Product development has always evolved in response to growing business needs. DevOps was born out of the need to improve speed to market. However, most product teams are unable to realize the full potential of DevOps adoption because they take a myopic and compartmentalized view of its constituent practices. I'm talking in particular about the throttling of product releases by traditional application security and the corresponding indifference shown by product teams. Most product teams do not even recognize delays stemming from application security testing as a problem, because they are unaware that any solution exists.
The Problem of Too Many
Application Security (AppSec) practice today has unfortunately been reduced to security gates placed at strategic points in the software development pipeline. These gates take the form of manual penetration tests, automated SAST runs on newly added source code, or automated DAST assessments. Any attempt to improve the security testing process then translates into more frequent testing, which is anything but productive, because the dominant problem in today's security testing process is vulnerability remediation, not vulnerability discovery. Most Application Security Testing (AST) tools are good at amplifying vulnerability detection but offer very little in the way of actionable remediation, and the sheer volume of data they generate during scanning compounds the problem.
A robust vulnerability management program is therefore necessary to ensure that releases are secure without delaying them. At the heart of such a program is the need to consolidate large vulnerability data sets from multiple tools into a short list of actionable items.
This is the raison d'être of an Application Vulnerability Correlation (AVC) platform. Its primary function is to correlate scan results obtained from multiple sources during application security testing, automated or otherwise. These platforms typically integrate with commonly used open source and commercial DAST, SAST and SCA tools to consume their scan results, and usually also accept manually entered findings from penetration tests and code reviews. A few platforms additionally provide scanner orchestration, letting security and DevOps engineers design scanning workflows and extend what the scanners do on their own.
The Noise Cancellation Device that is AVC
As stated earlier, vulnerability management and remediation are equally critical to an AppSec program. An AVC platform lets an organization understand the true state of its vulnerabilities beyond an Open or Closed status: it lets the team appreciate the risk each flaw poses to the application, and therefore its real impact on the organization. With this, development teams are better equipped to prioritize remediation in a way that no longer depends purely on the severity score a scanner assigns. AVC platforms such as Orchestron adjust the default severity scores that tools assign based on additional intelligence about the application.
As scans are consumed by an AVC platform, it consolidates all the findings, deduplicates them, and records detailed information for each class of vulnerability present (severity, CWE ID, remediation advisory). Ideally all of this is displayed cohesively on a single, easy to understand dashboard, and it can also be exported as customized reports.
AVC platforms aim to cover a wide portfolio of testing and assessment tools so that they can offer a more comprehensive view of application security. To that end they also integrate with CI/CD and bug tracking tools: security testing data produced in the pipeline is imported into the platform for analysis and consolidation, and once consolidated it can be synced back to the bug tracker, where development teams can more easily access and act on it. An ideal AVC platform prioritizes vulnerabilities by analyzing the severity of each one in context, which is essential for assessing the risk a given vulnerability poses to the application.
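The three steps described above (consolidate and deduplicate findings from several scanners, re-prioritize them with context the scanners lack, and emit bug-tracker-ready records) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from Orchestron or any other AVC product. The scanner output, the file-to-route mapping and the asset context are all constructed sample data in an assumed common schema, and the adjustment rules are illustrative.

```python
import hashlib
from dataclasses import dataclass, field

SEVERITY = ["info", "low", "medium", "high", "critical"]

# Constructed sample output from three hypothetical scanners. The field names are an
# assumed common schema, not any real tool's export format.
RAW_FINDINGS = [
    {"tool": "sast-a", "kind": "sast", "cwe": "CWE-89", "severity": "high",
     "file": "app/orders.py", "line": 42, "title": "SQL injection"},
    {"tool": "sast-b", "kind": "sast", "cwe": "CWE-89", "severity": "critical",
     "file": "app/orders.py", "line": 44, "title": "Tainted input reaches SQL query"},
    {"tool": "dast-x", "kind": "dast", "cwe": "CWE-89", "severity": "high",
     "url": "https://shop.example/orders?id=1", "title": "SQL injection in 'id'"},
    {"tool": "sast-a", "kind": "sast", "cwe": "CWE-798", "severity": "medium",
     "file": "tests/fixtures.py", "line": 7, "title": "Hard-coded credential"},
    {"tool": "sca-y", "kind": "sca", "cwe": "CWE-502", "severity": "high",
     "package": "pyyaml", "version": "5.3", "title": "Unsafe deserialization"},
]

# Assumed correlation metadata: which source file serves which route. A real platform
# would derive this from the framework's routing table or from build metadata.
FILE_TO_ROUTE = {"app/orders.py": "https://shop.example/orders"}
ASSET_CONTEXT = {"internet_facing": True}


@dataclass
class Finding:
    fingerprint: str
    cwe: str
    key_location: str
    severity: str              # highest severity any tool assigned
    adjusted: str = ""         # severity after context-based re-prioritization
    title: str = ""
    sources: set = field(default_factory=set)
    kinds: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def canonical_location(raw):
    """Reduce a tool-specific location to one that SAST, DAST and SCA reports can share."""
    if raw["kind"] == "sast":
        # Line numbers drift between commits, so they are deliberately left out of the
        # key; a file that serves a route is keyed by that route so DAST hits correlate.
        return FILE_TO_ROUTE.get(raw["file"], raw["file"])
    if raw["kind"] == "dast":
        return raw["url"].split("?", 1)[0]   # drop the query string: payloads vary per scan
    return raw["package"]                    # sca: key on the dependency, not the version


def raw_location(raw):
    """The precise location as the tool reported it, kept for the ticket body."""
    if raw["kind"] == "sast":
        return f'{raw["file"]}:{raw["line"]}'
    if raw["kind"] == "dast":
        return raw["url"]
    return f'{raw["package"]}@{raw["version"]}'


def correlate(raw_findings):
    """Merge findings that describe the same weakness (CWE) at the same canonical place."""
    merged = {}
    for raw in raw_findings:
        loc = canonical_location(raw)
        fp = hashlib.sha256(f'{raw["cwe"]}|{loc}'.encode()).hexdigest()[:16]
        f = merged.setdefault(fp, Finding(fp, raw["cwe"], loc, raw["severity"], title=raw["title"]))
        if SEVERITY.index(raw["severity"]) > SEVERITY.index(f.severity):
            f.severity = raw["severity"]     # keep the most pessimistic tool verdict
        f.sources.add(raw["tool"])
        f.kinds.add(raw["kind"])
        f.locations.add(raw_location(raw))
    return list(merged.values())


def prioritize(finding, context):
    """Adjust the tool-assigned severity with intelligence the individual tools lack."""
    level = SEVERITY.index(finding.severity)
    if {"sast", "dast"} <= finding.kinds:
        level += 1
        finding.reasons.append("static finding confirmed at runtime by DAST")
    if "dast" in finding.kinds and context.get("internet_facing"):
        level += 1
        finding.reasons.append("reachable from the internet")
    if any(loc.startswith("tests/") for loc in finding.locations):
        level -= 1
        finding.reasons.append("located in test code that does not ship")
    finding.adjusted = SEVERITY[max(0, min(level, len(SEVERITY) - 1))]
    return finding


def build_tickets(raw_findings, context=ASSET_CONTEXT):
    """Correlate, re-prioritize and emit one bug-tracker-ready record per unique flaw."""
    findings = [prioritize(f, context) for f in correlate(raw_findings)]
    findings.sort(key=lambda f: SEVERITY.index(f.adjusted), reverse=True)
    return [{
        "id": f.fingerprint,
        "title": f"{f.cwe}: {f.title}",
        "severity": f.adjusted,
        "tool_severity": f.severity,
        "reported_by": sorted(f.sources),
        "locations": sorted(f.locations),
        "why": f.reasons,
    } for f in findings]


if __name__ == "__main__":
    for t in build_tickets(RAW_FINDINGS):
        print(t["severity"].upper(), t["title"], t["reported_by"], t["why"])
```

Run as a script, the five raw findings collapse to three tickets: the SQL injection reported by two SAST tools and confirmed by DAST becomes a single critical ticket listing all three sources and every reported location, the hard-coded credential in test code drops from medium to low, and the vulnerable dependency is passed through unchanged. The fingerprint is stable across rescans as long as the CWE and canonical location do not change, which is what lets the platform recognize a finding as already open rather than filing it again.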
For Security and Product Engineering alike
AVC platforms offer significant value to security professionals and developers alike. Security professionals can gather essential information on the most common and recurring types of security flaws, the teams responsible for the most frequent flaws, the stage at which a flaw was introduced, and the false positives. Automated deduplication and prioritization of vulnerabilities saves practitioners a major chunk of time and effort, which they can then spend on a more comprehensive assessment of the application. This makes securing the application faster and more efficient. Additionally, an AVC platform's cohesive view of the risk posed to the application drives better awareness in senior management, aiding decision making about the organization's efforts to secure the application.