In Forrester’s recent “The State Of Application Security, 2020” report, analysts confirm what many security professionals already know from daily experience—the speed of software development is only growing. And as this trend continues, organizations are now recognizing the need to integrate security earlier into their DevOps processes. But there’s a catch. What if, rather than making the development process more secure, the security tools they rely on actually slow down the software assembly line?
How do we reconcile the need for speed with the need for security?
In week four of our series on Forrester’s recent findings, we consider this conundrum more seriously and hear what experts are saying. At the base of this discussion lies one essential truth: development teams are not slowing down. In fact, development speed continues to accelerate while application security struggles to keep up. It’s time to look more carefully at what this means for the future.
Security is obviously critical in the building of better applications, but in today’s competitive world, time is of the essence. It’s an unavoidable truth. As we learned two weeks ago with the Forrester report, application security must be continuous. And Forrester agrees, “Security tools and processes that can’t work at development speeds will be tossed aside.” In other words, security can’t afford to fall behind.
Make Way for Secure DevOps
Although Forrester’s recent report doesn’t explicitly mention inserting security into DevOps to enable secure DevOps, it does stress the importance of integrating security into the software development lifecycle (SDLC) as early as possible. As an SDLC methodology, DevOps has fundamentally changed the development and delivery of software by helping organizations get higher quality products and services to market quickly. And the cultural evolution into DevSecOps—at least on paper—solves the speed versus security problem by ensuring security is baked in, not bolted on. Secure DevOps supports the theory of “early and often” testing that allows IT and security teams to work together in pushing out safe, quality code.
Change Your Culture, Not Your Tools
While this next statement may seem strange coming from us, we strongly believe organizations don’t need more security tools in their cybersecurity workbench. In truth, most businesses on the road to better application security already have at least a few good scanning tools in place. Once organizations understand the unique demands of their environment, they are able to adopt the appropriate tools. But the next step is key. They must then find a successful method for managing those existing tools more effectively and utilizing the loads of valuable intelligence they produce. And this shift happens through automating and orchestrating these tools, not by adding more.
Forrester recommends automation because it helps find vulnerabilities faster, without slowing down the development process. Automation also helps educate developers in real-time by “teaching them how to spot and fix vulnerabilities in their own code.” ZeroNorth agrees and takes it a step further, recommending orchestrating automated security tools to gain more benefit and value from the data they produce while creating “single units of work” for development, prioritized by genuine risk.
Of course, none of this matters if organizations don’t change the way they approach secure development. Security should seek to understand the needs and incentives of the development teams. And developers—plus the organization as a whole—should begin to view security as a necessity, rather than an obstacle.
The Look and Feel of Secure DevOps
Am I secure? Where are my risks? These are the questions companies are striving to answer. Orchestration of security scanning tools helps in the process by aligning focus on key risks and business priorities—getting everyone on the same page and speaking the same language. This includes development, operations and security teams, as well as executive leadership. From a process perspective, orchestration seamlessly brings security into the equation from the start, and from a tech perspective, orchestration provides the ability to test, select and onboard all application security scanning tools across the SDLC. More importantly, orchestration gives everyone an easy way to manage these tools and the same continuous and consolidated view of risk to critical assets.
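To make the orchestration idea above concrete (the “single units of work, prioritized by genuine risk” from the automation discussion, and the “consolidated view of risk” described here), the following added example shows the core of such a pipeline in Python. It is not ZeroNorth’s product code or anything from the Forrester report: the two scanner reports, their field names, the severity vocabulary, the asset criticality table and the scoring weights are all constructed assumptions. It normalizes findings from two differently shaped scanner outputs into one schema, merges reports of the same weakness in the same application, scores each finding by severity times business criticality (with a small bonus when more than one tool corroborates it), and groups the result into one work unit per application.

```python
"""Consolidate findings from several scanners into one prioritized work list.

Added example, not ZeroNorth's or Forrester's code. Scanner names, report
fields, severity words and scoring weights below are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample output from two hypothetical scanners. Each uses its own
# schema and severity vocabulary, which is exactly what orchestration must reconcile.
SAST_REPORT = [
    {"tool": "sast-a", "file": "src/login.py", "line": 42, "cwe": "CWE-89",
     "level": "HIGH", "app": "billing"},
    {"tool": "sast-a", "file": "src/util.py", "line": 7, "cwe": "CWE-79",
     "level": "MEDIUM", "app": "marketing-site"},
]
DAST_REPORT = [
    {"scanner": "dast-b", "url": "/login", "weakness": 89, "risk": "critical",
     "target": "billing"},
    {"scanner": "dast-b", "url": "/search", "weakness": 79, "risk": "low",
     "target": "marketing-site"},
]

# Business criticality per application, as an operator would configure it (assumed values).
ASSET_CRITICALITY = {"billing": 3, "marketing-site": 1}
# Common severity scale that every scanner's vocabulary is mapped onto (assumed weights).
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Finding:
    app: str
    cwe: str
    severity: str
    locations: list = field(default_factory=list)  # file:line or URL, per reporting tool
    sources: list = field(default_factory=list)    # which tools reported it

    def risk_score(self) -> int:
        """Severity weighted by how critical the asset is, plus 1 if corroborated."""
        base = SEVERITY_SCORE[self.severity] * ASSET_CRITICALITY.get(self.app, 1)
        corroborated = 1 if len(set(self.sources)) > 1 else 0
        return base + corroborated


def normalize_sast(rec: dict) -> Finding:
    """Map the hypothetical SAST schema onto the common Finding shape."""
    return Finding(app=rec["app"], cwe=rec["cwe"], severity=rec["level"].lower(),
                   locations=[f'{rec["file"]}:{rec["line"]}'], sources=[rec["tool"]])


def normalize_dast(rec: dict) -> Finding:
    """Map the hypothetical DAST schema onto the common Finding shape."""
    return Finding(app=rec["target"], cwe=f'CWE-{rec["weakness"]}',
                   severity=rec["risk"].lower(),
                   locations=[rec["url"]], sources=[rec["scanner"]])


def consolidate(findings: list[Finding]) -> list[Finding]:
    """Merge reports of the same weakness class in the same app into one finding,
    keeping the highest severity and the union of locations and sources."""
    merged: dict = {}
    for f in findings:
        key = (f.app, f.cwe)
        if key not in merged:
            merged[key] = Finding(f.app, f.cwe, f.severity, list(f.locations), list(f.sources))
            continue
        m = merged[key]
        if SEVERITY_SCORE[f.severity] > SEVERITY_SCORE[m.severity]:
            m.severity = f.severity
        m.locations.extend(f.locations)
        m.sources.extend(f.sources)
    return list(merged.values())


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first, so the top of the list is what developers fix next."""
    return sorted(findings, key=lambda f: f.risk_score(), reverse=True)


def work_units(findings: list[Finding]) -> dict:
    """One unit of work per application; the dict is keyed highest-risk app first."""
    units = defaultdict(list)
    for f in prioritize(findings):
        units[f.app].append(f)
    return dict(units)


def build_work_list() -> list[Finding]:
    """Run the whole pipeline over the constructed scanner reports."""
    raw = [normalize_sast(r) for r in SAST_REPORT] + [normalize_dast(r) for r in DAST_REPORT]
    return prioritize(consolidate(raw))


if __name__ == "__main__":
    for f in build_work_list():
        print(f"{f.risk_score():>3}  {f.app:15} {f.cwe:7} {f.severity:9} "
              f"seen by {sorted(set(f.sources))} at {f.locations}")
```

The correlation key here is deliberately coarse (application plus CWE); a real orchestration layer would also map URLs to code locations and track finding lifecycle across scans, but the shape is the same: one schema, one risk score that leadership and developers both read, and a short list per team rather than four raw scanner reports.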
ZeroNorth is the first company to effectively integrate security into the end-to-end development process. Learn how we helped Bidpath, one of the world’s leading online auction platforms, gain a consolidated view of risk that enabled them to prioritize vulnerabilities and ensure remediation while demonstrating the company’s dedication to vulnerability-free code.
Download the Forrester Report
Download your copy of The State Of Application Security 2020 to explore vertical-specific trends, learn about testing security earlier in the SDLC, understand automation’s increasing role in remediation—and more. Feel free to contact us at ZeroNorth to learn about how our capabilities for application vulnerability discovery can help you.