A vulnerability response is a combination of people, process, and technology. Software composition analysis tools help identify and track library usage. When a new vulnerability emerges, a Synopsys Black Duck® research team investigates the issue. This particular vulnerability was not assigned a detailed CVE entry until several hours after it was disclosed, but Synopsys analysts had already allocated a Black Duck Security Advisory (BDSA) number and pushed the notification out to Synopsys customers.
The next question is your ability to respond. Once Black Duck sends out an alert, security analysts on your team can see which applications are impacted. The developers who own those applications are notified automatically too, whether via Teams, Slack, a Jira ticket, or email, depending on how Black Duck alerts are configured. You then need the organizational machinery in place to rapidly roll out an update. This is where we must look at the DevOps capability itself.
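The alert-routing step described above, as an added example that is not Black Duck code or any vendor's API: a constructed component inventory (the kind of data an SCA scan records per application) is matched against a constructed advisory, the impacted applications are listed, and one alert per owning team is built for that team's configured channel. The component name, advisory id, team names, and channels are all made-up placeholders.

```python
"""Added example (not Synopsys or Black Duck code): match a newly published
advisory against a component inventory produced by an SCA scan, list the
impacted applications, and group the alert by application owner and
notification channel. Every value here is constructed for illustration."""
import re
from collections import defaultdict

# Constructed inventory: per application, its owner and the components
# (library identifier -> version) an SCA scan found in the build.
INVENTORY = {
    "payments-api": {
        "owner": "team-payments",
        "components": {"acme-logging:core": "2.14.1", "acme-json:databind": "2.13.0"},
    },
    "reporting-batch": {
        "owner": "team-data",
        "components": {"acme-logging:core": "2.15.0"},
    },
    "mobile-gateway": {
        "owner": "team-payments",
        "components": {"acme-logging:core": "2.3.2"},
    },
    "static-site": {
        "owner": "team-web",
        "components": {"acme-json:databind": "2.12.5"},
    },
}

# Constructed advisory shaped like the data an SCA vendor feed would carry.
# The id is a placeholder, not a real BDSA or CVE number.
ADVISORY = {
    "id": "BDSA-EXAMPLE-0001",
    "component": "acme-logging:core",
    "introduced_in": "2.0.0",   # first affected version (inclusive)
    "fixed_in": "2.15.0",       # first fixed version (exclusive upper bound)
    "severity": "critical",
}

# Constructed routing table: how each owning team wants to be told.
OWNER_CHANNELS = {
    "team-payments": "slack:#payments-alerts",
    "team-data": "jira:DATA",
    "team-web": "email:web-oncall@example.com",
}


def version_key(version, width=4):
    """Turn '2.14.1' into a zero-padded integer tuple so versions compare
    correctly as tuples ('2.15' equals '2.15.0'). Pre-release qualifiers such
    as '2.15.0-rc1' are ignored, a simplification; real SCA tools apply
    ecosystem-specific version rules."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    parts = parts[:width] + [0] * (width - len(parts))
    return tuple(parts)


def is_affected(version, advisory):
    """True when introduced_in <= version < fixed_in."""
    v = version_key(version)
    return version_key(advisory["introduced_in"]) <= v < version_key(advisory["fixed_in"])


def find_impacted(inventory, advisory):
    """Return {application: installed_version} for every application that
    ships an affected version of the advisory's component."""
    impacted = {}
    for app, record in inventory.items():
        installed = record["components"].get(advisory["component"])
        if installed is not None and is_affected(installed, advisory):
            impacted[app] = installed
    return impacted


def route_notifications(inventory, advisory):
    """Group impacted applications by owner so each team receives one alert
    on its configured channel, listing every affected app it owns."""
    by_owner = defaultdict(dict)
    for app, installed in find_impacted(inventory, advisory).items():
        by_owner[inventory[app]["owner"]][app] = installed
    notifications = []
    for owner, apps in sorted(by_owner.items()):
        notifications.append({
            "owner": owner,
            "channel": OWNER_CHANNELS.get(owner, "email:security-fallback@example.com"),
            "advisory": advisory["id"],
            "severity": advisory["severity"],
            "apps": apps,
            "action": f"upgrade {advisory['component']} to >= {advisory['fixed_in']}",
        })
    return notifications


if __name__ == "__main__":
    for note in route_notifications(INVENTORY, ADVISORY):
        print(f"[{note['severity']}] {note['advisory']} -> {note['channel']}")
        for app, installed in note["apps"].items():
            print(f"    {app} ships {installed}; {note['action']}")
```

Running the block prints a single alert for team-payments covering both of its affected applications, while reporting-batch (already on the fixed version) and static-site (does not ship the component) are left alone. The point of grouping by owner is that the team receiving the alert sees every application it must patch in one place, which is the input the DevOps pipeline discussed next has to act on.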
One of the key metrics from DevOps Research and Assessment (DORA), a cross-industry program to measure and benchmark organizational DevOps capabilities, is the speed at which a change can be pushed into production. According to DORA, elite performers can complete this cycle in less than an hour and deploy any change on demand. But only 26% of the 1,200 respondents surveyed in the latest State of DevOps Survey fall into the elite category. While that is still a large number of organizations, the next tier, high performers, takes between a day and a week to complete the cycle. These organizations are equipped to respond less quickly, meaning that slotting in a security patch is not something that would be considered a “business as usual” activity.
This significant gap between elite and high performers illustrates why maximizing the uptake of foundational DevOps practices benefits everyone and underlines why security teams must partner with development to ensure that the business is adequately equipped to respond, whether tackling a fast fix for a security, quality, or any other kind of issue.