2. Lack of AppSec tool integration
Most DevOps toolchains are assembled of tools from multiple vendors. Teams pick the source code management (SCM), continuous integration (CI), build tools, binary repositories, test automation, and trouble ticketing systems that best suit their needs. Off-the-shelf integrations as well as APIs make it reasonably easy to combine everything into a well-oiled DevOps machine.
But teams often find that this mix-and-match approach becomes more difficult when they try to fold multiple AppSec tools into the toolchain. Security analysis generally requires a combination of static application security testing (SAST), software composition analysis (SCA), and some form of dynamic testing (dynamic application security testing, interactive application security testing, fuzzing, etc.). Developers need a consolidated view of issues, but combining and reconciling findings from multiple vendors’ tools can be difficult. This challenge is the motivation behind the design of Code Sight™, an IDE plugin that brings results from SAST and SCA together directly at the developer desktop.
3. Pipeline friction and developer overload
Perhaps the biggest challenge developers face is the competing priorities of traditional AppSec tools and modern DevOps velocity. Many AppSec tools were designed around a model in which a member of the security team ran the tests, reviewed the often voluminous list of findings, and forwarded the list back to the development team for remediation. At best, this process might take several hours, but more often than not it would take days.
This lengthy, human-intensive model is incompatible with the high-velocity, integrated, and automated model of DevOps. And it makes clear that it’s not enough to build security into DevOps. You need to leverage AppSec tools that have DevOps built into them.
That means that, to be truly DevOps compatible, tests must be triggered by events in the SDLC (e.g., pull requests, commits, builds), run in the background without human intervention, and automatically apply security policies so developers can focus on the highest-risk findings. An example of this type of solution is the Synopsys Intelligent Security Scan GitHub Action. This integration allows teams to easily automate SAST and SCA within their GitHub workflows. Leveraging the Coverity® and Black Duck® scan engines and the intelligent test execution and reporting capabilities within the Synopsys Polaris Software Integrity Platform™, Intelligent Security Scan addresses both the execution delays that security testing can cause and the vulnerability overload teams face with legacy tools.