Security automation and integration can smooth AppSec friction

Steven Zimmerman

Jan 23, 2025 / 6 min read

Every year, Black Duck surveys more than 1,000 software developers, application security professionals, chief information security officers, and DevOps engineers for the “Global State of DevSecOps” report. This year’s report returned three important takeaways.

  • Implementing a more integrated, automated DevSecOps strategy is essential to securing faster, AI-enabled pipelines.
  • Large amounts of noisy, unclear test results from application security testing tools continue to slow down security teams’ prioritization and impede developers’ remediation workflows.
  • AI code development has renewed the historical friction between Security and Development teams.

The 2024 DevSecOps landscape was characterized by rapid AI adoption, a proliferation of tools, and an ongoing struggle to balance thorough security practices with development speed. While there's a clear trend toward security automation and integration in development processes, many organizations are still grappling with noise in security results and the persistence of manual processes that could be streamlined through automation.


DevSecOps is fundamental to faster pipelines

One of the most exciting results of the year is that most organizations have adopted DevSecOps for development, testing, and delivery pipelines. Of the organizations surveyed, 55% reported that they manage application security testing using a centralized platform or interface to pull their test tracking and results together, and a full 60% are using automation to add projects to their security testing queue. These organizations also report that they’ve implemented cross-functional teams of Security, Development, and DevOps contributors to make AppSec testing decisions.

“55% manage AppSec tests with centralized interface.” (Global State of DevSecOps Report, Black Duck)

Despite advancements in the adoption of DevSecOps tools and processes, tension remains between the need for thorough security testing and the need for development speed. Eighty-six percent of respondents feel that security testing slows down development by some amount (ranging from slightly to severely). The plurality (43%) feel that testing moderately slows down development. And while one-quarter of respondents feel that security testing only slightly slows down development delivery, another 18% feel that it severely slows the development life cycle.

More insight can be gained when looking at how respondents add software projects to the security testing queue and whether that is an impediment to development and delivery pipelines. Of the respondents who report that security testing severely slows down their pipelines, 33% manage their test queues manually, compared to 17% who manage pipelines entirely through automation.

These statistics underscore the notion that although security may require additional effort and time, these impediments are magnified by manually managing project test queues. And, as we see in the full report, the most efficient way to mitigate testing friction is by adding automation when structuring and managing test queues.

Friction is still a challenge for DevSecOps

Whether you perceive friction between development and security testing to be an impediment or not often depends on your role in the organization. Of the AppSec team members who responded to the survey used for the “Global State of DevSecOps” report, 65% felt that testing impeded pipelines “moderately” or “severely.” While the report didn’t survey why they feel this way, we can speculate that it’s due to their proximity to the testing process, or potentially because they’re feeling pressure to accelerate review processes. Since they are closest to the task, they face the highest scrutiny for its efficiency.

Of the development and engineering team members who replied to the survey, 58% share the sentiment of their AppSec counterparts. It is, however, important to consider that an additional 12% of the surveyed developers and engineers report that they just don’t have enough visibility into security testing to know what’s going on. Were they to have greater visibility into security testing processes, it is quite possible that they, too, would perceive AppSec testing as an impediment to pipelines. And this lack of visibility makes concerted DevSecOps initiatives more difficult to implement since contributors are unable to close feedback loops or optimize development and testing efforts.

The report also tells us that C-suite respondents (CTOs, CPOs, and CISOs) perceive testing as a drag on velocity. Of those surveyed, 51% felt that DevSecOps “moderately slowed down” velocity, while 18% perceived that it “severely slowed down” pipeline development. These executives share the sentiments of their corresponding teams, perhaps with a greater sensitivity to inefficiencies in DevSecOps workflows because of their role in guiding the strategy for evolution and improvement.

It’s important to consider that these responses are a clear representation of perceived impediment—an inherently subjective metric. As such, the actual experienced friction may be lesser or greater than these reported levels. Organizations should, therefore, work toward providing greater visibility into risks and inefficiencies across the pipeline. This will ensure that action is being taken to address actual friction, instead of wasting effort or money addressing issues that are perceived to be more severe than they are.

Accelerating issue prioritization with security automation

Before you can fix issues, you need to prioritize them, and this takes time. AppSec teams commonly have significant backlogs of issues to review, potentially spanning multiple releases or branches. Developers need to focus on innovation, but without insight into prioritization, they might get mired in fixing issues that would be deprioritized based on defined risk-tolerance policies. Security automation is the best solution to speed up issue prioritization.

Interestingly, of all respondents to the “Global State of DevSecOps” report survey, 49% are using automation to accomplish remediation prioritization, while 43% are still prioritizing issues manually. When we correlate that with those who feel that AppSec severely slows down pipelines, 57% of respondents manually prioritize issues while 41% do so automatically. Among those who feel AppSec does not slow down pipelines, only 23% prioritize issues manually while a whopping 69% are using automation.

This gives us a pretty clear indication that not only does security automation speed up the prioritization process, it helps to clear the perception that testing slows development pipelines.

Again, this perception can be influenced by organizational role. So while it seems alarming that the report shows that 72% of AppSec teams and C-suite respondents feel security testing severely slows down pipelines, it turns out that those same respondents are prioritizing issues manually.

Security automation smooths the savage beast

As we have seen so far, the greatest opportunities to minimize friction are in the management of AppSec test queues and in the prioritization of remediation workflows. After security tests have been run but before issues are assigned for remediation, security teams must determine which results are accurate, which provide useful insight, and which are erroneous; failure to do this can lead to further wasted development cycles.

The “Global State of DevSecOps” report tells us that 38% of survey respondents manually interpret and sanitize the findings of all AppSec testing tools, 25% fully automate the process, and 28% use a combination of automated and manual methods. Since manual and hybrid procedures account for 66% of respondents, we can see there is still significant room to increase automation and consistency in processing test results.

Using automated data purification methods can accelerate review by automatically parsing and cleansing test results, omitting duplicative results, validating questionable results, and whittling down the issue backlog. Of all survey respondents, the 22% who found it somewhat or extremely difficult to understand and act on test results are parsing and cleansing test results manually. Meanwhile, only 10% of respondents who are using automation reported the same difficulty.

Before converting AppSec to a solely automated process, however, it’s critical to ensure that your policies and automated systems are structured and constrained by human-defined factors. This means ensuring buy-in from each contributing team, incorporating each team’s service level agreements for response, and establishing policies that are customized for relevance to minimize unnecessary alerts. Your ability to automate will vary based on your strengths in these areas.
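As an added example (not code from the report or from Black Duck), here is the kind of automated triage this section and the prioritization section above describe: findings from two hypothetical tools are deduplicated, questionable results are routed for human validation, out-of-scope paths are suppressed, and the rest are ordered by a team-defined risk-tolerance policy with SLA due dates. The sample findings, the policy values and the placeholder CVE id are all constructed.

```python
from datetime import date, timedelta

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample findings, shaped like what a SAST and an SCA tool might emit
# (not real tool output). The first two are the same issue reported by two scan runs.
SAMPLE_FINDINGS = [
    {"tool": "sast", "rule": "CWE-89", "file": "app/db.py", "line": 42,
     "severity": "high", "confidence": 0.9},
    {"tool": "sast", "rule": "CWE-89", "file": "app/db.py", "line": 42,
     "severity": "high", "confidence": 0.9},
    {"tool": "sca", "rule": "CVE-PLACEHOLDER-1", "file": "requirements.txt", "line": 3,
     "severity": "critical", "confidence": 1.0},
    {"tool": "sast", "rule": "CWE-79", "file": "app/views.py", "line": 17,
     "severity": "medium", "confidence": 0.3},
    {"tool": "sast", "rule": "CWE-79", "file": "tests/test_views.py", "line": 5,
     "severity": "medium", "confidence": 0.9},
]

# Human-defined risk-tolerance policy (hypothetical values agreed between the teams).
POLICY = {
    "sla_days": {"critical": 7, "high": 30, "medium": 90, "low": 180},
    "min_confidence": 0.5,        # below this, a human validates before a developer sees it
    "ignore_paths": ("tests/",),  # out of scope per team agreement
    "block_release": {"critical", "high"},
}

def fingerprint(finding):
    """Tool-agnostic identity so the same issue from repeated runs collapses to one."""
    return (finding["rule"], finding["file"], finding["line"])

def triage(findings, policy, today_iso):
    """Dedupe, apply the policy, and return a prioritized backlog plus routing buckets."""
    today = date.fromisoformat(today_iso)
    seen, backlog, validate, suppressed = set(), [], [], []
    for f in findings:
        fp = fingerprint(f)
        if fp in seen:
            continue                      # duplicate result: drop it
        seen.add(fp)
        if f["file"].startswith(policy["ignore_paths"]):
            suppressed.append(f)          # policy says this path does not count
        elif f["confidence"] < policy["min_confidence"]:
            validate.append(f)            # questionable result: route for validation
        else:
            due = today + timedelta(days=policy["sla_days"][f["severity"]])
            backlog.append({**f, "due": due})
    backlog.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["due"]))
    blocked = any(f["severity"] in policy["block_release"] for f in backlog)
    return {"backlog": backlog, "needs_validation": validate,
            "suppressed": suppressed, "release_blocked": blocked}
```

Running `triage(SAMPLE_FINDINGS, POLICY, "2025-01-23")` leaves two actionable items (the critical SCA finding first), one item for human validation, one suppressed item, and a release-blocking flag driven by the policy rather than by raw tool output.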

In short, while automation is the best way to minimize the friction caused by performing security testing in your CI pipelines, your organization will still need thoughtful, collaborative analysis and implementation to build an effective and efficient DevSecOps program.

Evolve your DevSecOps program

What does such a program look like? Data gathered by the “Global State of DevSecOps” report indicates that there are four primary ways to evolve your DevSecOps program.

  • Meet developers where they are. By building testing and insight directly into development tools and workflows, you make security frictionless and minimize developers’ desire to circumvent security.
  • Integrate and automate testing across the stack. By integrating automated testing aligned to risk tolerance policies, you establish security gates, tighten feedback loops, and eliminate implicit trust in AI.
  • Cultivate developers’ security capabilities. By empowering developers with risk awareness and AI-powered fix guidance, you can cultivate higher development standards with every release and fix vulnerabilities at speed.
  • Plan for evolution with a strategy that lasts. By unifying policies, insight, and testing atop a flexible application security testing platform, you can build a DevSecOps strategy that will grow with your business.

The report indicates that organizations poised to see the most success from DevSecOps will likely be those that can effectively streamline their AppSec tech stacks, leverage AI responsibly during development, and reduce noise in security test results to foster closer collaboration between security, development, and operations teams.

The DevSecOps journey is far from over, and this year’s “Global State of DevSecOps” report helps define that path so you can navigate it more securely without slowing down.

Report: Global State of DevSecOps 2024. Discover the latest insights and trends in secure software development, including AI-generated code, in the latest DevSecOps report.
