As we outlined in the previous blog post, DevOps is in danger of not being properly secured unless it adopts technologies specifically designed for that purpose.
Traditional application security technologies were not designed to work in a DevOps environment. Even from the name DevOps, it is obvious that DevOps-enabling tools should be designed for Development and Operations specialists, and for some tools that enable DevOps this was the case. Yet it was not the case with traditional application security technologies. They were built for a different class of users: dedicated, proficient application security professionals. Using these tools requires specific aptitude, training, and dedication to do the work. These technologies emerged around 2005-2007, and just several years later it became clear that enterprises were unable to broadly adopt them for reasons such as these:
Around 2007, the application security industry began responding to these challenges by offering cloud-based application security services. With this paradigm, SAST and DAST are run in the cloud by dedicated, independent third-party vendors, which relieves enterprises from installing tools, training or hiring specialists, running the tools, and being responsible for test results. The cloud service does all of it, so enterprises only have to worry about submitting test requests, receiving results, and mitigating detected vulnerabilities. Application security as a service has become a powerful alternative to tools. Enterprises are choosing services over tools, or supplementing tools with services. We estimate that today, adoption of application security services has exceeded adoption of tools.
Cloud services made application security much more transparent and friendly to enterprises, yet these services were still not ready to be handed over to developers. And the emergence of DevOps has brought new challenges for application security.
In the next blog post, we will discuss how application security is evolving to address these new challenges.