Why True DevSecOps Must Be a Business Process

By Joanne Godfrey, Security Evangelist, ZeroNorth

Organizations are finally truly "shifting left": recognizing how testing their code for vulnerabilities, and remediating them early in the software development lifecycle (SDLC), delivers security, business and economic value. Many companies are turning to application security (AppSec) scanning tools, such as SCA, SAST and DAST, to scan their code at various stages in the SDLC.

While implementing AppSec scanning is a great first step in delivering more secure applications to market, it's not enough. First, AppSec tools are designed to scan a specific moment in time and do not, on their own, drive consistent, continuous scanning throughout the development process, which means there may well be critical gaps in the security posture. Second, centrally managing and orchestrating multiple AppSec tools requires considerable effort and expertise, especially if they need to be integrated within DevOps pipelines.

Third, AppSec scanning tools are incentivized to produce loads of findings: too many, and often too disparate, for security or DevOps teams to analyze and handle. As a result, critical vulnerabilities are often left undetected and unresolved, putting the organization and the application's users at risk.

Fourth, and relatedly, AppSec tools on their own cannot produce a holistic view of AppSec risk across the SDLC. As a result, it's impossible to make informed business decisions on where to focus development efforts.

For AppSec to be effective within today's hyper-velocity development environments, we need more than just tools. AppSec must be a process, one that is automated, consistent and repeatable at scale. This process needs to be a strategic initiative, aligned with DevOps and business processes. This is the definition of true DevSecOps.

DevSecOps requires a consistent and repeatable process to support business objectives

True DevSecOps must be a continuous process that brings security, engineering and risk managers together to serve the business - by improving application security, by accelerating product deployment timelines, by visualizing AppSec risk, and by establishing and enforcing security governance across the enterprise. 

To support this process, a DevSecOps solution must continuously and uniformly apply the organization's standards for security. This requires an automation platform that drives consistent, policy-based AppSec scanning within CI/CD pipelines in a way that's transparent and as flexible as possible for developers. Throughout this process, a DevSecOps solution must automatically streamline the vast quantity of vulnerability findings generated into a common risk framework, removing noise and compressing data, so developers can easily triage, prioritize and remediate vulnerabilities based on business risk impact.

Providing a continuous process for scanning early and often, with a closed loop feedback process to developers (while they are still working with the code), helps accelerate secure product delivery while removing friction between developers and security teams.  


Responsibility for business risk through DevSecOps must be shared

Beyond facilitating the early discovery and remediation of critical vulnerabilities, a DevSecOps solution must provide holistic visibility of AppSec risk to business, security and engineering leaders. This visibility must be both consumable for business leaders as well as provide technical insights for security and engineering professionals. The objective is to enable all stakeholders to collaborate and share responsibility for assessing and acting to address AppSec-related risk to the business.

The distributed nature of development teams, process and tools, together with the disparate formats of vulnerability data, mean true AppSec visibility is only possible if all AppSec data is centrally normalized and analyzed. Only a DevSecOps platform that enables consistent AppSec scanning throughout the SDLC, and then ingests and streamlines all AppSec data generated, can create a complete picture of AppSec risk for all relevant stakeholders.
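The two passages above describe normalizing disparate scanner output into a common risk framework, removing duplicate noise, and prioritizing by business impact. The following is an added example of that pipeline in miniature; it is not ZeroNorth's code, and the three tool output shapes, the CWE-plus-location dedupe key and the per-asset criticality weights are all assumptions constructed for the demo.

```python
# Added example (not from the article or ZeroNorth): fold SAST, SCA and DAST findings
# into one schema, drop duplicates, and rank by business risk. All shapes/weights are assumed.
# Constructed sample output from three tools, each in its own assumed shape.
SAST = [{"rule": "CWE-89", "path": "app/db.py", "line": 42, "sev": "HIGH"},
        {"rule": "CWE-89", "path": "app/db.py", "line": 42, "sev": "HIGH"},  # re-scan duplicate
        {"rule": "CWE-79", "path": "web/views.py", "line": 10, "sev": "MEDIUM"}]
SCA = [{"cwe": 502, "component": "pkg:pypi/pyyaml@5.1", "severity": 9.8}]
DAST = [{"cwe_id": "CWE-89", "url": "/api/search", "risk": "High"}]

# Business criticality per asset (assumed values an application owner would set).
CRITICALITY = {"app/db.py": 3, "/api/search": 2, "pkg:pypi/pyyaml@5.1": 2, "web/views.py": 2}
SEV_SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def cvss_band(score):
    """Map a CVSS base score onto the 1-4 scale used for the other tools' severities."""
    return 4 if score >= 9.0 else 3 if score >= 7.0 else 2 if score >= 4.0 else 1

def normalize(sast, sca, dast):
    """Translate each tool's records into one shape: tools, cwe, asset, location, sev."""
    common = []
    for f in sast:
        common.append({"tools": {"sast"}, "cwe": f["rule"], "asset": f["path"],
                       "location": f"{f['path']}:{f['line']}", "sev": SEV_SCALE[f["sev"].lower()]})
    for f in sca:
        common.append({"tools": {"sca"}, "cwe": f"CWE-{f['cwe']}", "asset": f["component"],
                       "location": f["component"], "sev": cvss_band(f["severity"])})
    for f in dast:
        common.append({"tools": {"dast"}, "cwe": f["cwe_id"], "asset": f["url"],
                       "location": f["url"], "sev": SEV_SCALE[f["risk"].lower()]})
    return common

def dedupe(findings):
    """Merge same CWE at same location: keep worst severity, union the reporting tools."""
    merged = {}
    for f in findings:
        m = merged.setdefault((f["cwe"], f["location"]), f)
        m["sev"] = max(m["sev"], f["sev"])
        m["tools"] |= f["tools"]
    return list(merged.values())

def prioritize(findings):
    """Risk = severity x business criticality of the affected asset, highest first."""
    for f in findings:
        f["risk"] = f["sev"] * CRITICALITY.get(f["asset"], 1)
    return sorted(findings, key=lambda f: (-f["risk"], f["cwe"], f["location"]))

def triage(sast=SAST, sca=SCA, dast=DAST):
    """Full pipeline: normalize -> dedupe -> prioritize; returns the ranked list."""
    return prioritize(dedupe(normalize(sast, sca, dast)))
```

With the constructed input, five raw findings collapse to four, and the SQL injection in the business-critical database module outranks the higher-CVSS library issue because the asset weight is part of the score.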

For executive leadership, this visibility enables them to monitor and measure alignment with the organization's security governance program, as well as gauge risk exposure and compliance status, and ultimately make good risk management decisions for the business. Business unit leaders need this visibility to understand their product lines' security posture and security readiness, identify long-term AppSec trends and compare AppSec performance across teams. Application owners and development leaders need to be able to quickly identify and focus on addressing AppSec hotspots, as well as figure out how to prevent issues from recurring, whether through adding resources, training, or targeted coaching for a specific development team or individual.

Delivering secure applications to market at speed reduces risk and helps drive innovation. In today's hyper-agile world and rapidly evolving, and worsening, threat landscape, this is a sound business strategy. But it requires a fundamental shift in the way organizations approach application security today. Application security can no longer be haphazard, tool-centric and tactical. It must be a strategic business process that connects and aligns security, engineering and business leaders to collaboratively support the organization's governance model while improving AppSec, visibility and time-to-market. This is true DevSecOps.



Joanne Godfrey 

Joanne Godfrey is a Security Evangelist at ZeroNorth. Before that, she was a Senior Product Marketing Manager at IBM Security, where she was responsible for the positioning and messaging of IBM Security's data security portfolio. Joanne has over two decades of product marketing leadership experience at technology companies, including AlgoSec, Bradford Networks (acquired by Fortinet), Shunra Software (acquired by HP) and Precise Software (acquired by Veritas).

Joanne has a wide range of enterprise technology expertise, including application, network and data security. She is also a published author on cybersecurity topics in both industry and business publications. 

Published Wednesday, July 14, 2021 7:36 AM by David Marshall