ZeroNorth Raises $10M to Advance Risk Orchestration

ZeroNorth, a provider of a namesake platform for orchestrating risk management within the context of application development projects, announced it has garnered another $10 million in funding.

Company CEO John Worrall said most of the funds are earmarked to advance ongoing development and adoption of the platform, which enables IT teams to classify and prioritize security vulnerabilities as they are discovered. That approach then enables cybersecurity teams to have a more relevant conversation with developers concerning which fixes need to be implemented first.


A recent survey of 57 cybersecurity professionals conducted by ZeroNorth regarding risk and security finds 63% of respondents said their organization currently employs six or more scanning tools. The most widely employed are network scanning (53%) and vulnerability scanning (51%).

The survey finds identifying bugs, flaws and vulnerabilities throughout the software development life cycle (SDLC) is either “extremely” (58%) or “very” (42%) important to every participant. Improving visibility into operations by integrating security earlier in the SDLC was rated “extremely important” by 47% and “very important” by 35%.

In terms of where those scanning efforts are focused, the most attention is paid to build/continuous integration (CI) environments (68%), followed by container/artifact management (67%), source code repositories (58%), deployment (56%) and integrated development environments (IDEs) (46%).

Worrall said it is apparent that cybersecurity teams and developers need to streamline their processes. Historically, cybersecurity teams have assembled a list of vulnerabilities to fix that they periodically share with developers without providing any context. Most development teams are already overtaxed, so they need guidance on which vulnerabilities are the most critical to address. Otherwise, developers will naturally view cybersecurity as a task that does more to slow them down than to enhance the overall quality of the application, he said.

Naturally, the degree to which IT organizations will need to embrace DevSecOps best practices will vary, Worrall noted. Plenty of organizations are applying risk management techniques within the context of waterfall processes. By and large, however, the rise of digital business is requiring organizations to build and deploy more secure applications faster regardless of application development methodology, he said.

Of course, cybersecurity teams increasingly will have to learn to trust developers to do the right thing. There simply are not enough cybersecurity professionals with the time required to participate in every phase of an application development project. Cybersecurity teams, however, are still expected to verify that vulnerabilities have been remediated. Because platforms such as ZeroNorth integrate with, for example, a CI/CD platform, they can both help prioritize vulnerabilities and give cybersecurity teams a way to determine which vulnerabilities have actually been addressed from one pipeline run to the next.
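The workflow the preceding paragraphs describe (many scanners, one deduplicated list, a priority order developers can act on, and a CI-side check of what was fixed) can be sketched in code. The following is an added example written for this article; it is not ZeroNorth's software and does not reflect its internal design. The scanner adapters, the scoring weights, the asset context and every finding record are constructed sample data, and the `CVE-EXAMPLE-*` strings are placeholders rather than real CVE identifiers.

```python
"""Added example: aggregate findings from several scanners, dedupe them, rank
them with deployment context, and diff against the previous pipeline run so the
security team can see what was remediated. All scanner records and the asset
context are constructed sample data, not real tool output."""
from dataclasses import dataclass
import hashlib

SEVERITY_SCORE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}


@dataclass(frozen=True)
class Finding:
    fingerprint: str   # stable, scanner-independent id used to dedupe and diff runs
    title: str         # rule name or CVE id
    severity: str
    asset: str         # service the finding belongs to (drives the context lookup)
    location: str      # file:line, package, or image layer
    sources: tuple     # scanners that reported it


def _fp(*parts):
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


# Hypothetical adapters; every real scanner has its own output schema.
def from_sast(r):
    loc = f'{r["file"]}:{r["line"]}'
    return Finding(_fp("sast", r["rule"], r["asset"], loc), r["rule"],
                   r["severity"].lower(), r["asset"], loc, ("sast",))


def from_package_scan(r, source):
    # SCA and container scanners both report CVE-in-package; sharing the
    # fingerprint lets the same vulnerability collapse into one finding.
    return Finding(_fp("cve", r["cve"], r["asset"], r["package"]), r["cve"],
                   r["severity"].lower(), r["asset"], r["package"], (source,))


def normalize(sast, sca, container):
    merged = {}
    raw = ([from_sast(r) for r in sast]
           + [from_package_scan(r, "sca") for r in sca]
           + [from_package_scan(r, "container") for r in container])
    for f in raw:
        if f.fingerprint in merged:
            p = merged[f.fingerprint]
            merged[f.fingerprint] = Finding(p.fingerprint, p.title, p.severity,
                                            p.asset, p.location, p.sources + f.sources)
        else:
            merged[f.fingerprint] = f
    return list(merged.values())


def risk_score(f, context):
    """Base severity plus the context developers need to agree on an ordering."""
    score = SEVERITY_SCORE[f.severity]
    if f.title in context["known_exploited"]:
        score += 3.0          # a public exploit exists
    if f.asset in context["internet_facing"]:
        score += 2.0          # reachable by anonymous attackers
    if len(f.sources) > 1:
        score += 0.5          # corroborated by more than one tool
    return score


def prioritize(findings, context):
    return sorted(findings, key=lambda f: risk_score(f, context), reverse=True)


def diff_runs(previous, current):
    """What the CI/CD-integrated verification step reports back."""
    prev = {f.fingerprint: f for f in previous}
    cur = {f.fingerprint: f for f in current}
    return {"remediated": sorted(prev[k].title for k in prev.keys() - cur.keys()),
            "new": sorted(cur[k].title for k in cur.keys() - prev.keys()),
            "open": sorted(cur[k].title for k in cur.keys() & prev.keys())}


# Constructed sample data. CVE-EXAMPLE-* are placeholders, not real CVE ids.
SAST_PREV = [{"rule": "debug-mode-enabled", "file": "app/settings.py", "line": 3,
              "severity": "Medium", "asset": "payments-api"},
             {"rule": "sql-injection", "file": "app/db.py", "line": 42,
              "severity": "High", "asset": "payments-api"}]
SAST_NOW = [{"rule": "sql-injection", "file": "app/db.py", "line": 42,
             "severity": "High", "asset": "payments-api"}]
SCA_NOW = [{"cve": "CVE-EXAMPLE-1", "package": "libyaml", "severity": "High",
            "asset": "batch-worker"}]
CONTAINER_NOW = [{"cve": "CVE-EXAMPLE-1", "package": "libyaml", "severity": "High",
                  "asset": "batch-worker"}]
CONTEXT = {"internet_facing": {"payments-api"}, "known_exploited": set()}


def run_pipeline(context):
    previous = normalize(SAST_PREV, [], [])
    current = normalize(SAST_NOW, SCA_NOW, CONTAINER_NOW)
    ranked = [(f.title, risk_score(f, context), f.sources)
              for f in prioritize(current, context)]
    return ranked, diff_runs(previous, current)


if __name__ == "__main__":
    ranked, delta = run_pipeline(CONTEXT)
    for title, score, sources in ranked:
        print(f"{score:5.1f}  {title:<18} via {','.join(sources)}")
    print(delta)
```

Two things in the output are the point. The two findings have the same base severity, yet the SQL injection in the internet-facing service outranks the library CVE in the internal worker; adding the CVE to the known-exploited set flips that order, which is the kind of context a developer can reason about instead of a bare severity label. The run diff is the verification step: the debug-mode finding present in the previous run and absent now is reported as remediated, while the persisting SQL injection stays open.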

It may be a while before most organizations resolve all the technical and cultural issues that need to be addressed before more secure code can be built and deployed faster. The one thing that is certain is that organizations that don’t find a way to rise to this challenge will soon be left behind as tolerance for application security incidents increasingly declines.

Michael Vizard

Security Boulevard


Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
