Intelligent CISO Issue 46 | Page 61

Software security to shift further left to become SecDevOps

Veracode, a global provider of Application Security Testing (AST), has revealed usage data that demonstrates cybersecurity is becoming more automated and componentised in line with modern software architectures and development practices. The analysis of 5,446,170 static scans and more than 310,000 apps over 13 months, from September 2020 to October 2021, found a startling 143% growth in the number of small apps, like APIs and microservices, and a 133% increase in automated scans run through APIs instead of manually.
COVID-19 has accelerated Digital Transformation over the past 18 months and businesses are competing aggressively to be first to market with digital products and services. Pressure on developers to build and deploy software quicker than ever has precipitated the shift to DevSecOps – integrating Development, Security and Operations to make Application Security an integral part of the software life cycle. At long last, companies are applying AppSec controls to secure the integrity of the development process, as well as scaling DevSecOps pipeline patterns across the entire enterprise.
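The pipeline pattern the paragraph describes comes down to one control: every automated static scan produces a machine-readable result, and a policy gate in the build decides whether that result is acceptable. The following is an added example of such a gate, not Veracode's code or API; the finding fields (`id`, `severity`, `cwe`, `age_days`), the policy thresholds and the sample report are all constructed for illustration.

```python
"""Policy gate for automated static-scan results in a DevSecOps pipeline.

Added example, not Veracode's code or API. It assumes a scanner emits a
JSON list of findings with the constructed fields id, severity, cwe and
age_days, and that the CI job fails when the policy is breached.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Ordered severity scale so thresholds can be compared numerically.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    """Hypothetical policy definition that the gate enforces."""
    # Fail the build on any open finding at or above this severity.
    fail_at: str = "high"
    # Remediation SLA in days per severity; older open findings breach it
    # even when they sit below fail_at (no SLA for "low").
    max_age_days: dict[str, int] = field(
        default_factory=lambda: {"medium": 30, "high": 7, "critical": 1}
    )
    # Weakness classes that are never acceptable regardless of severity.
    banned_cwes: frozenset[int] = frozenset({89, 78})  # SQLi, OS command injection


def evaluate(findings: list[dict], policy: Policy) -> dict:
    """Apply the policy to each finding and collect the reasons it fails."""
    violations = []
    for f in findings:
        sev = f["severity"].lower()
        reasons = []
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[policy.fail_at]:
            reasons.append(f"severity {sev} >= {policy.fail_at}")
        limit = policy.max_age_days.get(sev)
        if limit is not None and f["age_days"] > limit:
            reasons.append(f"open {f['age_days']}d exceeds {limit}d SLA for {sev}")
        if f["cwe"] in policy.banned_cwes:
            reasons.append(f"CWE-{f['cwe']} is banned by policy")
        if reasons:
            violations.append({"id": f["id"], "reasons": reasons})
    return {"passed": not violations, "violations": violations, "scanned": len(findings)}


def run_gate(report_json: str, policy: Policy) -> dict:
    """Parse a scanner report and evaluate it; the CI step keys off 'passed'."""
    return evaluate(json.loads(report_json), policy)


# Constructed sample report: what a scan of one microservice might return.
SAMPLE_REPORT = json.dumps([
    {"id": "F1", "severity": "high",   "cwe": 79, "age_days": 2},    # XSS, too severe
    {"id": "F2", "severity": "medium", "cwe": 89, "age_days": 3},    # SQLi, banned CWE
    {"id": "F3", "severity": "medium", "cwe": 20, "age_days": 45},   # past 30-day SLA
    {"id": "F4", "severity": "low",    "cwe": 20, "age_days": 100},  # low: no SLA
    {"id": "F5", "severity": "medium", "cwe": 20, "age_days": 5},    # within SLA
])

if __name__ == "__main__":
    result = run_gate(SAMPLE_REPORT, Policy())
    for v in result["violations"]:
        print(v["id"], "; ".join(v["reasons"]))
    raise SystemExit(0 if result["passed"] else 1)
```

Running the script exits non-zero, which is what makes the scan a gate rather than a report: the build stops on F1, F2 and F3 while F4 and F5 are tolerated. Keeping the policy as data separate from the scanner is what lets the same gate be applied across many small services without re-tuning each pipeline.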
“The rise of automation and componentisation in software development has driven a sharp increase in the speed and automation of software security as businesses look to AI and Machine Learning for flaw identification, threat modelling and remediation,” said Chris Wysopal, Cofounder and Chief Technology Officer at Veracode. “We’ve already seen DevSecOps grow rapidly in maturity and now there’s an opportunity to shift security even further left into the design phase to become SecDevOps.”
Componentisation drives speed and efficiencies
Alongside the upward trajectory in automation, Veracode also found a downward trend in the complexity and size of the code being analysed, as evidenced by the 30% reduction in the average number of modules scanned per scan, indicating a shift towards scanning of individual components or microservices. This is not surprising considering the rapid adoption of both componentised applications and DevOps practices.
With large applications broken down into small reusable components – or microservices – developers can work in more agile ways to iterate quickly and deliver continuously in increments. Interestingly, the rise of API-first development has improved software security, with the average time to fix a flaw reduced by around 50% when using static analysis for APIs or microservices. API scanning also enables organisations to find and fix vulnerabilities in APIs as early and efficiently as possible.
“Recent high-profile attacks, such as the SolarWinds hack, have put the vulnerability of the software supply chain firmly in the spotlight,” Wysopal added. “Businesses now seek the next evolution of software security for peace of mind.
“This means offering the assurance of continuous orchestration, such as policy definition and management, inline remediation with the ability to ‘self-heal’ and runtime intelligence that highlights any flaws introduced as underlying components change.”