While the idea of “automation” may seem like a modern concept, it actually dates back to around 762 B.C. when the concept was first introduced in Homer’s epic battle poem The Iliad. Fast forward to life in 2020 and we are battling against different enemies who wield ones and zeros across borders.
While AppSec has historically been a peripheral responsibility of security managers, this paradigm is changing as the risks associated with software development ratchet upwards, and the implications are becoming a key point of focus for the C-suite. When it comes to AppSec, these leaders are caught between a rock and a hard place. On the one hand, they must manage operational risk. On the other, development teams are measured on speed and agility.
While automation has been embraced wholeheartedly in manufacturing and engineering, the concept of automating security in software development and testing is only now gaining momentum. So much so, though, that nearly one-third of developers in a Forrester Research study last year said they plan to implement automated testing, and automated testing tools rank at the top of the list of tools they plan to deploy this year.
But what are the reasons for this?
It improves threat analysis and prioritisation
It’s no surprise that automating some application security processes improves an organisation’s ability to analyse and prioritise threats and vulnerabilities. The latest Ponemon Institute “Cost of a Data Breach Report” finds that organisations without security automation experience breach costs that are 95% higher than those that have fully deployed automation.
However, knowing precisely what security functions to automate and where to automate can be a challenge. Security-specific tasks most likely to be automated include incident response, security analytics and malware investigation.
As a starting point, security leaders should consider whether a tool requires a human to run. Does it require an expert to interpret the results? Here, it helps to identify repeatable, low-level tasks that can work in concert with human decision-making to help accelerate incident investigations.
It improves alert accuracy
Legacy approaches in AppSec have historically resulted in a deluge of false positives and false negatives, and a high volume of low-fidelity alerts generated by security controls. In fact, a 2019 survey of CISOs reported that over 41% see more than 10,000 alerts daily, and some claim to see more than 500,000.
This overwhelming level of “noise” in the alert process clutters dashboards and distracts attention from legitimate detection of potentially malicious activity. The result is constant firefighting, often relying on a bevy of tools simply to decide whether an alert should be escalated. Instrumentation can sharpen the tools and improve the signal-to-noise ratio.
It improves efficiencies and cost
Automating security helps reduce costs – from improvements in productivity to a reduced need for scarce security analysts. Without automated detection and prevention workflows, organisations must dedicate hard-to-find security analysts to manually reviewing alerts and enacting the remediations associated with them.
Security analysts spend the bulk of their time in the remediation stage, which often demands many hours from development teams for analysing, triaging, reporting and retesting. Instrumentation automates these workflows and processes, eliminating false positives and minimising alerts to only those that matter. Because automation enables security teams to discover and remediate vulnerabilities earlier in the software development life cycle, often before code is even checked in, the time to remediate is dramatically reduced.
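The alert-volume problem of the previous section and the "only those alerts that matter" goal of this one come down to the same mechanics: collapse duplicates, drop known noise, and rank what remains by whether it is actually reachable. The following is an added illustration of that triage step, not Contrast Security's code; the alert schema, the rule names, the suppression list and the sample alert stream are all constructed for the example.

```python
"""Alert triage: collapse a noisy stream of AppSec findings into a short, ranked list.

Added illustration, not Contrast Security's code. The alert format, rule ids,
suppression list and sample alerts are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    rule: str          # constructed rule id, e.g. "sql-injection"
    file: str
    line: int
    severity: str      # "critical" | "high" | "medium" | "low"
    reachable: bool    # did instrumentation observe this code path executing?
    source: str        # which tool reported it: "sast", "iast" or "dast"


@dataclass
class Finding:
    rule: str
    file: str
    line: int
    severity: str
    reachable: bool
    sources: set = field(default_factory=set)
    occurrences: int = 0


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed suppression list: (rule id, path prefix) pairs known to be noise here.
# A real list would be reviewed and kept under version control.
SUPPRESSIONS = {
    ("weak-hash", "test/"),   # hashes in test fixtures, not production code
}


def is_suppressed(alert):
    return any(alert.rule == rule and alert.file.startswith(prefix)
               for rule, prefix in SUPPRESSIONS)


def fingerprint(alert):
    # Same rule at the same location is one vulnerability, whichever tool reported it.
    return (alert.rule, alert.file, alert.line)


def triage(alerts, min_severity="medium"):
    """Dedupe by fingerprint, drop suppressed noise, keep findings at or above
    min_severity, and rank by (reachable, severity, number of corroborating tools)."""
    findings = {}
    for a in alerts:
        if is_suppressed(a):
            continue
        f = findings.setdefault(fingerprint(a),
                                Finding(a.rule, a.file, a.line, a.severity, False))
        f.occurrences += 1
        f.sources.add(a.source)
        f.reachable = f.reachable or a.reachable
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK[f.severity]:
            f.severity = a.severity   # keep the highest severity any tool assigned
    kept = [f for f in findings.values()
            if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]]
    kept.sort(key=lambda f: (f.reachable, SEVERITY_RANK[f.severity], len(f.sources)),
              reverse=True)
    return kept


# Constructed sample stream: seven raw alerts that triage to three findings.
SAMPLE_ALERTS = [
    Alert("sql-injection", "app/orders.py", 42, "high", False, "sast"),
    Alert("sql-injection", "app/orders.py", 42, "critical", True, "iast"),  # same bug, seen at runtime
    Alert("sql-injection", "app/orders.py", 42, "high", False, "sast"),     # duplicate from a rescan
    Alert("weak-hash", "test/fixtures.py", 7, "medium", False, "sast"),      # suppressed by path
    Alert("weak-hash", "app/auth.py", 88, "medium", False, "sast"),
    Alert("verbose-error", "app/views.py", 10, "low", True, "dast"),         # below threshold
    Alert("xss", "app/templates.py", 3, "high", True, "iast"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f"{f.severity:8} reachable={f.reachable!s:5} {f.rule} {f.file}:{f.line} "
              f"(x{f.occurrences}, from {sorted(f.sources)})")
```

The ordering key puts runtime-confirmed (reachable) findings first regardless of static severity, which is the point the section makes about instrumentation: a high-severity pattern that never executes is worth less analyst time than a medium one that does.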
It improves speed
As businesses place ever more demands on software developers for rapid innovation and delivery, automation becomes a key driver of success. Automation can help shorten feedback loops by delivering instantaneous security feedback to developers, in their native tools and environments, at the far left of the application development cycle – a primary objective for a DevOps team.
Vulnerabilities can be continuously and automatically discovered as developers work, accompanied by code-level actionable remediation guidance. This enables developers to remain focused on code development and meeting time-to-market objectives. Indeed, automation of AppSec processes can drive down mean time to remediation (MTTR) by as much as 70%. Other areas where AppSec teams can see time reductions include incident investigation, implementing fixes, and then re-testing to confirm fixes have been completed.
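Feedback "at the far left" concretely means a check that runs where the developer already is, such as a git pre-commit hook or an IDE, and reports the file, the line and the fix. The following added example (not Contrast Security's tooling) shows the shape of such a check: a small AST rule that flags SQL built by string formatting in `execute()` calls and prints remediation guidance beside each hit. The rule, the guidance text and `SAMPLE_SOURCE` are constructed; a real hook would invoke a full scanner rather than this one rule.

```python
"""Shift-left check: flag string-built SQL before it is committed, with code-level guidance.

Added example, not Contrast Security's tooling. The single AST rule below stands in
for a real scanner; SAMPLE_SOURCE is a constructed input.
"""
import ast
import sys

GUIDANCE = ("SQL assembled by string formatting or concatenation is injectable. "
            "Pass values as parameters: cursor.execute('... WHERE id = ?', (order_id,))")


def _is_string_built(node):
    """True if the expression builds a string dynamically: f-string, %, .format() or +."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_string_built_sql(source, filename="<stdin>"):
    """Return (filename, line, snippet, guidance) for every execute()/executemany()
    call whose first argument is a dynamically built string."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args and _is_string_built(node.args[0])):
            snippet = ast.get_source_segment(source, node)
            findings.append((filename, node.lineno, snippet, GUIDANCE))
    return findings


def format_for_developer(findings):
    """Render findings as a hook or IDE would: path:line, offending code, then the fix."""
    return "\n".join(f"{path}:{line}: {snippet}\n    fix: {guidance}"
                     for path, line, snippet, guidance in findings)


# Constructed input: two injectable calls (lines 3 and 4) and two safe ones.
SAMPLE_SOURCE = '''
def get_order(cursor, order_id):
    cursor.execute("SELECT * FROM orders WHERE id = %s" % order_id)
    cursor.execute(f"SELECT * FROM orders WHERE id = {order_id}")
    cursor.execute("SELECT * FROM orders WHERE id = ?", (order_id,))
    cursor.execute("SELECT COUNT(*) FROM orders")
'''

if __name__ == "__main__":
    # As a hook: scan the staged files passed on argv; with no args, scan the sample.
    paths = sys.argv[1:]
    all_findings = []
    if paths:
        for p in paths:
            with open(p, encoding="utf-8") as fh:
                all_findings += find_string_built_sql(fh.read(), p)
    else:
        all_findings = find_string_built_sql(SAMPLE_SOURCE, "sample.py")
    print(format_for_developer(all_findings))
    sys.exit(1 if all_findings else 0)   # a non-zero exit blocks the commit
```

Wired in as `.git/hooks/pre-commit` with the staged file list as arguments, the developer sees the finding and the fix in the terminal they are already working in, seconds after writing the line, which is the feedback loop the section describes.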
Traditional AppSec simply can’t keep pace
While much work has been done over the past two decades to address application vulnerabilities, the reality is that these endeavours have had little impact. The average number of vulnerabilities per application has not changed: it was around 26.7 per application in 2000, and it remains at the same rate today.
The fact of the matter is that traditional scan and perimeter-based security models cannot keep up with the sheer number of lines of code being developed, a primary reason why application code breaches remain the number one threat to security. Add that there are over 20 million developers worldwide, who churn out large amounts of code daily, and the problem is exacerbated.
Traditional AppSec approaches simply cannot scale to cover the breadth and depth of this new application development reality. This is where instrumentation can help, distinguishing between benign and malicious behaviour, enabling automated and accurate detection from within the applications themselves and providing relevant context with visibility into attacks themselves.
Written by Dena DeAngelo, Content Specialist at Contrast Security