Add It Up: Reality Check on Automated Security Testing
Limited automation and ineffectiveness are two problems facing the application security testing market.
As we wrote about previously, tooling does not address a majority of the security tests being conducted. The Cybersecurity Insiders 2018 Application Security Report provides more details, showing that only 43 percent of information security professionals’ organizations have automated security testing in their software release lifecycle. Although most organizations have some DevOps processes in place, in reality, automated security testing is not deployed in a majority of CI/CD pipelines. Furthermore, even among organizations that have automated testing, the number of tests that are automated are still limited.
The DevSecOps Community Survey 2018 found that 67 percent of organizations with mature DevOps processes have automated application security analysis in the QA/testing step phase of the software development lifecycle (SDLC), while only 13 percent of organizations with immature DevOps processes have automation at that point. Those findings exclude companies that are somewhere in between in their DevOps journey. We believe the DevSecOps report overstates the degree of actual automation because automating a single test is different than conducting complete penetration and vulnerability tests that information security teams provide. Looking beyond Dev and Ops to provide a Sec perspective, the Cybersecurity Insiders report reported that 46 percent of automated testing occurs in a formal testing phase, with 25 percent doing so in the code development phase and 30 percent doing automated monitoring of applications in production.
When security testing is done right, it dramatically improves an organization’s security posture. The movement to shift security left in the SLDC process helps reduces the remediation cost for a security breach. Scanning for known vulnerabilities of open source components is also a win. Yet, security testing is not a panacea. In a recent DZone survey, 48 percent of respondents claimed security testing is insufficient even for applications that actually are tested and not overlooked.
The effectiveness of security testing is limited by many factors that are beyond the scope of this column. That being said, despite lip service to the problem, developers don’t prioritize security because of time constraints. According to the DevSecOps survey, 48 percent of developers know security is important but don’t have enough time to spend on it. This has real consequences as 60 percent of developers surveyed by DZone last year said release schedules have overridden security concerns at their organization.
Companies have a lot of work ahead of them before they adequately integrate security into the DevOps process. Don’t think your job is done just because you have automated a few tests and have consulted with the Infosec team.
Recommended articles and graphics from Carnegie Mellon’s Software Engineering Institute:
- 10 Types of Application Security Testing Tools: When and How to Use Them
- Decision-Making Factors for Selecting Application Security Testing Tools
Feature image via Pixabay.