In our third installment of a six-part series on how CISOs can find success in the “Wild West” of application security, we’ll take a look at what equipment is needed to bring innovation to market without falling prey to an outlaw. Stick with us as we travel through this modern territory of security while offering up unique insight on how CISOs today can find a secure home on the range.
Cattle drives, a major economic activity in the Old West, bear a surprising resemblance to the modern software development life cycle (SDLC). Getting animals to market as quickly as possible, while still maintaining marketable health and weight, was one of a cowboy’s biggest challenges. The professional challenges of the modern, enlightened CISO are not so different, as they are responsible for supporting development teams looking to get software to market “yesterday” while still ensuring “marketable” levels of security have been established and maintained. But just like the cattle hands from a century ago, CISOs trying to move their software through the range of application security (AppSec) need the right tools for their teams, including a method for processing all the valuable data these tools deliver.
Lasso Your Application Security Tool Set
On the range, tools like rope are what most cowboys depend on to keep things running smoothly. Similarly, CISOs must equip their security overseers with the right scanning tools across the entire SDLC—SAST, DAST, SCA, container analysis, cloud security testing and more. Each has a specific use, so it’s not a matter of just picking one. CISOs must find ways to achieve this same level of flexible and effective security by using the tools they have.
For example, companies with a growing AppSec and vulnerability discovery program can bootstrap their efforts with open source software (OSS), no commercial offerings needed. OSS scanning tools can quickly integrate across all phases of the SDLC, thereby reducing business risk immediately. Or these OSS tools can be used to lay the groundwork for a more extensive security program, one that eventually also leverages commercial security scanning tools. And for CISOs who have been shepherding along innovation for some time—buying, onboarding and managing security tools while working to optimize their overall value—it’s time to focus less on what you can do for your tools, and instead, on what they can do for you.
If you have a smattering of scanning tools across the SDLC, you’ll need to identify where there might be security gaps and ensure they are filled. If you’re just starting out in your AppSec journey, that can feel like a lot of tool implementation—and it can quickly become overwhelming, not to mention expensive.
Don’t Forget to Rope in Orchestration
The other piece of “equipment” you’ll need is orchestration. Each tool fulfills its own purpose, but it’s just one part of the full, continuous life cycle. Risk-based vulnerability orchestration ensures all your tools operate within cohesive processes and workflows and align with business risk. Addressing all the vulnerabilities uncovered by myriad security tools, let alone correlating and prioritizing them, eats up valuable time and resources. This is where the power of orchestration comes in, as it allows businesses to take immediate action on findings and integrate security earlier in the life cycle, without impeding development or speed.
Git Along, Little Dogies
In the old West, little “dogies” were calves who fell behind in the herd—the ones who couldn’t quite keep up. The “dogies” in your application security arsenal are (in fact) single tools, often operating in a silo. While using commercial tools may become necessary down the line, you can kickstart or expand a scanning program using OSS tools until your organization is ready for commercial ones.
Whatever the case, if the benefits don’t sufficiently align with the effort and cost of using them, there’s a problem. A security rationalization process can help you optimize your security infrastructure to increase your overall posture. At the same time, it will improve your bottom line and further boost the company’s return on its AppSec investment.
Wrangle All Your Data
Every occupation uses data in some way to be successful. For cowboys, it was fairly simple. They just needed to know which animals were part of their herd. The information they required came from brands and earmarks on the animals themselves. To say the security data you rely on today is more complex is a vast understatement. To manage the mountain of information generated from many, disparate security scanning tools, you need to solve four data challenges: volume, overlap, context and consolidation.
- Volume… Each tool generates its own data, and usually in its own unique format. Adding it all up across the entire AppSec stack leaves you with an immense collection of raw data. Before you can even think of using it, you need to normalize and correlate it all.
- Overlap… Once you’ve addressed volume, you need to tackle overlap. Even though each tool performs a specific function, there will be areas where they intersect. This means some data will be duplicative, which means you need to synthesize results across similar tools.
- Context… Like any other process, software development has dependencies. Data needs must be presented in the appropriate context to be actionable—and synthesized results compared with downstream tools to understand linkages across the SDLC.
- Consolidation… When you need to act on the data, developers must do so efficiently and effectively. All of these “to-dos” should be consolidated into logical units of work to align with their workflows.
Delivering Safely to Market
Instilling AppSec throughout the SDLC to ensure innovations reach the market quickly requires herding a lot of moving parts. This means deploying the scanning tools you need, including the ability to orchestrate them, and eliminating those you don’t. It also means corralling all the raw data into usable insights you can properly evaluate, prioritize—and act on. The result will be a much smoother trail to real application security.