As agencies adopt a DevOps methodology, they need to adapt their approach to application security. It’s not just about “shifting left,” it’s about approaching security with a DevOps mindset.
The traditional approach to application security relies on several different types of scanning, a penetration test and then an application firewall. None of these techniques is very accurate, and all of them rely heavily on experts to manage the process and clean up the results.
Software development velocity increased dramatically with Agile and DevOps. Code updates are now pushed through an automated build pipeline that typically runs in a fraction of an hour. There’s simply no way to run legacy scans, triage false positives, deduplicate findings, rate risks and give feedback to developers within a build pipeline that must finish in 15 minutes.
Application security can’t succeed unless it’s compatible with the way that people are building software, said Jeff Williams, Co-Founder and Chief Technology Officer at Contrast Security, which provides a unified platform for web application and application programming interface (API) security observability, including security testing, open-source security and runtime protection.
Williams discussed three keys to embedding security into DevOps operations.
Get a Unified Picture through Instrumentation
Agencies have responded to the increased complexity of modern application development by buying more tools: one tool for scanning custom code, one for open-source libraries, yet another for APIs, and so on.
The result, said Williams, is “tool soup,” which provides a lot of data but not a unified picture. In contrast, instrumentation automatically embeds sensors within applications and APIs to monitor for vulnerabilities at every stage of the development life cycle. This creates a real-time, holistic view of application security across an entire agency application portfolio.
Give Feedback Directly to Developers
Instrumentation provides benefits both to the application security team and to developers. For the application security team, the tool soup approach often results in so much data, and so many false positives, that they have a difficult time gleaning intelligence from it. The unified picture provided by an instrumentation platform eliminates the noise so that the team can identify and remediate problems quickly.
Instrumentation can also provide accurate feedback directly to developers, so that they can fix vulnerabilities as part of their normal work. “Ultimately, that allows you to use the big machinery of software development to drive application security, as opposed to having a siloed team of experts,” Williams said.
Build on a Platform
Rather than adopting the tool soup approach, you can use an integrated application security platform based on software instrumentation to provide vulnerability testing, open-source analysis and runtime protection. By minimizing the need for application security experts in the critical path, this approach enables teams to deliver software into production at high velocity without compromising security.
The Contrast Application Security Platform enables agencies to ensure compliance with key security regulations, including the National Institute of Standards and Technology’s 800-53 Cybersecurity Framework. The platform also has been accepted into Platform One, the Defense Department’s approved application portal.
“We’ve seen tremendous increases in the rate at which organizations are fixing vulnerabilities,” Williams said. “Instead of just building up a giant backlog of vulnerabilities, they are actually fixing them.”
This article is an excerpt from GovLoop’s recent guide, “Agencies Build Foundation for DevSecOps Success.”