Micro Focus is now part of OpenText. Learn more >

You are here

You are here

The state of app sec testing: DevOps drives evolution

John P. Mello Jr. Freelance writer

Application security testing (AST) is evolving to meet the speed demands of DevOps and the growing complexity of modern software programs.

The major driver in the evolution of the AST market is the need to support enterprise DevOps initiatives, found the Gartner 2021 Magic Quadrant for Application Security Testing. Customers require offerings that provide high assurance and high-value findings, the report noted, while not slowing down development efforts unnecessarily.

To do that, more organizations are moving to a DevSecOps approach to application security, which calls for greater integration of AST tools into the development process. That means change is afoot for software teams.

Here's what your team needs to know about the state of application security testing. 

Get integrated or go home

Josh Stella, CEO of Fugue, a cloud infrastructure security company, said that the message is pretty straightforward in 2021:

"If your security tools aren't fully integrated into your CI/CD pipeline, you'll always be behind the DevOps team."
Josh Stella

Jonathan Knudsen, senior security strategist at the Synopsys Software Integrity Group, said that the necessity for security and software development to march forward in lockstep has been learned the hard way over decades. "DevSecOps is a term than reflects a security-first, proactive approach to software development," he said. "It refers to development processes that emphasize security, automation, integration, and developer productivity."

"When software is designed and built without considering security at every phase, tears and heartburn are sure to follow."
Jonathan Knudsen

He noted that automation and integration were able to shrink the time to market for new ideas, while simultaneously giving developers quick and relevant feedback.

Erez Yalon, head of security research at Checkmarx, said integration can also help security pros better deal with the current crop of apps being produced by developers.

"Modern applications are very complex. They have many different building blocks. But because security is embedded into the DevOps process, security people have visibility into the app so coverage of it is easier."
Erez Yalon

Old "phase gate" methods for testing—where AST was performed just prior to software entering production and production halted if security issues were found—are being phased out, said Daniel Kennedy, research director for information security and networking at 451 Research.

"A continuous process that has developers checking incremental code changes for security concerns in a mostly automated way is a vast improvement and realistically enables a greater scale of testing."
Daniel Kennedy

Checking for application security concerns is increasingly a requirement, and the early methods of doing so were not compatible with the speed of developer change in a CI/CD style pipeline, Kennedy added.

DevOps drives app sec testing's evolution

The impact of DevSecOps on testing, though, goes beyond enabling security teams to meet tighter deadlines and test more complex applications. "The change is actually more profound than that," said Michelle McLean, vice president of Salt Security.

"Companies that have made a lot of progress in DevSecOps are less likely to have a separate security team that’s doing just testing. Instead, these companies are cultivating security champions who are fluent in both dev speak and security speak."
Michelle McLean

These teams embed security practices beyond just testing throughout the dev process. "The biggest benefit has been speed. Teams can create more code more quickly, and the code is better written from the get-go," McLean added.

DevSecOps is driving the evolution of AST, requiring security practitioners not only to be fluent in the main AST styles—static, dynamic, and interactive application testing—but also to be adept at securing open-source and third-party components, programmable infrastructure, containers, APIs, and cloud-native apps, said Deloitte's managing director, Aaron Oh.

"Traditionally you had to just worry about SAST and DAST. Now it's typical to see a DevSecOps pipeline with multiple security tools from multiple security vendors because of all the technologies you have to cover, such as APIs, containers, and infrastructure as code."
Aaron Oh

In the past, vendors knew they had to scan and test code. Now that's not enough, Yalon said.

As more testing becomes automated and integrated into the development pipeline, security pros will see their role evolving. Security professionals have to think of themselves as a vendor to the DevOps team, Stella said.

"Being able to express all your security policies as code, you can often give the DevOps team value early in the SDLC. You're becoming a highway builder, not a toll booth operator."
—Josh Stella

Knudsen explained that the first generation of application security saw a centralized security team struggling to provide security testing for a variety of application development teams.

"This has evolved into a developer-centric second generation of application security, in which security testing is automated and integrated into the development process."
—Josh Stella

Using the same principles as DevOps, security testing can become a seamless part of the development process, with testing results fed back to developers using existing issue tracking mechanisms, he added.

