While the idea of “automation” may seem like a modern concept, it dates back to around 762 B.C. when the concept was first introduced in Homer’s epic battle poem The Iliad.
Fast forward to life in 2020, where we’re battling against different enemies who wield ones and zeros; binary artillery that can bring the strongest fortress to its knees with one crippling onslaught.
Security Leaders Between a Rock and a Hard Place for AppSec
While appSec has historically been a peripheral responsibility of security managers, this paradigm is changing as risks associated with software development ratchet upwards, with the implications becoming a key point of focus for the C-suite and the board of directors.
When it comes to AppSec, security teams are caught between a rock and a hard place. On the one hand, they must manage operational risk. And research shows vulnerabilities pose serious risk. On the other hand, development teams are measured on speed and agility. Security cannot thwart these objectives. But that is not the case today with traditional AppSec approaches fraught with lengthy manual testing, numerous false positives, and much more.
AppSec Demands Automation
While automation in physical manufacturing and engineering is a model that has been embraced wholeheartedly, the concept of automating security in software development and testing is rapidly gaining momentum.
Automation is a requisite for security leaders seeking to empower DevOps teams to focus on their key business objectives while ensuring application development—and production environments—are protected. Gartner concurs. At last year’s Gartner Security and Risk Management Summit, the opening keynote address focused on this very concept:
“Adopting a DevSecOps approach, a process rich in automation, embedding security in the process from the beginning without creating any negative impact on the process itself. Enter Interactive Application Security Testing (IAST), an innovative and automated testing technique that observes the behavior from the inside.”
Developers also agree. Nearly one-third of them in a Forrester Research study last year said they plan to implement automated testing, and automated testing tools rank at the top of the list of tools they plan to deploy this year. Forrester notes in its “State of Application Security, 2019” report:
“29% of surveyed global developers said they will implement automated testing, and it tops the list of new tools and techniques the surveyed developers plan to adopt in the next year. As interactive application security testing (IAST) assesses parts of an application that have already gone through other types of testing, this trend will provide a boost for firms looking to adopt IAST in favor of DAST in the coming years.”
Validating why instrumentation is the key to automation
Following are four reasons organizations are moving to embrace instrumentation:
Reason 1—Improved Threat Analysis and Prioritization
It’s no surprise that automating some application security processes improves an organization’s ability to analyze and prioritize threats and vulnerabilities. The latest “Cost of a Data Breach Report” from Ponemon Institute and IBM Security finds that organizations without security automation experience breach costs that are 95% higher than breaches at organizations that have fully deployed automation.
However, knowing precisely what security functions to automate and where to automate can be a challenge. Security-specific tasks most likely to be automated include incident response, security analytics, and malware investigation.
Organizations without security automation experience breach costs that are 95% higher than breach costs at organizations with fully deployed automation.
Not sure what security processes to automate? As a starting point, security leaders must consider whether or not a tool requires a human to configure or run. Does it require an expert to interpret or triage the result? And are human experts needed to test things? Here, security leaders must identify repeatable, low-level tasks that can work in concert with human decision-making to help accelerate incident investigations.
As security teams know, developers require a completely different application security approach with automation as a core component. When it comes to application security, creating a fully automated pipeline from development through testing and production is rapidly becoming possible due to instrumentation with sensors embedded directly within applications.
Reason 2—Improved Alert Accuracy
Legacy approaches in AppSec have historically resulted in a deluge of false positives and false negatives, and a high volume of low-fidelity alerts generated by security controls.
A 2019 survey of CISOs reported that “over 41% see more than 10,000 and that some claim to see more than 500,000 alerts daily.” Factors implicated in the generation of false alerts include:
- A lack of context in the alert-generation process
- A lack of the ability to consolidate alerts
- An overall increase in security controls and numbers of tools being used
This overwhelming level of “noise” in the alert process clutters dashboards and distracts attention from legitimate detection of potentially malicious activity. This results in constant firefighting, often relying on a bevy of tools to simply decide if an alert should be escalated.
Additionally, labor-intensive manual steps drive inefficiencies and contribute to stress levels. Respondents to a survey by Enterprise Management Associates noted that 52% of threat alerts are improperly prioritized by systems and must be manually reprioritized, with an underlying cause being a lack of context such as the financial impact if an asset at risk was in fact compromised.
Alert fatigue is a huge factor for security teams, with more than half requiring manual reprioritization. This consumes valuable time while increasing the risk of a potential compromise.
Reason 3—Improved Efficiencies and Cost
Automating security when and where possible helps reduce costs—from improvements in productivity to fewer security analysts. Without automated detection and prevention workflows, organizations must dedicate hard-to-find security analysts to manually review alerts and enact the necessary remediations associated with them. And with the volume of security alerts spiraling out of control and traditional AppSec approaches incurring huge numbers of false positives, the drain on productivity can quickly compile into higher costs and inefficiencies.
