How to Increase Speed and Security with ASOC
You may be sick of technology acronyms, but if you work in the world of software and you’re not familiar with ASOC (application security orchestration and correlation), add it to your list. ASOC offers the best chance yet to resolve the seemingly endless conflict between speed and security in software development and make everyone a winner, which would be revolutionary.
Security and Velocity
Nobody in the industry argues that security doesn’t matter, given daily headlines about the damage from criminals exploiting vulnerabilities in software. By now it is a familiar parade of horribles: compromised personal information, financial data and intellectual property. Millions lost to ransomware and critical infrastructure damaged or shut down.
Does security matter more than the speed of development? This is where things get much fuzzier. As Sammy Migues, principal scientist at Synopsys and a coauthor of the annual Building Security In Maturity Model (BSIMM), said a year ago, the message from software development teams is, “We’d love to have security in our value streams if you don’t slow us down.”
Indeed, in modern software development, speed trumps just about everything. The rate of builds is exponentially faster than even a few years ago. Facebook, on Android alone, has between 50,000 and 60,000 builds each day. Amazon reportedly deploys new software to production every second. For those without a calculator handy, that’s 86,400 builds every day.
There is no way to cope with that level of velocity without automating security testing tools, which vendors have done. Automation alone doesn’t solve the problem, though, because it can lead to vast information overload and slow development as much or more than manual testing.
Testing software effectively requires multiple tools along the software development life cycle (SDLC) — static, dynamic and interactive application security testing, plus software composition analysis for open source components, which now make up the large majority of code bases.
Most organizations have dozens of security testing tools. The Enterprise Strategy Group (ESG) reported more than a year ago that organizations, on average, run 25 to 49 security tools from up to 10 different vendors. Those tools, if not finely configured, can throw thousands of findings at developers, many of them false positives, with little to no guidance on how serious the defects are. If there is nothing to separate the critical from the irrelevant, it all becomes white noise, and developers predictably tune it out.
ASOC: A Quick Overview
Enter ASOC, a more efficient, prioritized, and transparent way of aggregating test results that analyst firm Gartner found significant enough to coin the term and add it to its hype cycle in 2019.
Gartner had been reporting on the trend starting several years earlier, but at that time saw orchestration and correlation as somewhat separate.
Application security testing orchestration (ASTO) was doing what the name implies. Instead of simply “shifting left” to begin security testing earlier in the SDLC, the move was what the BSIMM calls “shift everywhere,” or “orchestrating” the right test at the right time during the SDLC.
Gartner also reported that some vendors were offering what it called AVC, application vulnerability correlation, which yielded “rationalization and presentation of those results in a risk-based or prioritized manner.”
By 2019, Gartner had combined the two into ASOC, declaring that “a rapidly growing uptake of products, albeit from a small base, indicate the tools are approaching the peak of inflated expectations.”
Whether those expectations are truly inflated remains to be seen, since ASOC is not yet mainstream. When it first used the term, Gartner said ASOC had penetrated only 1% to 5% of the target audience.
The expectations aren’t simply based on wishful thinking, however. ASOC holds demonstrably significant promise because it addresses the downside of uncontrolled automation: It cuts through the noise of information overload.
Addressing Uncontrolled Automation
How so? Anita D’Amico, vice president of market development with the Synopsys Software Integrity Group and former CEO of Code Dx, recently acquired by Synopsys, said a good ASOC tool will do five major things that, collectively, will make software security testing more effective while keeping up with the accelerated pace of development:
ASOC will run application security tests using whatever testing tools an organization has. It is not bound by brand; it is “tool agnostic.” The orchestration component of the tool, which is programmed to suit the types of applications being tested and the needs of the organization, ensures that the right test is done at the right time.
Different testing tools present results in different formats and nomenclatures. ASOC will “normalize them to a single nomenclature,” D’Amico said, “then match them to eliminate redundancies, and finally, combine and aggregate them into a superset of results.”
Defects in software are not equal; some are trivial while others are critical. Obviously, development teams want to focus on what’s critical and don’t want to deal with the trivial. A good ASOC tool “does that in two ways,” D’Amico said. “First, with customizable rules that you can write and say, ‘We want these things to be escalated for remediation, and these things we want to be ignored.’”
“The other way is through machine learning. We study how the human analyst does this triage — what they ignore and what they escalate — and then the next time, when the scan is done, we present them with a set of results that, based on their prior activity, reflect that.”
A superior ASOC tool offers an added benefit to developers. It will scan all the correlated and prioritized results, take the highest-priority defect findings, and automatically open tickets in a defect tracker like Jira, Bugzilla or Backlog. “It should ship the information to the developer with the type of finding, where it is in the code and even remediation guidance,” D’Amico said, adding that it will also verify when a defect has been corrected and if so, will automatically close the ticket. “That’s what we call two-way issue-tracker integration,” she said.
Finally, ASOC presents all of those correlated results and their status in one place, commonly called the “single pane of glass,” so an analyst doesn’t need to go to each individual tool to see what problems exist and what has been done about them. It makes ASOC “an AppSec system of record,” D’Amico said.
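To make the normalize, correlate, prioritize and two-way-ticketing steps described above concrete, here is a small added example in Python. It is not code from the article, from Synopsys or from Code Dx: the two tool output formats, the CWE-based common nomenclature, the triage rules and the in-memory tracker that stands in for Jira, Bugzilla or Backlog are all constructed for illustration.

```python
"""Toy ASOC pipeline: normalize, correlate, prioritize, then sync with a defect tracker."""
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass(frozen=True)
class Finding:
    cwe: str        # single nomenclature across tools: a CWE identifier
    location: str   # "path:line" as reported, so matches across tools are exact
    severity: str   # LOW / MEDIUM / HIGH after mapping each tool's own scale
    sources: tuple  # tools that reported it, merged during correlation


# Constructed sample results, each in a (hypothetical) tool's own format.
SAST_OUTPUT = [
    {"checker": "SQLI", "cwe": "CWE-89", "path": "app/db.py", "line": 42, "level": "HIGH"},
    {"checker": "HARDCODED_SECRET", "cwe": "CWE-798", "path": "app/config.py", "line": 7, "level": "MEDIUM"},
    {"checker": "DEBUG_ENABLED", "cwe": "CWE-489", "path": "app/settings.py", "line": 3, "level": "LOW"},
]
DAST_OUTPUT = [
    {"name": "SQL injection", "cweid": 89, "location": "app/db.py:42", "risk": 3},
    {"name": "Missing security header", "cweid": 16, "location": "app/server.py:1", "risk": 1},
]


def normalize_sast(raw):
    """Map the SAST tool's fields onto the common Finding schema."""
    return [Finding(r["cwe"], f'{r["path"]}:{r["line"]}', r["level"], ("sast",)) for r in raw]


def normalize_dast(raw):
    """Map the DAST tool's numeric risk scale and integer CWE onto the same schema."""
    risk_to_sev = {1: "LOW", 2: "MEDIUM", 3: "HIGH"}
    return [Finding(f'CWE-{r["cweid"]}', r["location"], risk_to_sev[r["risk"]], ("dast",)) for r in raw]


def correlate(*result_sets):
    """Merge findings with the same (cwe, location) fingerprint, keeping the highest severity."""
    merged = {}
    for f in (f for rs in result_sets for f in rs):
        key = (f.cwe, f.location)
        if key in merged:
            m = merged[key]
            sev = f.severity if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity] else m.severity
            merged[key] = Finding(f.cwe, f.location, sev, tuple(sorted(set(m.sources + f.sources))))
        else:
            merged[key] = f
    return list(merged.values())


# Customizable triage rules: the first matching rule decides; anything unmatched goes to "review".
RULES = [
    (lambda f: f.cwe in {"CWE-89", "CWE-798"}, "escalate"),           # always fix injection and hardcoded secrets
    (lambda f: f.severity == "HIGH", "escalate"),
    (lambda f: f.cwe == "CWE-16" and f.severity == "LOW", "ignore"),  # accepted-risk configuration note
]


def triage(findings, rules=RULES):
    return {f: next((action for pred, action in rules if pred(f)), "review") for f in findings}


class Tracker:
    """In-memory stand-in for a defect tracker; tickets are keyed by finding fingerprint."""

    def __init__(self):
        self.tickets = {}  # (cwe, location) -> {"status": "open" | "closed", "summary": str}

    def sync(self, decisions):
        """Two-way integration: open tickets for escalated findings, close those no longer reported."""
        escalated = {(f.cwe, f.location): f for f, a in decisions.items() if a == "escalate"}
        opened = closed = 0
        for key, f in escalated.items():
            if self.tickets.get(key, {}).get("status") != "open":
                self.tickets[key] = {"status": "open",
                                     "summary": f"{f.cwe} at {f.location} via {', '.join(f.sources)} sev={f.severity}"}
                opened += 1
        for key, t in self.tickets.items():
            if t["status"] == "open" and key not in escalated:
                t["status"] = "closed"  # latest correlated scan no longer reports it: treated as fixed
                closed += 1
        return opened, closed

    def status_counts(self):
        """System-of-record view: how many escalated defects are open versus fixed."""
        counts = {"open": 0, "closed": 0}
        for t in self.tickets.values():
            counts[t["status"]] += 1
        return counts


def run_scan_cycle(tracker, sast_raw, dast_raw):
    """One orchestration cycle: normalize each tool's output, correlate, triage, sync tickets."""
    findings = correlate(normalize_sast(sast_raw), normalize_dast(dast_raw))
    return tracker.sync(triage(findings))


if __name__ == "__main__":
    tr = Tracker()
    print("first scan (opened, closed):", run_scan_cycle(tr, SAST_OUTPUT, DAST_OUTPUT))
    # Constructed second scan: the SQL injection was fixed, so neither tool reports it anymore.
    print("second scan (opened, closed):", run_scan_cycle(tr, SAST_OUTPUT[1:], DAST_OUTPUT[1:]))
    print("ticket status:", tr.status_counts())
```

On the first cycle the SAST and DAST reports of the same SQL injection collapse into one finding with two sources, two tickets are opened and the low-severity items never reach a developer; on the second cycle the injection has disappeared from the results, so its ticket is closed automatically. One caveat worth carrying into a real integration: this toy closes a ticket whenever its fingerprint is absent from the latest correlated results, so it cannot tell "no longer reported" from "that tool did not run this cycle," and a production ASOC tool should verify against the same tool and scope that originally reported the defect before closing anything.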
It also lets security executives like CISOs answer fundamental questions that can be crucial both in boardroom discussions about how the security team is minimizing risk to the business and in situations where there are legal or compliance questions about security. D’Amico said those questions usually include:
- Was the software tested, or when was it tested? ASOC has that information stored in its central data and presented as part of the single pane of glass.
- What security and quality defects were found? “That might seem like an easy question to answer, but if all your results are in different silos, it can be very hard to answer,” D’Amico said. Again, a good ASOC tool can answer it because “it has recorded and prioritized all of the issues that were found by all the different AppSec testing tools and techniques.”
- Were they fixed? “Again, this may be difficult to answer if you don’t have a single central platform,” D’Amico said. Though if an ASOC tool has connected with defect trackers and recorded the remediation status, “you can answer that question almost instantaneously,” she said.
- Where can I see my risk in just one place? ASOC should provide that single platform for risk reporting.
In short, “you can answer all those management questions almost immediately,” D’Amico said. All of which makes ASOC a better, and much faster, way to build trust into your software.