2022 will be the year when a rising tide of organisations start leveraging application security (AppSec) as a business enabler. Traditionally, AppSec was viewed as a slow, resource-intensive hurdle placed in the way of business progress. We’re passing a tipping point where organisations are realizing that AppSec is inseparable from how we build, deploy, and run software, and it is essential to enterprise security and regulatory compliance. We’ve also just passed the point where AppSec automation has reduced the time and resources needed to secure software.
For organisations that build software, 2022 will be the year of invisible AppSec. When AppSec tools are run automatically, and when results are integrated with existing processes and issue trackers, developers can be fixing security weaknesses as part of their normal workflows. There is no reason for developers to go to separate systems to “do security,” and no reason they should be scrolling through thousand-page PDF reports from the security team, trying to figure out what needs to be done. When security testing is automated and integrated into a secure development process, it becomes a seamless part of application development.
At the same time, organisations are coming to recognise that AppSec is a critical part of risk management, and that a properly implemented AppSec programme results in business benefits. Good AppSec equals fewer software vulnerabilities, which equals less risk of catastrophe or embarrassing publicity, but also results in fewer support cases, fewer emergency updates, higher productivity, and happier customers. But how can organisations turn this knowledge into power?
Application security orchestration and correlation (commonly referred to as ASOC) offers a solution to resolve the seemingly endless conflict between speed and security in software development. While nobody in the industry argues that security doesn’t matter, there is a common hesitation that adding security to value streams may slow down development velocity. ASOC also delivers a centralised view of software-originated enterprise risks, adding coherence and actionability to the jumble of AppSec processes performed by the software and security teams.
In modern software development, speed rules. The rate of builds is exponentially faster than ever before. Facebook, on Android alone, has between 50,000 and 60,000 builds each day. Further, Amazon reportedly deploys new software to production every second. Put another way, that’s 86,400 builds every day.
ASOC offers an efficient, prioritised, and transparent way of aggregating test results that analyst firm Gartner found significant enough to coin the term “ASOC” and add it to its Hype Cycle in 2019. ASOC holds significant promise in the year ahead because it cuts through the noise of information overload.
But how? Well, a good ASOC solution will accomplish five major things that, collectively, will make software security testing more effective while keeping up with the ever-accelerating pace of development:
- Execute tests. ASOC runs application security tests using whatever AppSec testing tools an organisation has. The orchestration component of a tool, which is programmed to suit the types of applications being tested and the needs of the organisation, ensures the right tests are conducted at the right time.
- Correlate results. Different testing tools present results in various formats and nomenclatures. ASOC normalises them to a single nomenclature and then matches them to eliminate redundancies. It then combines and aggregates them into a superset of results.
- Prioritise findings. Not all software defects are equal. Some are trivial while others are critical, and development teams focus on what is critical. A robust ASOC tool supports this in two ways: first, with customisable rules that allow organisations to escalate certain classes of item for remediation; second, with machine learning (ML) that learns which items should be escalated and which can be ignored. When a scan is carried out, the ASOC tool should be able to present developers with a set of results that, based on prior activity, reflects their priorities for remediation.
- Track remediation. Superior ASOC tooling can take the highest-priority findings and automatically open a ticket in a defect tracker (e.g., Jira, Bugzilla). It can send the developer the type of finding, its location in the code, and remediation guidance. It can also verify that a defect has been corrected and, once it has, automatically close the ticket; this is known as two-way issue-tracker integration.
- Centralised platform. An analyst or executive doesn’t need to go to each individual tool to understand what problems exist and what’s being done to resolve them. An ASOC solution acts as an AppSec system of record. It also allows security executives to answer fundamental questions that can be crucial in boardroom discussions about how the security team is minimising risk to the business and in situations where legal or compliance questions around security exist. Such questions may include:
  - Was the software tested, and when? ASOC stores that information in its central data log and can present it comprehensively.
  - What security and quality defects were identified? While this may seem like a straightforward question to answer, if all your results sit in separate silos it becomes complex rather quickly. A good ASOC solution answers it easily because it has recorded and prioritised every issue identified by the various AppSec tools and techniques.
  - Were they resolved? If the ASOC solution is connected to the defect trackers and records remediation status, you can answer this almost instantaneously.
  - Where can I see my risk in one place? ASOC solutions provide a single platform for risk reporting.
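The correlate, prioritise and track steps above, as an added example that is not code from the article or from any ASOC product. It assumes two invented tool feeds (a SAST tool reporting CWE ids with word severities, an SCA tool reporting numeric CWEs with CVSS scores) and an organisation-specific escalation rule; all field names and sample findings are constructed for the example.

```python
# Added example of the ASOC correlation step: two constructed findings feeds
# (invented SAST and SCA tools) use different field names and severity scales.
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
# Constructed sample output, not from any real tool.
SAST_FINDINGS = [
    {"rule": "CWE-89", "sev": "High", "path": "app/db.py", "line": 42},
    {"rule": "CWE-89", "sev": "Medium", "path": "app/search.py", "line": 8},
]
SCA_FINDINGS = [
    {"cwe": 89, "cvss": 9.8, "file": "app/db.py", "ln": 42},
    {"cwe": 400, "cvss": 5.3, "file": "requirements.txt", "ln": 3},
]

def cvss_to_band(score):
    """Map a CVSS base score onto the common LOW/MEDIUM/HIGH/CRITICAL scale."""
    return "CRITICAL" if score >= 9 else "HIGH" if score >= 7 else "MEDIUM" if score >= 4 else "LOW"

def normalise(sast, sca):
    """Translate both tools' nomenclature into one schema: cwe, location, severity, sources."""
    out = [{"cwe": f["rule"], "location": f"{f['path']}:{f['line']}",
            "severity": f["sev"].upper(), "sources": ["sast"]} for f in sast]
    out += [{"cwe": f"CWE-{f['cwe']}", "location": f"{f['file']}:{f['ln']}",
             "severity": cvss_to_band(f["cvss"]), "sources": ["sca"]} for f in sca]
    return out

def correlate(findings):
    """Merge findings that share CWE and location; keep the worst severity seen."""
    merged = {}
    for f in findings:
        key = (f["cwe"], f["location"])
        if key not in merged:
            merged[key] = dict(f, sources=list(f["sources"]))
            continue
        m = merged[key]
        m["sources"] += f["sources"]
        if RANK[f["severity"]] > RANK[m["severity"]]:
            m["severity"] = f["severity"]
    return list(merged.values())

# Customisable rule (assumed): always escalate injection flaws plus anything HIGH or worse.
ESCALATE_CWES = {"CWE-89"}

def prioritise(findings):
    """Findings confirmed by more than one tool sort first within a severity band."""
    queue = [f for f in findings
             if f["cwe"] in ESCALATE_CWES or RANK[f["severity"]] >= RANK["HIGH"]]
    return sorted(queue, key=lambda f: (-RANK[f["severity"]], -len(f["sources"])))

def remediation_queue():
    return prioritise(correlate(normalise(SAST_FINDINGS, SCA_FINDINGS)))
```

Each entry in the returned queue is what a two-way tracker integration would turn into a ticket; the medium-severity SQL injection finding is escalated by the rule alone, while the dependency issue stays below the threshold.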
You can answer these management questions almost immediately, which makes ASOC an effective way to build trust in your software without putting a damper on development velocity. ASOC allows organisations to keep using a variety of security tools and techniques while continuing to raise their security maturity, without slowing them down.