A new report out this week highlights how important it is to find ways to fold in vulnerability assessment information into the software development lifecycle. Released by WhiteHat Security, the Website Statistics Report 2015 offers a smorgasboard of interesting data around web application security. Amid all of the statistics, though, DevOps shops should perhaps home in on one major takeaway—statistical evidence that points to a single practice that could make a huge difference in reducing vulnerabilities in the long run. The trick in question? Tying vulnerability data into the bug tracking system.
“When it’s all said and done, there are three metrics that matter in application security. It’s the number of vulnerabilities you have, the speed at which you fix them and the percentage of which are fixed,” says Jeremiah Grossman, founder of WhiteHat. “And what we’ve found is that when you wire into the apparatus whatever vulnerability assessment data that you get into the bug tracking system, which is very important for DevOps, that actually is what achieves the best results.”
As he explains, simply providing vulnerability assessment data in a raw format—for example, a PDF document listing flaws—this does nothing to fit within an automated pipeline and vulnerabilities will remain unfixed. In the report released this week, Grossman reports that organizations that made the connection between the vulnerability feed and the development process’ bug tracking system exhibited 40 percent fewer vulnerabilities, fixed issues a month faster on average and increased their remediation rate by 15 percent compared to the rest of the pack.
While Grossman admits that it is difficult to know exactly what percentage of customers ascribe to different development methodologies, his rough guess is that about half at this point are instituting some kinds of DevOps principles in order to release at least every two to three weeks. He recommends that security professionals hoping to get more involved in the spirit of cooperation that drives DevOps transformations should start with metrics.
“Create a metrics program, just like the DevOps guys do, to measure the security of that environment,” he says, explaining that the three metrics mentioned above are good ones to start with. “Then you can track the performance of the DevOps groups in terms of security and deliver that data back to the group. Then when you want to get strategic about what processes and improvements in the DevOps environment that need work, you can be very laser focused. App sec programs should be tailor-made to the internal processes of the organization around the metrics they want to improve.”