EXPERT OPINION gates . In their place is software-defined life cycle governance .
Another reason is a people shortage – the ‘ skills gap ’ has been a factor in the industry for years and continues to grow . Assigning repetitive analysis and procedural tasks to bots , sensors and other automated tools makes practical sense and is increasingly the way organisations are addressing both that shortage and time management problems .
But while the shift to automation has increased velocity and fluidity across verticals , the BSIMM11 finds that it hasn ’ t put the control of security standards and oversight out of the reach of humans .
Apply a well-rounded risk mitigation strategy
In fact , the roles of today ’ s security professionals and software developers have become multi-dimensional . With their increasing responsibilities , they must do more in less time and while keeping applications secure . As development workflows continue to evolve to keep up with organisational agility goals , they must account for a variety of requirements , including :
• Real-time visibility into what software and services are running , as well as associated environments and configurations
• Insight into running software ’ s composition
• Automatic execution of at least the minimum required vulnerability discovery testing with each release , with results provided directly to bug tracking systems
• Aggregation and search of operational data for meaningful security information across a value stream
• Traceability of running services to the repositories , build and team that produced them
• Enabling engineering teams to remediate security defects
• Updating network , host , container or application-layer configuration through orchestration
• Automatically invalidating and rotating sensitive assets within a deployment
• Automatic fail-over / rollback to working assets or known-good working configuration / build
This is the reality around which organisations build and / or consume software . Over the years we ’ ve witnessed the use and expansion of automation in the integration of tools such as GitLab for version control , Jenkins for continuous integration ( CI ), Jira for defect tracking and Docker for container integration within toolchains . These tools work together to create a cohesive automated environment that is designed to allow organisations to focus on delivering higher quality innovation faster to the market .
Through BSIMM iterations we ’ ve seen that organisations have realised there ’ s merit in applying and sharing the value of automation by incorporating security principles at appropriate security touchpoints in the software development life cycle ( SDLC ), shifting the security
If you ’ re going to mitigate security risk in your open source codebase , you first have to know what software you ’ re using and what exploits could impact its vulnerabilities . effort ‘ left ’. This creates shorter feedback loops and decreases friction , which allows engineers to detect and fix security and compliance issues faster and more naturally as part of software development workflows .
More recently , a ‘ shift everywhere ’ movement has been observed through the BSIMM as a graduation from ‘ shift left ’ – meaning firms are not just testing early in development but conducting security activity as soon as possible with the highest fidelity as soon as is practical . As development speeds and deployment frequencies intensify , security testing must compliment these multifaceted dynamic workflows . If organisations want to avoid compromising security and time to market delays , directly integrating security testing is essential .
Since organisations ’ time to innovate continues to accelerate , firms must not abdicate their security and risk mitigation responsibilities . Managed security testing provides and delivers the key people , process and technology considerations that help firms maintain the desired pace of innovation , securely .
In fact , the right managed security testing solutions will provide the ability to invert the relationship between automation and humans , where the humans powering the managed service act out-of-band to deliver high-quality input in an otherwise machine-driven process , rather than the legacy view in which automation augments and / or complements human process .
It also affords organisations the application security testing flexibility required while driving fiscal responsibility . Organisations gain access to the brightest minds in the cybersecurity field when you need them and not paying for them when you don ’ t ; you simply draw on them as needed to address current resource testing constraints . This results in unrivalled transparency , flexibility and quality at a
42 Issue 31 | www . intelligentciso . com