Unleashing Speed & Security: The Power of AppSec Integrations in Modern Development
by Charlotte Freeman, Software Security Advocate Synopsys Software Integrity Group
Whether you’re building software, selling it, or using it to run your business, in today’s fully digitised environment, every business is, necessarily, a software business. And to keep your business running at the speed today’s competitive environment requires, you increasingly depend on technology.
Technologies like cloud computing, continuous integration/continuous deployment (CI/CD), microservices, and APIs enable speed and agility in application development, but they also make it more complex. More development means more projects, and more pressure to accelerate releases to get revenue-generating software out to your customers. More development also means more pressure to speed up the release cycles of the internal software you rely on to handle sensitive information.
Compounding this challenge is the growing complexity of the development, software supply chains, and DevOps pipelines your business relies on to get this work done at velocity. When trying to achieve high velocity and throughput, the fact that different development teams choose different tools, setups, and methods can greatly increase that complexity. Incorporating application security (AppSec) into these complex workflows can be challenging, and development teams may choose to disregard security in order to retain their pace.
In short, the central challenge of today’s accelerated digitised business environment is how to keep development moving at speed while making sure that development is secure.
Extract Risk Information to Deliver Security Insight
AppSec integrations can help keep development secure at the speed your business requires. They make it possible to extract valuable security information at different stages in your development pipeline, and they deliver risk insight directly to developers at those points. That makes it possible for developers to mitigate them quickly without derailing workflows.
These automated processes accelerate risk detection, prioritisation, and remediation while preventing issues from proliferating downstream, all without risking missing a software shipping deadline. AppSec integrations make it possible for your static application security testing (SAST), software composition analysis (SCA), interactive application security testing (IAST), and dynamic application security testing (DAST) tools to capture and extract data from multiple sources, including development tools, code and binary repositories, version control systems, build systems, testing environments, and production environments. Integrations also allow organisations to run the right tests at the right time, and at the right depth, so security teams are not constrained to a single tool or testing protocol at a time. Rather, relevant tests run at various stages of the DevOps pipeline mitigate pipeline congestion.
Establish Automated Security Gates
Having the option to deliver risk information in this way allows organisations to establish automated security gates based on policies aligned to the organisation’s risk tolerance thresholds. Development teams work with security teams to automate security across the software development life cycle (SDLC), accelerating risk detection and prioritisation, and preventing issues from proliferating downstream.
Because different security testing tools often have distinct capabilities and integration points, it is important to know which mechanisms each tool’s policies can support (e.g., testing based on pipeline activity, code changes, or risk metrics) and what automated action may be taken upon violation of such a policy (e.g., notification flows, break the build, automate patching). Many SAST, SCA, and IAST solutions can set policies that enforce risk tolerance thresholds or activities required for compliance.
From development through production, these policies must be integrated with the tools and systems used by each contributor. It’s also crucial to avoid creating regulations that are too permissive to be effective or produce obtrusive noise and alarms or are so restrictive that they apply to an irrelevantly small sample set of applications. Policies need to be aligned with each team’s success criteria while being centrally supervised by the security team to prevent any drift over time. Often, using a SaaS-based application security testing platform can allow centralised visibility and control over policies and risks across the full spectrum of projects and tests.
Automate for a More Secure SDLC
Automation can also help remove the subjectivity from security. You don’t want your security risk status to depend on an individual contributor’s subjective assessment of risk or vulnerability—those assessments should be standardised. Automating your systems makes your security more resilient in the face of inevitable changes in personnel, roles, and teams. By automating security policies, integrations free your security teams to solve larger systemic issues while ensuring that security checks will be taking place even when the team is unable to watch for events or review flagged items.
Integrating testing tools, developing contextual regulations, and automating remediation procedures are the best mechanisms for balancing efficacy and efficiency for security and DevOps teams. The success of these DevSecOps initiatives depends on centralising high-quality risk data, maintaining thorough testing coverage suited for the software flowing through the pipeline, and building a scalable strategy.