What is Application Security Orchestration and Correlation?

Can Taylan Bilgin, 30 Aug 2022
AppSec

Gartner just released the Hype Cycle for Application Security 2022, and the main topic was the rise of application security orchestration and correlation (ASOC) tools. As Kondukto, we have been in “this neighbourhood” for more than 3 years; we want to take the chance to say something about “why you need an ASOC platform”.

As multiple security technologies need to be used at different stages of the modern software development lifecycle, the findings from various tools are creating an immense complexity for understaffed security teams.

Given the lack of bodies to throw at tasks like consolidation and analysis of hundreds if not thousands of vulnerabilities, the mean time to fix vulnerabilities has reached 95 days for traditional software architectures and 43 days for microservices.

With the upsurge in the number of cyber threats posed to businesses, companies are trying to optimize their resources to protect themselves from malicious attacks.

However, the cost of letting anything slip through the cracks is, on average, $3.9 million. With this number in mind, it is crucial to focus on bringing the mean time to fix down as much as possible.

But wait, is this enough? You could be fixing more low severity vulnerabilities, and the mean time to fix metrics could be decreasing, but would this be the right approach?

So, a better version of the question is: how do you reduce the mean time to fix for vulnerabilities that really matter to your organization and eliminate the others quickly to prevent them from being a distraction?

Challenge #1: Analysis of findings from various AppSec tools

Most organizations are using both SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools together to increase confidence in the results of their scanners and integrate security tests into a larger part of the software development life cycle.

Studies show that the number of new production vulnerabilities identified in DAST shows, on average, a 50 percent drop after the introduction of SAST into the application security program.

A 25 percent drop in mean time to fix has also been recorded after the introduction of SAST, which justifies the adoption of multiple security tools by companies and clearly shows that they are on the right path. SCA (Software Composition Analysis), IAST (Interactive Application Security Testing) and CS (Container Security) tools are also on the rise.

However, it still remains a huge task to consolidate the results of different scanners from different vendors in different formats.

Security teams are snowed under with numerous findings and easily get lost in spreadsheets and PDFs trying to analyze and prioritize the vulnerabilities. On the other hand, already squeezed by tight deadlines to release applications, software developers expect to fix only relevant vulnerabilities and do not hesitate to kick up a fuss if they believe they are bombarded by requests to fix irrelevant vulnerabilities.

“ASOC offers a single platform for both parties where they can see the outcome of the scans. Without having to waste precious time on the consolidation of findings, security engineers can focus on analyzing trends of projects and teams to take action quickly.”

As an example, vulnerabilities found by both SAST and DAST scanners are more likely to be a real threat and their prioritization would lead to a meaningful reduction in mean time to fix relevant vulnerabilities.

In addition, as vulnerabilities found by SAST can be tracked down to committer level thanks to integration with source code management platforms, management can easily schedule tailored training programs for different teams or developers considering the common vulnerabilities found on the piece of code committed by those teams or individuals.
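The consolidation and SAST/DAST correlation described above can be sketched as follows. This is an added example, not Kondukto's code: both report layouts, the file-to-route map and all sample findings are constructed for illustration and do not follow any vendor's schema.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample output in two made-up scanner formats.
SAST_REPORT = [
    {"rule": "sql-injection", "cwe": "CWE-89", "file": "app/views/orders.py", "line": 42, "level": "error"},
    {"rule": "weak-hash", "cwe": "CWE-327", "file": "app/util/tokens.py", "line": 10, "level": "warning"},
    {"rule": "xss", "cwe": "CWE-79", "file": "app/views/search.py", "line": 7, "level": "warning"},
]
DAST_REPORT = [
    {"cweid": 89, "url": "https://shop.example.test/orders?id=1", "risk": "High"},
    {"cweid": 89, "url": "https://shop.example.test/orders?id=2", "risk": "High"},
    {"cweid": 16, "url": "https://shop.example.test/", "risk": "Low"},
]
# Assumption: a mapping from source files to the routes they serve is available.
ROUTES = {"app/views/orders.py": "/orders", "app/views/search.py": "/search"}
SEVERITY = {"error": 3, "warning": 2, "note": 1, "high": 3, "medium": 2, "low": 1}

def normalize_sast(item):
    """Map a SAST record onto the common finding shape."""
    return {"tool": "sast", "cwe": item["cwe"].upper(), "route": ROUTES.get(item["file"]),
            "where": f'{item["file"]}:{item["line"]}', "sev": SEVERITY[item["level"]]}

def normalize_dast(item):
    """Map a DAST record onto the common finding shape (query string dropped)."""
    return {"tool": "dast", "cwe": f'CWE-{item["cweid"]}', "route": urlparse(item["url"]).path or "/",
            "where": item["url"], "sev": SEVERITY[item["risk"].lower()]}

def correlate(sast, dast):
    """Merge findings per (CWE, route) and rank those seen by both tools first."""
    groups = defaultdict(list)
    for f in [normalize_sast(i) for i in sast] + [normalize_dast(i) for i in dast]:
        # A finding without a known route cannot be matched, so key it by location.
        groups[(f["cwe"], f["route"] or f["where"])].append(f)
    issues = []
    for (cwe, target), found in groups.items():
        tools = sorted({f["tool"] for f in found})
        issues.append({"cwe": cwe, "target": target, "tools": tools,
                       "confirmed": len(tools) > 1,
                       "sev": max(f["sev"] for f in found),
                       "evidence": len(found)})
    return sorted(issues, key=lambda i: (not i["confirmed"], -i["sev"], i["cwe"], i["target"]))

if __name__ == "__main__":
    for issue in correlate(SAST_REPORT, DAST_REPORT):
        print(issue)
```

Six raw findings collapse into four issues, and the SQL injection reported by both scanners for /orders moves to the top of the queue.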

Challenge #2: Communication problems between security engineers and software developers

Remediation is another problem as the process relies mainly on communication between security engineers and software development managers, project managers or security champions of teams depending on the internal structure.

If the person in charge knows how to fix the issue and takes responsibility, all is fine. However, most of the time the issue is assigned to the developer who committed the susceptible piece of code, which requires an extensive manhunt that is sometimes fruitless because the person responsible for the vulnerability has already left the organization.

How easy things would be if the committer of the code was instantly identified and issues could automatically be opened on issue trackers based on severities of vulnerabilities and assigned to relevant teams or developers.

Notifying developers in their IDEs or on internal communication tools is also an option made possible by the capabilities of ASOC tools. What is more, once an issue is marked as closed on the issue tracker, automated validation scans triggered by the change in the status of the vulnerability can help to ensure that the issue no longer exists.

Challenge #3: Setting KPIs

Another challenge for security teams is to come up with measurable KPIs, which is a messy process considering that there is no single platform where all activities can be tracked.

Fed by the output of various scanners, ASOC tools help a ton with displaying the mean time to fix of closed issues and window of exposure of open vulnerabilities.

They also enable comparisons between the security performance of projects, teams and scanners which helps the management have a clear understanding of the general vulnerability management trend in the company and take actions based on data.
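The two KPIs named above, computed per project, as an added example that is not taken from any ASOC product. The records and field names are constructed; the severity filter shows the earlier point that quickly closed low-severity findings can make the overall mean time to fix look better than the figure for the vulnerabilities that matter.

```python
from datetime import date
from statistics import mean

# Constructed finding records; field names are assumptions for this example.
FINDINGS = [
    {"project": "payments", "sev": "high", "opened": date(2022, 5, 2), "closed": date(2022, 5, 12)},
    {"project": "payments", "sev": "low", "opened": date(2022, 5, 2), "closed": date(2022, 5, 4)},
    {"project": "payments", "sev": "high", "opened": date(2022, 6, 1), "closed": None},
    {"project": "portal", "sev": "high", "opened": date(2022, 3, 1), "closed": None},
    {"project": "portal", "sev": "medium", "opened": date(2022, 7, 20), "closed": date(2022, 7, 30)},
]

def kpis(findings, as_of, severities=None):
    """Per project: mean time to fix of closed findings and window of
    exposure of open ones, both in days. `severities` optionally limits
    the calculation to a set of severity names."""
    buckets = {}
    for f in findings:
        if severities and f["sev"] not in severities:
            continue
        b = buckets.setdefault(f["project"], {"fix_days": [], "exposure_days": []})
        if f["closed"] is not None:
            b["fix_days"].append((f["closed"] - f["opened"]).days)
        else:
            # Still open: exposure keeps growing until the reference date.
            b["exposure_days"].append((as_of - f["opened"]).days)
    return {
        name: {
            # No closed findings means there is no mean to report, not a zero.
            "mttf_days": mean(b["fix_days"]) if b["fix_days"] else None,
            "open": len(b["exposure_days"]),
            "max_exposure_days": max(b["exposure_days"], default=0),
        }
        for name, b in buckets.items()
    }

if __name__ == "__main__":
    today = date(2022, 8, 30)
    print("all severities:", kpis(FINDINGS, today))
    print("high only:     ", kpis(FINDINGS, today, severities={"high"}))
```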

Challenge #4: Gap between AppSec and CI/CD pipeline

Another problem the ASOC industry can solve is the gap between vulnerability management and CI/CD processes.

ASOC makes it possible to create custom rules on when security status should block the release of an application, which is in line with the efforts of security teams to make sure no vulnerability slips through the cracks.

By introducing custom rules derived from company-specific risk aversion procedures, ASOC saves security engineers from manually reviewing the security health of each project before each release.
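One way such a release rule could be expressed and evaluated in a pipeline step, as an added example rather than any product's rule engine. The policy thresholds, status values and findings are all constructed assumptions.

```python
from datetime import date

# Assumed policy: per severity, how many open findings a release tolerates
# and the oldest allowed age in days. None means "no limit".
POLICY = {
    "critical": {"max_open": 0, "max_age_days": 0},
    "high": {"max_open": 2, "max_age_days": 30},
    "medium": {"max_open": None, "max_age_days": 90},
    "low": {"max_open": None, "max_age_days": None},
}
# Constructed findings for one project.
OPEN = [
    {"id": "F-1", "sev": "high", "opened": date(2022, 8, 20), "status": "open"},
    {"id": "F-2", "sev": "high", "opened": date(2022, 6, 1), "status": "open"},
    {"id": "F-3", "sev": "medium", "opened": date(2022, 8, 1), "status": "open"},
    {"id": "F-4", "sev": "critical", "opened": date(2022, 8, 29), "status": "false_positive"},
    {"id": "F-5", "sev": "low", "opened": date(2021, 1, 1), "status": "open"},
]

def evaluate_gate(findings, policy, today):
    """Return (allowed, reasons). A severity with no rule fails closed."""
    reasons, counts = [], {}
    for f in findings:
        if f["status"] != "open":  # findings triaged out do not block a release
            continue
        rule = policy.get(f["sev"])
        if rule is None:
            reasons.append(f'{f["id"]}: severity {f["sev"]!r} has no rule')
            continue
        counts[f["sev"]] = counts.get(f["sev"], 0) + 1
        age = (today - f["opened"]).days
        if rule["max_age_days"] is not None and age > rule["max_age_days"]:
            reasons.append(f'{f["id"]}: {f["sev"]} open for {age} days (limit {rule["max_age_days"]})')
    for sev, n in counts.items():
        limit = policy[sev]["max_open"]
        if limit is not None and n > limit:
            reasons.append(f"{n} open {sev} findings (limit {limit})")
    return (not reasons, reasons)

if __name__ == "__main__":
    allowed, reasons = evaluate_gate(OPEN, POLICY, date(2022, 8, 30))
    print("release allowed" if allowed else "release blocked")
    for r in reasons:
        print(" -", r)
    raise SystemExit(0 if allowed else 1)  # non-zero exit fails the pipeline step
```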

Security is a growing concern for most enterprises and ASOC has a lot to offer to facilitate efforts on fixing relevant vulnerabilities faster and managing security risk in line with company standards and procedures.

A promising future lies ahead of the industry, as the gradual incorporation of data science into the algorithms of ASOC tools can be a groundbreaking innovation in the application security market. With current and promising capabilities, it seems like ASOC is here to stay and early adopters will start reaping the benefits sooner.
