In software development, the gap between the security team and the development team has been a persistent problem whenever new approaches are adopted to speed up delivery. Some time ago CI/CD was introduced into the software development strategy, and it solved many problems in integrating new code between the development and operations teams. That was good news for those two teams, but bad news for a third party to the project: the security team. While the demand for rapid delivery of software applications was answered by CI/CD tools, ensuring that the delivered code is secure became a major challenge, because injecting security into the delivery pipeline is not a simple implementation. Organisations subsequently shifted security left by adding multiple automated AppSec testing tools (such as SAST and DAST) to CI/CD. The shift definitely worked, but the gap between the security team and the development team remains. So what can an organisation do to reduce this gap? The answer may lie in ASOC, or Application Security Orchestration and Correlation. This post discusses the role of ASOC in bridging the gap between AppSec and CI/CD.
Gap Between AppSec and CI/CD
The adoption of DAST, SAST and other application security testing tools provides a broader range of insight into vulnerabilities, because each tool analyses the application from a different angle and the findings therefore come from multiple sources. Although every finding looks valuable from the security team's point of view, the development team often finds it unrealistic to fix everything and expects to fix only the important vulnerabilities so that it can meet tight release deadlines. Without correlation, the same weakness reported by two tools also shows up twice, and nothing in the raw tool output tells a developer which of the many findings actually matters most.
Shift-left security has also planted the belief in organisations that security is taken care of because it was embedded at the beginning of the development process, rather than the belief that security must come first throughout the process. Additionally, software development today has shifted to distributed computing models in which vulnerabilities may not be detected at the early stages of development, placing growing demands on the security team's performance.
ASOC in bridging the Gap Between AppSec and CI/CD
At its core, ASOC is a category of application security tooling introduced to manage threats and vulnerabilities by streamlining multiple application security testing tools and integrating their output into a single source of truth. The ASOC methodology injects security from the beginning of the software development process by running automated tests at every step of the SDLC. At the same time, ASOC normalises the collected findings into a database for analysis and issue tracking, correlating results from the different tools so that duplicates are merged and a weakness confirmed by several tools stands out. This enables the security team to prioritise remediation, which in turn allows the development team to iterate with security orchestrated inside the CI/CD pipeline without slowing development down.
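The two points above, that raw tool output overwhelms developers and that ASOC's answer is to normalise, correlate and prioritise findings from several tools, can be shown concretely. The following Python script is an added example written for this post; it is not code from any ASOC product or from E-SPIN. The SAST and DAST input records are constructed sample data in simplified, hypothetical formats (they are not the real JSON of any specific scanner), and the ROUTE_TO_FILE mapping that ties a DAST URL back to the source file SAST flagged is an assumption a real ASOC platform would derive from the application's route table or build metadata.

```python
"""Minimal ASOC-style correlation: normalise findings from several
application security testing tools into one schema, merge duplicates and
cross-tool confirmations, and rank what developers should fix first.

All inputs are constructed sample data in simplified, hypothetical formats;
they are not the real output of any SAST or DAST product.
"""
from collections import defaultdict

# Constructed SAST output (file/line based). Contains an exact duplicate,
# which is common when the same rule fires twice over one code path.
SAST_FINDINGS = [
    {"rule": "sqli", "cwe": 89, "file": "app/orders.py", "line": 42, "severity": "high"},
    {"rule": "sqli", "cwe": 89, "file": "app/orders.py", "line": 42, "severity": "high"},
    {"rule": "hardcoded-secret", "cwe": 798, "file": "app/config.py", "line": 7, "severity": "medium"},
    {"rule": "weak-hash", "cwe": 328, "file": "app/util.py", "line": 19, "severity": "low"},
]

# Constructed DAST output (URL based).
DAST_FINDINGS = [
    {"alert": "SQL Injection", "cwe": 89, "url": "/orders?id=1", "risk": "High"},
    {"alert": "Missing Content-Security-Policy", "cwe": 693, "url": "/", "risk": "Low"},
]

# Assumed route-to-source mapping. A real ASOC platform derives this from the
# application's route table, build metadata or instrumentation; here it is a
# hand-written assumption so DAST hits can be tied to the code SAST flagged.
ROUTE_TO_FILE = {"/orders": "app/orders.py", "/": "app/home.py"}

SEVERITY_SCORE = {"critical": 9, "high": 7, "medium": 4, "low": 1}


def normalise_sast(raw):
    """Map the SAST-style records onto the common finding schema."""
    return [{"tool": "sast", "cwe": f["cwe"], "component": f["file"],
             "detail": f"{f['rule']} at line {f['line']}",
             "severity": f["severity"].lower()} for f in raw]


def normalise_dast(raw):
    """Map the DAST-style records onto the common schema, resolving the
    request path to a source component via the assumed route mapping."""
    out = []
    for f in raw:
        path = f["url"].split("?", 1)[0]
        out.append({"tool": "dast", "cwe": f["cwe"],
                    "component": ROUTE_TO_FILE.get(path, path),
                    "detail": f"{f['alert']} on {f['url']}",
                    "severity": f["risk"].lower()})
    return out


def correlate(findings):
    """Merge findings that point at the same weakness (CWE) in the same
    component. The priority score is the worst severity seen, plus a bonus
    for every additional tool that independently confirms the issue."""
    groups = defaultdict(lambda: {"tools": set(), "details": [], "severity": "low"})
    for f in findings:
        g = groups[(f["cwe"], f["component"])]
        g["tools"].add(f["tool"])
        if f["detail"] not in g["details"]:   # drop exact duplicates
            g["details"].append(f["detail"])
        if SEVERITY_SCORE[f["severity"]] > SEVERITY_SCORE[g["severity"]]:
            g["severity"] = f["severity"]
    merged = []
    for (cwe, component), g in groups.items():
        score = min(10, SEVERITY_SCORE[g["severity"]] + 2 * (len(g["tools"]) - 1))
        merged.append({"cwe": cwe, "component": component, "tools": sorted(g["tools"]),
                       "details": g["details"], "severity": g["severity"], "score": score})
    return merged


def prioritise(merged):
    """Highest score first; ties broken by component and CWE for a stable order."""
    return sorted(merged, key=lambda m: (-m["score"], m["component"], m["cwe"]))


def build_backlog(sast=SAST_FINDINGS, dast=DAST_FINDINGS):
    """End to end: orchestrate both tool outputs into one ranked backlog."""
    return prioritise(correlate(normalise_sast(sast) + normalise_dast(dast)))


if __name__ == "__main__":
    for item in build_backlog():
        print(f"score={item['score']:>2} CWE-{item['cwe']:<4} {item['component']:<16}"
              f" via {'+'.join(item['tools'])}: {'; '.join(item['details'])}")
```

With the sample data, six raw findings collapse to four backlog items. The SQL injection in app/orders.py rises to the top because SAST and DAST both reported it (two identical SAST hits are merged into one), while the low-severity items sink to the bottom; that ranked, deduplicated list is what a developer would see instead of each tool's separate report.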
E-SPIN Group supplies enterprise ICT solutions, consultancy, project management, training and maintenance to corporations and government agencies across the region, both directly and via channel partners. Feel free to contact E-SPIN for your project requirements and enquiries.
Other posts that may interest you:
1. Static Application Security Testing (SAST) and Secure Source Code
2. Value for combine SAST and DAST for application security testing
3. Best Practices to Secure your CI/CD Pipeline