As AST has evolved to accommodate the needs of DevOps, the limitations of shifting testing left have also become apparent.

"The pendulum swung really hard over to the left side. We started assuming all security holes were coding problem that could be fixed during development."
—Michelle McLean

But this mentality has its limits, she said, noting that some exposures—especially API exposures—reveal themselves only in runtime. "You can’t see the hole in the business logic that the attacker can leverage until you see the requests and responses in runtime."

She said that organizations evolve their application of AST to span dev, build, and runtime so they can see the whole range of vulnerabilities they need to address.

One thing that will not evolve or change: "All software has to be tested in production, where it is most vulnerable," said Setu Kulkarni, vice president for strategy at NTT Application Security.

"An additional key aspect of the future of the AST market will be the ability to perform production-like dynamic testing within DevOps and the developers' environment."
Setu Kulkarni

Get on top of APIs

As AST evolves, it will find an increasing need to deal with security issues created by the growing use of APIs by developers. In its report, Gartner noted that by 2022, API abuses will move from an infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications.

By 2023, Gartner predicts that 90% of web-enabled applications will have more surface area for attack in the form of exposed APIs, rather than the user interface, up from 50% in 2020.

APIs are also attractive to hackers because much of the security technology in the market wasn't designed to secure them. "Tools like WAFs and API gateways are built to recognize known attacks, such as a SQL injection or cross-site scripting," McLean explained.

"API attacks are very different. Since every company’s APIs are different, the means to attack them are different. Effectively, every API vulnerability is a zero-day vulnerability. Today’s tools can help only with known attacks."
—Michelle McLean

Moreover, threat actors know that APIs can provide them with rich data. "APIs act like a map showing the path directly to a company’s crown jewels," McLean said. "Hackers realize that companies need to connect their customers and partners to these valuable troves of data and services, so they’re worth the time and effort to probe the business logic of APIs looking for vulnerabilities or mistakes in how the APIs are written."

APIs and microservices go hand in hand with DevOps, Kulkarni observed. "DevOps entails agility and short sprint cycles," he said. "This agility is abetted by microservices-based architectures, which result in API-first applications. While this has numerous benefits, security suffers."

With microservices-style development, every microservice has its own way of interacting with other microservices via APIs, added Stella.

"In the past, we might have had three or four big API touchpoints. Now there can be dozens or hundreds. Securing access across all those touchpoints is a real problem space around securing applications."
—Josh Stella

Testing teams 

It will take some time, but security people and developers will begin to merge as DevSecOps becomes more mature, said Martin Knobloch, global application security strategist at CyberRes, a Micro Focus line of business.

That's what happened with software quality testers, he observed. "We used to have testers on one side of the hallway and developers on the other. If something went wrong, they would blame each other. Now they work together."

"Security will become a mentoring and monitoring function. Developers will get more responsibility. Security must learn to trust, but verify, what the developers do. Good security people won't be wasting time running a tollbooth, but spending time finding functional security problems that can't be found with tools."
Martin Knobloch

Deloitte's Oh added that the concept of one secure pipeline will begin to emerge. "There are a lot of 'ops' out there. Instead of having different pipelines for different ops, there will be a single pipeline for all the ops," he said.

He also expects growth in the use of low-code and no-code to build development pipelines.

"Low-code, no-code doesn't mean low vulnerability, no vulnerability. It is going to introduce a new set of vulnerabilities. Like anything else, we have to look at these platforms and make sure proper security controls are applied to them."
—Aaron Oh

Knudsen predicted that next-generation security will give organizations a more unified approach to thwarting threats. He said customers won't shop around for a collection of separate tools. "Instead, they will simplify how they purchase and implement application security."

Instead of automating and integrating security tools individually, they will integrate to one application security solution that takes responsibility for figuring out which tools to run, running them, aggregating results, and feeding results back into the development process, Knudsen said.

"Application security policies expressed as code will dictate the amount of testing and the kinds of results that are acceptable. Application security will be inseparable from software development, and it will seem backwards and quaint that we ever considered them separately."
—Jonathan Knudsen

Keep learning

Read more articles about: SecurityApplication Security