Vulnerability management has historically focused on network security. Security information and event management (SIEM) systems were created to help users manage the plethora of vulnerability data coming from a variety of devices and surfaces and to validate the most critical problems, finding the metaphorical ‘needle in the haystack’. Application vulnerabilities have been something of an afterthought as a data source, yet guarding the perimeter is no longer enough, because perimeters fade with modern software architectures.
At the same time, many of the recent and most damaging cybersecurity attacks have been against applications. Application vulnerabilities can escalate quickly if left unchecked. Reuse of open source software, along with reuse of proprietary containerized software, allows rapid cloning of code and lets developers make progress more quickly. But when those components have security flaws, the vulnerabilities are cloned just as quickly and metastasize rapidly.
In spite of the heightened risks, application security has been mostly focused on finding security vulnerabilities, while remediating them has proven more difficult. It is this prolonged remediation that creates the burden of managing vulnerabilities.
Why is remediation difficult? Siloed processes and tools hinder the collaboration that is essential to remove security flaws. The security team finds the vulnerabilities but is typically powerless to remove them from the code, while the software engineers usually remain blind to the vulnerabilities they have created until they have moved on to another project. The result is that most companies have complied with testing requirements, so they know about the vulnerabilities in their code, but they have done little to remove them. Knowing you have a problem that could leak private data or disrupt business operations, and not resolving it, could potentially open your organization to liability.
Given the fact that most organizations can only afford to test their mission-critical apps, the vulnerabilities they seek to remediate may only represent the tip of the iceberg. Ignorance may be bliss, but it’s also very dangerous, underrepresenting the actual risk.
So how can organizations get ahead of this threat? A highly automated software factory (also known as DevOps) can help. DevOps uses source code repositories to manage code changes across multiple engineers, and continuous integration and continuous deployment (CI/CD) to automate software assembly, testing, and release, essentially automating the end-to-end software development lifecycle.
While automation is the foundation, security automation can be an integral part of the effort. It’s required to test every code change at scale, to consistently apply policies, and to deliver software vulnerability findings in an actionable way. Having security testing embedded within the DevOps platform ensures software security is not an afterthought but rather an integral part of the software factory. Often this marriage is labeled as “DevSecOps”.
There are many ways to achieve DevSecOps. Often organizations start with the tools that they already have, integrating legacy application security into modern DevOps workflows. This DIY tool chain can get very complex, fragile, and costly to maintain. More advanced organizations have moved to a better solution by using one end-to-end platform with security already built-in.
A DevOps platform, with embedded security, can help improve your security posture in several ways:
- Better Compliance Controls: Comprehensive security scans, including static and dynamic analysis as well as fuzz testing, can be consistently applied across all projects with policies automatically applied at common control points.
- Immediate Remediation: Developers can find and fix vulnerabilities earlier in the software lifecycle, before security flaws can make it to the production environment where they may be exploited.
- Improved Visibility to Risks: Unresolved vulnerabilities can be seen and managed much earlier in the process, and with a shared view, development and security can collaborate on the remediation effort.
- Simplification: A DevOps platform that combines the ability to develop, secure, and operate software in a single application can reduce the number of tools needed, simplifying visibility and control for the end-to-end software development lifecycle.
This approach that unites software development and software security better assures the integrity of your software factory and simplifies software vulnerability management at scale. The effort to manage vulnerabilities begins with finding them. If developers have the tools to find them while they are still working on the code, they are in a prime position to also fix them at the same time. This eliminates later rework and greatly reduces the number of vulnerabilities needing to be managed further downstream. Unresolved vulnerabilities can be managed within the context of the software workflow that is essential to eventual remediation. Software vulnerabilities can still be sent to a SIEM for correlation with other threat vectors, but this should take a back seat to improving remediation processes by aligning application security efforts more closely with DevOps.
The SolarWinds cyber security attack has shown us the importance of securing your software development and deployment. The Orion software was used as a point of entry into numerous companies and government agencies, resulting in xxxx…