Achieving a culture of DevSecOps is possible with the help of solutions like Intelligent Orchestration and Code Dx.
As a trusted adviser to my clients, I use my unparalleled experience with a broad range of security tools to help them build and mature security programs. I work tirelessly to help them break down silos, facilitate collaborative change, create a culture of lean learning, and ensure continuous feedback and sharing, so they can build pipelines that are intelligent and risk-based.
Damon Edwards first coined the acronym CAMS, which stands for culture, automation, measurement, and sharing. CALMS, coined by Jez Humble, coauthor of “The DevOps Handbook,” stands for culture, automation, lean, measurement, and sharing.
As seen in Figure 1 below, what both these acronyms signify is that DevSecOps is a culture of continuous collaboration, continuous feedback, automation, lean/learning, measurement, and sharing.
Figure 1: Diagram of CALMS
The table below outlines how Intelligent Orchestration and Code Dx® can help you keep CALMS.
| CALMS methodology | Theme | Intelligent Orchestration and Code Dx |
|---|---|---|
| Collaboration and sharing | Facilitating collaborative change and sharing | |
| Automation | Accelerating development velocity with improved automation | |
| Lean and learning | Building a culture of lean learning | |
Let’s dig deeper and explore each of the topics in detail.
Organizations seeking to bridge the gap between DevOps and security while maintaining productivity and solution time to market often don’t realize that changes are required throughout the organization. Just like continuous integration, continuous delivery, and continuous deployment, there also must be continuous collaboration and continuous communication across development, security, and operations teams, just to name a few.
Intelligent Orchestration comes to your rescue here. Whether it is providing timely feedback to your developers to fix a critical issue, notifying the application security team of a high-risk change that requires a manual code review or an update to a threat model, or even getting a sign-off from an authority about pushing a known vulnerability to production, Intelligent Orchestration can facilitate the collaborative change an organization requires.
In Figure 2, the code scanning alerts in GitHub Actions list the top two SQL injection issues. The issues that are prioritized are configured by the organization based on the issues the team cares about.
Figure 2: Code scanning alerts in GitHub Actions list the issues the team is concerned about
Intelligent Orchestration can notify application security teams when they need to perform a manual code review and threat modeling based on a high-risk code change. These policies can be configured as policy as code and enforced within the pipeline automatically, as shown in Figure 3.
Figure 3: Intelligent Orchestration triggers a manual code review and threat modeling based on high-risk code change
Intelligent Orchestration and Code Dx also make it easy to implement security gates based on configurable criteria or Code Dx risk score, as shown in Figure 4. Teams can query the risk score through the extensive APIs the solution provides and allow the Intelligent Orchestration pipeline to pause the build, as shown in Figure 5.
Figure 4: An example of a Code Dx risk score based on configurable criteria
Figure 5: Intelligent Orchestration pauses the build based on information provided from the Code Dx risk score
As organizations move toward DevOps in order to deploy to production daily or even every few minutes, they want a security solution that matches that velocity. When pipelines are built to include security tools, all the configured tools run all the time. But instead of running all AppSec scans (e.g., SAST, SCA, IAST, DAST) for every build, you can run only the right tools at the right time—or not at all—with Intelligent Orchestration.
Intelligent Orchestration automatically runs the right security tools (or triggers manual testing activities, as shown earlier in Figure 3) based on how significant the code changes are, the total risk score, and your company’s own security policies. This enables security teams to easily implement security processes and policies for all applications across their organization, at enterprise scale.
If the code changes are minor, such as changing the font using CSS in an HTML file, the risk score would be low, so no security scan tools would need to run at all, as shown in Figure 6. Scanning would be disabled, saving valuable time and resources.
However, if the code change was major or critical in nature, such as changing an authentication API, this would result in a high risk score, and multiple security testing scans such as SAST, SCA, and DAST would be enabled, as shown in Figure 7. In addition, this would also trigger manual code review and manual penetration testing as required actions.
Figure 7: Major code changes triggering all AST activities
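The risk-based selection described above (trivial CSS change, no scans; authentication API change, all scans plus manual review and penetration test) and the risk-score build gate from Figure 5 can be expressed as a small policy-as-code module. The following is an added illustration, not Intelligent Orchestration or Code Dx code; the path segments, weights, score bands and the 75-point gate threshold are constructed assumptions standing in for an organization's own policy.

```python
"""Hypothetical risk-based orchestration policy (added example, not product code).

Scores a set of changed file paths, maps the score to the AST tools that run
and the manual activities that are required, and gates the build on a risk
threshold unless an explicit sign-off is recorded.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Constructed weights: directory segments and file extensions that raise risk.
# These are assumptions for illustration, not the product's built-in policy.
SEGMENT_WEIGHTS = {"auth": 80, "crypto": 70, "payments": 60, "api": 40}
EXTENSION_WEIGHTS = {".java": 20, ".py": 20, ".go": 20, ".js": 15, ".sql": 30,
                     ".html": 2, ".css": 0, ".md": 0, ".txt": 0}


@dataclass(frozen=True)
class Decision:
    risk_score: int
    tools: Tuple[str, ...]    # automated AST tools to run for this build
    manual: Tuple[str, ...]   # manual activities to ticket for the security team
    gate_open: bool           # True if the pipeline may proceed without sign-off


def file_risk(path: str) -> int:
    """Risk contribution of one changed file, from its location and type."""
    parts = path.lower().split("/")
    stem, dot, ext = parts[-1].rpartition(".")
    ext = "." + ext if dot else ""
    score = EXTENSION_WEIGHTS.get(ext, 10)   # unknown file types get a modest default
    for segment in parts[:-1]:
        score = max(score, SEGMENT_WEIGHTS.get(segment, 0))
    if "auth" in stem:                       # e.g. login_handler vs. auth_middleware
        score = max(score, SEGMENT_WEIGHTS["auth"])
    return score


def change_risk(paths: Iterable[str]) -> int:
    """Aggregate risk: the riskiest file dominates, breadth adds a little, capped at 100."""
    scores = [file_risk(p) for p in paths]
    if not scores:
        return 0
    return min(100, max(scores) + 2 * (len(scores) - 1))


def decide(paths: Iterable[str], gate_threshold: int = 75) -> Decision:
    """Map the aggregate score to tools, manual activities and the build gate."""
    score = change_risk(paths)
    if score < 10:                 # cosmetic change: skip scanning entirely
        tools, manual = (), ()
    elif score < 40:
        tools, manual = ("SAST",), ()
    elif score < 70:
        tools, manual = ("SAST", "SCA"), ()
    else:                          # critical change: full AST plus manual activities
        tools = ("SAST", "SCA", "DAST")
        manual = ("manual code review", "manual penetration test")
    return Decision(score, tools, manual, gate_open=score < gate_threshold)


def may_proceed(decision: Decision, signoff: Optional[str] = None) -> bool:
    """A paused build continues only with a recorded sign-off from an authority."""
    return decision.gate_open or signoff is not None


if __name__ == "__main__":
    # Constructed change sets illustrating the two cases from the text.
    print(decide(["web/static/site.css"]))
    print(decide(["src/api/auth/login_handler.py", "src/api/routes.py"]))
```

In a real pipeline the changed-path list would come from the VCS diff and the score bands from a versioned policy file, so that a policy change is itself reviewed like code.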
In addition to running the tools at the right time at the right depth and notifying the right teams, Intelligent Orchestration also provides the right learning information to the right teams at the right time, and with the right amount of information.
Intelligent Orchestration enables teams to fix software defects quickly, easily, and correctly with fast analysis results and actionable remediation advice as they code. Figure 8 below shows actionable remediation guidance to help a developer fix a SQL injection issue in their source control repository.
Figure 8: Actionable guidance for SQL injection
Issue tickets are automatically created in the defect-tracking system for tracking and triage. Intelligent Orchestration can notify teams when application security testing (AST) tools identify critical issues. It can also create tickets to trigger manual activities. These issues are then pushed automatically to issue-tracking systems like Jira, as shown in Figure 9. This enables continuous lean learning, feedback, and visibility of security findings for development teams.
Figure 9: Jira is also used to add tickets for all security issues and manual activities
As new initiatives are implemented, metrics allow management to monitor progress, change behavior, and demonstrate the return on investment. A robust metrics program is crucial to running a successful and proactively managed software security initiative and achieving CALMS.
Let’s see what metrics can be gathered from Intelligent Orchestration and Code Dx. With SonarQube integration, Intelligent Orchestration displays the risk calculation, the score, and which security activities were run and which were skipped for that particular build, as shown below in Figure 10.
Figure 10: Intelligent Orchestration metrics in SonarQube
Code Dx provides a comprehensive dashboard that includes displays tailored to each stakeholder. For example, executives can view metrics pertaining to the entire organization and track progress, and application owners can track the progress of their application’s software security posture. Code Dx also provides metrics that show how vulnerability management and AppSec are performing over time in the organization.
Metrics on severity are key; they reveal the overall danger to the organization. Severity metrics also help security team members prioritize issues, so the most pressing ones can be addressed first. Figure 11 shows the Open Findings section in Code Dx, which displays the overall triage status of the project.
Figure 11: Open Findings view of a project in Code Dx
The Findings Count Trend visualization shows a breakdown of findings by detection method over time. It uses a stacked area chart, with date as the X axis and total finding count as the Y axis. By default, an area for each detection method is shown, so the stacked areas’ total height indicates the total number of findings at a given date, as shown below in Figure 12.
Figure 12: Findings Count Trend in Code Dx
It’s not enough just to know how many vulnerabilities are identified; average number of days to resolution is another important AppSec metric. The longer an issue lingers, the more likely it is to be exploited. Managers can use this metric to assess remediation efforts and identify inefficiencies.
In Code Dx, the average number of days it takes to resolve a finding of a specified severity is displayed in a badge. A colored bar below the badges acts as a legend, and hovering the mouse cursor over a badge highlights that severity’s respective color.
As a general rule, teams may want to prioritize higher-severity findings, so team leads will want to see a lower number of days to resolution for higher-severity findings. Figure 13 shows the Average Days to Resolution view in Code Dx.
Figure 13: Average number of days to resolve a finding
The types of vulnerabilities found are also important. Knowing the most common types of vulnerabilities in applications helps developers write better code and prevent these issues, and it can help remediate them more quickly when they do occur.
Code Dx displays the top finding types by project and across all projects within an organization, as shown in Figure 14.
Figure 14: Top finding types for a project
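The three metrics discussed above (the Findings Count Trend by detection method in Figure 12, Average Days to Resolution per severity in Figure 13, and top finding types in Figure 14) can be computed from a plain list of findings. The following is an added example and not Code Dx code; the six findings, the severity names and the per-severity resolution targets are constructed for illustration.

```python
"""Compute dashboard-style AppSec metrics from a findings list (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    id: str
    detection_method: str     # e.g. SAST, SCA, DAST, Manual
    severity: str
    finding_type: str
    opened: date
    closed: Optional[date]    # None while the finding is still open


# Constructed sample data, not real scan results.
FINDINGS: List[Finding] = [
    Finding("F1", "SAST", "Critical", "SQL Injection", date(2023, 1, 2), date(2023, 1, 5)),
    Finding("F2", "SAST", "High", "Cross-Site Scripting", date(2023, 1, 2), date(2023, 1, 12)),
    Finding("F3", "SCA", "High", "Vulnerable Dependency", date(2023, 1, 3), None),
    Finding("F4", "DAST", "Medium", "SQL Injection", date(2023, 1, 6), date(2023, 1, 20)),
    Finding("F5", "SCA", "Low", "Vulnerable Dependency", date(2023, 1, 8), date(2023, 1, 10)),
    Finding("F6", "Manual", "Critical", "Hardcoded Credential", date(2023, 1, 9), date(2023, 1, 11)),
]

# Constructed resolution targets in days per severity (an assumed internal SLA).
TARGET_DAYS = {"Critical": 3, "High": 7, "Medium": 30, "Low": 90}


def open_on(f: Finding, day: date) -> bool:
    """A finding counts as open on a day if opened on or before it and not yet closed."""
    return f.opened <= day and (f.closed is None or f.closed > day)


def findings_count_trend(findings: List[Finding], days: List[date]) -> Dict[date, Dict[str, int]]:
    """Per day, open findings per detection method: the series behind a stacked area chart."""
    trend = {}
    for day in days:
        counts: Dict[str, int] = defaultdict(int)
        for f in findings:
            if open_on(f, day):
                counts[f.detection_method] += 1
        trend[day] = dict(counts)
    return trend


def total_open(trend: Dict[date, Dict[str, int]], day: date) -> int:
    """Total height of the stack on a given day."""
    return sum(trend[day].values())


def avg_days_to_resolution(findings: List[Finding]) -> Dict[str, float]:
    """Mean open-to-close time per severity; still-open findings are excluded."""
    durations: Dict[str, List[int]] = defaultdict(list)
    for f in findings:
        if f.closed is not None:
            durations[f.severity].append((f.closed - f.opened).days)
    return {sev: mean(d) for sev, d in durations.items()}


def severities_over_target(findings: List[Finding], targets: Dict[str, int]) -> List[str]:
    """Severities whose average resolution time exceeds the target: where to focus remediation."""
    avg = avg_days_to_resolution(findings)
    return [sev for sev, days in avg.items() if sev in targets and days > targets[sev]]


def top_finding_types(findings: List[Finding], n: int = 3):
    """Most common finding types, ties broken alphabetically for stable output."""
    counts = Counter(f.finding_type for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    days = [date(2023, 1, 1) + timedelta(days=i) for i in range(0, 21, 3)]
    for day, counts in findings_count_trend(FINDINGS, days).items():
        print(day, counts)
    print(avg_days_to_resolution(FINDINGS))
    print(severities_over_target(FINDINGS, TARGET_DAYS))
    print(top_finding_types(FINDINGS, 2))
```

Keeping unresolved findings out of the resolution average matters: including them with a provisional age would make the metric drift upward on every refresh regardless of remediation effort, which defeats its purpose as a management signal.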
Intelligent Orchestration and Code Dx can help organizations:
With Intelligent Orchestration and Code Dx, organizations can build trust into their software while realizing important initiatives such as CALMS, DevSecOps, and digital transformation.
Meera Rao (Subbarao) is a senior director for product management (DevOps solutions) at Synopsys. She has over 20 years of experience in software development organizations in a variety of roles including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analyses, secure design reviews, and threat modeling of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. She has developed multiple Synopsys training courses and is a certified instructor in architectural risk analysis, threat modeling, and more.