Your AST Guide for the Disenchanted: Part 3
In our previous post, we discussed that the key ingredient to a true DevSecOps process is accurate testing. In this post, we’ll share how to implement an accurate application security testing program that effectively manages risk, while protecting developer productivity.
Two of Each is All You Need
There are many different types of application security testing tools to choose from. A common question is why multiple tools are needed at all. The answer is that there are multiple risks to address. Managing several tools and several risks at once is already enough to raise the blood pressure of any security team.
Rest assured, our philosophy is that simplicity is the best facilitator for focus. So we’ll only ask that you focus on two types of risk and two types of tools. In this post, we’ll cover the two types of risk to focus on: known and unknown vulnerabilities.
The Known and Unknown Vulnerabilities
Defects are the result of mistakes developers make in their code. When a defect is exploitable, it is considered a vulnerability. While there are more than two types of vulnerabilities, we posit that the known and the unknown are the minimum to focus on at the beginning of your DevSecOps journey:
- Known vulnerability. A known vulnerability has been disclosed to the software vendor and the security community. It is public and is given a CVE identifier. Known vulnerabilities are easier to detect and prevent because information about the issue, or a patch that fixes it, is available.
- Unknown vulnerability. An unknown vulnerability has not been discovered by anyone; it lies dormant in the code. Because nobody knows it exists, a malicious actor who finds it first can exploit it unnoticed for a long period of time. These vulnerabilities are difficult to detect and prevent because no information or patch is available to fix them.
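The reason known vulnerabilities are the easier class to catch is that, once a vulnerability is disclosed, detection reduces to matching what you ship against the disclosed data. The example below is added here to illustrate that point; it is not code from the original post or from ForAllSecure. It matches a list of declared components against a small advisory feed with version ranges. The advisory feed, component names, versions and the CVE-style identifiers (`CVE-EXAMPLE-000x`) are all constructed placeholders. Note what the lookup cannot do: an unknown vulnerability has no advisory entry, so this style of check can never find it, which is exactly why a second kind of tool is needed.

```python
"""Match declared components against a disclosed-vulnerability feed.

Added example, not code from the original post or from ForAllSecure.
Every advisory, component, version and CVE-style identifier below is a
constructed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    cve_id: str              # constructed placeholder, not a real CVE
    component: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None if unpatched


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'a.b.c' into a comparable tuple, padding missing parts with 0.

    Non-numeric suffixes such as '7-beta' are reduced to their digits so
    comparison never raises; this is a simplification of real semver rules.
    """
    parts: List[int] = []
    for piece in version.split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` falls in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


# Constructed advisory feed (placeholder identifiers, not real CVEs).
ADVISORIES: List[Advisory] = [
    Advisory("CVE-EXAMPLE-0001", "libexample-json", "1.0.0", "1.4.2"),
    Advisory("CVE-EXAMPLE-0002", "libexample-json", "2.0.0", None),
    Advisory("CVE-EXAMPLE-0003", "example-http", "0.9.0", "1.0.0"),
]

# Constructed component inventory: name -> version shipped.
COMPONENTS: Dict[str, str] = {
    "libexample-json": "1.3.7",
    "example-http": "1.0.0",
    "example-crypto": "3.1.0",
}


def find_known_vulnerabilities(components: Dict[str, str],
                               advisories: List[Advisory]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) pair that matches.

    A component absent from every advisory yields nothing, even if it
    harbours an undiscovered defect: that is the 'unknown' class.
    """
    findings: List[Dict[str, str]] = []
    for adv in advisories:
        version = components.get(adv.component)
        if version is None or not is_affected(version, adv):
            continue
        remediation = (f"upgrade to {adv.fixed}" if adv.fixed
                       else "no fix published; mitigate or remove the component")
        findings.append({
            "component": adv.component,
            "version": version,
            "cve_id": adv.cve_id,
            "remediation": remediation,
        })
    return findings


if __name__ == "__main__":
    for finding in find_known_vulnerabilities(COMPONENTS, ADVISORIES):
        print(finding)
```

Running the block reports a single finding, `libexample-json 1.3.7` against `CVE-EXAMPLE-0001`, with an upgrade target; `example-http 1.0.0` is exactly the fixed version and so is not flagged. The `example-crypto` entry produces nothing, and would produce nothing regardless of what defects it contains, because no advisory describes them.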
As organizations evaluate tools, they’ll want to select tools that address these two risk areas accurately to facilitate the DevSecOps process and mindset.
Until next time…
In this post, we’ve outlined the two types of application security risk to address as part of your DevSecOps pipeline. In the remainder of the series, we’ll suggest tools that accurately address each of these needs and explain how they complement each other.
Stay tuned for the rest of the series. Meanwhile, find out how to get started with DevSecOps in this explainer video featuring ForAllSecure CEO Dr. David Brumley. For immediate information or a demo, contact us at firstname.lastname@example.org.