Software Fast, Software Secure: Improving AppSec without impeding software innovation


By Joanne Godfrey, Security Evangelist, ZeroNorth

Businesses today are under increasing pressure to deliver more software, at greater speeds, and with better quality. But while DevOps has accelerated to meet velocity demands, security is often left behind, leading to application security (AppSec) vulnerabilities that can easily be exploited. With the recent software supply chain related AppSec vulnerabilities and the resulting breaches, the security of enterprise software has never been more important.

But as modern and transformative organizations rush to deliver innovations to meet their business obligations and gain a competitive edge, they typically struggle with multiple AppSec challenges, all of which can put their organizations at risk.

Securing Software Products: New or updated software products are often stopped at the final security control gate when critical application vulnerabilities suddenly come to light, preventing an on-time deployment. Worse still, products are deployed into production even though they contain critical vulnerabilities that could cause a breach or compliance violation. But application security is a complex, time-consuming and resource-intensive process that needs to be agile enough to adapt and keep pace with a rapidly changing technology landscape. And ramping up an AppSec program is not a simple process. It takes time, staff, expertise and budget – all of which are generally in short supply right now. It also requires a strategy that supports the organization’s specific business needs, development processes and culture.

Driving DevSecOps: Development teams are embracing DevOps to support rapid release cycles and meet the demands of digital and business transformation. But application security testing is extraneous to DevOps; it breaks the flow and agility of DevOps and creates friction between security and development teams. While many development teams today understand the inherent value of embedding security within DevOps processes, they do not have a way to invoke the tools within their pipelines—not to mention, plow through the findings to triage and prioritize critical vulnerabilities, all while maintaining pipeline velocity.

Making Sense of the Vulnerability Data: Most organizations use at least a handful of scanning tools to test their code — from its early beginnings until it’s compiled into applications and deployed in production. With numerous assets being scanned, these tools generate vast amounts of disparate vulnerability data —often with different taxonomies, formats or naming conventions. As a result, developers are overwhelmed with a huge number of vulnerabilities to fix, and no way to prioritize them by criticality. This untenable situation slows down engineering work and delays release cycles, all while critical vulnerabilities are ignored or missed entirely.

Gaining a Single Source of Truth on AppSec Risk: Business, product security and engineering leaders must have the necessary data at their fingertips to easily gain a complete picture of the inherent risk within their application portfolio, at any point in time. This visibility is necessary to make informed business and operational decisions regarding their applications, including delivery timeframes and revenue projections. But security staff, struggling with an unwieldy amount of highly granular vulnerability data—or, conversely, a lack of any data at all—cannot gain a true picture of application security risk. As a result, they have no way to assess the overall security posture of the application portfolio, let alone communicate it to executives in a meaningful and easily consumable format.

For the Good of Software

Many organizations attempt to address these challenges in a piecemeal fashion using siloed or single-threaded tools and processes. This is not the ideal way. While these challenges are distinct from each other, they are also intertwined, and most organizations face many, if not all, of them simultaneously. Moreover, AppSec directly impacts the company’s bottom line, which means security must be a priority for every team involved in the delivery of applications into production.

To address these challenges, there needs to be a strategy and process coupled with automation and orchestration capabilities that unite the teams that are critical to delivering secure applications at speed in today’s modern enterprise—from developers to security to product owners and business leaders.

This includes the ability to enact central application security standards for the business, and then define and apply policies to individual DevOps pipelines. Security needs to be able to centrally manage the AppSec tools and easily connect and run any AppSec tool of choice within any DevOps pipeline, in a way that is transparent and friction free for developers, so that vulnerabilities are detected early in the software development lifecycle. AppSec vulnerability data must then be made usable and operational for developers, so that they can triage and remediate critical vulnerabilities quickly and easily. Lastly, there needs to be a way to easily visualize AppSec risk to the business, through analytics that let security, engineering and business leaders get on the same page and make the right business and operational decisions for the organization, based on a comprehensive, real-time view of AppSec risk.
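The two mechanical pieces described above and under "Making Sense of the Vulnerability Data" are normalizing findings from tools with different taxonomies and severity scales into one schema, and then applying a per-pipeline policy to the result. The following is an added illustration, not ZeroNorth's code; the two scanner output formats, the package names, the identifiers and the policy thresholds are all constructed for the example.

```python
from collections import Counter

# Constructed sample reports: a SAST tool and an SCA tool describe findings with
# different field names, severity scales and identifier schemes.
SAST_REPORT = [
    {"rule": "sqli", "file": "app/db.py", "line": 42, "sev": "HIGH", "cwe": "CWE-89"},
    {"rule": "xss", "file": "app/views.py", "line": 10, "sev": "MEDIUM", "cwe": "CWE-79"},
]
SCA_REPORT = [  # placeholder package names and advisory ids, not real vulnerabilities
    {"package": "examplelib", "version": "1.4.0", "severity": 9.1, "id": "EXAMPLE-2020-0001"},
    {"package": "otherlib", "version": "0.9.2", "severity": 5.6, "id": "EXAMPLE-2020-0002"},
]

def bucket_cvss(score):
    """Map a CVSS-style numeric score onto the four-level scale the SAST tool uses."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def normalize(sast, sca):
    """Return every finding in one schema: tool, severity, location, identifier."""
    out = []
    for f in sast:
        out.append({"tool": "sast", "severity": f["sev"].lower(),
                    "location": f"{f['file']}:{f['line']}", "id": f["cwe"]})
    for f in sca:
        out.append({"tool": "sca", "severity": bucket_cvss(f["severity"]),
                    "location": f"{f['package']}@{f['version']}", "id": f["id"]})
    return out

RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def prioritize(findings):
    """Order findings so developers see the most severe ones first."""
    return sorted(findings, key=lambda f: RANK[f["severity"]])

def gate(findings, max_high=0):
    """Constructed pipeline policy: block on any critical, or on more than max_high highs.
    Returns (passed, counts per severity) so the decision can be reported centrally."""
    counts = Counter(f["severity"] for f in findings)
    passed = counts["critical"] == 0 and counts["high"] <= max_high
    return passed, dict(counts)
```

The same normalized list feeds both the developer-facing triage order and the portfolio-level counts, which is what lets one policy be applied consistently across pipelines that use different tools.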

For decades, security investments were perceived as never-ending cost centers. Automating and orchestrating AppSec tools in concert with DevOps pipelines within a platform will deliver considerable and quantifiable ROI to security, DevOps and the business at large.

About the Author

Joanne Godfrey is Security Evangelist for ZeroNorth. Previous to this, she was a Senior Product Marketing Manager at IBM Security. She has also held management level positions at Egress Software Technologies, AlgoSec, and Bradford Networks (acquired by Fortinet). She holds an MA in Modern History from University of London and a BA in International Relations, Political Science, and Business from The Hebrew University.

Joanne can be reached online at https://www.linkedin.com/in/joannegodfrey or at https://www.zeronorth.io/