
Find fast, fix fast: building developer-enabled security


Natasha Gupta at Synopsys Software Integrity Group argues for the importance of embedding security into the development process, rather than regarding it as a bolt-on

Today, security is at odds with the new normal for software development. There is continued pressure to produce applications faster so that businesses can meet customer expectations, avoid downtime and stay competitive in the post-pandemic economy.

Yet reactive, “bolt-on” application security has failed to keep up with the speed of modern development. This often translates to a lack of checks when software is deployed, and presents ample opportunities for attackers to exploit code flaws that slip into production.

With a rising number of breaches targeting vulnerable applications, security ownership has largely shifted to developers, who often lack appropriate risk context to make key remediation decisions.

However, there is tremendous pushback against adopting additional security tooling and process, given the bottlenecks this introduces into developer workloads. This should force organisations to ask: how can we make our application security approach reflect the current developer experience?

Hurdles to effective application security

Over the years, we’ve seen how software development has evolved to embrace practices that champion agility, flexibility, and speed. One of these trends is hosting and developing applications in the cloud. According to the SANS 2022 DevSecOps Survey, the number of organisations running at least a quarter of their applications on-premises has decreased, from 83% in 2021 to 65% in 2022.

For development teams, migrating to the cloud offers compelling benefits. Major cloud providers provide a number of developer tools that are well-integrated with DevOps practices, and a lightweight, cost-effective means to quickly deploy applications and ensure business continuity.

We also see that the maturity of DevOps practices across industries has redefined expectations for software production times and refresh cycles. The use of open source code, the shift towards serverless architectures and the increasing adoption of low-code platforms have all made it possible to develop applications at greater velocity.

For many enterprises, frequent code changes are committed to production as a matter of course because continuous integration / continuous deployment (CI/CD) pipelines have been adopted. In the same report, 61% of businesses admit to delivering changes on a weekly basis, and 32% make changes at least once a day or on a continuous basis.

There are many complexities to integrating security and establishing successful DevSecOps. Application security teams are constantly overburdened with the extensive level of software assets and changes they need to monitor for possible flaws and vulnerabilities.

When findings are escalated, fixing defects can be especially time-consuming for development teams. There is often a lack of context and priority around each issue, and no way for developers to receive critical defects directly.

What we see is that automation is key to meeting development teams where they are, and that carries implications for how application security should be built to account for developer productivity.

With this in mind, what can organisations do to drive developer-enabled security and implement effective DevSecOps?

Optimising DevSecOps for scalable application security

For many organisations, the inability to foster a shared responsibility model between development and security is a major hurdle. In fact, as many as 44% of respondents noted that lack of developer buy-in is one of their top challenges to implementing DevSecOps.

Overcoming this pushback relies on implementing policy-driven DevSecOps: making sure that testing, triage and remediation are well incorporated at every stage of the software development life cycle (SDLC), and then having a way to implement policies that automate these security processes across pipelines.

One starting point is incorporating continuous testing to gain a holistic perspective of potential issues. Static application security testing (SAST) and software composition analysis (SCA) assess issues at build time, while interactive application security testing (IAST) and dynamic application security testing (DAST) tools test the running application. Each uncovers a different type of flaw, and together they help avoid costly post-production fixes.

An IAST tool, for example, can also be used to test critical application components like APIs and microservices. This is particularly relevant when we talk about securing cloud-native applications, where all functions, APIs, and protocols present in an application are potential attack vectors.

However, implementing a continuous testing approach can translate to an extensive level of tooling for security and development teams to track and manage.

This is where employing an application security orchestration and correlation (ASOC) solution comes in. ASOC solutions help simplify and augment two key aspects of DevSecOps initiatives: centralising control of diverse security testing tools, and providing a single source of record for security risk analysis.

What makes an ASOC solution uniquely suited to optimising application security processes is its ability to define and enforce security policies as code. Being able to craft policies that classify critical software assets or code changes, specify which security testing tools to run, and set timelines for fixing issues is a major component of automating detection, triage and response.

Having security policies that can be used across distributed tools, teams, and workloads is a way to standardise security hygiene across your organisation while keeping pace with developer agility.

By codifying these parameters for testing and escalation, security teams can establish universal policies which can be applied across diverse code sources and better integrate security testing within developer workflows.

Importantly, ASOC solutions also provide a way to ingest and normalise results from both automated and manual security testing, and a means to ascertain risk. The solution acts as a central repository for this security data by correlating and de-duplicating findings across tools and prioritising critical findings based on risk. It escalates high-risk findings to developers directly by syncing with their ticketing systems, which removes complexity and improves remediation workflows.
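As an added example (not Synopsys's product or code), the following Python sketches how the policy-as-code and correlation ideas from the last two paragraphs fit together: a policy held as data decides which tools each asset must run, how findings are weighted and how long a fix may take, while scanner records in different shapes are normalised, de-duplicated on location and weakness, ranked by risk and given a deadline. The policy shape, asset names, tool names and scanner output are all constructed for illustration.

```python
from datetime import date, timedelta

# Policy as code (assumed shape, not a Synopsys format): ranks, asset criticality, required tools, SLA days.
POLICY = {
    "severity_rank": {"critical": 4, "high": 3, "medium": 2, "low": 1},
    "asset_criticality": {"payments-api": 3, "internal-wiki": 1},
    "required_tools": {3: {"sast", "sca", "iast"}, 1: {"sast"}},
    "sla_days": {"critical": 7, "high": 30, "medium": 90, "low": 180},
}
# Constructed scanner output: each tool names the same facts differently.
RAW = [
    {"tool": "sast", "asset": "payments-api", "path": "src/db.py",
     "line": 42, "cwe": "CWE-89", "sev": "HIGH"},
    {"tool": "iast", "asset": "payments-api", "frame": "src/db.py:42",
     "cwe": "CWE-89", "risk": "High"},
    {"tool": "sca", "asset": "internal-wiki", "component": "lib-x@1.2",
     "cwe": "CWE-79", "severity": "medium"},
]

def normalise(raw):
    """Map one tool's record onto the shared schema used for correlation."""
    loc = raw.get("frame") or raw.get("component") or f"{raw['path']}:{raw['line']}"
    sev = (raw.get("sev") or raw.get("risk") or raw.get("severity")).lower()
    return {"asset": raw["asset"], "location": loc, "cwe": raw["cwe"],
            "severity": sev, "tools": {raw["tool"]}}

def correlate(raws):
    """De-duplicate on (asset, location, cwe), merging the tools that reported it."""
    merged = {}
    for f in map(normalise, raws):
        entry = merged.setdefault((f["asset"], f["location"], f["cwe"]), f)
        entry["tools"] |= f["tools"]
    return list(merged.values())

def risk(f):
    """Severity weighted by how critical the policy says the asset is."""
    return POLICY["severity_rank"][f["severity"]] * POLICY["asset_criticality"][f["asset"]]

def triage(raws, today):
    """Rank correlated findings by risk and attach the policy's fix deadline (ISO date)."""
    start = date.fromisoformat(today)
    return [(f, risk(f), (start + timedelta(days=POLICY["sla_days"][f["severity"]])).isoformat())
            for f in sorted(correlate(raws), key=risk, reverse=True)]

def coverage_gaps(raws):
    """Policy-required tools that reported nothing for an asset in this run."""
    seen = {}
    for r in raws:
        seen.setdefault(r["asset"], set()).add(r["tool"])
    return {a: POLICY["required_tools"][c] - seen.get(a, set())
            for a, c in POLICY["asset_criticality"].items()}
```

The SAST and IAST records for the same SQL injection collapse into one ticket credited to both tools, and `coverage_gaps` flags that the payments service was never scanned by the SCA tool the policy requires.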

What an ASOC solution achieves is visibility across your software estate, indicating the most impactful security work and the effectiveness of your application security programme. This helps security work within the developer experience by automating testing workflows, prioritising critical findings and pushing defects directly to those responsible, which can greatly enhance developer productivity and eliminate bottlenecks.

This, combined with continuous testing, is paramount to achieving an application security approach that is sustainable.

A tough environment to navigate

Application security is a tough environment to navigate, and with the tremendous volume of data, process and change involved, it is no wonder that both security and development teams are overwhelmed.

Ultimately, employing these tactics for policy-driven DevSecOps sets up a framework for accountability, transparency and efficiency, creating an application security experience that can work for all.

Natasha Gupta is senior security solutions manager at Synopsys Software Integrity Group
