Are intelligent orchestration and correlation the key to DevSecOps?

In the ongoing evolution of software development, a troubling reality persists: Developers support security testing—but only if it doesn’t slow them down. Security testing that can’t keep pace with the ever-increasing velocity of development gets left in the dust. Which is not a good thing. Vulnerabilities in software put products, systems, networks, customers—indeed, entire organizations—at risk.

But a more encouraging reality is emerging in the security industry. It’s called intelligent orchestration, and when combined with a correlation tool that automates, accelerates, and prioritizes findings—what Gartner calls application security orchestration and correlation (ASOC)—it offers security teams the means to keep pace with modern development.

Intelligent orchestration means testing at the right time, as determined by risk-based policies, so it can eliminate tests and results that aren’t necessary—the kind that slow development for no good reason.

Deadlines are forcing developers to push code with known vulnerabilities

The need for faster evolution in software security is obvious. A new white paper from ESG titled “Cracking the Code of DevSecOps” points to a survey of 378 IT, cybersecurity, and application development professionals at organizations in North America that found that nearly half of the respondents regularly push vulnerable code into production, and another 31% admit to doing so occasionally.

According to the ESG paper, which was sponsored by Synopsys, “Despite ongoing investments in application security programs, 79% of organizations admit to pushing application changes with known vulnerabilities.” Why? More than half said the deadline made them do it.

That means security is still trying, and too often failing, to play catch-up. As the white paper put it, “Current security strategies are simply not scaling to keep up with modern development practices.” This is no surprise. For years, a regular mantra at security conferences has been that the best way to convince developers to add “Sec” to DevOps is to make the secure way the easier, and therefore faster, way.

Development teams face increased velocity and complexity

But according to the ESG paper, so far that’s not happening. Not because security teams aren’t trying, or because organizations aren’t investing in security. Nearly three-quarters (71%) of the survey respondents in the ESG paper reported using application security tools on more than 50% of their codebase.

But the challenges are significant. The speed of software development has increased by orders of magnitude over the past decade, going from tens of builds per day to hundreds and even thousands, thanks to agile development and DevOps/GitOps automation.

Along with that, modern software is more complex, now incorporating microservices and serverless technologies. And security programs are frequently a complicated, disorganized mix of manual and automated tools and practices. More than two-thirds of survey respondents report the use of 11 or more automated application security testing tools, including static, dynamic, and interactive application security testing, fuzz testing, and container scans. Many also conduct manual activities including pen testing, code reviews, threat modeling, and red teaming.

If those tools and services aren’t coordinated and configured effectively to conduct the right tests at the right time and to flag only significant defects, they can bog development down and actually undermine security.

This doesn’t mean all security testing tools are bad, or that only one tool is good. But there is such a thing as too much of a good thing. Or too many good things.

Development teams are overwhelmed by security alerts

“Tool sprawl” is when development teams are so overwhelmed by security alerts that they can’t respond to at least 25% of them. Indeed, when security alerts are constant, they become background noise and are ignored—the exact opposite of the intent.

As the paper put it, “Even though only a small percentage of the findings may present enough risk to require immediate attention, identifying and prioritizing high-priority vulnerabilities is a significant burden.”

Lengthy scans slow everything down

According to the ESG paper, the proliferation of tools and scans generates too many findings and lengthy scan cycles that don’t scale and can’t keep up with the speed of modern development. “While build pipelines are often intended to run in seconds to a few minutes, AppSec tool scans can often take several minutes or even hours,” the paper noted. And then they overwhelm the development teams with time-consuming, and in many cases, unnecessary work. ESG found that 30% of respondents are “overwhelmed by the number of testing tools in use. Further, 26% of organizations say their collective application security tools are adding friction to their development processes, impeding development velocity.”

Disconnected security activities increase risk

Other problems generated by excessive and poorly coordinated tools include:

  • Poorly aligned risk models. This means applying a “one size fits all” policy to application changes, which can result in developers wasting time fixing low-risk code issues while not spending enough on those that are high-risk.
  • Disconnected security activities. While automated tools are good at spotting code and configuration vulnerabilities, they don’t do well with architectural flaws. Most organizations use manual tests to fill that gap, including threat modeling, code reviews, and penetration testing. But in too many cases, those activities aren’t aligned with risk policies and aren’t coordinated with findings from automated tools.

In fact, 81% of organizations say they have had their applications exploited, and 60% report that their applications were exploited by OWASP Top 10 vulnerabilities in the previous year.

Intelligent Orchestration and correlation can help

Those are the problems Intelligent Orchestration can help solve. It establishes a separate CI/CD pipeline that runs in parallel with the development pipeline and connects to it via a few API calls. Security analysis results are automatically merged into the development pipeline, so prioritized vulnerability information is delivered directly to the right teams. Intelligent Orchestration quickly determines when to run a specific security test scan and when not to, based on actual code changes, a dynamically calculated total risk score, and the predetermined security policies of each organization.

CodeDx by Synopsys aggregates, deduplicates (removes redundant issues), and correlates the output from multiple forms of application security testing—including static, dynamic, and interactive analysis, as well as software composition analysis, which finds defects and potential licensing conflicts in open source software components. It can also correlate findings from manual tests such as threat modeling and penetration testing.

Security teams and development leads can specify that only critical or high-risk vulnerabilities are sent to development teams for remediation, so as not to overwhelm them with insignificant defects. Our machine learning technology filters out results that are likely to be false positives based on each organization’s own triage decisions for similar findings, which saves valuable time and resources.
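As an added illustration (this is not Synopsys’ code and does not describe how Intelligent Orchestration or CodeDx are implemented), the Python sketch below models the two mechanisms described above: a risk-based policy that decides which scans a code change should trigger, and a correlation step that merges duplicate findings from several tools and forwards only high or critical ones. The policy rules, the risk formula, the sensitive-path list and the sample findings are all constructed for the example.

```python
from collections import namedtuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy (not Synopsys' rules): a scan runs only when the change touches
# paths it covers AND the change's risk score clears the scan's threshold.
POLICY = {
    "sast":      {"paths": (".py", ".java", ".js"), "min_risk": 0},
    "sca":       {"paths": ("requirements.txt", "package.json", "pom.xml"), "min_risk": 0},
    "container": {"paths": ("Dockerfile",), "min_risk": 0},
    "dast":      {"paths": (".py", ".java", ".js"), "min_risk": 5},  # slow; high-risk changes only
}
SENSITIVE_PREFIXES = ("src/auth/", "src/payments/")  # constructed policy input

def risk_score(changed_files):
    """Constructed risk model: 1 point per changed file, +3 for each file under a sensitive path."""
    return sum(1 + (3 if f.startswith(SENSITIVE_PREFIXES) else 0) for f in changed_files)

def select_scans(changed_files, policy=POLICY):
    """Return the scans a change should trigger; a change touching nothing a scan covers triggers none."""
    score = risk_score(changed_files)
    return sorted(scan for scan, rule in policy.items()
                  if score >= rule["min_risk"]
                  and any(f.endswith(rule["paths"]) for f in changed_files))

# One normalized finding as a correlation tool would ingest it from any scanner.
Finding = namedtuple("Finding", "tool file line cwe severity")

def correlate(findings, min_severity="high"):
    """Merge findings that report the same location and weakness (deduplication across tools and
    re-scans), keep the highest severity seen, then drop everything below min_severity."""
    merged = {}
    for f in findings:
        key = (f.file, f.line, f.cwe)
        sev, tools = merged.get(key, ("low", frozenset()))
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[sev]:
            sev = f.severity
        merged[key] = (sev, tools | {f.tool})
    return {k: v for k, v in merged.items() if SEVERITY_RANK[v[0]] >= SEVERITY_RANK[min_severity]}

SAMPLE_FINDINGS = [  # constructed output from three tools
    Finding("sast", "src/auth/login.py", 42, "CWE-89", "high"),
    Finding("dast", "src/auth/login.py", 42, "CWE-89", "critical"),  # same flaw, confirmed at runtime
    Finding("sast", "src/auth/login.py", 42, "CWE-89", "high"),      # duplicate from a re-scan
    Finding("sca", "requirements.txt", 1, "CWE-1104", "medium"),
    Finding("sast", "src/util/fmt.py", 7, "CWE-20", "low"),
]
```

With the sample data, a change to `src/auth/login.py` and `requirements.txt` scores 5 and triggers SAST, SCA and DAST, a change to `README.md` triggers nothing, and the five raw findings collapse to a single critical item attributed to both SAST and DAST.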

In short, Intelligent Orchestration and correlation let security teams focus on what’s important: high-risk vulnerabilities. Which means it gives developers what they need—security that won’t slow them down. And that lets them achieve the goal of all good development teams: Building secure, high-quality software faster.

Taylor Armerding, security advocate, Synopsys 
