ASOC series part 1: How application security orchestration and correlation can improve DevSecOps efficiency
Application security orchestration and correlation tools empower security teams to speed up the AppSec process without sacrificing quality.
In its 2019 “Hype Cycle for Application Security” report, Gartner revealed a new, high-priority tool category called application security orchestration and correlation (ASOC). ASOC delivers three primary benefits to the AppSec process within organizations: efficiency, scalability, and accountability.
This is the first article in a three-part series in which we take a closer look at each of these benefits. We will focus on efficiency first, demonstrating how ASOC helps DevSecOps team function better.
What is ASOC?
Gartner created the ASOC tool category by combining the categories of application vulnerability correlation (AVC) and application security testing orchestration (ASTO). AVC tools streamline the application security (AppSec) process by correlating and deduplicating the results from a wide variety of AppSec testing tools, yielding a single set of results. AVC tools also prioritize the vulnerabilities identified, so you can manage remediation more efficiently. ASTO tools integrate application security testing tools across the software development life cycle (SDLC), promoting a DevSecOps approach to software development. These categories were merged to create ASOC because many organizations need both AVC and ASTO capabilities, and several vendors in the marketplace were providing them via one tool.
Gartner defines ASOC tools as those that “streamline software vulnerability testing and remediation by automating workflows. They automate security testing by ingesting data from multiple sources (static, dynamic, and interactive [SAST/ DAST/IAST]; software composition analysis [SCA]; vulnerability assessments; and others) into a database. ASOC tools correlate and analyze findings to centralize and prioritize remediation efforts. They act as a management layer between application development and security testing tools.”
To qualify as an ASOC tool, a tool must meet certain criteria that differentiates it from standard AppSec tools:
- It must integrate with a wide range of commercial AppSec testing tools
- It must correlate the findings from these tools
- It must provide orchestration capabilities
Robust ASOC tools integrate with continuous integration and continuous delivery (CI/CD) engines. When evaluating ASOC tools, the following capabilities are important:
- Correlation and analysis of results from a wide range of AppSec testing tools
- Integration with defect-tracking systems
- Out-of-the-box integration and support for existing security testing, development, and CI/CD tooling
- Speed and accuracy of correlation and analysis
- Scope and nature of reporting, including technical metrics, as well as business and risk analysis
Three ways ASOC improves the efficiency of DevSecOps
You can prioritize the most critical vulnerabilities for remediation to properly allocate resources
Resource allocation is a challenge faced by many AppSec teams. AppSec tools uncover a wide range of potential issues—some may be false positives, and others may simply not be relevant to your organization. The amount of time needed to conduct triage on potential vulnerabilities can be debilitating for many companies.
An IEEE study found that it takes an average of 10 minutes to triage one finding and determine if an issue is exploitable and needs to be fixed. Additionally, studies have shown that an average of 66% of findings from the average SAST tool are irrelevant. This translates into an incredible amount of time spent triaging findings that turn out to be false positives or irrelevant. No matter how large your AppSec team is, no organization can afford to waste time researching issues that don’t pose a real threat to application security.
Vulnerability prioritization is just as important for developers as it is for security. Agile development requires rapid iteration. The most critical defects must be addressed before the next build is pushed through to ensure security is maintained throughout the development process.
ASOC tools can prioritize vulnerabilities based on exploitability and assign a severity score to each issue. This enables your security team to focus attention on the vulnerabilities that pose an actual threat to your organization.
If your application must comply with regulations such as HIPAA and PCI DSS, an ASOC tool can check your codebase, identify the exact lines of code that are in violation, and suggest ways to make it compliant. These types of compliance issues are often a high priority, as they can result in severe penalties and fines.
Advanced ASOC tools have a built-in capability that uses machine learning to automatically predict which vulnerability findings are most important, based on past triage decisions. Every 240 findings categorized automatically saves your organization the equivalent of one week’s work from a full-time employee.
The prioritization capabilities provided by ASOC tools give security pros and developers the information they need to make sure the biggest threats are addressed before the next release.
ASOC tools also help manage remediation, allowing security to assign tasks to developers and track progress. Integration with issue-tracking tools and developer environments make it easier for developers to address problems, as they can correct issues directly within their preferred workflow.
