Improve DevSecOps efficiency and effectiveness
By Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center (CyRC)
For years I've heard customers complain that they're overwhelmed with security findings. From their perspective, those findings waste their time, either because they're simply false or because they're so exotic as to be unreachable. Missing from that analysis is the reality that one person's definition of "false" can be quite different from another's. Context matters, and when the team creating the code and the team operating the code both work for the same employer, you'd think there would be a clear, shared definition of how best to triage findings.
The problem is that triage criteria are a point-in-time decision. If a regulation changes, or a new attack pattern starts targeting your business, those triage criteria can, and do, become outdated. A better model is to focus on continuous improvement, but even then there is the question of what "improved" means.
Each of these observations stems from the reality that when faced with a large quantity of findings, finding the starting point can be daunting. While some of the blame can be levelled at tools that seek to identify every possible issue, the reality is that you do want to know every weakness in your software; you just don't need to know about all of them all the time.
Think of it this way: if you know about an issue, and have mitigations in place to protect against it, is it still an issue? The only way to confirm that the mitigations are effective is to test them. Tooling can help with some of this, but without a solid understanding of the threats the application might face, tooling alone can't confirm that the mitigations are sufficient. After all, it's entirely possible that the mitigation itself logs its actions in a way that enables another attack pattern, for example by writing blocked attacker input verbatim into a log that a downstream system parses.
Solving both of these problems requires a different approach. It starts by using automation to correlate the results of multiple tools with deployment context: which component a finding lives in, whether that component is reachable, and which mitigations actually cover it. That correlated view, in turn, lets operations teams work out how to configure their systems to detect when an application isn't behaving properly. It is this knowledge transfer that allows teams to move from a mountain of findings towards continuous improvement, and ultimately to a more secure deployment. This is part of a new generation of security capabilities known as Application Security Orchestration and Correlation (ASOC), geared towards improving DevSecOps efficiency.
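To make the correlation step concrete, here is an added example (not Synopsys tooling or code from the article) of the core logic an ASOC pipeline runs: findings from several scanners, normalised to one shape, are grouped so that one weakness reported by two tools becomes one item, then scored against deployment context supplied by the operations team. The finding records, the context records, the field names and the scoring weights are all constructed for this illustration. Two details reflect points made above: the policy is kept as versioned data so the whole backlog is re-scored when the criteria change, and only a mitigation that has actually been verified lowers an item's priority, while an unverified one turns the item into a "verify the mitigation" task.

```python
"""Correlate output from several scanners with deployment context.

Added example, not Synopsys code. The finding records, the context
records, their field names and the policy weights are constructed
for this illustration.
"""
from collections import defaultdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Triage criteria kept as versioned data rather than hard-coded rules:
# when a regulation or attack pattern changes, bump the version and
# re-run, instead of carrying old point-in-time decisions forward.
POLICY = {
    "version": "2024-01",
    "corroboration_bonus": 1,        # two tools agree on one weakness
    "internet_bonus": 1,             # component is reachable from the internet
    "verified_mitigation_credit": 2, # a tested control lowers priority
}

# Constructed sample findings from three hypothetical tools, already
# normalised to one record shape (real tools would emit SARIF/CycloneDX).
FINDINGS = [
    {"tool": "sast", "cwe": "CWE-89", "component": "api",
     "location": "orders.py:42", "severity": "high"},
    {"tool": "dast", "cwe": "CWE-89", "component": "api",
     "location": "/orders?id=", "severity": "high"},
    {"tool": "sca", "cwe": "CWE-502", "component": "batch",
     "location": "pickle-lib@1.2", "severity": "critical"},
    {"tool": "sast", "cwe": "CWE-79", "component": "admin",
     "location": "views.py:10", "severity": "medium"},
]

# Constructed deployment context from the operations side: where each
# component is exposed and which controls claim to cover which weakness.
CONTEXT = {
    "api": {"exposure": "internet",
            "mitigations": {"CWE-89": {"control": "waf-sqli", "verified": True}}},
    "batch": {"exposure": "internal", "mitigations": {}},
    "admin": {"exposure": "internet",
              "mitigations": {"CWE-79": {"control": "csp", "verified": False}}},
}


def correlate(findings, context, policy=POLICY):
    """Group findings by (component, CWE), then score each group with
    deployment context. Returns items sorted highest priority first."""
    groups = defaultdict(list)
    for finding in findings:
        groups[(finding["component"], finding["cwe"])].append(finding)

    items = []
    for (component, cwe), hits in groups.items():
        ctx = context.get(component, {"exposure": "unknown", "mitigations": {}})
        tools = sorted({h["tool"] for h in hits})
        score = max(SEVERITY_RANK[h["severity"]] for h in hits)

        # Independent tools agreeing raises confidence it is a true positive.
        if len(tools) > 1:
            score += policy["corroboration_bonus"]
        if ctx["exposure"] == "internet":
            score += policy["internet_bonus"]

        mitigation = ctx["mitigations"].get(cwe)
        if mitigation is None:
            action = "fix"
        elif mitigation["verified"]:
            # Tested control in place: lower priority, but ops keeps
            # watching that control's logs for the attack it blocks.
            score -= policy["verified_mitigation_credit"]
            action = "monitor"
        else:
            # A claimed but untested mitigation earns no credit.
            action = "verify-mitigation"

        items.append({
            "component": component, "cwe": cwe, "tools": tools,
            "locations": [h["location"] for h in hits],
            "score": score, "action": action,
            "watch": mitigation["control"] if mitigation else None,
            "policy": policy["version"],
        })

    return sorted(items, key=lambda item: -item["score"])


if __name__ == "__main__":
    for item in correlate(FINDINGS, CONTEXT):
        print(f'{item["score"]}  {item["action"]:<18} {item["component"]:<6} '
              f'{item["cwe"]:<8} via {",".join(item["tools"])}'
              + (f'  watch={item["watch"]}' if item["watch"] else ""))
```

Run as-is, the output puts the internal deserialisation issue first (critical, no mitigation), drops the SQL injection seen by both SAST and DAST to a "monitor" item because a verified WAF rule covers it, and turns the XSS finding into a task to test the CSP that supposedly mitigates it. The `watch` field is the hand-off to operations: it names the control whose logs should be wired into detection for that component.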