Over the past decade, DevOps has revolutionized the development process with speed and agility.
Yet, for the most part, application security tools have remained the same for 20 years. Yes, we’ve seen new security scanning tools, but these technologies still focus on identifying vulnerabilities and flaws at specific points in the software development life cycle (SDLC), without considering the broader build-to-deploy development model.
This becomes more problematic when you consider how the world has changed, especially recently. Every business is a software business, as software is the competitive advantage. While DevOps accelerates software production, security can’t keep up, and this opens up a huge risk chasm.
What does this risk chasm mean in practice? It means that security has little visibility – and no broader context – into the security of an application or the state of application vulnerabilities. It means there’s no way to assess the risk of the application and its impact on the business, and therefore no way to figure out whether to prioritize remediation.
As a result, remediation attempts slow down development processes, which creates conflict between development and security.
The centralized control model no longer works in today’s software-defined world
Part of the problem is that the DevOps model utilizes a decentralized process to deliver software fast. Security doesn’t. Traditionally, the CISO and their team would set and oversee policies across the enterprise. Businesses adhere to these or face the consequences of policy violations. Security policies are set, and sit, for long periods of time; change is the exception, rather than the rule.
This centralized control model no longer applies to today’s software-defined world. Today, product security teams are often embedded within engineering organizations. These teams are chartered with ensuring the security of their respective product lines while incorporating the risk their businesses are willing to accept. These teams also deeply understand the delivery requirements placed on Development teams.
Within this context, product security does whatever it takes to support their product lines at the speed of business. This can create competing – sometimes conflicting – demands between product security at the line of business (LOB) level and enterprise security at the corporate level.
To work effectively in today’s world, a new decentralized, federated responsibility model for application security is emerging. This model enables security, with risk management and compliance, to align with individual LOB operations while retaining corporate standards and policies, to deliver secure applications at the speed of DevOps.
Through this model, corporate security works with governance to set organizational security policy, maintain corporate security visibility, measure the overall risk to the business, and coach product security and operations teams, while product security teams are empowered to own the security of their applications. They in turn provide the specific policies and tools to enable Development to implement consistent security in line with the velocity of DevOps.
The foundations of a federated responsibility model for AppSec
First, there is a need for enterprise control. You need to set standards