Organizations are still unable to detect and address security issues fast enough because traditional approaches to security testing and existing tools were not made with speed, automation and continuous integration (CI) pipelines in mind.
According to Patrick Carey, senior director of market analysis and strategy of the Software Integrity Group at Synopsys, application security is often defined by siloed solutions: static application security testing (SAST), software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST). But these silos conflict with the way developers build, test and fix software. Carey said:
“They don’t care which analysis techniques are used. They just want to quickly identify the issues that pose the highest risk.”
Application security testing not only needs to happen earlier in the application life cycle, it also needs to be executed more intelligently. Carey added:
“As development, security, and operations converge we see these silos being knocked down, with security testing being delivered as an intelligent, integrated system of services that knows which tests to run when, and can identify the highest priority issues.”
The next generation of application security test automation
As software development has picked up speed, organizations have deployed automation to keep up, but many are having trouble working out the security testing aspect of it. Current application security testing tools tend to scan everything all the time, overwhelming and overloading teams with too much information.
Look at the tools within a typical CI pipeline and you find tools from multiple vendors, including open-source tools, each able to work on its own yet chained together in an automated fashion and integrated with other systems such as ticketing tools.
“Application security really needs to make that shift in the same manner to be more fine-grained, more service-oriented, more modular and more automated,” said Carey.
Intelligent orchestration and correlation is a new approach being used to manage security tests, reduce the overwhelming amount of information and let developers focus on what really matters: the application. While the use of orchestration and correlation solutions is not uncommon on the IT operations side for things like network security and runtime security, they are only beginning to cross over into application development and security, Carey explained.
Expanding on intelligent orchestration and correlation
To add to its intelligent orchestration and correlation initiative, Synopsys recently announced it acquired the application security orchestration and correlation solution Code Dx. According to the company, Code Dx complements the Intelligent Orchestration solution released last year. Intelligent Orchestration simplifies and streamlines security testing in CI pipelines by determining and initiating the appropriate tests to run based on predefined policies, application risk profiles, and code changes.
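To make the two ideas concrete, here is an added, purely illustrative Python sketch (not Synopsys's Intelligent Orchestration or Code Dx code) of what an orchestration policy and a correlation step do: the policy picks scans from the files a change touches and the application's risk profile, and the correlation step merges findings that several tools reported at the same location. The file patterns, risk tiers and finding fields are constructed assumptions.

```python
# Added illustration of policy-driven scan selection and finding correlation.
# Hypothetical policy, not any vendor's implementation.
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed policy: which changed-file patterns imply which scan type.
SCAN_TRIGGERS = {
    "sca":  ["requirements*.txt", "package.json", "package-lock.json", "go.mod", "pom.xml"],
    "sast": ["*.py", "*.js", "*.go", "*.java"],
    "iac":  ["*.tf", "Dockerfile", "*/Dockerfile", "k8s/*.yaml"],
}
# Constructed: paths that touch a trust boundary justify slower dynamic testing.
SENSITIVE_PATHS = ["auth/*", "*/login*", "payments/*"]

def _matches(files, patterns):
    return any(fnmatchcase(f, p) for f in files for p in patterns)

@dataclass
class RiskProfile:
    internet_facing: bool
    handles_pii: bool
    tier: str = "medium"  # constructed tiers: "high" always gets DAST

def select_scans(changed_files, profile):
    """Return the scans a CI run should execute for this change, in policy order."""
    scans = [scan for scan, pats in SCAN_TRIGGERS.items() if _matches(changed_files, pats)]
    sensitive = _matches(changed_files, SENSITIVE_PATHS)
    # DAST needs a deployed app and is slow, so run it only when risk justifies it
    # instead of on every commit; a docs-only change returns [] and creates no noise.
    if profile.tier == "high" or (sensitive and (profile.internet_facing or profile.handles_pii)):
        scans.append("dast")
    return scans

def correlate(findings):
    """Merge findings from several tools that point at the same file/line/CWE.
    Each finding is a constructed dict: tool, file, line, cwe, severity (1-10)."""
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], f["cwe"])
        entry = merged.setdefault(key, {"file": f["file"], "line": f["line"],
                                        "cwe": f["cwe"], "tools": set(), "severity": 0})
        entry["tools"].add(f["tool"])
        entry["severity"] = max(entry["severity"], f["severity"])
    # Rank by severity, then prefer findings confirmed by more than one tool.
    return sorted(merged.values(), key=lambda e: (-e["severity"], -len(e["tools"])))

if __name__ == "__main__":
    print(select_scans(["auth/session.py", "package.json"], RiskProfile(True, False)))
```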