Since joining ZeroNorth, I’ve spent a lot of time meeting with companies to discuss the challenges and opportunities they’re facing as their digital transformation initiatives accelerate—from moving to the cloud to embracing DevOps and microservices. One resounding theme has emerged from these conversations: there are simply not enough people, resources or hours in the day to understand (let alone manage) risk across these new environments. Often, security leaders I speak with have nascent application security programs, and many lack any type of structured AppSec initiative.
Of course, these leaders are aware of the inherent vulnerabilities in software and infrastructure and recognize the importance of reducing risk across the software development lifecycle (SDLC). But they’re crunched for time and often forced to make security tradeoffs for speed. To make matters worse, when they can actually dedicate resources to new application security tools, where do they even start? There are so many to choose from (there’s an alphabet soup out there—from SAST and DAST to IAST and RASP!) that product evaluation and vetting can take months. And once they’ve added a new tool to address a specific need, security teams have to spend valuable time learning the ins and outs of a new system and console. Multiply this complexity by the number of tools an organization has (or wants), and it’s virtually impossible to scale. For all of these reasons, many organizations have been paralyzed into inaction, and their AppSec programs never get off the ground.
In a time when speed is everything, and while the security stakes have never been higher, IT and security leaders recognize the need for a new approach. Orchestration—the ability to consistently test, select and onboard scanning tools across the SLDC; centrally manage all test and scan tools and present a consolidated view of risk across the enterprise—has the power to turn the tables and break this widespread “AppSec stalemate.” In my ongoing discussions with organizations across industries, the following benefits of orchestration are particularly resonant:
Gain a complete and continuous view of risk.
When you consider the fact that companies like Amazon now deploy code every second (or about 50 million deployments annually), it’s easy to see why scanning once a quarter—even once a week or month—simply won’t cut it. And even if you are consistently scanning, it’s mostly happening in certain phases along the SDLC. We recently conducted a ZeroNorth survey, which indicates that organizations scan most frequently in build and CI environments, yet only 68% are doing so. Meanwhile, only 56% scan deployed software, and 46% scan integrated development environments (IDEs). Picking and choosing what to scan (if you’re scanning at all), leaves you with an incomplete view of risk to your organization. Orchestrated risk management makes it possible to track all applications and infrastructure throughout their respective lifecycles, bridge the gap across distinct scanning tools and gain a clear, consolidated picture of your organization’s security and compliance posture.
Save time and money.
Today, many enterprise organizations have between 12 and 15 application security and testing tools in use. To add complexity, each tool often requires its own separate team for management. The key to overcoming the AppSec stalemate is not adding more tools to the mix—but instead, finding a way to unify and extend the value of the tools you already have. This is the power of orchestration. By eliminating the need to manually evaluate, deploy and manage a host of disparate scanning and testing tools, time-strapped security teams can refocus their effort and skills on more business-critical priorities, while rapidly scaling the security of new applications and infrastructure. In many organizations, this shift can have residual benefits such as empowering a more satisfied, productive workforce and reducing employee churn.
There’s no silver bullet when it comes to AppSec (and for that matter, any type of security). No single discovery tool can identify all of the bugs, flaws and vulnerabilities that exist in a system. But as we’ve seen, managing multiple tools can be a massive challenge and a time suck. Risk-based vulnerability orchestration enables you to manage five, six, ten—however many tools you want—with one, single platform. This unified approach also gives you the ability to “try before you buy.”
Not sure which AppSec tool to purchase to fill scanning portfolio gaps? Trial and deploy several open source software (OSS) and vendor solutions, run them simultaneously on the platform and see which one is best for your unique environment.
Is your organization suffering from an AppSec stalemate? Orchestration can provide the kick-start you need to accelerate the implementation phase of one AppSec program or jump-start a nascent one. Learn more or feel free to get in touch with me.