DevSecOps has become one of the hottest buzzwords in the DevOps and security ecosystem over the past couple of years. But what is it, and how do you turn it into reality?
DevSecOps executes on the belief that security and development teams are jointly responsible for bolstering security – essentially bringing development and operations together. This methodology “bakes” security in as early as possible, covering the entire software development lifecycle, with the aim to find, fix, and prevent security vulnerabilities without degrading productivity or time-to-market.
In theory, it’s easy to understand what DevSecOps means and why people care about it. But practically speaking, how do you actually achieve it? The reality is that many organizations that are adopting agile and DevOp methodologies discover that the security tools they once used can no longer keep up with the speed and frequency of releases.
Here we explore the traditional SAST-DAST AppSec approach, the challenge it is facing when it comes to today’s pace of release delivery, and we introduce the new power couple to fit the DevSecOps era – SAST and IAST.
The traditional duo in the security gate era
Traditionally, to remain secure, organizations implemented AppSec programs that were primarily characterized by the use of toolsets that analyze the code or binary itself (i.e. static application security testing – SAST) or assisted operators in performing simulated attacks to see how an application would react (i.e. dynamic application security testing – DAST). These testing tools were typically managed by a team of security experts who operated in isolation and often requested developers to change the way they worked.
Fast forward to today, multi-day static and dynamic analysis run by a small pool of security experts is not a tenable model, when the business demands multiple software releases per day. While SAST tools can be pushed beyond security usage to the developers, DAST tools cannot. DAST tools must be operated by experienced AppSec teams to truly be useful, making them unsuitable for environments that foster automation and fast turnarounds.
The new power couple in the DevSecOps era
In today’s competitive world, the name of the game is time-to-market. Organizations are under increasing pressure to continuously deliver new and improved software. To win the race, nothing can get in the way of rapid releases. If security is not to be compromised, testing tools that can be automated and integrated into your software development lifecycle (SDLC) are a requirement.
When it comes to scanning your code, you need a SAST solution that can integrate with your CI/CD pipeline and deliver rapid, consistent results with low false-positive rates. To truly scan your code in an agile manner, a solution that provides incremental scanning is required. If you wait until the end of the SDLC to run a full scan of a built application, it will take you more time, attention, and will ultimately cost more money to resolve coding issues.
Similarly, when it comes to securing your runtime applications, you can’t afford to wait for a few days to get DAST results. You need a solution that can be integrated with your CI/CD pipeline and automated as part of every release. This is where Interactive Application Security Testing (IAST) solutions come in. Unlike legacy Dynamic Application Security Testing (DAST) tools, IAST provides real-time vulnerability detection and immediate feedback. Developers receive security feedback as soon as they run their code, so there’s no need to wait for additional scan processes to finish. At the same time, QA testers can quickly identify security vulnerabilities without extensive application security experience.
The real key to successfully adopting security solutions that fit DevSecOps is integration. While it’s great to have SAST that can incrementally scan your code, and IAST that analyses your running application in testing environments, the real DevSecOps benefit comes from bringing the power of these two together. At the end of the day, what’s the use in automating vulnerability scanning and making it faster, if you will still be slowed down by the need to aggregate the different results and make sense of it all? So remember, when evaluating SAST and IAST solutions, it’s important to understand how easy it would be to correlate between the two
Want to learn more? Watch our Better Together: SAST and IAST webinar