Week Five Featuring Research From Forrester: Don’t Forget About Orchestration When You Automate Security

Now in our fifth week with Forrester’s recent report “The State of Application Security, 2020,” we review how increased automation has become a guiding principle for security-minded companies. In this report, Forrester highlights the widespread push for automation across the software development lifecycle (SDLC) and underscores the need for security teams to embrace automation in the CI/CD pipeline—specifically across application security testing and remediation efforts—to mitigate risk and maintain the speed of business.

What can automation do for security?
According to the report, automated scanning within the developer’s IDE serves two purposes. “It helps identify and remediate vulnerabilities before they progress in the SDLC, and it provides developers an in-the-moment, real-time training, teaching them how to spot and fix vulnerabilities in their own code.”

In this way, automation is not an option but rather, a secure DevOps priority. Forrester research from last year confirms, 29% of global development managers say, increasing SDLC automation will be one of their top three priorities for 2020[1]. Why? Because more automation means more (and often continuous) scans. And more scans translates into faster remediation efforts and better overall security. For applications scanned over 260 times per year, the median fix time is 19 days, but the median fix time jumps to 68 days for applications scanned less than 12 times per year[2].

How does orchestration fit in?
ZeroNorth believes organizational teams must embrace automation for more secure DevOps, as is recommended by Forrester. This shared belief suggests automation is a critical piece of the secure DevOps puzzle; however, the truth is, it’s not enough on its own.

For automation to achieve its intended purpose, human intervention is necessary to manage workflows and draw insight, as only humans can do. Take application and infrastructure security tools for example. Static code, as well as container and infrastructure scans, may be automated. This allows each one to execute on a predefined schedule while also targeting a consistent set of assets. But humans are still required to manage each different scanning tool, while also assessing how a vulnerability discovered in one area may bleed into others.

Addressing vulnerabilities uncovered by numerous tools—let alone actually correlating and prioritizing them—eats up valuable time and resources. This is where orchestration comes in. Because automated scanning tools deliver vast amounts of valuable data, to prioritize and speed up remediation efforts, they must be orchestrated to ensure this actionable information isn’t lost within a mountain of reports. In fact, ZeroNorth believes DevOps security automation should deliver consistent implementation and management of individual scanning tools, throughout the entire SDLC. This level of orchestration allows businesses to take immediate action on findings and integrate security earlier in the lifecycle, without impeding development work or speed.

Companies who gain a clear and actionable view of security risk through orchestration are able to ingest their data more effectively while also preserving valuable resources, human and otherwise. Much like a symphony, when automation systems are arranged, coordinated and managed through a comprehensive orchestration process, they become far more effective—and harmonious.

What does orchestration of automated processes look like?
In an ideal DevOps environment, automation and orchestration each play a unique and invaluable role. While automation is focused on technical tasks, orchestration manages workflows and pulls together all automated flows into one. Further, orchestration enables teams to execute various scans through a single integrated platform, minimizing the time, resources and technical burden required to manage all of the scanning tools within their environment.

And it goes beyond data. Embracing automation and orchestration can also help organizations bridge deeply-rooted cultural divides across development, QA, infrastructure, security and beyond. Together, the harmonious automation and orchestration duo enables the integration of security into software development as well as the discovery and remediation of critical code and application vulnerabilities before they are delivered to production.

Automated code analysis and vulnerability scans can be orchestrated across applications and infrastructure, automated based on simple policies and run continuously. In addition to the critical issues in need of remediation and reporting, this effort gives both security and development teams the same level of visibility into all aspects of the security tool chain.

Curious to know about what happens when automation meets orchestration? Access our eBook,  The Essential Guide to Risk-Based Vulnerability Orchestration Across the Software Lifecycle, and find some actionable guidance for integrating security into the DevOps model.

Download the Complimentary Forrester Report
You can also download your own complimentary copy of The State Of Application Security 2020 to explore vertical-specific trends, learn about testing security earlier in the SDLC, understand automation’s increasing role in remediation and more. Feel free to contact us at ZeroNorth to learn about how our capabilities for application vulnerability discovery can help you.

[1] Source: Global Business Technographics Developer Survey
[2] Source: State of Software Security X