| July 22, 2020
AppScan - It's Time For Security To Be Continuous Too
Continuous.
If you’ve been working in DevOps for any length of time, then you have heard this term. It is the essence of what we are trying to do. Continuous is used to describe nearly every capability area. Think: Continuous Integration, Continuous Build, Continuous Deployment, Continuous Testing, Continuous Delivery, Continuous Monitoring and so on.
But one area hasn’t quite caught up yet.
Today, personal information and data privacy matter more than ever, especially as more interaction is driven through online means. There are more stringent rules on data collection and use, and regulations like GDPR, NYDFS, and CCPA demand better security for applications. And these come with serious consequences for violators.
All this means Continuous Security is rising to the forefront. But what IS Continuous Security?
What is Continuous Security?
Conduct an online search and you will find that most discussions revolve around two main ideas: integrating security testing into a pipeline and providing feedback. Additional discussions revolve around performing these activities in ways that are developer-friendly. These two areas are also main components of DevSecOps. Both of these are necessary and awesome to do, but just like automating deployments isn’t the same as doing DevOps, running and reporting on tests in a pipeline isn’t Continuous Security.
Continuous Security is much more, with several different capability areas that need to be addressed, and not all of those align with development in a pipeline. In fact, we have found that there are six capabilities that make a huge difference. We have organized these into three thematic areas. These themes and categories appear in Figure 1 below:
Figure 1: Continuous Security Themes
Key Continuous Security Themes
In this short blog series, we will dive deeper into each thematic area in turn. For now, we will introduce these areas and their meaning.
Construct, as you might imagine, deals most directly with how we are making things. The two capabilities are labeled Design and Automate. With Design, we want to convey the notion of including security right from the beginning and all throughout the SDLC. This includes planning, modeling, prioritization and more. The Automate capability is where most begin with DevOps and DevSecOps, but Automate is more than simply running tests in a prescribed manner. It involves behavior and decisions as well.
Intensify. This area is all about how can we do what we do, but better. Intensify helps address the processes, procedures and learning that is needed to optimize. The Educate capability is needed to continually improve not only code quality, but also improve estimates and trade-off decisions. Educate helps us answer the question: “How are we equipping our teams to be able to succeed?” The Govern capability enables us to move data effectively and make decisions with confidence. Govern examines our processes and helps us balance policies with projects so we can gain productivity.
Assure. This area is all about using the data and information we have to make better, more informed decisions that influence the entire SDLC. The capabilities of Audit and Measure are meant to help utilize data to drive the business. For example, with audits, does information from pen-testing teams get into developer backlogs? When we measure, do we know what the key metrics and measures that provide the greatest benefit to risk management are? These capabilities help determine if we are able to balance risk and speed.
Each of these areas will be explored more in depth in separate blogs and we invite you to read the series and share your comments. In addition, you can hear more thoughts on comments on Continuous Security by viewing our recent webinar on Brighttalk or by listening to Episode #7 of our Application Paranoia Podcast, which can be found on Buzzsprout, Apple Podcasts, Spotify or Google Podcasts.
Comment wrap
