One certainty when it comes to Application Security (AppSec) is that automation must be involved. The scale of vulnerabilities is simply too dynamic and expansive for humans to keep up with. This is especially true when coupled with the cybersecurity workforce challenges we have previously discussed, where security professionals are often vastly outnumbered by their development peers, with some studies of large organizations projecting disparities as high as 100:1.
AppSec Tool Categories
The modern DevSecOps stack often consists of robust cybersecurity tooling, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), secrets scanning, attack surface reduction tooling, antivirus, and increasingly SBOM generation and scanning, to name just a subset of common AppSec tooling categories. We’re even seeing traditionally manual tests, such as penetration testing, increasingly making the shift towards automation, with innovative industry leaders such as Horizon3.ai.
The idea of conducting these scans, reviews, and reporting manually is simply unrealistic for any organization, especially those interested in achieving Continuous Delivery or Continuous Deployment. Couple this with the push to “shift security left” and we’re seeing increased security testing earlier in the Software Development Lifecycle (SDLC). That said, this push needs to come with an approach that minimizes friction in development. Otherwise, it will impede the delivery of business value to customers and organizational stakeholders.
Security Activities Aren’t All Easy to Automate
While many of these tool categories can be automated to some extent when it comes to scanning, it is the follow-on activities of analysis, mitigation, and remediation that aren’t so simple to automate. These activities often involve human analysis to determine the true severity of a vulnerability, its exploitability, and how it aligns with the organization’s defined risk tolerance, if one has been defined.
Another challenge for many organizations is the aggregation of the vulnerabilities identified by this myriad of tools. Organizations often struggle to bring together the findings from these bespoke toolchains into a single view.
That said, organizations are increasingly making headway towards security automation when it comes to AppSec tool scanning activities. We’re seeing robust platforms, such as GitLab, which dubs itself “the one DevOps Platform” with a focus on facilitating the shipping of code from planning to production, in a secure and streamlined manner.
A Different Approach to Application Security
Other attempts to streamline and automate application security activities, outside of tool unification, include leaders such as Snyk, which takes a developer-centric approach to application security. Snyk strives to help developers not only identify vulnerabilities in their code, containers, and dependencies, but also to automate the remediation of those vulnerabilities.
This approach makes sense, given developers are often assessed on their productivity. This often involves the ability to get code and value to production faster to respond to either market pressures and demands or mission dynamics in high assurance environments, such as the Department of Defense (DoD).
It is also worth noting that the ability to quickly deliver code to production without disruption isn’t tied only to business application focus areas but also to actual vulnerability remediation and risk reduction: studies indicate that high-performing teams that can ship code to production faster are also more stable and secure.
This presents a dichotomy of competing pressures. On one side is the risk of failing to deliver code to production quickly; on the other is the risk of ignoring or failing to address potentially critical vulnerabilities that can be exploited by malicious actors, which damages customer relationships, generates regulatory ramifications, or worse, potentially puts lives in jeopardy.
Final Thoughts on AppSec
While there’s no panacea when it comes to AppSec automation, one thing is certain: organizations are steadfast in their pursuit of time to value, facilitated by automated security testing, with the intent of minimizing friction on the business or mission while driving down organizational security risk. However, this is a delicate dance with no simple solution, and one that organizations will continue to struggle with for the foreseeable future.