As we outlined in the previous blog post, DevOps is in danger of not being properly secured unless it adopts technologies specifically designed for that purpose.
Traditional application security technologies were not designed to work in a DevOps environment. The name itself makes the point: DevOps-enabling tools should be designed for development and operations specialists, and for some of the tools that enable DevOps this was the case. It was not the case for traditional application security technologies. They were built for a different class of users: dedicated, proficient application security professionals. Using these tools requires specific aptitude, training, and dedication. These technologies emerged around 2005-2007, and only a few years later it became clear that enterprises were unable to adopt them broadly, for reasons such as these:
- Developers (programmers and testers) lack the security mentality needed to run these tools effectively. Developers typically test an application to prove that its functionality complies with the specification. Security testing is the opposite: it should not prove that the application does what it is supposed to do, but find ways to trick or force the application into doing what it is not supposed to do, that is, into violating the specification.
- Developers are not driven by security concerns. Their main objective is to deliver the required functionality by the deadline and within budget.
- AppSec tools are highly complex. Operating them is a full-time job, for which developers have neither the time, the skills, the aptitude, nor the mandate.
Around 2007, the application security industry began responding to these challenges by offering cloud-based application security services. In this model, SAST and DAST (static and dynamic application security testing) are run in the cloud by dedicated, independent third-party vendors, which relieves enterprises of installing tools, training or hiring specialists, running the tools, and being responsible for the test results. The service does all of that, so enterprises only have to submit test requests, receive results, and mitigate the detected vulnerabilities. Application security as a service has become a powerful alternative to tools: enterprises are choosing services over tools, or supplementing tools with services. We estimate that today, adoption of application security services has exceeded adoption of tools.
Cloud services made application security far more transparent and approachable for enterprises, yet these services were still not ready to be handed over to developers. The emergence of DevOps has brought new challenges for application security.
In the next blog post, we will discuss how application security is evolving to address these new challenges.