They say you can’t manage what you can’t measure. In AppSec, this translates into: you can’t protect what you don’t fully understand. That includes all the protective measures you have in place, where you are experiencing gaps, and how all these things fit together to create real security governance. This level of accountability and oversight of your security framework is what enables you, as a business, to establish appropriate controls while effectively assessing and mitigating risk.
Establishing an efficient DevSecOps program with strong security governance is about grouping and aligning security issues based on intrinsic risk factors. When ownership and risk are not aligned, communication about security across applications just isn’t possible. So, if you’re running a rapid development or CI/CD pipeline to push out software innovations quickly, this is important to keep in mind. Your AppSec practices have to keep up with the pace of business, without compromising the security of your product.
When You Don’t Know What You Don’t Know
Unless you’re a brand-new startup creating everything from scratch, you’ve got to get your arms around all of your technology assets—such as infrastructure, services and applications—before you can even think about aligning the relationship between ownership and risk. Further, you need to find ways to effectively monitor and communicate about risk in a continuous way.
The first step in this process is clear. You must discover and inventory the “pile” of application and infrastructure assets you have. But where to start? Because systems and processes tend to evolve over time, things might be all over the place. Teams have shifted with employees coming and going, and any institutional knowledge in their heads has gone with them. You may be able to identify a good portion of what you have, but if you miss a component of a critical application, no matter how minor it may seem, you open your business up to considerable risk.
While creating an inventory is key, it’s still just a list. This means you must also identify where each of those technology assets sits across the SDLC. The ultimate goal is to create a view of risk exposure by application, so you can track and manage risk throughout the entire SDLC. To do that, you must tie all those technology assets to lines of business and projects, and then map ownership and risk. And because your organization isn’t static—the environment and assets will continue to evolve—you need to keep that view up to date.
Discovery and Mapping Paves the Way
Building a single, unified view of risk across the SDLC requires you to bring information about disparate components together. First, because risk management and security governance aren’t a one-size-fits-all proposition—different applications will have different risk profiles—it’s important to know where individual components fit. You need to create meaningful groupings of assets and targets.
Second, to understand your risk exposure by target and application, you need to see how those components are used, which requires you to combine telemetry from different lifecycle phases. And finally, you need to operationally track coverage of assets as they move through the SDLC. With this mapped view of assets, you will understand ownership and give yourself the tools to build clear accountability. You will also recognize your risk exposure and how it should best be communicated across teams.
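To make the inventory-to-risk-view procedure above concrete, here is an added illustration (not ZeroNorth code, and not tied to its platform): a small Python script that takes an asset inventory gathered across SDLC phases, an ownership map and per-asset scan results, aggregates risk by application, and surfaces the two gaps the text warns about: assets that no application or owner claims, and assets that were inventoried but never scanned. The asset names, owners, severity weights and scan results are all constructed for the example.

```python
"""Added illustration (not ZeroNorth's code): turn an asset inventory gathered
across SDLC phases, an ownership map and scan findings into a per-application
risk view, and surface the gaps the text warns about: assets nobody owns and
assets that were inventoried but never scanned. All input data is constructed."""
from collections import defaultdict
from dataclasses import dataclass

SDLC_PHASES = ("code", "build", "deploy", "infra")
# Assumed, illustrative severity weights; a real program would use its own scale.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    phase: str         # SDLC phase in which discovery found the asset
    application: str   # application it was mapped to; "" if mapping failed


# Constructed inventory: one application fully mapped, one partially, one orphan.
INVENTORY = [
    Asset("repo:payments-api", "code", "payments"),
    Asset("build:payments-api#412", "build", "payments"),
    Asset("k8s:payments-api-prod", "deploy", "payments"),
    Asset("host:pay-db-01", "infra", "payments"),
    Asset("repo:web-portal", "code", "portal"),
    Asset("k8s:web-portal-prod", "deploy", "portal"),
    Asset("host:legacy-ftp-02", "infra", ""),   # found by infra discovery, no known owner
]

# Constructed ownership map: application -> line of business and owning team.
OWNERSHIP = {
    "payments": {"lob": "Finance", "owner": "team-payments"},
    "portal": {"lob": "Marketing", "owner": "team-web"},
}

# Constructed scan results keyed by asset: a list of finding severities.
# An empty list means "scanned, nothing found"; a missing key means "never scanned".
SCAN_RESULTS = {
    "repo:payments-api": ["high"],
    "build:payments-api#412": ["critical", "low"],
    "k8s:payments-api-prod": [],
    "repo:web-portal": ["medium"],
    "host:legacy-ftp-02": ["critical"],
}


def risk_score(severities):
    """Weighted count of findings using the illustrative scale above."""
    return sum(SEVERITY_WEIGHT[s] for s in severities)


def build_risk_view(inventory, ownership, scan_results):
    """Aggregate risk by application and report coverage gaps.

    Returns {"applications": {app: {...}}, "gaps": {...}}. Each application
    carries its line of business and owner, its summed score, the SDLC phases
    in which discovery found nothing for it, and the assets with no scan result.
    """
    apps = defaultdict(lambda: {"lob": None, "owner": None, "score": 0,
                                "phases": set(), "unscanned": []})
    orphaned, unattributed = [], 0
    for asset in inventory:
        if asset.application not in ownership:   # covers "" and unknown names
            orphaned.append(asset.asset_id)
            # Risk on an orphan is real, but nobody is accountable for it.
            unattributed += risk_score(scan_results.get(asset.asset_id, []))
            continue
        app = apps[asset.application]
        app["lob"] = ownership[asset.application]["lob"]
        app["owner"] = ownership[asset.application]["owner"]
        app["phases"].add(asset.phase)
        if asset.asset_id in scan_results:
            app["score"] += risk_score(scan_results[asset.asset_id])
        else:
            app["unscanned"].append(asset.asset_id)
    for app in apps.values():
        seen = app.pop("phases")
        app["missing_phases"] = [p for p in SDLC_PHASES if p not in seen]
    return {
        "applications": dict(apps),
        "gaps": {"orphaned": orphaned, "unattributed_score": unattributed},
    }


def prioritized(view):
    """Application names ordered by score, highest first, for triage."""
    apps = view["applications"]
    return sorted(apps, key=lambda name: apps[name]["score"], reverse=True)


if __name__ == "__main__":
    report = build_risk_view(INVENTORY, OWNERSHIP, SCAN_RESULTS)
    for name in prioritized(report):
        a = report["applications"][name]
        print(f"{name:10} lob={a['lob']:10} owner={a['owner']:14} score={a['score']:3} "
              f"missing_phases={a['missing_phases']} unscanned={a['unscanned']}")
    print("gaps:", report["gaps"])
```

The two gap lists are the point of the exercise: a high score on an application you own is something you can act on, but a critical finding on an orphaned host, or a production deployment that was inventoried and never scanned, is the "component of a critical application" the text says you cannot afford to miss. Rerunning the aggregation whenever discovery or scan data changes is what keeps the view current as the environment evolves.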
Deliver the What, Where and How
Effective target discovery and application mapping is an important capability within an overall AppSec practice, not just to understand what you have, but to see where and how those assets are used across the entire SDLC—and what the risk impact is at any point in the process. When you can identify the scope and composition of valued technology assets, including infrastructure, services and applications, you’ll know where you need to apply scanning tools across the SDLC. You’ll also understand how to prioritize identified vulnerabilities to streamline development work, and you’ll have the information needed to support security governance through policy configuration.
The ZeroNorth Approach
ZeroNorth’s target discovery & application mapping capability enables businesses to demonstrate discovery of technology assets in each phase of the SDLC, from code repositories to builds to deployment to infrastructure assets. This ability allows you to effectively tie assets to lines of business and projects, so you can realign the relationship between ownership and risk, empower business teams to communicate varying degrees of risk across applications and continuously monitor changing risk of assets and applications.
Check out Target Discovery & Application Mapping at the RSA Conference
Visit the ZeroNorth booth (#5360 in Expo Hall North) to get a demo of our risk-based vulnerability orchestration platform, focused on target discovery and application mapping. You’ll see first-hand how you can centrally encode security governance as a policy and demonstrate discovery of technology assets in each phase of the SDLC, from code commit to build to deployment. If you’d like to schedule a time to meet at the show, we’ve got an easy meeting request form available now. If you’re not going to be at RSA, you can request a demo of target discovery & application mapping at any time.