On the heels of the RSA Asia Pacific and Japan conference that took place last week, one theme came up again and again in conversations at the Checkmarx stand: embedding security throughout an organization's DevOps ecosystem is seen as a difficult barrier to overcome. Visitors to our booth who work in Application Security (AppSec) were asked to take a short survey on the Top Key Concerns (or difficulties) they experience when trying to add more security to their own software development environments.
Participants were asked to rank their first and second Top Key Concern from the following list of four:
- I CANNOT KEEP PACE WITH ENGINEERING
- I CANNOT GET DEVELOPERS TO BUY IN
- I’M OVERWHELMED, THERE IS WAY TOO MUCH UNPRIORITIZED INFORMATION
- WHERE DO I EVEN START
Of the 126 visitors who completed the survey, here is how respondents ranked the four concerns as their Top Key Concern:
- #1 – I’M OVERWHELMED, THERE IS WAY TOO MUCH UNPRIORITIZED INFORMATION: 40 percent selected this option as their Top Key Concern
- #2 – I CANNOT GET DEVELOPERS TO BUY IN: 24 percent selected this option
- #3 – WHERE DO I EVEN START: 19 percent selected this option
- #4 – I CANNOT KEEP PACE WITH ENGINEERING: 17 percent selected this option
Although the number of respondents was smaller than in many surveys, one theme is easy to recognize: organizations and their Application Security (AppSec) teams are struggling, and the results point to the specific hurdles they face. So what is the problem, and how do we solve it?
The overarching problem is easy to understand. Software is everywhere. Our mobile devices, homes, cars, and much of our work and social lives are driven by software, and software that contains exploitable vulnerabilities has become the Achilles' heel of our industry. The more software developers deliver and organizations deploy, the more vulnerabilities are released into the wild. Trying to add the needed elements of software security to DevOps can feel like trying to jump onto a Ferris wheel that is moving at 100 km/h and never stops. Organizations want more secure software, but many are overwhelmed and are often not sure where to begin.
Given this, what solution can benefit organizations that are trying to embed security into their DevOps cultures? The Gartner report DevSecOps: How to Seamlessly Integrate Security into DevOps puts it this way: “Our goal as information security architects must be to automatically incorporate security controls without manual configuration throughout this [DevOps] cycle in a way that is as transparent as possible to DevOps teams and doesn’t impede DevOps agility, but fulfills our legal and regulatory compliance requirements as well as manages risk. Security controls must be capable of automation within DevOps toolchains in order to enable this objective.”
Security within DevOps has many aspects that are easy to overlook: defining security policies, identifying vulnerabilities, correlating results across tools, remediating vulnerabilities, and managing and monitoring the security program as a whole. Gartner's key objective is to incorporate security controls automatically, without impeding DevOps agility. So what kind of security controls are needed to embed security seamlessly into DevOps? The answer lies in integrated and automated Application Security Testing (AST) solutions that identify vulnerabilities, correlate and prioritize results, pair vulnerability remediation with secure coding education, and fit naturally into DevOps toolchains.
The recommendation is clear. Organizations that want to embed security directly into their DevOps initiatives should seek out and implement an integrated software security platform designed to meet the requirements Gartner highlights. The platform should include the following components, designed to plug directly into developers' tooling, from their Integrated Development Environments (IDEs) to the build and test pipeline:
- Static Application Security Testing (SAST)
- Interactive Application Security Testing (IAST)
- Software Composition Analysis (SCA, also called Open Source Analysis – OSA)
- Secure Coding Education (Codebashing)
Organizations that follow this recommendation and integrate automated AST solutions directly into the tooling of their DevOps environments are better placed to fulfill their legal and regulatory compliance requirements and to manage their overall risk. Simply put, automation within DevOps toolchains is critical to enabling these objectives and meeting DevSecOps goals.
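To make the "automated control in the toolchain" idea concrete, here is a small policy gate of the kind a pipeline would run after the SAST and SCA stages. It is an added example written for this article, not Checkmarx code and not the output format of any real scanner: the two JSON documents are constructed samples in a made-up shape, the package names and advisory IDs (ADV-0001, ADV-0002) are placeholders, and the severity ladder and the "fail at high" threshold are assumptions a team would tune to its own policy. What it shows is the step the survey's top concern is about: normalizing findings from two tools into one shape, collapsing duplicates so the same issue is not counted twice, ranking by severity, and turning the result into a single pass/fail decision the build can act on.

```python
"""Minimal DevSecOps policy gate: normalize findings from two scanners,
correlate duplicates, rank by severity, and decide whether the build passes.

Example code for this article; the input shapes below are constructed and
do not correspond to any real tool's report format.
"""
import json
import sys

# Constructed sample in the shape a SAST tool might emit (hypothetical format).
# The third entry is a deliberate duplicate of the first.
SAST_JSON = json.dumps([
    {"rule": "CWE-89", "severity": "High", "file": "app/db.py", "line": 42},
    {"rule": "CWE-79", "severity": "Medium", "file": "app/views.py", "line": 17},
    {"rule": "CWE-89", "severity": "High", "file": "app/db.py", "line": 42},
    {"rule": "CWE-798", "severity": "Low", "file": "app/config.py", "line": 3},
])

# Constructed sample in the shape an SCA/OSA tool might emit (hypothetical format,
# placeholder package names and advisory IDs).
SCA_JSON = json.dumps([
    {"package": "examplelib", "version": "1.2.3", "advisory_id": "ADV-0001", "severity": "Critical"},
    {"package": "otherlib", "version": "0.9.0", "advisory_id": "ADV-0002", "severity": "Medium"},
])

# Assumed severity ladder; unknown labels rank as 0 so they never block a build silently
# (a real policy might instead treat unknown severities as errors).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def rank(severity):
    return SEVERITY_RANK.get(severity.lower(), 0)


def normalize_sast(raw):
    """Map SAST records to the common shape; the key identifies one distinct issue."""
    for f in json.loads(raw):
        yield {
            "source": "sast",
            "severity": f["severity"].lower(),
            "key": ("sast", f["rule"], f["file"], f["line"]),
            "title": f"{f['rule']} at {f['file']}:{f['line']}",
        }


def normalize_sca(raw):
    """Map SCA records to the common shape; one advisory per package version."""
    for f in json.loads(raw):
        yield {
            "source": "sca",
            "severity": f["severity"].lower(),
            "key": ("sca", f["advisory_id"], f["package"], f["version"]),
            "title": f"{f['advisory_id']} in {f['package']} {f['version']}",
        }


def correlate(findings):
    """Collapse duplicate keys, keep the highest severity seen, and sort by severity."""
    merged = {}
    for f in findings:
        cur = merged.get(f["key"])
        if cur is None:
            merged[f["key"]] = dict(f, count=1)
        else:
            cur["count"] += 1
            if rank(f["severity"]) > rank(cur["severity"]):
                cur["severity"] = f["severity"]
    return sorted(merged.values(), key=lambda f: (-rank(f["severity"]), f["title"]))


def evaluate_policy(findings, fail_at="high", max_allowed=0):
    """Return (passed, blocking): blocking lists findings at or above the threshold."""
    threshold = rank(fail_at)
    blocking = [f for f in findings if rank(f["severity"]) >= threshold]
    return len(blocking) <= max_allowed, blocking


def run_gate(sast_raw=SAST_JSON, sca_raw=SCA_JSON, fail_at="high"):
    """Full pipeline step: normalize both reports, correlate, and apply the policy."""
    findings = correlate(list(normalize_sast(sast_raw)) + list(normalize_sca(sca_raw)))
    passed, blocking = evaluate_policy(findings, fail_at)
    return {
        "passed": passed,
        "total": len(findings),
        "blocking": [f["title"] for f in blocking],
        "findings": findings,
    }


if __name__ == "__main__":
    result = run_gate()
    for f in result["findings"]:
        print(f"{f['severity']:<8} x{f['count']}  {f['title']}")
    print("GATE PASSED" if result["passed"] else "GATE FAILED")
    sys.exit(0 if result["passed"] else 1)
```

Run as a pipeline step, a non-zero exit fails the build, which is the transparent, no-manual-configuration control Gartner describes. The threshold and allowance are the policy knobs: a team drowning in unprioritized output can start with `fail_at="critical"`, drive that count to zero, and tighten the gate over time rather than switching everything on at once.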