Where software was once on the sidelines of organizational success, today it is front and center—with businesses under more pressure than ever before to deliver more software, at greater speed, with better quality. But as the DevOps movement has accelerated to address these challenges head on, and the processes for developing software have become more distributed, responsibility for securing these applications has splintered. As a result, application security has fallen through the cracks and stagnated, and the vulnerabilities left in its wake may have – and in some cases already have had – lethal consequences for businesses and for people when those applications are breached in production.
A recent study by the Ponemon Institute underscores the disconnect between security and DevOps teams, finding that 39% of developers believe the security team is ultimately responsible for application security, whereas 67% of AppSec respondents say their own teams are responsible. Moreover, 71% of AppSec respondents say security is undermined by developers who do not care about the need to secure applications early in the SDLC, and 53% of AppSec respondents say developers view security as a hindrance to releasing new applications.
This perspective was also shared in the IDC Vendor Profile, “ZeroNorth, Bringing End-to-End Clarity to Application Security,” where they state: “Security teams struggle to keep pace with development, and historically, DevOps teams have neglected security to their peril. With disparate tools clouding the landscape, organizations have left themselves open to attack because of the lack of integration and scant visibility across hybrid environments.”
So, what’s the solution? ZeroNorth is working to facilitate a true DevSecOps revolution with its application security automation and orchestration platform, whose raison d’être is to unite security, DevOps and the business for the good of software. Underscoring this goal are three fundamental principles: software needs structure, software thrives on speed, and software requires focus. The ZeroNorth platform supports these principles by helping to maintain security standards across the enterprise, helping to accelerate pipeline velocity, and working to unburden developers.
Accelerate software delivery, without disrupting DevOps
Today we announced new capabilities that are specifically designed to empower the security team to own the enforcement of standards and reporting, while liberating the development team to deliver secure software faster and more easily.
First, the new Application Portfolio Report highlights the security policies applied to each application, together with scan results and the progress of remediation work, and it enables drill-down into the details. It gives CISOs a holistic view of risk, and it gives product security and engineering teams the visibility needed to assess and implement security based on their specific LOB needs.
Second, ZeroNorth is working to make application security programs transparent and friction-free for developers, so they can meet corporate standards without changing their workflows or being flooded with non-priority tickets. To this end, the ZeroNorth platform has added support for two more application security scanning tools (with more to come) to provide coverage for the different types of applications people use to manage their lives and run their businesses. The newly supported tools are Scout Suite, an open source multi-cloud security-auditing tool that enables security posture assessment of cloud environments, and Aqua Trivy, a comprehensive open source vulnerability scanner for container images.
ZeroNorth has also expanded its DevOps toolchain integrations: it now integrates with, and can scan the contents of, BitBucket Server and GitLab source code repositories, including individual branches within both GitLab and GitHub repositories.
Third, we’ve added new features that provide greater flexibility to help security and product teams accelerate application delivery. These include customization of the vulnerability data compression parameters (such as the name and type of vulnerabilities, the libraries included, etc.) and customization of alerts to meet the needs of the DevOps process and support data-driven business decisions in real time.
As the IDC Vendor Profile says, “The future is bright for companies that truly provide visibility into security vulnerabilities and reduce workflow challenges for DevOps teams required to remediate security risks.” And with ZeroNorth, “Security thus becomes an enabling part of application development rather than the obstacle.”