
AppSec doesn’t have to compromise velocity

published on 2021-06-17 15:34:08 UTC by SC Staff
Content:

To stay competitive, organizations are embracing digital transformation and innovating at record speed. In order to achieve this, they’re embracing agility through processes such as DevOps, site reliability engineering, GitOps, and more. They’re building modern applications with new languages and new frameworks, and deploying them on new platforms and with a variety of deployment options.

All these approaches require automation to maximize velocity and enable continuous improvement. Software developers must move fast—they check in their code changes every day, even hourly, and this code is then deployed using continuous delivery or continuous deployment pipelines. Shipping fast is the new normal.

In the face of this emphasis on velocity—and despite a growing awareness and interest in application security (AppSec)—application vulnerabilities are still the biggest cyber security risk. So, security cannot be an afterthought.

Testing modern applications requires multiple activities

We at Synopsys believe that integrating security testing throughout the software development life cycle (SDLC) helps to discover and reduce vulnerabilities early. We call that “building security in.” The trouble is, the more frequently organizations deploy code to production, the less time there is for traditional security activities. Traditional security activities—and even automated tools—often cause friction, reduce speed, and require time-consuming manual processes. And being slow is no longer an option.

The industry problem

Security teams are increasingly adopting DevSecOps methodologies in an effort to catch up. And that means adding automation. But simply adding and automating another AppSec tool won’t cut it. Automating several tools in a pipeline and running them whether or not they’re needed is an ongoing industry problem and creates several challenges, including:

  • DevOps teams require speed, but automated security activities are slow.
  • Automated security tools are designed to find all issues—not necessarily the most important issues.
  • DevOps requires constant collaboration, but defect discovery is not uniform. Each security tool has its own API, its own way of providing results, and its own way of breaking the build. Security teams struggle to collaborate due to the inherent differences in each tool automated in the pipeline.
  • DevOps requires scale, but security tools and activities require manual intervention. Not knowing when to perform manual security activities, what activities are needed, and whether they are needed at all makes it more difficult for DevOps teams to scale.
  • Automated security tools have high false-positive rates, making resolution and remediation more difficult.

The solution

The ideal solution to this problem would:

  • Balance the golden triangle: people, process, and technology
  • Run automated security tests without slowing down the pipeline
  • Enforce all processes and policies in an organization
  • Reduce the burden on developers by automating as much as possible and only surfacing the most important issues for remediation
  • Ensure that the right tests and analysis are performed at the right time, based on policies, risk profiles, and changes to the code
  • Provide an automated signoff process when a critical defect cannot be fixed and code must be deployed to production
  • Document all decisions so the auditing or compliance team can review the logs at any time

At Synopsys, we’re building this solution—as well as the next generation of AppSec—with intelligent orchestration and correlation at the center.

Meera Rao, Sr. Director Product Management, Synopsys

The post AppSec doesn’t have to compromise velocity appeared first on SC Media.


https://www.scmagazine.com/home/sponsor-content/appsec-doesnt-have-to-compromise-velocity/   
Published: 2021 06 17 15:34:08
Received: 2021 06 17 16:00:40
Feed: SC Magazine
Source: SC Media
Category: News
Topic: Cyber Security