A new approach to transforming AppSec: Top 3 ways to build security into DevOps

Today’s approach to AppSec often requires teams to provide the security functions late in the SDLC. This creates a backlog of vulnerabilities that need to be fixed before they’re released into production.

Read this article to learn how to secure code quickly, run the right tests at the right time, and cut through the noise to focus on what matters most.

Content Summary

Executive Summary
The Status Quo: Velocity over Security
The New Generation of AppSec: Achieving Security Velocity
Empower Your Developers to Secure Code as Fast as They Write It
Run the Right Test at the Right Time
Cut Through the Noise of Findings and Focus on What Matters Most
The Key to AppSec Efficiency: Application Security Orchestration and Correlation
Conclusion

DevOps has changed the way organizations bring software to market, allowing them to deliver new applications and features rapidly and continuously. But it’s also introduced new security challenges as testing and remediation have failed to keep pace. As a result, cybercriminals have developed new attack strategies that intensify their focus on the application layer, including open source and software supply chains, capitalizing on the “velocity over security” ethos of modern software development.

A new approach to software development is needed. One that addresses business risk without impeding business progress. One that removes the false choice between speed and security—and makes the promise of DevSecOps a reality.

This article details three ways of achieving security with speed.

  • Run the right test at the right time and to the right depth
  • Align remediation efforts with business risks
  • Empower developers to secure code as fast as they write it

Organizations that can succeed in these areas will turn software security from a productivity inhibitor into a business enabler and competitive differentiator.

Executive Summary

Today’s approach to application security relies on resource-intensive testing, triage, and vulnerability remediation performed late in the software development life cycle. This results in a backlog of vulnerabilities that often overwhelms development and security teams’ ability to fix them before they’re released into production.

To build security into DevOps and achieve true DevSecOps, organizations need to adopt a new approach that provides intelligent, context-aware application security risk management.

This article details three facets of this new approach.

  • Empower your developers to secure code as fast as they write it
  • Run the right tests at the right time
  • Cut through the noise of findings and focus on what matters most

The Status Quo: Velocity over Security

As organizations adopt DevOps, the speed and complexity of software development has increased. In response, security and development teams are working in tandem to streamline testing by integrating application security testing (AST) tools into DevOps workflows. But integrating security introduces several hurdles that offset the time-savings of DevOps—hurdles such as wading through numerous or redundant findings, extraneous testing, and an inability to triage or understand how to remediate known vulnerabilities. These challenges have caused many DevOps initiatives to stall or fail, leaving applications less than fully tested—and less than fully secure.

Today, applications are an attractive vector for cybercriminals to target, making software risk a business risk that extends all the way to a company’s bottom line. Many web, mobile, and microservice applications reside beyond the firewall, but they still provide access to sensitive data and other systems inside the protected network. Cybercriminals have learned it’s often easier to target vulnerable applications than an organization’s network infrastructure. Indeed, nearly 50% of all data breaches over the last several years have exploited application vulnerabilities.

These breaches are also increasingly expensive. The average financial impact of a data breach rose from $3.86 million in 2020 to $4.24 million in 2021—the highest average in the 17-year history of the IBM “Cost of a Data Breach Report 2021.”

These statistics make the findings of a recent study by Enterprise Strategy Group (ESG) all the more alarming: 79% of organizations admitted to pushing application changes into production with known vulnerabilities. When asked why, 54% said the need to meet critical deadlines forced teams to prioritize releasing vulnerable code instead of fixing it. This, despite 70% of the same organizations utilizing 11 or more AST tools at any given time.

Clearly, the legacy approach to application security (AppSec), which “tacks on” testing, triage, and remediation to DevOps, is not keeping pace with modern software development or the threats presented by today’s cybercriminals.

A new approach to AppSec is needed—one that addresses business risk without impeding business progress, removes the false choice between speed and security, and makes the promise of DevSecOps a reality.

The New Generation of AppSec: Achieving Security Velocity

To build security into DevOps and achieve true DevSecOps, organizations need to manage AppSec workflows without hindering speed and flexibility. This requires integrating AppSec at every stage of the software development life cycle (SDLC) and giving security and development teams a global view of software risk, critical vulnerabilities, and workflow management across tools, personas, and operations. Doing so would enable intelligent, context-aware application security risk management.

But how do you get there?

As software development processes and tools become more modular, integrated, and automated, so too must the tools and processes used to secure software. This is especially true for the security tools that are “shifting left” in the SDLC and reaching the developer’s desktop.

But DevSecOps isn’t simply about integrating and automating AST tools. It’s about intelligently running the right tests at the right time and giving teams the ability to focus on the issues that matter most to their business. Organizations that succeed in these areas will turn software security initiatives from a productivity inhibitor into a business enabler and competitive advantage.

Empower Your Developers to Secure Code as Fast as They Write It

The lowest-cost vulnerability to remediate is the one that never makes it into the codebase. Giving developers tools that allow them to fix issues before they commit their code to the build pipeline reduces strain on downstream testing.

But most developers are not security experts. And unfortunately, tools that are optimized for security teams are often too complex and disruptive to be embraced by developers. To make matters worse, security tools often require developers to leave their integrated development environments (IDEs) to analyze issues and determine appropriate fixes. But constantly switching tools and contexts is a productivity killer.

The solution: Fast, lightweight AppSec analysis in the IDE

Developers need an IDE-based AppSec solution that helps them find and fix security issues on the fly, while they code, without switching tools or interrupting their workflows. The solution should combine integrated static application security testing (SAST) and integrated software composition analysis (SCA) to provide real-time alerts and visibility into security weaknesses in proprietary code and known vulnerabilities in open-source dependencies.

Code Sight by Synopsys

Code Sight offers these benefits as well as insight into unsecured infrastructure-as-code (IaC) configurations, potential secrets or sensitive data leakage risks, and vulnerable API usage.

Code Sight analyzes large codebases in seconds; it scans WebGoat in 3 seconds and Apache Hadoop in 10 seconds. It offers detailed remediation guidance directly in the IDE, helping developers fix issues fast and improve code quality.

Code Sight’s integrated SAST automatically scans and analyzes source code and IaC files as developers work. It highlights detected issues in the editor window for easy identification. Hovering over a highlighted line of code displays issue descriptions and remediation guidance, allowing developers to fix many vulnerabilities with a single click.

Code Sight’s integrated SCA detects known security vulnerabilities in both direct and transitive open source dependencies. It identifies the vulnerability as well as the Common Vulnerabilities and Exposures (CVE) and Black Duck® Security Advisory ID directly in the IDE. It also provides severity information based on Common Vulnerability Scoring System (CVSS) scores to help prioritize which issues to fix first.

Remediation guidance helps developers select the next available vulnerability-free or lower-risk version of the component.

Code Sight is unique in that it embeds market-leading open source and code analysis technology, optimized for the speed requirements of developers, directly within the tools they are already using. It proactively improves an organization’s security posture while saving time and money.

Choosing the right type of AST tool requires several considerations: the environment in which the tool is deployed, the types of software flaws it searches for, the programming languages the tool supports, and the stage of the SDLC when testing is run. For this reason, most organizations use a variety of AST tools, including proprietary and third-party/commercial dynamic application security testing (DAST), interactive application security testing (IAST), static application security testing (SAST), and software composition analysis (SCA). According to ESG, 70% of firms use more than 11 AST tools, and 27% use more than 25 AST tools.

Although many tools offer direct integration with DevOps pipelines, teams often struggle with the complexity and time lags this automation introduces. Automating full scans with every build can clog pipelines and overwhelm developers with findings “noise.”

The challenges of integrating and automating AST tools include

  • Lengthy scan cycles: DevOps build pipelines run in a matter of seconds to a few minutes, but AppSec tool scans often take several hours. Factor in multiple forms of analysis (SAST, DAST, SCA, etc.) and the problem is compounded, turning remediation hours into days or even weeks.
  • Too many findings: Integrating and automating full AST scans into continuous integration pipelines causes an overwhelming volume (and duplication) of results, even if only a small percentage is problematic enough to require developer attention. Teams get bogged down in triage and remediation, leading to delivery schedules taking precedence over security concerns.
  • Proliferation of tools and scans: Running multiple testing tools at different points of the SDLC can produce duplicate results that need to be correlated and deduplicated later. Most teams fail to merge related findings, increasing the backlog of remediation activities.

The solution: Application security testing orchestration

Smaller, purpose-built tests that can be run intelligently—at the right time, to the right depth, and on the right application—relieve congestion and keep DevOps pipelines running smoothly. To do this, organizations need an application security testing orchestration (ASTO) solution to stitch together disparate tools and processes and coordinate their execution automatically.

ASTO tools integrate security tooling across the SDLC by acting as middleware between

  • Development, including IDE, continuous integration/continuous delivery (CI/CD) systems, and bug-tracking
  • Operations, including container orchestration engines and continuous configuration automation
  • Security, including scanning tools and vulnerability management

Per Gartner, “ASTO solutions aid security, development, and operations teams in coordinating the many security tests that should be performed on code. As such, these solutions can be a significant enabler in implementing DevSecOps initiatives, and they promise substantial benefits in terms of more consistent testing and smoother operations.”

In practice, ASTO solutions automatically run the right security tools or trigger manual testing activities based on the significance of code changes, total risk score, and your organization’s security policies.

Intelligent Orchestration by Synopsys

With Intelligent Orchestration, you gain the option of running your ASTO solution directly in the build/release pipeline; in a separate, isolated pipeline; or through a separate execution environment. The isolated pipeline runs parallel to existing pipelines and integrates into them via APIs (see Figure 1 below). You also get the added benefit of integrating with third-party tools, whether on premises or in the cloud.

Figure 1. The isolated testing pipeline

Intelligent Orchestration also allows organizations to set policies-as-code, defining the rules for which tests to run and when, and to enact the policies programmatically via API. For example, you can set risk scores based on criteria such as whether an application is internet-facing, business-critical, contains restricted data, includes critical open vulnerabilities, or has had significant code changes. You can customize the score ranges and types of tools to run based on predetermined policies, compliance, and governance requirements.

Intelligent Orchestration can also initiate manual or out-of-band activities, such as code reviews and penetration tests, through existing defect-tracking systems and communication channels. This enables security and development teams to implement coordinated workflows that align security compliance objectives with application development and release milestones (see Figure 2 below).

Figure 2. Run the right test at the right time, as well as manual and out-of-band activities

With ASTO solutions like Intelligent Orchestration

  • Developers spend less time chasing low-priority defects and more time fixing the ones that present the highest business risk
  • DevOps engineers add security checks into their existing workflows without breaking them or slowing them down
  • AppSec teams ensure compliance with risk policies and integrate manual and out-of-band activities with DevOps workflows

Cut Through the Noise of Findings and Focus on What Matters Most

With most organizations running 11 or more AST tools, and with each scan of each tool producing hundreds or even thousands of findings, it’s easy to see how results can get too unwieldy to manage and triage. Even if you’re using an ASTO solution to limit the frontend load, you will likely struggle to rationalize the disparate findings from different tests, aggregate them into a single source of truth, and prioritize them based on your organization’s risk posture and policies.

It’s no wonder that many security and development teams struggle to answer basic questions such as

  • When was my software tested?
  • What was found?
  • Where do my vulnerabilities come from?
  • What is the extent of my exposure/exploitability?
  • What was fixed?

Three main issues prevent teams and their executives from answering these questions.

  • People. The responsibility for AppSec is split across many teams (Development, QA, AppSec, etc.) and even across projects. Each team is often narrowly focused on its particular component or SDLC phase.
  • Process. Manual activities like code reviews and penetration tests are often not coordinated with automated testing activities.
  • Technology. Teams must pull findings from the multitude of AST tools they use, which categorize and prioritize findings differently. This makes it difficult to manually normalize and correlate results between them.

The solution: Application vulnerability correlation

The inability to pinpoint vulnerable software, centralize and prioritize critical findings, and track the progress of remediation efforts has led many organizations to implement an application vulnerability correlation (AVC) solution.

AVC tools provide workflow and process management capabilities that help streamline vulnerability remediation in the SDLC by normalizing AST results to a common nomenclature. They also correlate findings from myriad security testing tools and data sources in a central repository, filter out duplicate results, and assess the exploitability and severity of a vulnerability, making remediation and prioritization of security activities more effective. AVC tools optimize the triage process and reduce friction between security and development teams by automating the process flow between people, processes, and technology.
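The normalize, correlate, deduplicate, and prioritize steps described above, as an added example that is not code from Code Dx or any vendor; the two tool outputs are constructed, the tool names “sast-a” and “sast-b” are hypothetical, and the severity mapping is an assumption.

```python
"""Normalize, correlate and deduplicate AST findings (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed output of a hypothetical tool "sast-a": textual severity levels.
SAST_A = [
    {"rule": "sql-injection", "cwe": 89, "path": "src/db/query.py", "line": 42, "level": "high"},
    {"rule": "hardcoded-secret", "cwe": 798, "path": "src/config.py", "line": 7, "level": "medium"},
]
# Constructed output of a hypothetical tool "sast-b": different keys, CVSS-style scores.
SAST_B = [
    {"checker": "SQLI", "cwe_id": "CWE-89", "file": "./src/db/query.py", "loc": 42, "score": 9.1},
    {"checker": "XSS", "cwe_id": "CWE-79", "file": "./src/web/render.py", "loc": 118, "score": 6.4},
]

# Assumed mapping of textual levels onto the 0..10 scale used for ranking.
LEVEL_TO_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5}


@dataclass
class Finding:
    """Common record shape every tool's result is mapped onto."""
    cwe: int
    file: str
    line: int
    severity: float
    tools: set[str] = field(default_factory=set)


def norm_path(path: str) -> str:
    """Strip a leading './' so both tools name the same file identically."""
    return path[2:] if path.startswith("./") else path


def normalize(tool: str, raw: dict) -> Finding:
    """Map one raw result from a known tool schema to a Finding."""
    if tool == "sast-a":
        return Finding(raw["cwe"], norm_path(raw["path"]), raw["line"],
                       LEVEL_TO_SCORE[raw["level"]], {tool})
    if tool == "sast-b":
        return Finding(int(raw["cwe_id"].split("-")[1]), norm_path(raw["file"]),
                       raw["loc"], raw["score"], {tool})
    raise ValueError(f"unknown tool schema: {tool}")


def correlate(findings: list[Finding]) -> list[Finding]:
    """Merge duplicates on (CWE, file, line); rank by severity, then by tool agreement."""
    merged: dict[tuple[int, str, int], Finding] = {}
    for f in findings:
        key = (f.cwe, f.file, f.line)
        if key in merged:
            merged[key].severity = max(merged[key].severity, f.severity)
            merged[key].tools |= f.tools
        else:
            merged[key] = f
    return sorted(merged.values(), key=lambda f: (f.severity, len(f.tools)), reverse=True)


def triage() -> list[Finding]:
    """Run the sample outputs through normalization and correlation."""
    raw = [normalize("sast-a", r) for r in SAST_A] + [normalize("sast-b", r) for r in SAST_B]
    return correlate(raw)
```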

Code Dx by Synopsys

Code Dx integrates all your AST results into a centralized location and automates the most time-intensive tasks to speed up testing and remediation (see Figure 3 below).

The benefits of an ASOC approach

Without automation:

  • No bird’s-eye view of results
  • Difficult to scale AppSec with DevOps
  • Friction between security and DevOps teams
  • Vulnerabilities found too late in SDLC
  • No centralized record of AppSec processes

With automation:

  • One centralized platform to see everything
  • Scale on demand
  • Security and development work in harmony
  • Save remediation costs by fixing earlier in SDLC
  • AppSec system of record for accountability

Code Dx

  • Correlates results from all your AST tools (static, dynamic, commercial, and open source) into a single console
  • Prioritizes vulnerabilities using machine learning to predict which vulnerabilities are most critical to your organization and automatically sends high-priority ones to your developers’ issue-trackers (e.g., Jira) for remediation
  • Tracks remediation activities in a system of record to manage accountability and assign tasks to specific team members
  • Centralizes risk visibility to provide a 360-degree view of risk across custom code, third-party components, and the network where your software resides

Code Dx fits seamlessly into the CI/CD pipeline, consolidating all your AppSec activities into a single place. Because Code Dx has two-way integrations with issue-trackers like Jira, your development team never has to interact directly with any application analyzers.

The Key to AppSec Efficiency: Application Security Orchestration and Correlation

Clearly, the rate and complexity of today’s software development require automation. This includes running the right security tools at the right time as well as managing and triaging the results. The growing adoption of security automation led Gartner to define a new category of solutions that merged ASTO and AVC into one: application security orchestration and correlation (ASOC).

ASOC solutions like Intelligent Orchestration and Code Dx provide the automation needed to scale security testing and identify and conduct the most impactful security activities. This enables stakeholders across security and development to keep up with DevOps pipelines, while still allowing granular control over each step of the process.

ASOC tools

  • Automate the deployment of the right tools at the right time
  • Allow granular policy enforcement
  • Aggregate, deduplicate, normalize, and correlate findings
  • Provide audit control and reporting to support organizational and regulatory standards

Conclusion

As you look to accelerate software development, these three pillars will help mitigate software risk and keep your internal operations resilient. Synopsys offers security and development teams a layered approach to accomplish this. Code Sight provides developers with a quick analysis of source code and remediation guidance to implement security at the ground level. Intelligent Orchestration and Code Dx comprise a complete ASOC solution that enables organizations to gain an AppSec system of record, coordinate testing intelligently, and gauge their most impactful security activities based on risk.