By Joanne Godfrey, Security Evangelist, ZeroNorth
Organizations
are finally truly "shifting left" - recognizing that testing their code for
vulnerabilities, and remediating them early in the software development
lifecycle (SDLC), delivers security, business and economic value. Many
companies are turning to application security (AppSec) scanning tools - such as
SCA, SAST and DAST - to scan their code at various stages in the SDLC.
While implementing
AppSec scanning is a great first step in delivering more secure applications to
market, it's not enough. First, AppSec tools are designed to scan a specific
moment in time and do not, on their own, drive consistent, continuous scanning
throughout the development process, which means there may well be critical gaps
in the security posture. Second, centrally managing and orchestrating multiple AppSec
tools requires considerable effort and expertise, especially if they need to be
integrated within DevOps pipelines.
Third, AppSec
scanning tools are incentivized to produce loads of findings - too many and often
too disparate for security or DevOps teams to analyze and handle. As a
result, critical vulnerabilities are often left undetected and unresolved,
putting the organization and the application's users at risk.
Fourth, AppSec
tools on their own cannot produce a holistic view of AppSec risk across
the SDLC. As a result, it's impossible to make informed business decisions on
where to focus development efforts.
For AppSec to
be effective within today's hyper velocity development environments, we need more
than just tools. AppSec must be a process, one that is automated, consistent
and repeatable at scale. This process needs to be a strategic initiative,
aligned with DevOps and business processes. This is the definition of true
DevSecOps.
DevSecOps
requires a consistent and repeatable process to support business objectives
True DevSecOps must
be a continuous process that brings security, engineering and risk managers
together to serve the business - by improving application security, by accelerating
product deployment timelines, by visualizing AppSec risk, and by establishing and
enforcing security governance across the enterprise.
To support this
process, a DevSecOps solution must continuously and uniformly apply the
organization's standards for security. This requires an automation platform
that drives consistent, policy-based AppSec scanning within CI/CD pipelines in
a way that's transparent and as flexible as possible for developers. Throughout
this process, a DevSecOps solution must automatically streamline the vast quantity
of vulnerability findings generated into a common risk framework, removing noise
and compressing data, so developers can easily triage, prioritize and remediate
vulnerabilities based on business risk impact.
Providing a continuous
process for scanning early and often, with a closed loop feedback process to
developers (while they are still working with the code), helps accelerate secure
product delivery while removing friction between developers and security teams.
Responsibility
for business risk through DevSecOps must be shared
Beyond
facilitating the early discovery and remediation of critical vulnerabilities, a
DevSecOps solution must provide holistic visibility of AppSec risk to business,
security and engineering leaders. This visibility must be both consumable for
business leaders as well as provide technical insights for security and engineering
professionals. The objective is to enable all stakeholders to collaborate and
share responsibility for assessing and acting to address AppSec-related risk to
the business.
The distributed
nature of development teams, process and tools, together with the disparate
formats of vulnerability data, mean true AppSec visibility is only possible if
all AppSec data is centrally normalized and analyzed. Only a DevSecOps platform
that enables consistent AppSec scanning throughout the SDLC, and then ingests
and streamlines all AppSec data generated, can create a complete picture of
AppSec risk for all relevant stakeholders.
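As an added illustration of the normalization step described above (example code, not ZeroNorth's code or product): constructed findings from three hypothetical tools in three different shapes are mapped onto one schema, exact duplicates are collapsed, and each item is scored by severity times a constructed asset-criticality value so it can be triaged by business impact.

```python
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed raw output; each list mimics the shape a hypothetical tool emits.
RAW_FINDINGS = {
    "sast": [
        {"app": "payments", "file": "src/db.py", "line": 42, "cwe": "CWE-89", "sev": "High"},
        {"app": "payments", "file": "src/db.py", "line": 42, "cwe": "CWE-89", "sev": "High"},
        {"app": "blog", "file": "views.py", "line": 7, "cwe": "CWE-79", "sev": "Medium"},
    ],
    "dast": [
        {"target": "payments", "url": "/api/orders", "type": "CWE-89", "risk": "critical"},
    ],
    "sca": [
        {"project": "blog", "package": "lodash@4.17.15", "vuln": "CWE-1321", "severity": "low"},
    ],
}

# Business criticality per asset (constructed; in practice it comes from an asset inventory).
ASSET_CRITICALITY = {"payments": 3, "blog": 1}

def normalize(tool, f):
    """Map one raw finding onto the common schema: asset, location, cwe, numeric severity."""
    if tool == "sast":
        asset, loc, cwe, sev = f["app"], f"{f['file']}:{f['line']}", f["cwe"], f["sev"]
    elif tool == "dast":
        asset, loc, cwe, sev = f["target"], f["url"], f["type"], f["risk"]
    elif tool == "sca":
        asset, loc, cwe, sev = f["project"], f["package"], f["vuln"], f["severity"]
    else:
        raise ValueError(f"unknown tool {tool}")
    return {"asset": asset, "location": loc, "cwe": cwe, "severity": SEVERITY[sev.lower()]}

def consolidate(raw):
    """Normalize, collapse duplicates (same asset/location/cwe), rank by business risk."""
    merged = {}
    for tool, findings in raw.items():
        for f in findings:
            n = normalize(tool, f)
            key = (n["asset"], n["location"], n["cwe"])
            if key in merged:  # same weakness at the same place: keep the worse severity
                merged[key]["severity"] = max(merged[key]["severity"], n["severity"])
                merged[key]["tools"].add(tool)
            else:
                merged[key] = {**n, "tools": {tool}}
    ranked = []
    for n in merged.values():
        n["risk"] = n["severity"] * ASSET_CRITICALITY.get(n["asset"], 1)
        n["tools"] = sorted(n["tools"])
        ranked.append(n)
    return sorted(ranked, key=lambda n: (-n["risk"], n["asset"], n["location"]))

if __name__ == "__main__":
    for n in consolidate(RAW_FINDINGS):
        print(n["risk"], n["asset"], n["cwe"], n["location"], n["tools"])
```

Five raw findings become four ranked items; the duplicate SAST row is collapsed and the critical DAST hit on the high-criticality payments asset sorts first.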
At the executive leadership
level, this visibility enables leaders to monitor and measure alignment with
the organization's security governance program, gauge risk exposure
and compliance status, and ultimately make sound risk management decisions for
the business. Business unit leaders need this visibility to understand their
product lines' security posture and security readiness, identify long-term
AppSec trends and compare AppSec performance across teams. Application owners
and development leaders need to be able to quickly identify and focus on
addressing AppSec hotspots, as well as figure out how to prevent issues from
re-occurring, whether it be through adding resources, training, or targeted
coaching for a specific development team or individual.
Delivering
secure applications to market at speed reduces risk and helps drive
innovation. In today's hyper-agile world, with its rapidly evolving and worsening
threat landscape, this is a sound business strategy. But it requires a
fundamental shift in the way organizations approach application security today.
Application security can no longer be haphazard, tool-centric and tactical. It
must be a strategic business process that connects and aligns security, engineering
and business leaders to collaboratively support the organization's governance
model while improving AppSec, visibility and time-to-market. This is true
DevSecOps.
## ABOUT THE AUTHOR
Joanne Godfrey is a Security Evangelist at
ZeroNorth. Prior to this, she was a Senior Product Marketing Manager at
IBM Security, where she was responsible for the positioning and
messaging of IBM Security's data security portfolio. Joanne has over two
decades of product marketing leadership experience at technology companies,
including AlgoSec, Bradford Networks (acquired by Fortinet), Shunra Software
(acquired by HP) and Precise Software (acquired by Veritas).
Joanne has a wide range of enterprise
technology expertise, including application, network and data security.
She is also a published author on cybersecurity topics in both industry and
business publications.