Why Is Application Security Testing Orchestration (ASTO) a Need?

As companies adopt multiple technologies to secure their applications, the findings produced by the various tools create immense complexity for security teams. With too few people in security departments to throw at tasks like the consolidation and analysis of hundreds, if not thousands, of vulnerabilities, the reported mean time to fix a vulnerability has reached 95 days for traditional software architectures and 43 days for microservice architectures.

Add to this the upsurge in the number of cyber threats posed to businesses, and companies are trying to optimize their resources to protect themselves from malicious attacks. The cost of letting something slip through the cracks was on average about $3.9 million per breach in 2018. With this number in mind, it is crucial to shorten the window of exposure and focus on bringing the mean time to fix down. But is this really enough? You could be fixing more low severity vulnerabilities, and the mean time to fix could be coming down, but would this be the right approach? A better version of the question is: how do you reduce the mean time to fix the vulnerabilities that really matter to your organization, and eliminate the others quickly so they do not become an unnecessary distraction?

Challenge #1: Analysis of findings from various AppSec tools

Most organizations use both SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools together, to increase confidence in the results of their scanners and to integrate security testing into a larger part of the software development life cycle.

Studies show that the number of new production vulnerabilities identified by DAST drops on average by 50 percent after SAST is introduced into the application security program. A 25 percent drop in mean time to fix has also been recorded after the introduction of SAST, which justifies the adoption of multiple security tools and shows that companies are on the right path. SCA (Software Composition Analysis), IAST (Interactive Application Security Testing) and container security tools are also on the rise and will surely get more attention in the near future.

However, consolidating the results of different scanners from different vendors, each in its own format, remains a huge task. Security teams are snowed under by the volume of findings and easily get lost in spreadsheets and PDFs while trying to analyze and prioritize vulnerabilities. Software developers, on the other hand, are already squeezed by tight release deadlines; they expect to fix only relevant vulnerabilities and do not hesitate to kick up a fuss if they believe they are being bombarded with requests to fix irrelevant ones.

ASTO offers a single platform for both parties, where they can see the outcome of the scans run on their projects. Without wasting precious time consolidating findings, security engineers can focus on analyzing trends across projects and teams and act quickly. As an example, a vulnerability reported by both the SAST and the DAST scanner is more likely to be a real, reachable flaw, and prioritizing such corroborated findings leads to a meaningful reduction in the mean time to fix the vulnerabilities that matter.
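The consolidation and correlation step described above, as an added example rather than code from the article or from any ASTO product: a SAST report in SARIF 2.1.0 (the interchange format many SAST tools emit; the rule IDs, file paths and severities in this sample are made up) and a DAST export in a constructed vendor JSON shape (not any real tool's format) are normalized into one finding schema, merged on (application, CWE), and ranked so that findings corroborated by both scanners come first.

```python
"""Consolidate SAST (SARIF) and DAST (vendor JSON) findings into one schema
and rank findings that both scanners corroborate first. Example code only."""
import json
from dataclasses import dataclass, field

# Constructed sample input: a minimal SARIF 2.1.0 document such as a SAST
# scanner might emit. Rule IDs, paths and the app name are made up.
SAST_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST", "rules": [
            {"id": "SQLI-001", "properties": {"tags": ["security", "CWE-89"]}},
            {"id": "XSS-002", "properties": {"tags": ["security", "CWE-79"]}},
            {"id": "LOG-009", "properties": {"tags": ["CWE-532"]}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders/repo.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "XSS-002", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/web/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "LOG-009", "level": "note",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/web/auth.py"},
                 "region": {"startLine": 88}}}]},
        ],
    }],
})

# Constructed sample input: a made-up DAST vendor export (not a real tool's format).
DAST_JSON = json.dumps({"alerts": [
    {"name": "SQL Injection", "cweid": "89", "risk": "High",
     "url": "https://shop.example/orders?id=1", "param": "id"},
    {"name": "Missing CSP header", "cweid": "693", "risk": "Low",
     "url": "https://shop.example/", "param": ""},
]})

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# SARIF 'level' and the vendor's 'risk' use different vocabularies; map both
# onto one scale so findings from the two tools are comparable.
SARIF_LEVEL = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


@dataclass
class Finding:
    app: str
    cwe: int
    severity: str
    where: str                      # file:line for SAST, URL[param] for DAST
    sources: set = field(default_factory=set)


def parse_sarif(app, text):
    """Flatten SARIF results; the CWE comes from the rule's 'CWE-nnn' tag."""
    doc = json.loads(text)
    out = []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        cwe_by_rule = {}
        for rule in run["tool"]["driver"].get("rules", []):
            tags = rule.get("properties", {}).get("tags", [])
            cwes = [int(t.split("-")[1]) for t in tags if t.upper().startswith("CWE-")]
            if cwes:
                cwe_by_rule[rule["id"]] = cwes[0]
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            where = f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
            sev = SARIF_LEVEL.get(r.get("level", "warning"), "medium")
            out.append(Finding(app, cwe_by_rule.get(r["ruleId"], 0), sev, where, {tool}))
    return out


def parse_dast(app, text):
    doc = json.loads(text)
    return [Finding(app, int(a["cweid"]), a["risk"].lower(),
                    f'{a["url"]}[{a["param"]}]', {"ExampleDAST"}) for a in doc["alerts"]]


def consolidate(findings):
    """Merge on (app, CWE), keep the worst severity, union the reporting tools."""
    merged = {}
    for f in findings:
        key = (f.app, f.cwe)
        if key in merged:
            m = merged[key]
            m.sources |= f.sources
            if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
                m.severity = f.severity
            m.where += "; " + f.where
        else:
            merged[key] = Finding(f.app, f.cwe, f.severity, f.where, set(f.sources))
    # Corroborated by more tools first, then by severity.
    return sorted(merged.values(),
                  key=lambda m: (len(m.sources), SEVERITY_RANK[m.severity]), reverse=True)


def prioritized(app="shop"):
    return consolidate(parse_sarif(app, SAST_SARIF) + parse_dast(app, DAST_JSON))
```

The merge key (application, CWE) is deliberately coarse: a DAST URL and a SAST file:line cannot be matched exactly without extra data such as a route-to-handler map or IAST instrumentation, which is exactly the kind of correlation an ASTO platform is expected to provide. The example still shows the effect that matters for triage: the SQL injection reported by both tools outranks the higher-count single-tool noise.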

In addition, because vulnerabilities found by SAST can be traced to the committer level through integration with source code management platforms, management can schedule tailored training programs for teams or individual developers based on the vulnerability classes that recur in the code they commit. One caveat: blame data identifies whoever last touched a line, which is not always the person who introduced the flaw, so it is a starting point for attribution rather than proof.

Challenge #2: Communication problems between security engineers and software developers

Remediation is another problem, as the process relies mainly on communication between security engineers and development managers, project managers or team security champions, depending on the internal structure. If the person in charge knows how to fix the issue and takes responsibility, all is fine. Most of the time, however, the issue has to be assigned to the developer who committed the vulnerable piece of code, which requires an extensive manhunt, and sometimes a fruitless one, as the person responsible for the vulnerability may have already left the organization.

Things would be much easier if the committer of the code were identified instantly and issues were opened automatically on the issue tracker, based on the severity of the vulnerability, and assigned to the relevant team or developer. Notifying developers in their IDEs or on internal communication tools is another option made possible by ASTO tools. Better still, once an issue is marked as closed on the issue tracker, a validation scan triggered by that status change can confirm that the vulnerability no longer exists, and reopen the issue if it does.
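The remediation workflow just described, written out as an added example (not the article's code and not any tracker's real API): findings above a severity threshold are routed to the last committer if that person is still with the organization, otherwise to the team owning the path, a ticket is opened, and a closed ticket triggers a validation rescan that either marks the finding fixed or reopens it. The blame map, staff directory and path ownership table are constructed stand-ins; in a real pipeline the committer would come from the SCM (for example `git blame --porcelain -L 42,42 src/orders/repo.py`) and the tracker class would wrap a real issue-tracker client.

```python
"""Route findings to the developer who last touched the code, open tracker
issues by severity, and re-verify when an issue is closed. Example code only."""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    OPEN = "open"            # visible on the dashboard, no ticket yet
    TICKETED = "ticketed"    # issue opened and assigned
    VERIFYING = "verifying"  # ticket closed, validation scan in flight
    FIXED = "fixed"          # rescan no longer reports it
    REOPENED = "reopened"    # fix claimed, but the scanner still sees it


# Severities that get an automatic ticket; lower ones stay dashboard-only.
TICKET_THRESHOLD = {"critical", "high", "medium"}

# Constructed blame map (file:line -> last committer). Addresses are made up.
BLAME = {"src/orders/repo.py:42": "alice@example.com",
         "src/web/views.py:17": "bob@example.com"}
# Constructed directory data: who is still employed, and which team owns a path.
ACTIVE = {"alice@example.com"}
TEAM_BY_PATH = {"src/orders/": "team-orders", "src/web/": "team-web"}


@dataclass
class Finding:
    fid: str
    where: str
    severity: str
    cwe: int
    state: State = State.OPEN
    assignee: str = ""
    ticket: str = ""


class FakeTracker:
    """Stand-in for an issue-tracker API; it only records the calls made."""
    def __init__(self):
        self.issues = {}
        self.n = 0

    def create(self, title, assignee):
        self.n += 1
        key = f"SEC-{self.n}"
        self.issues[key] = {"title": title, "assignee": assignee, "status": "open"}
        return key


def route(f):
    """Prefer the last committer if still active; fall back to the owning team."""
    who = BLAME.get(f.where)
    if who in ACTIVE:
        return who
    for prefix, team in TEAM_BY_PATH.items():
        if f.where.startswith(prefix):
            return team
    return "appsec-triage"   # nobody identifiable: back to the security team


def triage(findings, tracker):
    """Open and assign a ticket for every new finding above the threshold."""
    for f in findings:
        if f.state is State.OPEN and f.severity in TICKET_THRESHOLD:
            f.assignee = route(f)
            f.ticket = tracker.create(f"CWE-{f.cwe} at {f.where}", f.assignee)
            f.state = State.TICKETED
    return findings


def on_ticket_closed(f, rescan):
    """Tracker webhook handler: a closed ticket triggers a validation scan.
    `rescan` is a callable returning True if the finding is still present."""
    f.state = State.VERIFYING
    f.state = State.REOPENED if rescan(f) else State.FIXED
    return f.state
```

The `rescan` callable is where the orchestrator would launch the relevant scanner against the fixed revision; passing it in keeps the state logic testable without a scanner installed. Note that a "closed" ticket never moves a finding straight to FIXED; only the scanner's result does, which is the check that stops a hopeful "resolved" click from hiding a live vulnerability.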

Challenge #3: Setting KPIs

Another challenge for security teams is coming up with measurable KPIs, a messy process when there is no single platform on which all activities can be tracked. Fed by the output of the various scanners, ASTO tools help a great deal by displaying the mean time to fix for closed issues and the window of exposure for open vulnerabilities. They also enable comparisons between the security performance of projects, teams and scanners, which gives management a clear understanding of the overall vulnerability management trend in the company and lets them take action based on data.

Challenge #4: Gap between AppSec and the CI/CD pipeline

Another problem the ASTO industry can solve is the gap between vulnerability management and CI/CD processes. ASTO makes it possible to create playbooks of custom rules that give a release the green or red light, in line with security teams' efforts to make sure no vulnerability slips through the cracks. By encoding rules derived from company-specific risk tolerance, ASTO saves security engineers from manually reviewing the security health of each project before every release.
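The KPIs from Challenge #3 and the release playbook from Challenge #4 belong together, since the gate rules are written in terms of those KPIs; here is an added example (not the article's code, and not the rule syntax of any ASTO product) that computes mean time to fix and window of exposure over a constructed finding history and then evaluates a constructed playbook over the open findings. The finding dates, severities and thresholds are made up for illustration.

```python
"""Release gate: evaluate a company-specific rule set over open findings and
compute the KPIs (mean time to fix, window of exposure) the rules depend on.
Example code only."""
from datetime import date
from statistics import mean

# Constructed finding history for one project; dates are made up.
# 'sources' is how many scanners reported the finding (corroboration).
TODAY = date(2019, 3, 1)
FINDINGS = [
    {"id": "F1", "severity": "critical", "sources": 2,
     "opened": date(2019, 1, 20), "closed": date(2019, 2, 5)},
    {"id": "F2", "severity": "high", "sources": 2,
     "opened": date(2019, 1, 25), "closed": None},
    {"id": "F3", "severity": "high", "sources": 1,
     "opened": date(2019, 2, 25), "closed": None},
    {"id": "F4", "severity": "medium", "sources": 1,
     "opened": date(2018, 12, 1), "closed": None},
    {"id": "F5", "severity": "low", "sources": 1,
     "opened": date(2019, 2, 1), "closed": date(2019, 2, 28)},
]

# Constructed playbook: the rule set an organisation might encode instead of
# a manual pre-release review. Thresholds are illustrative, not a recommendation.
PLAYBOOK = {
    "block_severities": {"critical"},             # any open critical blocks
    "max_open_days": {"high": 30, "medium": 90},  # allowed exposure window
    "block_corroborated": {"high"},               # high seen by >1 scanner blocks at once
}


def exposure_days(f, today=TODAY):
    """Window of exposure: days open until closed, or until today if still open."""
    return ((f["closed"] or today) - f["opened"]).days


def mean_time_to_fix(findings):
    """MTTF in days over closed findings only (None if nothing has been closed)."""
    fixed = [exposure_days(f) for f in findings if f["closed"]]
    return mean(fixed) if fixed else None


def evaluate_gate(findings, playbook, today=TODAY):
    """Return (allowed, reasons). Every violated rule is reported, not just the first,
    so the developer sees the full list of what blocks the release."""
    reasons = []
    for f in findings:
        if f["closed"]:
            continue
        sev, days = f["severity"], exposure_days(f, today)
        if sev in playbook["block_severities"]:
            reasons.append(f'{f["id"]}: open {sev}')
        if sev in playbook["block_corroborated"] and f["sources"] > 1:
            reasons.append(f'{f["id"]}: {sev} confirmed by {f["sources"]} scanners')
        limit = playbook["max_open_days"].get(sev)
        if limit is not None and days > limit:
            reasons.append(f'{f["id"]}: {sev} open {days} days (limit {limit})')
    return (not reasons, reasons)


if __name__ == "__main__":
    print("MTTF (days):", mean_time_to_fix(FINDINGS))
    ok, why = evaluate_gate(FINDINGS, PLAYBOOK)
    print("release allowed:", ok)
    for r in why:
        print(" -", r)
```

Two details are worth noticing. A finding sitting exactly at its limit (F4, medium, 90 days) still passes, so the comparison direction must match what the policy document says; off-by-one errors here either block every release or let stale findings through. And the gate lists all reasons rather than failing fast, which is what turns a red light into a work list instead of an argument.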

Security is a growing concern for most enterprises, and ASTO has a lot to offer in fixing relevant vulnerabilities faster and managing security risk in line with company standards and procedures. A promising future lies ahead of the industry, as the gradual incorporation of data science into the algorithms of ASTO tools could be a groundbreaking innovation in the application security market. With its current and promising capabilities, ASTO seems here to stay, and early adopters will start reaping the benefits sooner.