Backslash this week made generally available a namesake application security posture management (ASPM) platform that identifies and prioritizes vulnerabilities based on how easy they are to exploit and reach.
Backslash CEO Shahar Man said the goal is to provide a comprehensive vulnerability exploitability exchange (VEX) platform integrated with tools for software composition analysis (SCA), static application security testing (SAST), secrets detection and creating software bills of materials (SBOMs).
That approach makes it possible to visually model threats within the context of the actual application architecture, noted Man. Armed with those insights, it then becomes possible to address cybersecurity issues by pinpointing the lines of code impacted and also identifying the developer who wrote that code.
While there is a pressing need to improve application security, current DevSecOps workflows are inefficient because there is simply too much noise, said Man. Development teams are inundated with alerts that lack any meaningful context, so after a while, they simply start to ignore them, he added.
In addition, cybersecurity teams will often create a spreadsheet with a long list of vulnerabilities to be addressed without knowing whether the code impacted is accessible via the internet or whether the code that might be affected is actually running in a production environment, said Man.
Other issues may involve transitive dependencies in open source software that developers might not even be able to address without the maintainers of those projects providing a patch.
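The triage the two preceding paragraphs describe, as an added Python illustration that is not Backslash's code: alerts whose VEX status is not_affected or fixed, or whose service is not running in production, are suppressed, internet exposure weights the rest, and transitive dependencies are flagged as needing an upstream patch. The alert schema, VEX statements, deployment context and identifiers are all constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Finding:  # one SCA/SAST alert; field names are illustrative, not a vendor schema
    vuln_id: str      # placeholder id, not a real advisory
    package: str
    service: str      # deployable unit that contains the code
    cvss: float
    transitive: bool  # pulled in through another dependency

# Constructed deployment context per service (what inventory/runtime telemetry provides).
CONTEXT = {
    "checkout-api": {"in_production": True, "internet_facing": True},
    "batch-report": {"in_production": True, "internet_facing": False},
    "legacy-admin": {"in_production": False, "internet_facing": True},
}
# Constructed VEX-style statements keyed by (vuln, package), using the VEX
# status vocabulary: affected / not_affected / fixed / under_investigation.
VEX = {
    ("EX-0001", "libparse"): "not_affected",
    ("EX-0002", "webfw"): "affected",
    ("EX-0003", "jsonlib"): "affected",
    ("EX-0004", "cryptlib"): "fixed",
}
# Constructed alerts, as a scanner might emit them with no context attached.
FINDINGS = [
    Finding("EX-0001", "libparse", "checkout-api", 9.8, False),
    Finding("EX-0002", "webfw", "checkout-api", 7.5, False),
    Finding("EX-0003", "jsonlib", "batch-report", 9.1, True),
    Finding("EX-0004", "cryptlib", "legacy-admin", 9.0, False),
    Finding("EX-0005", "imglib", "legacy-admin", 8.0, False),
]

def triage(findings, context, vex):
    """Return (score, finding, reasons) tuples, highest risk first; noise is dropped."""
    ranked = []
    for f in findings:
        status = vex.get((f.vuln_id, f.package), "under_investigation")
        ctx = context.get(f.service, {})
        # VEX says the code path is not affected or already fixed, or the service
        # is not running in production: no reachable vulnerable code, suppress it.
        if status in ("not_affected", "fixed") or not ctx.get("in_production"):
            continue
        score, reasons = f.cvss, [f"vex={status}"]
        if ctx.get("internet_facing"):
            score *= 2  # exposed to the internet: weight above internal-only services
            reasons.append("internet_facing")
        if f.transitive:
            reasons.append("transitive: needs upstream patch")
        ranked.append((score, f, reasons))
    return sorted(ranked, key=lambda r: r[0], reverse=True)
```

Of the five constructed alerts, only two survive, and the lower-CVSS one ranks first because it sits in an internet-facing production service.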
Streamlining DevSecOps workflows has become crucial in an era where organizations are about to be held much more accountable for the security of the applications being deployed. Today, development teams are lucky if they can allocate 10% of their time to remediating vulnerabilities. Organizations need to be certain that time is spent addressing the issues that could have the most impact on the business. Otherwise, a level of fatigue sets in that results in developers making the same cybersecurity mistakes time and again, noted Man.
The Backslash platform, on average, identifies one critical toxic flow for every 100 security alerts produced by other tools, he added. Once critical issues are identified, it becomes possible to more effectively apply the limited resources available to improve the overall state of application security in a meaningful way.
The debate, in the meantime, over how far left to shift responsibility for application security continues. In theory, developers are in the best position to remediate issues, but most of them have limited cybersecurity expertise. DevSecOps teams are generally going to be in a better position to identify which issues need to be addressed based on the severity of the risk they might represent. Otherwise, it’s probable IT teams will wind up wasting their time fixing minor issues while others that might lead to a major breach are blithely ignored.
Regardless of the approach to DevSecOps, the need for a common framework of understanding is crucial if the cultural divide between development teams and cybersecurity professionals that has existed for decades is ever going to be effectively bridged.