ZeroNorth today added an Advanced AppSec Risk Analytics module to its platform for orchestrating DevSecOps processes.
John Worrall, ZeroNorth CEO, said the analytics tool pulls vulnerability data generated by a variety of security tools to provide both DevOps and cybersecurity professionals with a single source of truth for assessing security within an application environment.
The ZeroNorth platform is designed to enable IT organizations to orchestrate multiple vulnerability scanning tools within the context of a larger DevSecOps workflow, and can apply analytics to a large pool of security data. That data can be viewed in the context of specific groups, such as a business unit or a specific application development and deployment team, or within the context of whichever application generates the most revenue for the business, Worrall said.
Additionally, the Advanced AppSec Risk Analytics module surfaces the types of vulnerabilities detected and the vulnerabilities encountered most often, ranked by criticality, along with trends in the kinds and number of vulnerabilities detected and remediated, such as the number and criticality of findings reported by each scanner. It also tracks which applications and entities have been scanned, how many vulnerabilities were found in each application or entity, and which applications or entities carry the highest risk.
Armed with that analytics data, Worrall said it becomes easier for IT teams to prioritize and focus their efforts, in addition to identifying areas of the business that may need additional cybersecurity resources and training. IT leaders can also get a snapshot view of the top application security risks to better assess the organization's overall security posture, Worrall noted.
The Advanced AppSec Risk Analytics module will also surface vulnerability remediation bottlenecks spanning multiple applications within the context of a software development life cycle (SDLC), Worrall added. Longer term, Worrall said the data collected by the ZeroNorth analytics application will also create an opportunity for the company to apply machine learning algorithms to DevSecOps.
In general, Worrall said the only viable path toward achieving DevSecOps is to foster more collaboration between developers and cybersecurity teams. Getting those teams on the same page in terms of the security data that needs to be analyzed is a crucial first step, Worrall said.
It is still early in the adoption of DevSecOps best practices within organizations, but it is already apparent that a lack of cohesion between software developers and cybersecurity teams about which vulnerabilities to prioritize is a major source of dysfunction. Cybersecurity teams tend to hand developers long lists of vulnerabilities discovered within applications without providing much context. Developers are then left to weigh, on their own, when to address a vulnerability versus focusing on writing the additional code needed to make an application delivery deadline. Developers take potential vulnerabilities seriously, but there are only so many hours in a day to write code.
Unfairly or not, developers are being held more accountable for application security. The challenge, and the opportunity, is to find a way to make the entire DevSecOps workflow a whole lot less contentious by making DevOps and DevSecOps teams more aware of which tasks should be prioritized, and when.