This is How Orchestration Can Break the AppSec Stalemate

Category: Central AppSec Management

Publish Date: Oct 31, 2019

Written by: John Worrall

Tagged with: AppSec

Since joining ZeroNorth, I’ve spent a lot of time meeting with companies to discuss the challenges and opportunities they’re facing as their digital transformation initiatives accelerate—from moving to the cloud to embracing DevOps and microservices. One resounding theme has emerged from these conversations: there are simply not enough people, resources or hours in the day to understand (let alone manage) risk across these new environments. Often, security leaders I speak with have nascent application security programs, and many lack any type of structured AppSec initiative.

Of course, these leaders are aware of the inherent vulnerabilities in software and infrastructure and recognize the importance of reducing risk across the software development lifecycle (SDLC). But they’re crunched for time and often forced to make security tradeoffs for speed. To make matters worse, when they can actually dedicate resources to new application security tools, where do they even start? There are so many to choose from (there’s an alphabet soup out there—from SAST and DAST to IAST and RASP!) that product evaluation and vetting can take months. And once they’ve added a new tool to address a specific need, security teams have to spend valuable time learning the ins and outs of a new system and console. Multiply this complexity by the number of tools an organization has (or wants), and it’s virtually impossible to scale. For all of these reasons, many organizations have been paralyzed into inaction, and their AppSec programs never get off the ground.

In a time when speed is everything, and while the security stakes have never been higher, IT and security leaders recognize the need for a new approach. Orchestration, meaning the ability to consistently test, select and onboard scanning tools across the SDLC, to centrally manage all test and scan tools, and to present a consolidated view of risk across the enterprise, has the power to turn the tables and break this widespread “AppSec stalemate.” In my ongoing discussions with organizations across industries, the following benefits of orchestration are particularly resonant:

Gain a complete and continuous view of risk.
When you consider the fact that companies like Amazon now deploy code every second (or about 50 million deployments annually), it’s easy to see why scanning once a quarter, or even once a week or month, simply won’t cut it. And even if you are consistently scanning, it’s mostly happening in certain phases along the SDLC. We recently conducted a ZeroNorth survey, which indicates that organizations scan most frequently in build and CI environments, yet only 68% are doing so. Meanwhile, only 56% scan deployed software, and 46% scan integrated development environments (IDEs). Picking and choosing what to scan (if you’re scanning at all) leaves you with an incomplete view of risk to your organization. Orchestrated risk management makes it possible to track all applications and infrastructure throughout their respective lifecycles, bridge the gap across distinct scanning tools and gain a clear, consolidated picture of your organization’s security and compliance posture.

Save time and money.
Today, many enterprise organizations have between 12 and 15 application security and testing tools in use. To add complexity, each tool often requires its own separate team for management. The key to overcoming the AppSec stalemate is not adding more tools to the mix—but instead, finding a way to unify and extend the value of the tools you already have. This is the power of orchestration. By eliminating the need to manually evaluate, deploy and manage a host of disparate scanning and testing tools, time-strapped security teams can refocus their effort and skills on more business-critical priorities, while rapidly scaling the security of new applications and infrastructure. In many organizations, this shift can have residual benefits such as empowering a more satisfied, productive workforce and reducing employee churn.

Seamlessly scale.
There’s no silver bullet when it comes to AppSec (or, for that matter, any type of security). No single discovery tool can identify all of the bugs, flaws and vulnerabilities that exist in a system. But as we’ve seen, managing multiple tools can be a massive challenge and a time suck. Risk-based vulnerability orchestration enables you to manage five, six, ten, however many tools you want, from one single platform. This unified approach also gives you the ability to “try before you buy.”

Not sure which AppSec tool to purchase to fill scanning portfolio gaps? Trial and deploy several open source software (OSS) and vendor solutions, run them simultaneously on the platform and see which one is best for your unique environment.

Is your organization suffering from an AppSec stalemate? Orchestration can provide the kick-start you need to accelerate the implementation of an existing AppSec program or jump-start a nascent one. Learn more or feel free to get in touch with me.
