Rethinking GRC for Modern Software Development

By Natasha Gupta, Senior Security Solutions Manager, Synopsys Software Integrity Group

Governance, risk, and compliance (GRC) has become a standard practice for managing organizational risk, particularly for IT assets and operations. Yet, risk mitigation has evolved beyond perimeter defenses.

All software has weaknesses, and those weaknesses make inviting targets for attackers. A 2021 Forrester Report found that 39% of external attacks targeted exploitable web applications, and 30% targeted software vulnerabilities. This software includes infrastructure, commercial, custom-built, and contracted applications.

This data indicates that the attack surface is much larger than previously thought, and that security and risk teams must incorporate an application security lens when assessing their organization’s risk and compliance posture. Using an Application Security Orchestration and Correlation (ASOC) solution helps, as it offers valuable capabilities that align with components of a GRC framework.

Applications present unique challenges

It’s important to understand the scope of the GRC problem when it comes to software applications. When assessing an organization’s risk footprint, the potential sources of infrastructure and commercial vulnerabilities can span hundreds of business-critical assets across their IT estate. For custom-built applications, the risk footprint vastly multiplies when considering the volume of software that includes open source and third-party code or carries critical vulnerabilities which go unaddressed in the production process. For large enterprises, the source of this risk could equate to thousands of commits per day. Amazon, for example, reportedly deploys new software to production every second, and in practice, the thousands of applications they depend upon are made up of hundreds of components.

For this reason, modern software development carries many blind spots when it comes to risk and compliance. The widespread adoption of DevOps and Agile methodologies has hastened the speed at which production code is deployed. These fast production cycles open multiple opportunities for software flaws to slip through the cracks.

Additionally, integrating testing, triage, and remediation within the SDLC is complex. Many application security (AppSec) teams invest in a multitude of Application Security Testing (AST) tools to test for specific types of software flaws at the relevant stages of the SDLC. For example, an AppSec team may use static application security testing (SAST) or software composition analysis (SCA) tools to scan source code for quality, security, and compliance issues at the build phase, then use dynamic application security testing (DAST) to test for runtime issues in simulated production environments.

Each of these essential types of tests may find thousands of potential flaws and compliance issues and store them in its own siloed repository using a custom taxonomy. It can be difficult to sort through all these findings to identify the most critical issues. To assess overall software risk, one must aggregate all these findings, translate them into a common format, and prioritize the ones that are most impactful—that’s a lot of information to analyze. Furthermore, auditing this data and assessing adherence to required regulatory standards is incredibly challenging as well.

Bridging the GRC-AppSec gap with ASOC

The fundamental building blocks of a sound GRC strategy—standardizing business process and policies, enforcing controls, centralizing risk management, and auditing decisions and artifacts—go beyond implementing GRC software tools. Keeping operations resilient and compliant means understanding your risk at the development level, at earlier stages of the SDLC.

To do this, it helps to be able to answer these questions:

  • When was the software tested?
  • What was found?
  • What was fixed?
  • Do I have a way of identifying my most vulnerable software?
  • What is the extent of my exposure and exploitability?

If you’re unable to answer these questions, an ASOC solution can help.

How does ASOC help address GRC needs?

A significant and pragmatic benefit of ASOC solutions is their ability to empower organizations to glean actionable insight across a variety of AST tools, introduce a uniform risk assessment methodology, and orchestrate necessary testing activities without breaking existing processes. These capabilities are foundational to helping security, risk, and development stakeholders align their existing AppSec processes with business objectives for software quality and compliance, and introduce a risk-based approach to software development practices. There are several components of a GRC framework where ASOC can help:

Risk management—Individual AST tools provide a proprietary assessment of software risk using their own methodology for scoring issue severity, business criticality, and scope. This means teams are forced to wade through a patchwork of proprietary assessments to gauge their overall software risk posture. An ASOC solution simplifies risk assessment because it correlates issues across all tool types and normalizes the results to a common scoring methodology. An ASOC solution can also export these results to a GRC management tool, enabling you to keep a consistent view across infrastructure and application risks and to incorporate a higher-fidelity view of application risk than typical GRC platforms accommodate.
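The normalization and correlation step described above, as an added example that is not code from the article or from any Synopsys product: three constructed tool outputs (a SAST tool with Critical/High/Medium/Low labels, an SCA tool reporting CVSS, and a DAST tool with a 0–3 scale) are translated into one schema with a 0–10 score, grouped by CWE so that a weakness reported by more than one tool is counted once with higher confidence, and ranked. The record formats, the scale mappings, and the corroboration bonus are all assumptions made for the illustration.

```python
"""Normalize and correlate findings from several AST tools into one ranked list.

Added example; the tool record formats, scale mappings and scoring policy
below are constructed assumptions, not any vendor's real schema.
"""
from collections import defaultdict

# Constructed sample output from three tools, each in its own taxonomy.
SAST_FINDINGS = [
    {"rule": "SQL_INJECTION", "cwe": 89, "risk": "High", "file": "app/db.py", "line": 42},
    {"rule": "HARDCODED_SECRET", "cwe": 798, "risk": "Medium", "file": "app/cfg.py", "line": 7},
]
SCA_FINDINGS = [
    {"component": "log4j-core", "version": "2.14.1", "cvss": 10.0, "cwe": 502, "path": "pom.xml"},
]
DAST_FINDINGS = [
    {"name": "SQL Injection", "cwe": 89, "severity": 3, "url": "/api/users?id=1"},  # 0-3 scale
]

# Assumed mapping of each tool's severity vocabulary onto a single 0-10 scale.
SAST_SCALE = {"Critical": 9.5, "High": 8.0, "Medium": 5.0, "Low": 2.0}
DAST_SCALE = {3: 8.0, 2: 5.0, 1: 2.0, 0: 0.0}


def normalize(tool, raw):
    """Translate one tool-specific record into the common schema."""
    if tool == "sast":
        return {"tool": tool, "cwe": raw["cwe"], "score": SAST_SCALE[raw["risk"]],
                "location": f'{raw["file"]}:{raw["line"]}', "title": raw["rule"]}
    if tool == "sca":
        return {"tool": tool, "cwe": raw["cwe"], "score": float(raw["cvss"]),
                "location": raw["path"], "title": f'{raw["component"]}@{raw["version"]}'}
    if tool == "dast":
        return {"tool": tool, "cwe": raw["cwe"], "score": DAST_SCALE[raw["severity"]],
                "location": raw["url"], "title": raw["name"]}
    raise ValueError(f"unknown tool {tool}")


def correlate(findings):
    """Group normalized findings by CWE. A weakness that more than one tool
    reports (here SAST and DAST both flag CWE-89) is merged into one entry and
    gets +1 per extra corroborating tool, capped at 10 (assumed policy)."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["cwe"]].append(f)
    merged = []
    for cwe, items in groups.items():
        base = max(i["score"] for i in items)
        tools = sorted({i["tool"] for i in items})
        score = min(10.0, base + (len(tools) - 1))
        merged.append({"cwe": cwe, "score": score, "tools": tools,
                       "evidence": [i["location"] for i in items]})
    return sorted(merged, key=lambda m: m["score"], reverse=True)


def prioritize(app_criticality=1.0):
    """Full pipeline: normalize every tool's output, correlate, then weight the
    technical score by an application criticality factor supplied by the GRC side."""
    all_findings = ([normalize("sast", r) for r in SAST_FINDINGS]
                    + [normalize("sca", r) for r in SCA_FINDINGS]
                    + [normalize("dast", r) for r in DAST_FINDINGS])
    ranked = correlate(all_findings)
    for m in ranked:
        m["business_risk"] = round(m["score"] * app_criticality, 1)
    return ranked


if __name__ == "__main__":
    for m in prioritize(app_criticality=1.0):
        print(m)
```

The point of the `correlate` step is that the SQL injection reported statically at `app/db.py:42` and confirmed dynamically at `/api/users` becomes one item with both pieces of evidence attached, rather than two unrelated entries in two repositories; the exported list is what a GRC tool would ingest.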

Auditing—Advanced ASOC solutions uniquely provide a level of application context and intelligence to help teams trace findings that match specific compliance violations. They provide a consolidated report of high-priority results, controls implemented, and overall application health. Importantly, an ASOC platform uses this information to map software defects to violations of specific regulatory standards, such as PCI. This is an important part of addressing risk blind spots when it comes to auditing software security practices.

Policy management—Making security policy management reflective of individual application needs is a complex undertaking. It requires continuous testing of workflows and data, as applications are subject to short and frequent refresh cycles. An ASOC solution solves this challenge by orchestrating policy-as-code, codifying defined thresholds for triggering testing based on application criticality, scope of code change, and related dependencies. Importantly, this approach does not break existing development pipelines, and through API integration with ticketing systems, it offers an automated way to enforce security policies with developers directly.

Software risk is business risk. A successful GRC strategy must address the distinct application security challenges involved in mitigating software risk. An ASOC solution helps establish testing automation, security intelligence, and risk visibility to build a bridge between your GRC workflows and your AppSec tools and processes.
