AppSec doesn’t have to compromise velocity | SC Media
Application security


June 17, 2021
  • DevOps teams require speed, but automated security activities are slow.
  • Automated security tools are designed to find all issues—not necessarily the most important issues.
  • DevOps requires constant collaboration, but defect discovery is not uniform. Each security tool has its own API, its own way of providing results, and its own way of breaking the build. Security teams struggle to collaborate due to the inherent differences in each tool automated in the pipeline.
  • DevOps requires scale, but security tools and activities require manual intervention. Not knowing when to perform manual security activities, which activities are needed, and whether they are needed at all makes it more difficult for DevOps teams to scale.
  • Automated security tools produce high false-positive rates, making triage and remediation more difficult.
  • Balance the golden triangle: people, process, and technology
  • Run automated security tests without slowing down the pipeline
  • Enforce all processes and policies in an organization
  • Reduce the burden on developers by automating as much as possible and only surfacing the most important issues for remediation
  • Ensure that the right tests and analysis are performed at the right time, based on policies, risk profiles, and changes to the code
  • Provide an automated signoff process when a critical defect cannot be fixed and code must be deployed to production
  • Document all decisions so the auditing or compliance team can review the logs at any time