ZeroNorth, a provider of a namesake platform for orchestrating risk management within the context of application development projects, announced it has garnered another $10 million in funding.
Company CEO John Worrall said most of the funds are earmarked to advance ongoing development and adoption of the platform, which enables IT teams to classify and prioritize security vulnerabilities as they are discovered. That approach then enables cybersecurity teams to have a more relevant conversation with developers concerning which fixes need to be implemented first.
A recent survey of 57 cybersecurity professionals conducted by ZeroNorth regarding risk and security finds 63% of respondents said their organization currently employs six or more scanning tools. The most widely employed are network scanning (53%) and vulnerability scanning (51%).
The survey finds identifying bugs, flaws and vulnerabilities throughout the software development life cycle (SDLC) is either “extremely” (58%) or “very” (42%) important to all participants involved. A total of 47% said it was either “extremely important” or “very important” (35%) to improve visibility around operations by integrating security earlier into the SDLC.
In terms of where those scanning efforts are focused, the most attention is paid to build/continuous integration (CI) environments (68%), followed by container/artifact management (67%), source code repositories (58%), deployment (56%) and integrated development environments (IDEs) (46%).
Worrall said it’s more than apparent cybersecurity teams and developers need to streamline processes. Historically, cybersecurity teams have assembled a list of vulnerabilities to fix that they periodically share with developers without providing any context. Most development teams are already overtaxed so they need guidance concerning which vulnerabilities are the most critical to address. Otherwise, developers will naturally view cybersecurity as a task that does more to slow them down than it does to enhance the overall quality of the application, he said.
Naturally, the degree to which IT organizations will need to embrace best DevSecOps practices will vary, Worrall noted. Plenty of organizations are applying risk management techniques within the context of waterfall processes. By and large, however, the rise of digital business is requiring organizations to build and deploy more secure applications faster regardless of application development methodology, he said.
Of course, cybersecurity teams increasingly will have to learn to trust developers to do the right thing. There simply are not enough cybersecurity professionals who have the time required to participate in every phase of an application development project. Cybersecurity teams, however, are still expected to verify that vulnerabilities have been remediated. Platforms such as ZeroNorth, in addition to helping to prioritize vulnerabilities, provide cybersecurity teams a means to determine what vulnerabilities have been addressed as they are integrated with, for example, a CI/CD platform.
It may be a while before most organizations resolve all the technical and cultural issues that need to be addressed before more secure code can be built and deployed faster. The one thing that is certain is that organizations that don’t find a way to rise to this challenge will soon be left behind as tolerance for application security incidents increasingly declines.