June 24, 2021

DevOps requires a modern approach to application security

DevOps requires a modern approach to application security

DevOps requires a modern approach to application security

Time to market is a key indicator today of business success, and anything that impedes a business’ ability to move fast needs to be addressed. While there have been a number of efforts to automate and integrate security into the application development process, it continues to be a hindrance to many organizations. 

Organizations are still unable to detect and address security issues fast enough because traditional approaches to security testing and existing tools were not made with speed, automation and continuous integration (CI) pipelines in mind.

According to Patrick Carey, senior director of market analysis and strategy of the Software Integrity Group at Synopsys, application security is often defined by siloed solutions: static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST). But these silos conflict with the way developers build, test and fix software. “They don’t care which analysis techniques are used.  They just want to quickly identify the issues that pose the highest risk,” Carey said. 

Application security testing needs to not only happen earlier in the application life cycle, it needs to be executed more intelligently. “As development, security, and operations converge we see these silos being knocked down, with security testing being delivered as an intelligent, integrated system of services that knows which tests to run when, and can identify the highest priority issues,” said Carey.    

The next generation of application security test automation

As software development has picked up speed, organizations have deployed automation to keep up, but many are having trouble working out the security testing aspect of it. Current application security testing tools tend to scan everything all the time, overwhelming and overloading teams with too much information.

If you look at all the tools within a CI pipeline, there are tools from multiple vendors, including open-source tools that are able to work separately, but together in an automated fashion while integrating with other systems like ticketing tools. “Application security really needs to make that shift in the same manner to be more more fine-grained, more service-oriented, more modular and more automated,” said Carey. 

Intelligent orchestration and correlation is a new approach being used to manage security tests, reduce the overwhelming amount of information and let developers focus on what really matters: the application. While the use of orchestration and correlation solutions are not uncommon on the IT operations side for things like network security and runtime security, they are just beginning to cross into the application development and security side of things, Carey explained. 

He went on to say that orchestration and correlation can greatly improve application security testing in two ways. First, it can enable teams to be more efficient about the way they use the tools available. “Orchestration and correlation can be the brains behind the system. It can determine which tool to run when and how, so that you’re only running the specific security tests you need when they’re needed,” he said.

Secondly, it can sort through and deduplicate findings from all the tests, remove the lower priority issues and surface the ones that need to be quickly addressed due to the business risks they pose. “This is important when you’re in a DevOps model where teams are releasing not every six months or every year, but multiple times per day. It’s about continuous incremental improvement. By keeping the teams focused on the higher priority risks, they can make that continuous improvement over time. It allows the teams to actually maintain velocity without compromising security because they are actually focusing on what matters,” he said. 

Expanding on intelligent orchestration and correlation

To add to its intelligent orchestration and correlation initiative, Synopsys recently announced it acquired the application security orchestration and correlation solution Code Dx. According to the company, Code Dx complements the Intelligent Orchestration solution released last year. Intelligent Orchestration simplifies and streamlines security testing in CI pipelines by determining and initiating the appropriate tests to run based on predefined policies, application risk profiles, and code changes.

Code Dx will extend the company’s vision, enabling teams to aggregate and correlate security test results from a wide range of Synopsys, third-party and open-source tools,  so they can focus remediation efforts on the security issues with the most business risks. 

“If you can remove friction from the pipeline, and you can stop burying teams with findings, that is really what’s going to be central to being able to realize the vision of DevSecOps where development, security and operations work together in aharmonious fast paced flow,” said Carey. “We’re really getting to the point where these traditional testing tool silos are going to struggle to keep pace with the way development is working today. What you’ll be seeing from us now that Code Dx is part of our portfolio is continuous movement towards a much more integrated, modular, and risk-based way of delivering application security.”

“We believe that application security isn’t about testing to oblivion and finding as many vulnerabilities as possible. It’s about understanding and managing application risk proactively, and doing so in a way that doesn’t impede development velocity and agility.”

Learn more at https://www.synopsys.com 

Content provided SD Times and Synopsys