform a manual code review and threat modeling based on a high-risk code change. These policies can be configured as policy as code and enforced within the pipeline automatically, as shown in Figure 3.

Intelligent Orchestration triggers manual code review | SynopsysFigure 3: Intelligent Orchestration triggers a manual code review and threat modeling based on high-risk code change

Intelligent Orchestration and Code Dx also make it easy to implement security gates based on configurable criteria or Code Dx risk score, as shown in Figure 4. Teams can query the risk score through the extensive APIs the solution provides and allow the Intelligent Orchestration pipeline to pause the build, as shown in Figure 5.

Code Dx risk score | SynopsysFigure 4: An example of a Code Dx risk score based on configurable criteria

 

Intelligent Orchestration pauses build from info from Code Dx risk score | SynopsysFigure 5: Intelligent Orchestration pauses the build based on information provided from the Code Dx risk score

Accelerating development velocity with improved automation

As organizations move toward DevOps in order to deploy to production daily or even every few minutes, they want a security solution that matches that velocity. When pipelines are built to include security tools, all the configured tools run all the time. But instead of running all AppSec scans (e.g., SAST, SCA, IAST, DAST) for every build, you can run only the right tools at the right time—or not at all—with Intelligent Orchestration. 

Intelligent Orchestration automatically runs the right security tools (or triggers manual testing activities, as shown earlier is Figure 3) based on how significant the code changes are, the total risk score, and your company’s own security policies. This enables security teams to easily implement security processes and policies for all applications across their organization, at enterprise scale.

If the code changes are minor, such as changing the font using CSS in an HTML file, the risk score would be low, so no security scan tools would need to run at all, as shown in Figure 6. Scanning would be disabled, saving valuable time and resources.

application when minor JavaScript file changed | SynopsysFigure 6: An example application when a minor JavaScript file was changed

However, if the code change was major or critical in nature, such as changing an authentication API, this would result in a high risk score, and multiple security testing scans such as SAST, SCA, and DAST would be enabled, as shown in Figure 7. In addition, this would also trigger manual code review and manual penetration testing as required actions.

Major code changes trigger AST activities | SynopsysFigure 7: Major code changes triggering all AST activities 

Building a culture of lean learning

In addition to running the tools at the right time at the right depth and notifying the right teams, Intelligent Orchestration also provides the right learning information to the right teams at the right time, and with the right amount of information. 

Intelligent Orchestration enables teams to fix software defects quickly, easily, and correctly with fast analysis results and actionable remediation advice as they code. Figure 8 below shows actionable remediation guidance to help a developer fix a SQL injection issue in their source control repository.

Guidance from SQL injection | SynopsysFigure 8: Actionable guidance for SQL injection

Issue tickets are automatically created in the defect-tracking system for tracking and triage. Intelligent Orchestration can notify teams when application security testing (AST) tools identify critical issues. It can also create tickets to trigger manual activities. These issues are then pushed automatically to issue-tracking systems like Jira, as shown in Figure 9. This enables continuous lean learning, feedback, and visibility of security findings for development teams.

Jira used to add tickets for security issues and manual activities | SynopsysFigure 9: Jira is also used to add tickets for all security issues and manual activities

Measuring success

As new initiatives are implemented, metrics allow management to monitor progress, change behavior, and demonstrate the return on investment. A robust metrics program is crucial to running a successful and proactively managed software security initiative and achieving CALMS.

Let’s see what metrics can be gathered from Intelligent Orchestration and Code Dx. With SonarQube integration, Intelligent Orchestration displays the risk calculation, the score, and which security activities were run and which were skipped for that particular build, as shown below in Figure 10.

Intelligent Orchestration metrics in SonarQube | SynopsysFigure 10: Intelligent Orchestration metrics in SonarQube

Code Dx provides a comprehensive dashboard that includes displays tailored to each stakeholder. For example, executives can view metrics pertaining to the entire organization and track progress, and application owners can track the progress of their application’s software security posture. Code Dx also provides metrics that show how vulnerability management and AppSec are performing over time in the organization.

Metrics on severity are key; they reveal the overall danger to the organization. Severity metrics also help security team members prioritize issues, so the most pressing ones can be addressed first. Figure 11 shows the Open Findings section in Code Dx, which displays the overall triage status of the project.

Open Findings in Code Dx | SynopsysFigure 11: Open Findings view of a project in Code Dx

The Findings Count Trend visualization shows a breakdown of findings by detection method over time. It uses a stacked area chart, with date as the X axis and total finding count as the Y axis. By default, an area for each detection method is shown, so the stacked areas’ total height indicates the total number of findings at a given date, as shown below in Figure 12.

Findings Count Trend in Code Dx | SynopsysFigure 12: Findings Count Trend in Code Dx

It’s not enough just to know how many vulnerabilities are identified; average number of days to resolution is another important AppSec metric. The longer an issue lingers, the more likely it is to be exploited. Managers can use this metric to assess remediation efforts and identify inefficiencies. 

In Code Dx, the average number of days it takes to resolve a finding of a specified severity is displayed in a badge. A colored bar below the badges acts as a legend, and hovering the mouse cursor over a badge highlights that severity’s respective color.

As a general rule, teams may want to prioritize higher-severity findings, so team leads will want to see a lower number of days to resolution for higher-severity findings. Figure 13 shows the Average Days to Resolution view in Code Dx.

Average days to resolution | SynopsysFigure 13: Average number of days to resolve a finding

The types of vulnerabilities found is also important. Knowing the most common types of vulnerabilities in applications helps developers write better code and prevent these issues, and it can help remediate them more quickly when they do occur. 

Code Dx displays the top finding types by project and across all projects within an organization, as shown in Figure 14. 

Top findings type for a project | SynopsysFigure 14: Top findings type for a project

The result: Keep CALMS and achieve DevSecOps

Intelligent Orchestration and Code Dx can help organizations:

  • Build a culture of lean learning, sharing, and collaboration that help ensure tight feedback loops and enable identified issues to be resolved in a timely manner
  • Accelerate the velocity of software security through automation
  • Gather appropriate metrics to strike a balance between detection, mitigation, and prevention of software-induced risk

With Intelligent Orchestration and Code Dx, organizations can build trust into their software while realizing important initiatives such as CALMS, DevSecOps, and digital transformation.

ESG report: Cracking the Code of DevSecOps | Synopsys

 
Meera Rao

Posted by

Meera Rao

Meera Rao

Meera Rao (Subbarao) is a senior director for product management (DevOps solutions) at Synopsys. She has over 20 years of experience in software development organizations in a variety of roles including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analyses, secure design reviews, and threat modeling of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. She has developed multiple Synopsys training courses and is a certified instructor in architectural risk analysis, threat modeling, and more.


More from Building secure software