Fortinet, High-Tech Bridge Partner to Advance DevSecOps

Fortinet has partnered with High-Tech Bridge, a provider of application testing tools infused with machine learning algorithms, to advance adoption of DevSecOps.

Neil Prasad, senior director at Fortinet, said the goal is to leverage a virtual patching capability developed by Fortinet to protect applications deployed in a production environment from vulnerabilities discovered by High-Tech Bridge’s ImmuniWeb AI platform.

Alerts from the ImmuniWeb AI platform, which leverages machine learning algorithms to reduce the number of false positives generated, are funneled via application programming interfaces (APIs) into web application firewalls (WAFs) from Fortinet. The Fortinet WAF then creates the appropriate rulesets to protect against newly discovered vulnerabilities by applying a virtual patch. It will be up to each organization to decide how long to rely on that virtual patch before asking application developers to patch the application themselves, said Prasad, noting data generated by the Fortinet WAF can be fed back to a continuous integration (CI) platform to help organizations prioritize those efforts.

Prasad said Fortinet is pursuing a multi-engine approach to applying AI to cybersecurity. The company has developed two core AI engines of its own to identify vulnerabilities and automate processes. At the same time, Fortinet continues to build out an API ecosystem with technology partners including High-Tech Bridge, most of which are developing their own AI capabilities, noted Prasad. There are now more than 50 vendors participating in the Fortinet ecosystem, he said.

There’s no doubt at this point that machine learning algorithms and other forms of AI will play a critical role in cybersecurity going forward. The only way to compensate for a chronic shortage of cybersecurity personnel is to rely more on automation in all its various forms. Of course, the more security operations become automated, the more cybersecurity tends to become programmable. That, in turn, helps spur adoption of best DevSecOps processes. The rate at which that virtuous cycle is achieved, however, will need to accelerate as more organizations build and deploy modern applications based on microservices. Based primarily on container technologies, each of those microservices will need to be tested for vulnerabilities before and after they are deployed. The challenge is that each application could be made up of thousands of interdependent microservices.

Most cybersecurity professionals are still coming to terms with the implications of containers and microservices. But the attack surface that needs to be defended is about to become more fragmented, which means DevSecOps is more critical—developers will need to play a key role by embedding the security controls defined by cybersecurity teams within their applications. That “shift left” of responsibility for cybersecurity also assumes that developers are continuously testing their applications for vulnerabilities before and after they are deployed.

The good news is the developer community seems amenable to making that shift. Less clear is to what degree cybersecurity professionals will allow themselves to count on developers to implement those security controls. After all, the track record developers have established thus far when it comes to cybersecurity clearly leaves much to be desired.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
