Automation is a key component of the secure DevOps, or DevSecOps, approach. Automation is how organizations establish security gates, and it can be used to prioritize findings and triage their remediation response. In 2022, Synopsys commissioned the SANS Institute to examine how improvements in security posture and operational effectiveness can be achieved by aligning development, security, and operations teams around the cultural ideals, practices, and tools of secure DevOps.
In this blog series, we’ve examined what the 2022 SANS DevSecOps Survey can teach us about how implementing DevSecOps practices can help organizations institute secure coding without sacrificing development velocity, establish policies and testing to automate security, and help those involved with triage and remediation work more efficiently.
In this blog post, let’s look at the lessons we can draw from the SANS study about using automation and integrations to ensure that prioritization and triage lead to rapid remediation. Prioritization means implementing automation on the front end to detect the vulnerabilities you’ve identified as important to your business needs, whereas triage means implementing automation on the back end to alert project owners, development engineers, or security personnel who can remediate vulnerabilities in a timely manner.
Automation is a core topic of the SANS survey, and respondents from all industry sectors noted that it is increasing in importance as delivery cadence continues to increase. Findings from the report conclude that 32% of respondents deliver system changes to production daily or on a continuous basis, while 61% deliver multiple times a week. This is a lot of code moving at very high velocity, and SANS report respondents noted that, as the ratio of developers to security engineers increases, automating security testing in the CI/CD pipeline is the only way to evaluate every one of these code pushes for security flaws.
Automation is the only way forward if DevSecOps is to keep pace with the speed of development and of business, and 83.3% of those queried by the SANS report said that they have built automation to handle these needs. And because security continues to be “pushed left” in the SDLC, the responsibility for detecting and fixing security defects is increasingly falling on developers. This means that developers are having an ever-increasing impact on security.
Organizations need to build efficient automated workflows into the systems developers are already using. Most developers already have advanced issue tracking that can be used for this purpose, but when over 30% of respondents report that they are pushing daily or continuously, security issue detection needs to be automated and enforced by AppSec policies set by security teams. Even better, automated workflows should notify developers as soon as possible about issues that require fixing, including while they’re writing code and at commit time. For the 80% of respondents who are already working with automated builds, static analysis remains a highly effective security tool that can be run automatically at scale in the native pipeline or in a parallel pipeline for computationally intensive activities.
Respondents also reported needing repositories where the triage history for unknown vulnerability detection can be kept and merged to prevent breaking builds or to prevent sending “noisy” alerts for false positives or known issues. This triage history needs to be available in the tools that developers are using as they code.
At its core, automated policy is a system of record for communicating the security requirements, operational goals, and regulatory compliance needs that affect your project and business. Setting policy is how a small group like a security team can communicate effectively with the C-suite, program owners, or developers at scale and across a complex set of security issues. Since each of these teams has a different role and may prioritize issues differently, automated policies make it possible to engender best practices even when a contributing party isn’t present or able to participate in the project or sprint. Policy violations then become a way to communicate to stakeholders that an aspect of the project or workflow has a problem, and alert them that action needs to be taken.
Automating policy-as-code allows security engineers to define the issues the organization should care about, and prioritize how and when they should be fixed. This means that developers responsible for fixing issues don’t waste time figuring out what to fix and when. They can just get to work.
By automating policy enforcement, organizations can
Automating policy enforcement is how you manage the insight you get from all the tests and tools you are using. An insight management tool normalizes and correlates findings so you can prioritize your efforts to have the greatest efficacy.
With automated testing comes automated findings—a lot of automated findings. The trick to running an effective DevSecOps program is to find a way not to drown your developers in the sheer volume of those findings. By using tools that can help to sort, prioritize, and triage automated test results, you can ensure that your developers will surf along the crest of all that information, making the most of the operational velocity you’ve built into your workflows and pipelines.
The first challenge is to prioritize your findings by ranking them against whatever criteria work for your organization. Prioritization criteria can include items as varied as
Testing may be automated, but priority is determined by what matters most to your business. Once you’ve determined your business priorities, you can turn once again to automation to enforce the policies you’ve created to manage your activities and risk tolerance before and after scans.
The next challenge of managing testing results without slowing down business velocity is to determine how to triage the prioritized set of automated security findings your policies have returned. While it may be impossible to address all issues in the list even after prioritizing them, you can still categorize which issues to fix depending on your time horizon, risk tolerance, and other organizational or operational factors. Setting your triage policies is key to allowing your developers to surf the surge of findings, instead of being swamped by them.
Once you have prioritization and triage policies in place, your developers can approach remediation using the steps we’re all familiar with: going back to dev, automatically opening a ticket in the issue management system, sending automated notifications of new issues to fix, highlighting policy failures and prioritized risks within the IDE, etc. The difference is that automation allows you to accelerate this process without burning out your developers.
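As an added example (not code from the original post, and not a Black Duck or Synopsys tool), here is a small policy-as-code engine in Python that ties together the steps described above: it normalizes and merges findings from multiple scanners by fingerprint, suppresses findings whose triage history already marks them as false positives or accepted risk (so they neither re-alert developers nor break the build), scores the rest against business-driven prioritization criteria, sorts them into triage buckets, and returns a CI gate decision plus ticket payloads for the items that need immediate work. The scanner names, field names, weights, thresholds, and sample findings are all constructed assumptions.

```python
# Policy-as-code prioritisation, triage and gating over scanner findings.
# Added example; not Black Duck or Synopsys code. Scanner names, field names,
# weights, thresholds and the sample findings are constructed for illustration.
from hashlib import sha256

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Policy owned by the security team: business-driven weights and thresholds.
POLICY = {
    "weights": {"in_prod": 15, "exploit_known": 25},  # added on top of severity * 20
    "fix_now_at_or_above": 80,
    "fix_this_sprint_at_or_above": 40,
    "block_build_at_or_above": 80,
}

# Constructed findings, already mapped into one common schema from two SAST
# tools and one SCA tool; note the same SQL injection is reported twice.
SAMPLE_FINDINGS = [
    {"tool": "sast-a", "rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42, "in_prod": True, "exploit_known": False},
    {"tool": "sast-b", "rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42, "in_prod": True, "exploit_known": False},
    {"tool": "sca", "rule": "CVE-PLACEHOLDER-1", "severity": "critical", "file": "requirements.txt", "line": 7, "in_prod": True, "exploit_known": True},
    {"tool": "sast-a", "rule": "weak-hash", "severity": "medium", "file": "tools/checksum.py", "line": 10, "in_prod": False, "exploit_known": False},
    {"tool": "sast-a", "rule": "debug-enabled", "severity": "low", "file": "app/settings.py", "line": 3, "in_prod": True, "exploit_known": False},
]


def fingerprint(f):
    """Tool-independent identity so duplicates merge and triage history sticks."""
    return sha256(f"{f['rule']}|{f['file']}|{f['line']}".encode()).hexdigest()[:16]


# Constructed triage history: a reviewer already dispositioned the weak-hash
# finding as a false positive, so it must not re-alert or break the build.
TRIAGE_HISTORY = {fingerprint(SAMPLE_FINDINGS[3]): "false_positive"}


def normalize(findings):
    """Merge findings by fingerprint, keeping the highest severity and every reporting tool."""
    merged = {}
    for f in findings:
        fp = fingerprint(f)
        if fp in merged:
            m = merged[fp]
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[m["severity"]]:
                m["severity"] = f["severity"]
            m["tools"].add(f["tool"])
        else:
            m = {k: v for k, v in f.items() if k != "tool"}
            m["tools"] = {f["tool"]}
            m["fingerprint"] = fp
            merged[fp] = m
    return list(merged.values())


def score(f, policy):
    """Prioritisation: scanner severity adjusted by what matters to the business."""
    s = SEVERITY_RANK[f["severity"]] * 20
    for flag, weight in policy["weights"].items():
        if f.get(flag):
            s += weight
    return min(s, 100)


def triage(findings, history, policy):
    """Sort findings into buckets; suppressed items keep their recorded disposition."""
    buckets = {"fix_now": [], "fix_this_sprint": [], "backlog": [], "suppressed": []}
    for f in findings:
        disposition = history.get(f["fingerprint"])
        if disposition in ("false_positive", "accepted_risk"):
            f["disposition"] = disposition
            buckets["suppressed"].append(f)
            continue
        f["score"] = score(f, policy)
        if f["score"] >= policy["fix_now_at_or_above"]:
            buckets["fix_now"].append(f)
        elif f["score"] >= policy["fix_this_sprint_at_or_above"]:
            buckets["fix_this_sprint"].append(f)
        else:
            buckets["backlog"].append(f)
    for name in ("fix_now", "fix_this_sprint", "backlog"):
        buckets[name].sort(key=lambda x: -x["score"])  # highest priority first
    return buckets


def to_ticket(f):
    """Payload an integration would post to the issue tracker for one finding."""
    return {"title": f"[{f['severity'].upper()}] {f['rule']} in {f['file']}:{f['line']}",
            "priority": f["score"], "sources": sorted(f["tools"]), "fingerprint": f["fingerprint"]}


def run_policy(findings, history, policy):
    """One pipeline step: normalize -> triage -> gate decision -> tickets for fix-now items."""
    buckets = triage(normalize(findings), history, policy)
    blocking = [f for f in buckets["fix_now"] if f["score"] >= policy["block_build_at_or_above"]]
    return {"gate": "FAIL" if blocking else "PASS", "buckets": buckets,
            "tickets": [to_ticket(f) for f in buckets["fix_now"]]}
```

Running `run_policy(SAMPLE_FINDINGS, TRIAGE_HISTORY, POLICY)` merges the two SQL injection reports into one critical finding, suppresses the weak-hash false positive, pushes the two critical items into `fix_now` (and therefore fails the gate), and parks the low-severity debug flag in the backlog. Changing only `POLICY` (for example, raising `block_build_at_or_above` for a non-production branch) changes the gate and bucket outcomes without touching the scanners, which is the point of keeping policy separate from testing.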
Black Duck has a suite of tools to automate this process, from prioritization to triage to remediation, and they integrate with the tools your teams are already using. Black Duck tools include
The 2022 SANS DevSecOps survey makes clear the need for automation and policies for application security. Intelligent, policy-driven DevSecOps means defining policies that run the right tests at the right time. By collecting risk insight that’s automatically verified and cleansed, you can make sure you’re sending only the most impactful priorities to development teams for remediation. By investing in making your developers more security-aware and more security-capable, you’re ensuring that the DevOps loop itself becomes more secure over time. Successful DevSecOps means securing your code at the ever-increasing speeds that business needs, and Black Duck can help you do that.