6 Reasons Why More Automation Means More Secure Software
In an age when applications are broken down into microservices, and networks are distributed across regions and clouds, software is being produced faster than ever, in smaller and smaller components.
The only way to keep up? With automation.
Automation can “develop velocity and the speed at which organizations can bring solutions to market,” Arnal Dayaratna, an analyst who leads software developer research at International Data Corporation (IDC), told The New Stack. “The single biggest problem we have is how long it takes to get the code out.”
But it can also enhance your teams’ and your organization’s confidence in the software it produces, and make changes less likely to break your code, according to an unpublished report completed in September by Sonatype and The New Stack.
The report, which surveyed 679 technologists and IT managers across industries, found that the more that software deployment and testing is automated —and the more frequently it is deployed — the greater confidence organizations express in it.
The report found that organizations that fully automate app deployment are 24% more likely to have dependency upgrades that don’t break functionality, compared to all of the survey respondents.
Keeping up with Fast-Changing Code
Today, 62% of companies use more than one cloud provider, according to a 2021 Cloud Security Alliance report. And the use of diverse production platforms, such as containers and virtual machines, is continuing to increase.
With the move to cross-functional DevOps teams and practices, applications are also being updated faster than ever before.
According to research released by Sonatype this past fall, 57% of software development teams deploy at least once a week — and 20% deploy multiple times a day, or with every change.
The average organization, according to Sonatype’s “2021 State of the Software Supply Chain” report, performs 6,200 component migrations per year. When a developer updates a dependency, they have, on average, 21 versions to choose from.
Adding to the security challenge is the fact that developers aren’t writing all the code from scratch.
Nearly all codebases contained some open source code. For instance, 97% of a typical Java application is made up of open source code, according to a survey released in February by Veracode, a software security testing company. The report further revealed:
- Seventy-seven percent of known flaws in third-party libraries remained unfixed three months after discovery.
- The most common type of vulnerability, CRLF injection, was detected in 65% of apps. The second most common type of vulnerability, affecting 61% of apps, is “information leakage,” which could create potential legal liabilities for companies.
Checking all these components for known vulnerabilities and licensing issues is an impossible task if done manually.
And then there’s the potential for vulnerabilities in newly-written code, which has to be tested for flaws before it can be released.
It’s hard to keep up without automation, both in the building and testing of software, Venky Chennapragada, DevOps architect at the consulting group Capgemini Americas, told The New Stack.
“This automation makes it possible for companies to build hundreds of artifacts daily for their applications and microservices,” he said.
The Advantages of Automation
Automation does require a real investment of time and effort to get it right, something which can be hard to justify if it’s important to get something quickly out the door, Matt Keeler, senior DevOps engineer at security consulting firm Bishop Fox, told The New Stack.
But, over time, it leads to a faster release cycle, improved security and a more stable platform, he added.
At Bishop Fox, he said, “we use automation not only for continuous integration and continuous development but for generating documents, deploying our infrastructure, scaling our platform in and out based on load, and even patch management.”
Here are six advantages of automation in the software lifecycle:
1. Automation Standardizes Security Testing.
Automation is one of the critical capabilities for application security testing, according to a 2020 report from Gartner.
“The application security testing market has entered a period of rapid evolution and change,” said Mark Horvath, a Gartner analyst, in the report.
Automation can allow companies to do software security testing not just efficiently and at scale, but also in a standardized way, said Sanjay Srivastava, chief digital officer at the professional services company Genpact.
“If you leave it up to the individual, everyone does it a little differently,” he told The New Stack.
2. Automation Frees Developers to Focus on Innovation.
Automation doesn’t just give developers greater confidence in components and systems, and make developers more productive, but it also makes it more enjoyable, said Keeler.
“Automation lets us offload important but repetitious work onto a machine, freeing us up to focus our creative efforts elsewhere,” he said.
3. Automation Enhances DevOps Practices.
“Automation is critical,” said Dayaratna, of IDC. “And it is also critical to reducing friction between hand-offs in the development lifecycle, particularly in the context of development that’s done by distributed teams.”
When companies switch to DevOps, deployments speed up, he said. “Automation is part of DevOps. It’s central to DevOps practices.”
Many DevOps tools already have automation built in, Dayaratna said. “The next phase of development is to deepen the integration of artificial intelligence and machine learning into DevOps processes and practices.
“That’s going to be a new and exciting phase of the automation of software development — which is not to say it’s not happening already.”
4. AI Can Improve Development and Testing.
For example, a company might need to set different thresholds during peak periods, such as Black Friday’s holiday shopping spree, or for particular types of users. As applications and different use cases multiply, it gets very difficult to keep up with manually.
Automation can help companies address licensing and security issues in software development said Dayaratna.
A large organization may be running hundreds of different tests against their applications, at all points in the software lifecycle, he said. “Many of those tests will fail and will need to be repeated.”
Most automation today is done within predefined parameters, using scripted steps and decision trees to replace time-consuming but routine actions. This allows companies to do what they’re currently doing, Srivastava said, but “better, faster and more efficiently.”
By adding AI to the process, companies bring new value to the table, he said, and not just in speeding up software development and delivery: “You’re going to be fundamentally changing what’s going to be produced.”
5. AI Automation Makes It Easier to ‘Shift Left.’
Software programmers are the single best user group inside the enterprise to understand the benefits of intelligent automation, and make the best possible use of it, added Genpact’s Srivastava.
“They are the best barometer of where the world is going,” he said.
For example, intelligent automation can be introduced at the very start of the software writing process, to dramatically improve the quality and security of code as it is being written, while simultaneously speeding up development.
“It makes you able to do things that you couldn’t do before,” he said. “It puts you into totally new business models.”
By 2025, 75% of all applications will include automatically generated code, according to a report by IDC).
6. Automation Saves Companies Money.
“Intelligent automation that standardizes engineering teams on exemplary open source projects could remove 1.6 [million] hours and $240M of real-world waste spread across our sample of 100,000 production applications,” read Sonatype’s “State of the Software Supply Chain” report.
If extrapolated out for the entire software industry, the report stated, savings could reach billions, with intelligent automation saving companies an average of $192,000 annually.
And it’s not too late to get started, said Dayaratna. “There is still opportunity for technology suppliers to improve in respect to integration of intelligence into software development.”