DevSecOps: Automation is the key to the kingdom

As almost half of security leaders report that they have a backlog of vulnerable applications, utilising automation as part of DevSecOps is key

Since its creation over a decade ago, DevOps has become a vital component of how companies operate. Building upon the foundations of the agile movement, DevOps leverages automation for quality and security testing, as well as for formerly manual deployment and operations activities, in a bid to introduce software into production at speed.

As Peter Chestna, North American CISO at Checkmarx, explains, DevOps in general is about flow, fast feedback loops, and experimentation and learning: known as ‘the three ways’ of DevOps. 

“The ‘Sec’ in DevSecOps calls attention to security as an important part in both the culture and process,” Chestna says. “The main advantage of DevSecOps is that it enables the quick release of secure software to customers. When done properly, experimentation and learning alongside fast feedback enables continuous improvement, which nets faster releases as well as higher quality and security over time.” 

Automation is the key to the kingdom

Automation is at the heart of DevSecOps: the security tools’ continuous monitoring and testing frees DevOps teams and security experts to focus on activities that add business value.

DevSecOps removes the overhead of remembering to run security tools and processes. Organisations can set up automatic tests and scans to run at check-ins or other key points during deployment, eliminating the risk of skipping a step.

GitLab’s 2022 DevSecOps Survey found that a majority of DevOps teams are running static application security testing (SAST), dynamic application security testing (DAST), or other security scans regularly, but fewer than a third of developers actually get those results in their workflow. A majority of security pros say their DevOps teams are shifting left, and 47% of teams report full test automation.

“Automation is the key to the kingdom of DevSecOps,” comments Stephen Gates, Security Evangelist at Checkmarx. “However, integration comes first. Once integrated into the development pipeline, security scans can become so automated that they become second nature, and full developer adoption of security scans processed in DevSecOps initiatives will be the outcome.”

Generally, flow is accomplished by releasing small increments quickly, Chestna explains. “This is enabled by automation to make testing-and-release highly repeatable,” he adds. “This is typically referred to as Continuous Integration (testing each change) and Continuous Delivery (releasing each change) and abbreviated as CI/CD or CI/CD pipeline. 

“CI automation codifies the controls, policies, and standards for the company into tests that can be run efficiently against any change to ensure that it is acceptable to release; CD automation ensures that the software can be released on demand without user intervention or the risk of human error.” 

Clearing vulnerability backlogs 

A report by Rezilion – an automated vulnerability management platform accelerating software security – in conjunction with the Ponemon Institute revealed that organisations are losing thousands of hours in time and productivity dealing with a massive backlog of vulnerabilities that they have neither the time nor resources to tackle effectively. 

The State of Vulnerability Management in DevSecOps report highlighted that 47% of security leaders have a backlog of applications that have been identified as vulnerable. Two-thirds of respondents said their backlog consists of more than 100,000 vulnerabilities, while the average number of vulnerabilities in backlogs overall is a mind-boggling 1.1 million, according to the data.

“This is a significant loss of time and dollars spent just trying to get through the massive vulnerability backlogs that organisations possess,” said Liran Tancman, CEO of Rezilion. “If you have more than 100,000 vulnerabilities in a backlog and consider the number of minutes that are spent manually detecting, prioritising, and remediating these vulnerabilities, that represents thousands of hours spent on vulnerability backlog management each year. These numbers make it clear that it is impossible to effectively manage a backlog without the proper tools to automate detection, prioritisation, and remediation.”

Expensive hours are lost trying to wrangle massive backlogs on both the production and development side of software applications. The survey found that 77% of respondents said it takes longer than 21 minutes to detect, prioritise, and remediate just one vulnerability in production. 

“The key to clearing vulnerability backlogs is to have a true correlation of alerts coming from all of the various scans performed,” comments Gates. “Everyone knows security tests return lots of results, but without correlation, developers end up solving issues that aren’t critical, while potentially overlooking ones that are. Correlation of scan results is imperative and, by the way, aggregation is not correlation.”
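As an added illustration of the point Gates makes (not code from Checkmarx, Rezilion or GitLab), the script below takes constructed findings from two hypothetical static scanners and one dynamic scanner and shows the difference between aggregating them (every result becomes a ticket) and correlating them (results that describe the same weakness at the same location are merged, the worst severity is kept, and agreement between static and runtime analysis pushes an issue to the front of the queue). The route map that ties a DAST URL back to source code is an assumption for the example.

```python
# Correlate, rather than merely aggregate, scanner findings. Constructed data only.

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed route map: which source location handles which HTTP endpoint.
# In a real pipeline this comes from framework metadata or instrumentation.
ROUTES = {"/api/users": ("src/api/users.py", 42)}

# Constructed findings: two static scanners and one dynamic scanner report the same
# SQL injection in different vocabularies, and one scanner re-reports a duplicate.
FINDINGS = [
    {"tool": "sast_a", "file": "src/api/users.py", "line": 42, "cwe": "CWE-89", "severity": "high"},
    {"tool": "sast_a", "file": "src/api/users.py", "line": 42, "cwe": "CWE-89", "severity": "high"},
    {"tool": "sast_b", "file": "src/api/users.py", "line": 42, "cwe": "CWE-89", "severity": "medium"},
    {"tool": "dast", "url": "/api/users", "cwe": "CWE-89", "severity": "high"},
    {"tool": "sast_a", "file": "src/util/log.py", "line": 10, "cwe": "CWE-532", "severity": "low"},
]

def normalise(finding):
    """Map every finding onto one key (file, line, cwe); DAST results carry a URL,
    so resolve it through the route map, falling back to the URL itself."""
    if "url" in finding:
        file, line = ROUTES.get(finding["url"], (finding["url"], 0))
    else:
        file, line = finding["file"], finding["line"]
    return (file, line, finding["cwe"])

def aggregate(findings):
    """Aggregation: concatenate everything. Five inputs in, five tickets out."""
    return list(findings)

def correlate(findings):
    """Correlation: merge findings for the same weakness at the same place, keep the
    worst severity, record which distinct tools agree, and rank runtime-confirmed
    issues first so developers fix what is demonstrably reachable before anything else."""
    merged = {}
    for f in findings:
        key = normalise(f)
        entry = merged.setdefault(key, {"file": key[0], "line": key[1], "cwe": key[2],
                                        "severity": "low", "tools": set()})
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
        entry["tools"].add(f["tool"])
    for e in merged.values():
        e["confirmed_at_runtime"] = "dast" in e["tools"]
    return sorted(merged.values(), reverse=True,
                  key=lambda e: (e["confirmed_at_runtime"],
                                 SEVERITY_RANK[e["severity"]], len(e["tools"])))
```

Running `correlate(FINDINGS)` collapses the five raw results into two actionable items, with the SQL injection first because three independent tools, one of them dynamic, agree on it.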

The battle to stay ahead of security threats 

According to Carlos Morales, Senior Vice President of Solutions at Neustar Security Services, DevSecOps has become a high priority for organisations as they look to better establish security as a central tenet through every phase of the software development lifecycle. 

“By making security a shared responsibility across development, operations and security teams, DevSecOps should help better position organisations to identify potential vulnerabilities early in the process – ideally before being put into production – and save them from much bigger headaches down the line,” he said.

And while organisations may be unable to stay ahead of security threats, utilising DevSecOps teams can help them react quickly to attacks.

“We’ll never be able to stay ahead of security threats,” adds Chestna. “The best we can do is maintain high standards to keep the code base as clean as possible and build the right muscles to allow us to react quickly to emerging threats. The faster and more repeatable the process to release software, the more we can trust it for quick updates during a crisis or incident.” 

“Threats are the attackers, and they will never go away,” concludes Gates. “Neither will their attacks. To stay ahead of threat actors and their attacks, though, one must understand risk. DevSecOps teams must fully understand and accept the risks they are willing to live with and resolve the risks they are not. Once they fully understand and document their intolerable risks, they can manage them more effectively.”
