In our previous post, we discussed that the key ingredient to implementing a true DevSecOps process is accurate testing. In this post, we’ll dissect how accuracy is the single enabler for driving the DevSecOps outcomes you want to see.
The Art of the Possible
During ForAllSecure’s early stages, accuracy was a main focus area. We wanted to explore whether we can rely on machines to autonomously make cybersecurity decisions. Decisions like:
- how to effectively and efficiently test an application so it delivers impactful results
- if a vulnerability is worth remediating
- how to automatically generate a patch that fixes the issue
- if the patch is worth deploying (i.e. is being more secure worth the degradation in performance?)
It didn’t take long for the founding team to realize that in order for machines to properly reason through a decision, they must first and foremost have accurate information to act on. Without accurate information, the whole process is doomed from step one.
While it may be too early for machines to autonomously make strategic cybersecurity decisions, the founding team was astute. Their vision for the company not only addresses gaps that we see in the application security market today, but maps beautifully to DevSecOps needs.
According to DevSecOps Realities and Opportunities by 451 Research, “46% of participants cited that the noise of false-positives drowns out the benefits of security scanning and other elements in CI/CD processes. [They] believe that organizations can help address this issue by choosing security software and services that specialize in effectively reducing false positives and the noise that comes with them. In SAST, for example, this will likely require writing custom rules tailored to the organization’s technology stacks and software.”
Software Security is Simple!
When accuracy is at the basis of security testing, vulnerability management becomes radically simple:
- Detection: Previously, automated vulnerability detection was impractical because of false-positives. “Let’s find false-positives at machine speed and scale” – said no one ever. With accuracy, every detected vulnerability can be treated with trust, action, and urgency.
- Validation: Accurate security testing results mean there’s no longer a need for a validation step. Eliminating this step is significant, because manual validation is the largest bottleneck today.
- Remediation: An accurate security testing solution should be able to prove its findings easily. Examples of actionable remediation evidence include logs, video playbacks, and a proof of concept in the form of a test case.
Accuracy is the Gateway to DevSecOps Capabilities
If you remember, the key barriers to DevSecOps, as outlined by Gartner, are as follows:
- Automation: Security testing couldn’t be automated because no one wants to automate the detection of false-positives.
- Integration: Security testing couldn’t be integrated because no one wants to be distracted by false-positives.
- Speed: Security testing couldn’t be done at speed because no one wants to find false-positives at machine scale.
With accurate testing, vulnerability detection can be conducted at machine speed and scale, fully automated as part of developer workflows.
| What DevSecOps is Today | What DevSecOps Could Be |
| --- | --- |
| A complex process that leaves people craving simplicity. | A technically complex process that feels simple because security testing happens synchronously and quietly in the background. |
| Largely a manual process that sucks time and resources. | An automated process that frees up precious time and resources for strategic tasks. |
| No one wants to own security. | Because security is built into development processes, every developer ends up owning the security of their code, even if they may not realize it. |
Until next time…
In this post, we’ve outlined how accuracy is the key to unlocking the capabilities needed to overcome today’s DevSecOps challenges. In the remainder of this series, we’ll share how to best implement an application security testing initiative that developers can appreciate. Read part three here.
*** This is a Security Bloggers Network syndicated blog from Latest blog posts authored by Tamulyn Takakura. Read the original post at: https://forallsecure.com/blog/%3Cslug%3Eyour-ast-guide-for-the-disenchanted-part-2