Software Security Automation: A Roadmap Toward Efficiency and Security White Paper
Written by ND-ISAC Application Security Working Group
In “Software Security Automation: Roadmap Toward Efficiency and Security”, members of the National Defense Information Sharing and Analysis Center (ND-ISAC) lay out a strategy for transforming application security from a manual, disconnected, bolted-on process to an automated, integrated function of a continuous software pipeline.
The working group asked for volunteers to write a paper that introduces the importance of security automation and orchestration in the quest to secure software and minimize risk to the organization. From this larger working group, a subgroup formed focusing on collaboration among our member companies to produce a paper that shares their expertise and knowledge.
The paper addresses the security components needed for security automation; strategies for integrating metrics, remediation, risk management, API capabilities and runtime protections are also presented. Software security automation implementation is covered through a discussion of use cases and suggested guidelines for handling false positives, defect correlation, aggregation and performance.
Technology innovation, agility and the sheer growth in lines of code all contribute to an overwhelming threat landscape. The speed of modern software development increases feature deployments while exposing a larger attack surface to more capable adversaries. The need to address this snowballing trend in software vulnerabilities has reached a critical point. Despite the need, the cybersecurity industry expects to have 3.5 million security positions unfilled by 2021. At the scale and speed of modern software development, traditional manual security checks become a security liability and a business impediment. In such a demanding environment, security teams must become more efficient at reducing risk while enabling product teams to drive value.
Security automation and orchestration take center stage in the overall strategy to counteract the increasing threat and the gap in human capital. Repetitive processes are better served by automation, while the implementation of specific workflows is orchestrated to better support the security needed in the Software Development Lifecycle. Improving application security is a continuous effort, and from that perspective metrics become an important ingredient in the risk-based decision-making process. Measuring the security compliance of an organization through the tools used to test software security enables teams to become efficient in their remediation efforts and security process improvements. To enable this type of integration through automation, Application Program Interfaces (APIs) are needed to provide better control over project creation, user management, and access control. Security workflow must be pulled left into Integrated Development Environments (IDEs), providing immediate feedback without breaking developer context and minimizing the impact of resource constraints and the security skills gap.
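The defect correlation, false-positive handling, aggregation and metrics that the paper lists as implementation topics, and the metrics-driven pipeline gate described in the paragraph above, can be illustrated with a small pipeline step. The following is an added example written for this summary, not code from the ND-ISAC paper or from any member company: the two scanner outputs, the normalised finding shape, the suppression list and the gate threshold are all constructed assumptions.

```python
"""Correlate findings from several scanners, apply reviewed suppressions,
aggregate metrics and apply a risk-based pipeline gate.

Added illustration; not from the ND-ISAC white paper. Every data value below
is constructed, and the common finding shape is an assumption: a real pipeline
step first translates each tool's own report format into this shape.
"""
from collections import defaultdict

# Constructed output from two hypothetical scanners, already normalised.
SCANNER_A = [
    {"tool": "sast-a", "cwe": "CWE-89", "file": "app/db.py", "line": 42, "severity": "high"},
    {"tool": "sast-a", "cwe": "CWE-79", "file": "app/views.py", "line": 17, "severity": "medium"},
    {"tool": "sast-a", "cwe": "CWE-798", "file": "tests/fixtures.py", "line": 3, "severity": "high"},
]
SCANNER_B = [
    {"tool": "sast-b", "cwe": "CWE-89", "file": "app/db.py", "line": 42, "severity": "critical"},
    {"tool": "sast-b", "cwe": "CWE-327", "file": "app/crypto.py", "line": 9, "severity": "medium"},
]

# Constructed false-positive suppressions, keyed exactly like correlated defects
# and carrying a reason so each accepted suppression can be audited later.
SUPPRESSIONS = {
    ("CWE-798", "tests/fixtures.py", 3): "test fixture credential, never shipped",
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def correlation_key(finding):
    """Two findings describe the same defect if CWE, file and line match."""
    return (finding["cwe"], finding["file"], finding["line"])


def correlate(*finding_lists):
    """Merge findings across tools; keep the highest severity any tool assigned."""
    merged = {}
    for findings in finding_lists:
        for f in findings:
            key = correlation_key(f)
            entry = merged.setdefault(
                key, {"cwe": f["cwe"], "file": f["file"], "line": f["line"],
                      "tools": set(), "severity": "low"})
            entry["tools"].add(f["tool"])
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
    return merged


def apply_suppressions(merged, suppressions):
    """Split correlated defects into open defects and reviewed false positives."""
    open_defects, suppressed = {}, {}
    for key, entry in merged.items():
        if key in suppressions:
            suppressed[key] = dict(entry, reason=suppressions[key])
        else:
            open_defects[key] = entry
    return open_defects, suppressed


def metrics(open_defects):
    """Aggregate counts by severity and how many defects more than one tool flagged."""
    by_severity = defaultdict(int)
    corroborated = 0
    for entry in open_defects.values():
        by_severity[entry["severity"]] += 1
        if len(entry["tools"]) > 1:
            corroborated += 1
    return {"by_severity": dict(by_severity),
            "corroborated": corroborated,
            "total": len(open_defects)}


def gate(m, max_high_or_above=0):
    """Risk-based gate: pass only if open high/critical defects are within budget."""
    high_plus = m["by_severity"].get("high", 0) + m["by_severity"].get("critical", 0)
    return high_plus <= max_high_or_above


def run_pipeline(max_high_or_above=0):
    """One pipeline step over the constructed scanner outputs."""
    merged = correlate(SCANNER_A, SCANNER_B)
    open_defects, suppressed = apply_suppressions(merged, SUPPRESSIONS)
    m = metrics(open_defects)
    return {"open": open_defects, "suppressed": suppressed,
            "metrics": m, "passed": gate(m, max_high_or_above)}


if __name__ == "__main__":
    result = run_pipeline()
    print("metrics:", result["metrics"])
    print("gate passed:", result["passed"])
```

The correlation key deliberately ignores the reporting tool, so a defect flagged by both scanners is counted once while the highest severity either tool assigned is kept; the suppression table is the only place a finding can be silenced, and it records a reason, which is what keeps false-positive handling reviewable rather than silently dropping results.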
Modern security automation is a cultural transformation as much as it is a technical transformation. “Software Security Automation” describes steps to map modern automated security controls to the ‘originating purpose’ of policies and regulations in order to smooth adoption of an automated security pipeline. The paper proposes a way forward from traditional gated IT security culture to a culture of continuous security supporting modern software development.
Finally, with an understanding that many application teams have an existing portfolio and cannot simply restart with a fully automated build pipeline, this white paper provides a transitional approach enabling teams to grow from traditional software security practices into DevSecOps.
The audience for this white paper includes security engineers, lead software engineers, product managers, senior managers and executives responsible for the implementation of software security automation initiatives in the organization, as well as those managing the risk associated with threat vectors in software.
For more information or if you are interested in becoming a member of ND-ISAC contact: info@ndisac.org
Download the White Paper: https://ndisac.org/wp-content/uploads/ndisac-security-automation-white-paper.pdf