The area where the bulk of time is spent by security analysts is in the remediation stage, often requiring numerous hours from the development teams due to analyzing, triaging, reporting, and retesting. In contrast, instrumentation automates these workflows and processes, eliminating false positives and minimizing alerts to only those that matter. As automation enables security teams to discover and remediate vulnerabilities earlier in the software development life cycle, often before code is even checked in, the time to remediate is dramatically reduced.
A report by ESG discovered that 42% of cybersecurity teams ignore a significant number of security alerts because they cannot keep up with the volume
Reason 4—Improved Speed
As businesses place ever more demands on software developers for rapid innovation and delivery, automation becomes a key driver of success. Automation can help shorten feedback loops by delivering instantaneous security feedback to developers, in their native tools and environments, at the far left of the application development cycle—a primary objective for a DevOps team.
Vulnerabilities can be continuously and automatically discovered as developers work, accompanied by code-level actionable remediation guidance. This enables developers to remain focused on code development and meeting time-to-market objectives. Indeed, automation of AppSec processes can drive down mean time to remediation (MTTR) by as much as 70%. Other areas where AppSec teams can see time reductions include incident investigation, implementing fixes, and then re-testing to confirm fixes have been completed.
Automation of AppSec workflows and processes can reduce mean time to remediation by as much as 70%, enabling developers to remain focused on coding while improving organizational risk.
TRAditional appsec cannot keep pace
While much work has been done over the past two decades in an attempt to address application vulnerabilities, the reality is that the endeavors have had little impact. The average number of vulnerabilities per application has not changed: It was around 26.7 per application in 2000, and it is at the same rate today.
The fact of the matter is that traditional scan and perimeter-based security models cannot keep up with the sheer number of lines of code being developed, a primary reason why application code breaches remain the number one threat to security. Add that there are over 20 million developers worldwide, who churn out large amounts of code daily, and the problem is exacerbated.
Additionally, open-source code is used frequently, and if not managed and/or patched, can introduce vulnerabilities into development. Indeed, the number of breaches tied to open-source code increased 71% over a five-year time frame.
Traditional AppSec approaches simply cannot scale to cover the breadth and depth of this new application development reality. This is where instrumentation can help, distinguishing between benign and malicious behavior, enabling automated and accurate detection from within the applications themselves, and providing relevant context with visibility into attacks themselves.
IAST with Instrumentation Automates AppSec
Interactive application security testing (IAST) is an area seen as offering a different solution to application testing, one that integrates instrumentation to automate detection, protection, and remediation tasks. IAST is defined by Gartner as:
“IAST uses instrumentation that combines dynamic application security testing (DAST) and static application security testing (SAST) techniques to increase the accuracy of application security testing. Instrumentation allows DAST-like confirmation of exploit success and SAST-like coverage of the application code, and in some cases, allows security self-testing during general application testing.”
Instrumentation is the ability to record and measure information within an application without changing the application itself. When IAST is combined with instrumentation, it delivers accurate, real-time, continuous, and reliable application security:
Accurate security testing
Inaccuracies require experts to triage. Current static application security testing (SAST) and dynamic application security testing (DAST) solutions are prone to false positives and false negatives. This causes alert fatigue that requires manual, cost-prohibitive, time-consuming reviews. In contrast, IAST provides continuous and instant results so flaws can be fixed immediately, even before code is committed.
Real-time application testing
IAST enables direct measurements and feedback to developers as code is being built and tested in their integrated development environment (IDE). It can also run alongside existing tests and quality assurance (QA) and can be instantly configured to create a bug-tracking ticket or fail a build if a security problem is discovered.
Continuous testing and development
IAST runs continuously, in parallel, across an entire portfolio of applications at scale. Ongoing security feedback stays in the flow of development wherever the application is hosted, eliminating the need for a separate testing phase.
Reliable vulnerability alerts
Since IAST has access to code, HTTP traffic, and other sources of security information, it can reliably address a broad range of vulnerabilities. It can also be used in the QA, test, or continuous integration/continuous development (CI/CD) stages to ensure that no vulnerabilities escaped development. Because IAST tests the entire software stack, it can discover zero-day events in the libraries and frameworks in use that attackers may know about but have not yet discovered.
GIVE IAST A TRy
Instrumentation via IAST provides security and development teams with the ability to go beyond the current AppSec cycle where visibility across the application development, testing, and production life cycles and the ability to address vulnerabilities in real time using automation are missing. Security teams can manage application risk more effectively and accurately, while developers do not need to worry about being inundated with alerts and security processes and workflows.
Schedule a demo of Contrast Assess and Protect today, the only DevOps-Native AppSec Platform.