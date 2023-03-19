Surfing the wave of automated findings

With automated testing comes automated findings—a lot of automated findings. The trick to running an effective DevSecOps program is to find a way not to drown your developers in the sheer volume of those findings. By using tools that can help to sort, prioritize, and triage automated test results, you can ensure that your developers will surf along the crest of all that information, making the most of the operational velocity you’ve built into your workflows and pipelines.

The first challenge is to prioritize your findings by ranking them against whatever criteria works for your organization. Prioritization criteria can include items as varied as

Standardized risk scores (CVSS, etc.)

Yes/no gates for exploitability

Whether an application is behind a firewall

Whether the file is being used for dev only or going to production

Whether the affected application is customer-facing and revenue-generating

Testing may be automated, but priority is determined by what matters most to your business. Once you’ve determined your business priorities, you can turn once again to automation to enforce the policies you’ve created to manage your activities and risk tolerance before and after scans.

The next challenge of managing testing results without slowing down business velocity is to determine how to triage the prioritized set of automated security findings your policies have returned. While it may be impossible to address all issues in the list even after prioritizing them, you can still categorize which issues to fix depending on your time horizon, risk tolerance, and other organizational or operational factors. Setting your triage policies is key to allowing your developers to surf the surge of findings, instead of being swamped by them.

Once you have prioritization and triage policies in place, your developers can approach remediation using the steps we’re all familiar with: going back to dev, automatically opening a ticket in the issue management system, sending automated notifications of new issues to fix, highlighting policy failures and prioritized risks within the IDE, etc. The difference is that automation allows you to accelerate this process without burning out your developers.

Black Duck has a suite of tools to automate this process, from prioritization, to triage, to fix/remediation, to automation, and they integrate with tools your teams are already using. Black Duck tools include

Software Risk Manager consolidates findings from all your automated and manual tests into a single place, removes duplicative results, triages issues, and provides policy management, all so you can concentrate your efforts on a smaller set of high-priority issues that have the greatest business impact.

Seeker IAST turns functional tests into security tests by monitoring web app interactions in the background and identifying true risks that manifest at runtime.

Code Sight moves security risk detection and triage all the way left onto the developers IDE, where it detects security and quality defects, and delivers detailed remediation guidance as developers work. After all, the most important way to prioritize vulnerability remediation is to prevent them from slipping into your code in the first place.

The 2022 SANS DevSecOps survey makes clear the need for automation and policies for application security. Intelligent, policy-driven DevSecOps means defining policies that run the right tests at the right time. By collecting risk insight that’s automatically verified and cleansed, you can make sure you’re sending only the most impactful priorities to development teams for remediation. By investing in making your developers more security-aware and more security-capable, you’re ensuring that the DevOps loop itself becomes more secure over time. Successful DevSecOps means securing your code at the ever-increasing speeds that business needs, and Black Duck can help you do that.