11 December 2019

The DevSecOps Paradigm is Failing to Deliver Application Security

Mark Kuhr

The industry has realized that security tooling must be integrated into the CI/CD toolchain and provide value there. However, it’s important to recognize that this is not a good parallel to the earlier shift to automated functional tests. Organizations are prioritizing tooling that primarily acts as a compliance check, mistakenly thinking they are improving their security posture. Here’s why.

First, existing automated security tooling is extremely immature. While improving rapidly, different DAST or SAST tools run against the same application produce a Venn diagram of results: each finds things the others miss. Each of these tools addresses only a limited step in the development-to-release workflow and thereby lacks the context it needs to provide relevant results. Consumers are forced either to wade through false positives or to tune the tools down to the point of irrelevance. As a result, it’s impossible to gain confidence that coverage was sufficient to assess business risk. Did they find everything there was to find? How would you know? Are the findings exploitable? Do they represent real business risk, or are they in something I don’t care about?

Second, unlike functional bugs, an application’s security posture is highly dynamic: it changes over time even when no new code is released and no infrastructure change is made, for example when a new vulnerability is disclosed in a dependency that is already deployed. A tool that runs only inside your CI/CD pipeline therefore cannot guarantee that no exploitable vulnerability exists in production.

At the end of the release cycle, penetration tests and other manual activities can provide thorough assessments and remediation intelligence, but the market for them is badly underdeveloped. Penetration tests are used primarily for compliance, they are done infrequently and on a point-in-time basis, and few vendors offer quality vulnerability discovery services.

True application security has been prohibitively expensive for most of the industry. Giants like Amazon and Google staff their own red teams, but hardly anyone else can find and keep enough security experts. That staffing shortage is expected to worsen dramatically over the next several years. Large companies and governments supplement their staff with premium, high-quality partners; medium-sized companies are often stranded with only yearly compliance-driven pen tests; small companies are still struggling to migrate to CI/CD and can’t afford advanced security tooling or pen tests.

For this reason, crowdsourcing to augment internal security talent has taken off. In fact, Gartner projects that more than 60% of organizations will rely on crowdsourcing for application testing by 2022. We are already seeing this shift as we work with companies ranging from the Global 2000 to start-ups and government agencies.

Security budgets need to be redirected. Organizations cannot wait for security tools in the CI/CD pipeline to mature and integrate. These tools should be used judiciously, tuned down to eliminate false positives and considered mainly for their compliance value. Instead, budget needs to be shifted towards effective penetration testing. Companies should choose a pen test engagement very carefully to make sure they are getting high-quality, actionable results. There is hope: we provide the most trusted, highest-quality pen tests and are the only company to offer continuous, “365” pen tests. We scale our penetration tests with our own proprietary scanning tool, Hydra, which uses augmented intelligence. Hydra harnesses learnings from our crowd of top security talent, the Synack Red Team, and sends them suspected vulnerabilities to triage and report on. That way, we remove the noise and surface only high-quality, exploitable vulnerabilities to security and dev teams. Quality security testing should be a continuous, efficient process, because managing your risk is a daily job.