Whether you have one AppSec project running or 30, efficient resource allocation is essential to creating an agile development process that keeps security a top priority.
You can centrally manage the results from a large number of AppSec tools across multiple projects and departments
DevOps came about as development and operations teams began working more closely together to support the agile development methodology. As DevOps continued to evolve, security was integrated into the process.
This was an important step, as application security demands full attention at all stages of design and development. However, it has often been a challenge for security teams to keep up with the agile sprints of DevOps.
Application security involves using a number of types of AppSec testing tools:
- Static application security testing (SAST) tools examine the application from the inside, looking for vulnerabilities in the source code, byte code, or application binaries
- Dynamic application security testing (DAST) tools approach the application from the outside, taking on the role of a robot attacker
- Interactive application security testing (IAST) tools combine SAST and DAST tools by using instrumentation technology to leverage information inside the running application to identify vulnerabilities
- Software composition analysis (SCA) tools analyze applications for third-party and open source software to detect vulnerable code
- Threat modeling tools such as STRIDE and DREAD identify and assess potential vulnerabilities
- Manual testing can make sure the application code is high quality and secure
It’s important to note that there are a number of tools in the market that focus on specific challenges within application security. For example, a SAST tool can find weaknesses in proprietary code, while an SCA tool can detect vulnerabilities in open source code. Combining tools ensures a complete picture of your application’s codebase.
However, each tool shows results in a different format, and the same potential issue might be found by multiple tools. Weeding through long lists of results from multiple tools to remove duplicates and determine which vulnerabilities are real and pose the highest threat is inefficient and time-consuming—and it makes it nearly impossible for security to move at the same speed as development.
ASOC tools, however, eliminate these issues by providing:
- A single, central hub for application security
- Support for commercial SAST, DAST, and IAST tools
- Automatic correlation of results from multiple AppSec tools and manual testing into a single set of results
- Integration with popular development environments and issue-tracking tools
- Inclusion of tools to track and remediate vulnerabilities
These features enable organizations to provide better vulnerability coverage and more effective software testing that yields fewer false positives and no duplicate results. You get a single view of AppSec issues, no matter how many tools you’re using. This allows you to rapidly identify where the most significant risks are and address them before they become a problem.
ASOC tools empower your security team to speed the AppSec process without sacrificing quality, fostering a better relationship between development and security teams. A DevSecOps approach can become a reality, enabling your organization to meet the demand for rapid development of secure applications.
You have access to metrics that show how vulnerability management and AppSec are performing over time in your organization
It’s impossible to know if your organization is getting better at application security if you can’t measure performance. Metrics can provide important information for C-level executives and for security and development team members in the thick of AppSec testing.
For example, CISOs may want data on the total number of application vulnerabilities and their severity. This data indicates how well your organization is doing over time at reducing the total number of threats.
Metrics on severity are just as important; they reveal the overall danger to the organization. Severity metrics also help security team members prioritize issues, so the most pressing ones can be addressed first.
Historical data about the number of new vulnerabilities shows how many issues are introduced with a new release. This is important for teams following the agile development methodology, as it validates whether security is being given the attention it requires during rapid iteration. CISOs can use this data to monitor overall risk, and AppSec managers can leverage it to assess the quality of code being written by team members.
It’s not enough just to know how many vulnerabilities are identified; average days to resolution is another important AppSec metric. The longer an issue lingers, the more likely it is to be exploited. Managers can use this metric to assess remediation efforts and identify inefficiencies.
The types of vulnerabilities found is also important. If you know the most common types of vulnerabilities in your applications, you can train your security team and developers to write better code and prevent these issues, as well as remediate them more quickly when they do occur.
ASOC tools provide the metrics that CISOs, AppSec managers, security team members, and developers need to improve over time. Additional features to look for in an ASOC tool include:
- A visual display of metrics, so you can quickly and easily see how AppSec is performing over time and identify trends
- A central dashboard that provides interactive metrics, so you can uncover trends and see critical AppSec information quickly
As ASOC tools become more popular, it’s important for organizations to understand how they can benefit from them. Be on the lookout for future posts in our ASOC series to discover how you can achieve scalability and accountability within AppSec across your entire enterprise.
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Synopsys Editorial Team. Read the original post at: https://www.synopsys.com/blogs/software-security/improve-devsecops-with-asoc/