
How to Move Your Innovations Along on the Application Security Range


Publish Date

Aug 21, 2020


Tagged with

  • Cybersecurity
  • Application Security
  • DevSecOps
  • Digital Transformation
  • AppSec
  • CISO

In our third installment of a six-part series on how CISOs can find success in the “Wild West” of application security, we’ll take a look at what equipment is needed to bring innovation to market without falling prey to an outlaw. Stick with us as we travel through this modern territory of security while offering up unique insight on how CISOs today can find a secure home on the range.

(Read part one | part two)

Cattle drives, a major economic activity in the Old West, bear a surprising resemblance to the modern software development life cycle (SDLC). Getting animals to market as quickly as possible, while still maintaining marketable health and weight, was one of a cowboy’s biggest challenges. The professional challenges of the modern, enlightened CISO are not so different, as they are responsible for supporting development teams looking to get software to market “yesterday” while still ensuring “marketable” levels of security have been established and maintained. But just like the cattle hands from a century ago, CISOs trying to move their software through the range of application security (AppSec) need the right tools for their teams, including a method for processing all the valuable data these tools deliver.

Lasso Your Application Security Tool Set

On the range, tools like rope are what most cowboys depend on to keep things running smoothly. Similarly, CISOs must equip their security overseers with the right scanning tools across the entire SDLC—SAST, DAST, SCA, container analysis, cloud security testing and more. Each has a specific use, so it’s not a matter of just picking one. CISOs must find ways to achieve this same level of flexible and effective security by using the tools they have.

For example, companies with a growing AppSec and vulnerability discovery program can bootstrap their efforts with open source software (OSS), no commercial offerings needed. OSS scanning tools can quickly integrate across all phases of the SDLC, thereby reducing business risk immediately. Or these OSS tools can be used to lay the groundwork for a more extensive security program, one that eventually also leverages commercial security scanning tools. And for CISOs who have been shepherding along innovation for some time—buying, onboarding and managing security tools while working to optimize their overall value—it’s time to focus less on what you can do for your tools, and instead, on what they can do for you.

If you have a smattering of scanning tools across the SDLC, you’ll need to identify where there might be security gaps and ensure they are filled. If you’re just starting out in your AppSec journey, that can feel like a lot of tool implementation—and it can quickly become overwhelming, not to mention expensive.

Don’t Forget to Rope in Orchestration

The other piece of “equipment” you’ll need is orchestration. Each tool fulfills its own purpose, but it’s just one part of the full, continuous life cycle. Risk-based vulnerability orchestration ensures all your tools operate within cohesive processes and workflows and align with business risk. Addressing all the vulnerabilities uncovered by myriad security tools, let alone correlating and prioritizing them, eats up valuable time and resources. This is where the power of orchestration comes in, as it allows businesses to take immediate action on findings and integrate security earlier in the life cycle, without impeding development or speed.

Git Along, Little Dogies

In the Old West, little “dogies” were calves that fell behind in the herd—the ones that couldn’t quite keep up. The “dogies” in your application security arsenal are, in fact, single tools, often operating in a silo. While using commercial tools may become necessary down the line, you can kickstart or expand a scanning program using OSS tools until your organization is ready for commercial ones.

Whatever the case, if the benefits don’t sufficiently align with the effort and cost of using them, there’s a problem. A security rationalization process can help you optimize your security infrastructure to increase your overall posture. At the same time, it will improve your bottom line and further boost the company’s return on its AppSec investment.

Wrangle All Your Data

Every occupation uses data in some way to be successful. For cowboys, it was fairly simple. They just needed to know which animals were part of their herd. The information they required came from brands and earmarks on the animals themselves. To say the security data you rely on today is more complex is a vast understatement. To manage the mountain of information generated from many disparate security scanning tools, you need to solve four data challenges: volume, overlap, context and consolidation.

  1. Volume: Each tool generates its own data, and usually in its own unique format. Adding it all up across the entire AppSec stack leaves you with an immense collection of raw data. Before you can even think of using it, you need to normalize and correlate it all.
  2. Overlap: Once you’ve addressed volume, you need to tackle overlap. Even though each tool performs a specific function, there will be areas where they intersect. This means some data will be duplicative, so you need to synthesize results across similar tools.
  3. Context: Like any other process, software development has dependencies. Data must be presented in the appropriate context to be actionable—and synthesized results compared with downstream tools to understand linkages across the SDLC.
  4. Consolidation: When it’s time to act on the data, developers must be able to do so efficiently and effectively. All of these “to-dos” should be consolidated into logical units of work that align with their workflows.
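The four steps above describe a small data pipeline: normalize, de-duplicate, add context, group into work. The following is an added example (not ZeroNorth's code or any real product's data model) that walks constructed findings from three hypothetical scanners through those steps. The tool output formats, the CWE-to-category map, the severity scale, the component ownership table and the risk weighting are all assumptions made for illustration.

```python
"""Normalize, correlate, prioritize and consolidate scanner findings (illustrative example)."""
from collections import defaultdict

# Constructed sample output from three hypothetical scanners, each in its own format.
# None of these are real tool formats; they stand in for the heterogeneous raw data.
SAST_A = [  # hypothetical SAST tool: rule name, file, line, text severity
    {"rule": "sql-injection", "file": "billing/orders.py", "line": 42, "level": "HIGH"},
    {"rule": "hardcoded-secret", "file": "billing/config.py", "line": 7, "level": "MEDIUM"},
]
SAST_B = [  # second hypothetical SAST tool: CWE id, path, numeric severity
    {"cwe": 89, "path": "billing/orders.py", "start_line": 42, "severity": 8.5},
    {"cwe": 79, "path": "portal/views.py", "start_line": 118, "severity": 6.1},
]
SCA = [  # hypothetical SCA tool: one record per vulnerable dependency
    {"package": "requests", "version": "2.19.0", "advisory": "EXAMPLE-ADVISORY-1",
     "component": "portal", "rating": "high"},
]

# Constructed SDLC context: owning team and business criticality per component (3 = critical).
CONTEXT = {
    "billing": {"owner": "payments-team", "criticality": 3},
    "portal": {"owner": "web-team", "criticality": 2},
}

CWE_TO_CATEGORY = {89: "sql-injection", 79: "xss"}  # assumed mapping for this example


def _to_score(value):
    """Map the scanners' differing severity scales onto one 0-10 numeric scale."""
    if isinstance(value, (int, float)):
        return float(value)
    return {"critical": 9.5, "high": 8.0, "medium": 5.0, "low": 2.0}[value.lower()]


def normalize(sast_a, sast_b, sca):
    """Volume: convert each tool's native records into one common schema."""
    findings = []
    for f in sast_a:
        findings.append({"tool": "sast-a", "category": f["rule"],
                         "location": f"{f['file']}:{f['line']}",
                         "component": f["file"].split("/")[0],
                         "score": _to_score(f["level"])})
    for f in sast_b:
        findings.append({"tool": "sast-b",
                         "category": CWE_TO_CATEGORY.get(f["cwe"], f"cwe-{f['cwe']}"),
                         "location": f"{f['path']}:{f['start_line']}",
                         "component": f["path"].split("/")[0],
                         "score": _to_score(f["severity"])})
    for f in sca:
        findings.append({"tool": "sca", "category": "vulnerable-dependency",
                         "location": f"{f['package']}@{f['version']}",
                         "component": f["component"],
                         "score": _to_score(f["rating"])})
    return findings


def correlate(findings):
    """Overlap: merge findings that describe the same weakness at the same location."""
    merged = {}
    for f in findings:
        key = (f["category"], f["location"])
        if key in merged:
            merged[key]["tools"].add(f["tool"])           # remember every tool that saw it
            merged[key]["score"] = max(merged[key]["score"], f["score"])
        else:
            merged[key] = {**f, "tools": {f["tool"]}}
            del merged[key]["tool"]
    return list(merged.values())


def prioritize(findings, context):
    """Context: weight severity by the business criticality of the affected component."""
    for f in findings:
        ctx = context.get(f["component"], {"owner": "unassigned", "criticality": 1})
        f["owner"] = ctx["owner"]
        f["risk"] = round(f["score"] * ctx["criticality"], 1)
    return sorted(findings, key=lambda f: f["risk"], reverse=True)


def consolidate(findings):
    """Consolidation: one unit of work per owning team, highest risk first."""
    work = defaultdict(list)
    for f in findings:
        work[f["owner"]].append(f)
    return dict(work)


def build_work_items():
    """Run the whole pipeline over the constructed sample data."""
    return consolidate(prioritize(correlate(normalize(SAST_A, SAST_B, SCA)), CONTEXT))


if __name__ == "__main__":
    for owner, items in build_work_items().items():
        print(owner)
        for item in items:
            print(f"  risk={item['risk']:>5} {item['category']} at {item['location']} "
                  f"(seen by {', '.join(sorted(item['tools']))})")
```

The SQL injection reported by both SAST tools at the same file and line collapses into one finding that records both sources, and the business-critical billing component floats to the top of its team's list even where a portal finding has a comparable raw severity. In practice the correlation key would need fuzzier matching (line drift between tool versions, path normalization), which is exactly the work an orchestration layer takes off the team.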

Delivering Safely to Market

Instilling AppSec throughout the SDLC to ensure innovations reach the market quickly requires herding a lot of moving parts. This means deploying the scanning tools you need, including the ability to orchestrate them, and eliminating those you don’t. It also means corralling all the raw data into usable insights you can properly evaluate, prioritize—and act on. The result will be a much smoother trail to real application security.
