
DevOps requires a modern approach to application security

Time to market is a key indicator today of business success, and anything that impedes a business’ ability to move fast needs to be addressed. While there have been a number of efforts to automate security testing and integrate it into the application development process, it continues to be a hindrance to many organizations.

Organizations are still unable to detect and address security issues fast enough because traditional approaches to security testing and existing tools were not made with speed, automation and continuous integration (CI) pipelines in mind.

According to Patrick Carey, senior director of market analysis and strategy of the Software Integrity Group at Synopsys, application security is often defined by siloed solutions: static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST). But these silos conflict with the way developers build, test and fix software. “They don’t care which analysis techniques are used. They just want to quickly identify the issues that pose the highest risk,” Carey said.

Application security testing needs to not only happen earlier in the application life cycle, it needs to be executed more intelligently. “As development, security, and operations converge we see these silos being knocked down, with security testing being delivered as an intelligent, integrated system of services that knows which tests to run when, and can identify the highest priority issues,” said Carey.    

The next generation of application security test automation

As software development has picked up speed, organizations have deployed automation to keep up, but many are having trouble working out the security testing aspect of it. Current application security testing tools tend to scan everything all the time, overwhelming and overloading teams with too much information.

If you look at all the tools within a CI pipeline, they come from multiple vendors and include open-source tools; each works on its own, yet they run together in an automated fashion and integrate with other systems such as ticketing tools. “Application security really needs to make that shift in the same manner to be more fine-grained, more service-oriented, more modular and more automated,” said Carey.

Intelligent orchestration and correlation is a new approach to managing security tests that reduces the overwhelming amount of information and lets developers focus on what really matters: the application. While orchestration and correlation solutions are not uncommon on the IT operations side for things like network security and runtime security, they are just beginning to cross into the application development and security side of things, Carey explained.

He went on to say that orchestration and correlation can greatly improve application security testing in two ways. First, it can enable teams to be more efficient about the way they use the tools available. “Orchestration and correlation can be the brains behind the system. It can determine which tool to run when and how, so that you’re only running the specific security tests you need when they’re needed,” he said.

Secondly, it can sort through and deduplicate findings from all the tests, remove the lower priority issues and surface the ones that need to be quickly addressed due to the business risks they pose. “This is important when you’re in a DevOps model where teams are releasing not every six months or every year, but multiple times per day. It’s about continuous incremental improvement. By keeping the teams focused on the higher priority risks, they can make that continuous improvement over time. It allows the teams to actually maintain velocity without compromising security because they are actually focusing on what matters,” he said. 

Expanding on intelligent orchestration and correlation

To add to its intelligent orchestration and correlation initiative, Synopsys recently announced it acquired the application security orchestration and correlation solution Code Dx. According to the company, Code Dx complements the Intelligent Orchestration solution released last year. Intelligent Orchestration simplifies and streamlines security testing in CI pipelines by determining and initiating the appropriate tests to run based on predefined policies, application risk profiles, and code changes.

Code Dx will extend the company’s vision, enabling teams to aggregate and correlate security test results from a wide range of Synopsys, third-party and open-source tools, so they can focus remediation efforts on the security issues that carry the greatest business risk.
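The two mechanisms the article describes, a policy that decides which analyses a change set triggers and a correlation step that deduplicates findings across tools and ranks them by risk, can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not Synopsys code and does not reflect how Intelligent Orchestration or Code Dx are built. The policy rules, tool names, severity scale and finding records are all constructed for the demonstration.

```python
"""Toy orchestration and correlation stage for a CI security pipeline.

Added example, not Synopsys's Intelligent Orchestration or Code Dx.
Everything below (policy, tool names, sample findings) is constructed.
"""
import fnmatch
import os

# Orchestration policy (constructed): file patterns that justify running each analysis.
# A pattern without a '/' is matched against the file's basename as well as its path.
POLICY = {
    "sast": ["*.py", "*.java", "*.go", "*.js"],
    "sca": ["requirements*.txt", "package.json", "package-lock.json", "go.mod", "pom.xml"],
    "iac": ["*.tf", "Dockerfile", "k8s/*.yaml"],
    "secrets": ["*"],  # cheap, so it runs on every change
}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def _matches(path, pattern):
    return fnmatch.fnmatch(path, pattern) or fnmatch.fnmatch(os.path.basename(path), pattern)


def select_tests(changed_files, policy=POLICY, risk_profile="standard"):
    """Return the set of analyses a change set should trigger.

    Only tools whose patterns match a changed file are selected, so a docs-only
    commit does not pay for a full SAST run. An application flagged "high" in its
    risk profile (e.g. internet-facing, handles PII) additionally gets DAST on
    every change, regardless of what was touched.
    """
    selected = {
        tool for tool, patterns in policy.items()
        if any(_matches(f, p) for f in changed_files for p in patterns)
    }
    if risk_profile == "high":
        selected.add("dast")
    return selected


def correlate(findings, min_severity="medium"):
    """Deduplicate findings from several tools and rank them by risk.

    Two findings are treated as the same issue when they point at the same file,
    line and weakness (CWE). The merged record keeps the highest severity any tool
    reported and the list of tools that agreed; agreement between independent
    analyzers is used as a confidence signal when breaking severity ties.
    Issues below ``min_severity`` are dropped from the developer-facing list.
    """
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], f["cwe"])
        rec = merged.get(key)
        if rec is None:
            rec = {k: v for k, v in f.items() if k != "tool"}
            rec["tools"] = []
            merged[key] = rec
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[rec["severity"]]:
            rec["severity"] = f["severity"]
        if f["tool"] not in rec["tools"]:
            rec["tools"].append(f["tool"])

    floor = SEVERITY_RANK[min_severity]
    kept = [r for r in merged.values() if SEVERITY_RANK[r["severity"]] >= floor]
    kept.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], -len(r["tools"]), r["file"], r["line"]))
    return kept


# Constructed sample output from three hypothetical scanners on one change set.
SAMPLE_FINDINGS = [
    {"tool": "sast-a", "file": "app/db.py", "line": 42, "cwe": "CWE-89", "severity": "high"},
    {"tool": "sast-b", "file": "app/db.py", "line": 42, "cwe": "CWE-89", "severity": "critical"},
    {"tool": "sca", "file": "requirements.txt", "line": 3, "cwe": "CWE-1104", "severity": "high"},
    {"tool": "sast-a", "file": "app/views.py", "line": 10, "cwe": "CWE-79", "severity": "medium"},
    {"tool": "sast-b", "file": "app/util.py", "line": 7, "cwe": "CWE-563", "severity": "low"},
    {"tool": "sast-a", "file": "app/util.py", "line": 7, "cwe": "CWE-563", "severity": "info"},
]

if __name__ == "__main__":
    print("run:", sorted(select_tests(["app/db.py", "requirements.txt"])))
    for issue in correlate(SAMPLE_FINDINGS):
        print(issue["severity"], issue["file"], issue["line"], issue["cwe"], issue["tools"])
```

Run on the sample data, the planner selects only SAST, SCA and the secrets scan for a commit touching a Python file and a requirements file, and the correlation step collapses six raw findings into three, merging the two SQL injection reports on `app/db.py` into a single critical issue confirmed by both analyzers and dropping the low/info unused-variable noise entirely. The severity floor and the CWE-based dedup key are the knobs a team would tune to its own risk profile.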

“If you can remove friction from the pipeline, and you can stop burying teams with findings, that is really what’s going to be central to being able to realize the vision of DevSecOps where development, security and operations work together in a harmonious fast-paced flow,” said Carey. “We’re really getting to the point where these traditional testing tool silos are going to struggle to keep pace with the way development is working today. What you’ll be seeing from us now that Code Dx is part of our portfolio is continuous movement towards a much more integrated, modular, and risk-based way of delivering application security.”

“We believe that application security isn’t about testing to oblivion and finding as many vulnerabilities as possible. It’s about understanding and managing application risk proactively, and doing so in a way that doesn’t impede development velocity and agility.”

Learn more at https://www.synopsys.com 

Content provided by SD Times and Synopsys

The post DevOps requires a modern approach to application security appeared first on SD Times.



from SD Times https://ift.tt/3dd0HCq
