To achieve DevSecOps, as the term implies, the Development, Security and Operations teams must work together to address the needs of the modern enterprise—secure applications, constantly evolving, delivered at speed. For this to happen, all these teams must be working from the same data set—a single source of truth for all the metrics that relate to application security risk—in order to make informed strategic business and operational decisions.
For example, they need to know the top five vulnerabilities, which applications are impacted by them, and the potential risk to the business. Are there gaps in the AppSec program? Where are they and what are the weakest points in the security posture? Is the security governance program on track? If not, why? The answers to these AppSec questions and many others will enable all the teams involved in DevSecOps to get on the same page around prioritizing vulnerabilities for remediation, based on business risk and impact.
For this reason, ZeroNorth recently announced its Advanced AppSec Risk Analytics. This new reporting capability utilizes a customer’s vulnerability data captured by the ZeroNorth AppSec automation and orchestration platform and turns it into a wide range of business intelligence analytics on the risk and health of the organization’s application security program. Reports are available for the enterprise, and for individual business units, product lines, or even individual DevOps pipeline teams.
While many of our customers already use the data collected by ZeroNorth to create their own custom BI reports (see for example this healthcare technology company), it requires a significant investment of their time and resources. So, to follow through on our customers’ requests and needs, we now provide a standard set of AppSec analytics that every organization needs. Additional reports and fully customizable reports are also available to provide customers the greatest flexibility with their AppSec data. The intent, with our new reporting capability, is to make it much easier, quicker and cheaper for ZeroNorth customers to gain a complete picture of their AppSec risk and detect and remediate critical vulnerabilities earlier.
We’re already seeing our reports used in a variety of different scenarios. With application security now a board-level concern, CISOs and product line owners are now using these reports to update their company’s BOD on the health of their security program, including progress made detecting and remediating critical vulnerabilities quarter over quarter.
CISOs are also using these reports to monitor and provide guidance on the organization’s security governance program. Using these reports, the security team can compare the number and severity of vulnerabilities present in code written by different teams and zero in on any problem areas. If a report shows more vulnerabilities in code produced by DevOps Team B, perhaps this should be investigated further… Why is this happening? Does the team need help, or perhaps more training on how to write secure code? Is there a need for some staff changes or other remedial actions?
On a more tactical level, the ZeroNorth reports help make sense of granular vulnerability data. One of the biggest AppSec challenges today is managing the ton of disparate data generated by AppSec tools. The ZeroNorth platform integrates all this data, normalizes it into a common risk framework, and correlates and dedupes the data. These new reports then provide a comprehensive, single view of all the vulnerabilities detected, based on business risk. This is hugely valuable to the product managers, the DevOps team leaders, and even individual pipelines owners who need vulnerability data in a useable format to make operational decisions on what to prioritize and schedule for the next scrum.
To find true DevSecOps, everyone must be looking at the same data so they can make intelligent decisions. This prevents misunderstandings, misperceptions, miscommunications and finger pointing. Ultimately, a clear picture of AppSec drives better risk management across the organization together with continuous improvement of the DevSecOps process. This new reporting capability from ZeroNorth is another milestone on our journey to deliver on our mission to unite security, DevOps and the business for the good of software.
For more information on how your organization can gain a single source of truth on AppSec Risk, or to see the ZeroNorth’s Advanced AppSec Analytics in action, please contact us or request a personal demo.